Hyperguarding your Web Applications

Posts Tagged ‘WAF’

Scanners and WAFs Work Hand-in-Hand

Posted by hyperguard on March 31, 2010

Larry Suto, an application security consultant, recently published a sequel to his widely read 2007 research on web application scanners, which drew much attention from the industry because he claimed that scanners do not perform as well as advertised. In his sequel, Larry elaborates on and updates his initial findings by testing various vendors' solutions, such as Acunetix, Portswigger.net BurpSuitePro, Cenzic's Hailstorm and NT Objectives' NTOSpider, among others, and found yet again that most web application scanning tools missed vulnerabilities and generated false positives. While Larry's findings are quite interesting, businesses should never rely solely on a single solution.

In this particular instance, we always urge the use of both scanners and WAFs for an added layer of security. In fact, these two technologies are melding together today, as we see from the analyst community, for example Chenxi Wang in her recent report, Web Application Firewall 2010 And Beyond. Stand-alone security solutions are almost nonexistent within the industry today. Ofer Shezaf states in his post, WAFs are not perfect, but is any security tool perfect?, that no single security solution is sufficient; only combining multiple defense mechanisms provides adequate security, and even that does not imply 100%.


WAF in the Cloud

Posted by hyperguard on January 22, 2010

Fellow OWASP member, Ofer Shezaf, recently presented at a chapter meeting and gave an overview of how WAFs interact with cloud computing, both using the cloud and protecting cloud-based applications. During his presentation he discussed the following scenarios:

  • Enterprise Security Gateway
  • WAF as a service: For protecting a data center or SaaS
  • WAF for a cloud deployment: Host Based or Infrastructure Based
  • WAF stubs

Mentioned in his presentation and also in an earlier post, Ofer notes that the two challenges facing WAFs in the cloud are bandwidth and complexity; however, art of defence has tackled these problems with hyperguard, which meets Xiom's definition of a true WAF.

Ofer mentions hyperguard SaaS for AWS within his presentation, and notes that many well-known WAFs actually do little more than signature matching and are hardly true WAFs. What is considered a true WAF for the cloud?

Xiom is a great source of information on WAFs and a resource for our readers: check out Ofer's blog at http://www.xiom.com/ and view his entire presentation under our 'Resources' tab.

Follow this discussion on Twitter @hyperguard


First dWAF?

Posted by hyperguard on December 18, 2009

We're glad to see others are seeing the importance and worth of a distributed Web Application Firewall (dWAF); however, we wouldn't call Akamai's recent news the first WAF in the cloud. The technology is a black-list filter for requests.

Adrian Lane, replying to Jeremiah, in reference to Jeremiah's point on white list vs. black list:

…I am making the assumption that Akamai relieves their customers from specific ‘black list’ threats and the burden on web site WAFs, but does not relieve customers of the need to build their own ‘white list’ of policies.

Today's WAF technology looks very different. Black, white and gray listing is considered basic functionality. Proactive features like session protection, form-field virtualization, learning and assisted security policy refinement are a must. Exchanging information with related web application security products, such as web application vulnerability scanners or static code analysis tools, is a must-have.

For these reasons, art of defence launched the first fully fledged dWAF for their customers at RSA 2009. More recently, we've made this service available to AWS customers and solution providers so they can protect their applications by applying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI), or by using AoD's custom AMI. The technology behind this is going to be implemented at various other cloud service providers in the near future so they can offer a true dWAF (at least) in their cloud.

Follow the discussion on Twitter @hyperguard.


You Could Fall Victim to a Phishing Attack

Posted by hyperguard on December 10, 2009

As stated in OWASP's guide, phishing attacks are one of the highest-visibility problems for banking and e-commerce sites because they have the potential to destroy a customer's credit rating and livelihood. Needless to say, this is a major concern. To make matters worse, a recent report by Trusteer states that on average 12.5 users out of 1 million accidentally access a phishing website; while this number may seem relatively small, it isn't for banks, which lose about $2.4-9.4 million annually. In addition, 45% of bank customers who are redirected to a phishing site divulge their personal credentials—wow! This report proves just how important it is for banks to use a WAF.

A WAF will detect third-party websites linking to the legitimate web application and initiate counter-measures. This detection can also be carried out dynamically, blocking access only once a specific number of requests have occurred.
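The threshold-based detection just described, as an added illustration (not hyperguard's code): a small filter in the spirit of a WAF rule that inspects the Referer header on credential pages, lets the first requests from an unknown origin through while logging them for the administrator, and blocks once that origin exceeds a count. The hostnames, paths, request samples and threshold are constructed assumptions.

```python
"""Referer-based detection of third-party sites linking into a protected application.

Added illustration, not hyperguard code: a WAF-style filter that reads the Referer
header of requests to credential pages, counts requests from each unknown origin,
and switches from logging to blocking once that origin exceeds a threshold.
Hostnames, paths and request samples are constructed; the threshold is an assumed
administrator setting.
"""
from collections import Counter
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"bank.example", "www.bank.example"}   # origins allowed to link in (assumed config)
PROTECTED_PATHS = {"/login", "/account"}               # pages where an outside link is suspicious
BLOCK_THRESHOLD = 3   # requests one unknown referer may send before it is blocked


class RefererGuard:
    def __init__(self, trusted_hosts=TRUSTED_HOSTS, protected_paths=PROTECTED_PATHS,
                 threshold=BLOCK_THRESHOLD):
        self.trusted_hosts = trusted_hosts
        self.protected_paths = protected_paths
        self.threshold = threshold
        self.hits = Counter()   # unknown referer host -> number of requests seen
        self.events = []        # audit trail for the administrator: (action, host, path)

    def check(self, path, headers):
        """Decide one request: 'allow', 'monitor' (let through, but log) or 'block'."""
        if path not in self.protected_paths:
            return "allow"
        referer = headers.get("Referer")
        if not referer:
            return "allow"   # typed URL or bookmark: no link source to judge
        host = (urlsplit(referer).hostname or "").lower()
        if host in self.trusted_hosts:
            return "allow"
        self.hits[host] += 1
        action = "block" if self.hits[host] > self.threshold else "monitor"
        self.events.append((action, host, path))
        return action


# Constructed request samples, in arrival order; the foreign host is made up.
SAMPLE_REQUESTS = [
    ("/login", {"Referer": "https://www.bank.example/"}),
    ("/login", {}),
    ("/login", {"Referer": "http://bank-login-verify.test/step1"}),
    ("/login", {"Referer": "http://bank-login-verify.test/step1"}),
    ("/login", {"Referer": "http://bank-login-verify.test/step1"}),
    ("/login", {"Referer": "http://bank-login-verify.test/step1"}),
    ("/help", {"Referer": "http://bank-login-verify.test/step1"}),
]


def run_sample():
    """Feed the samples through one guard and return the decision for each request."""
    guard = RefererGuard()
    return [guard.check(path, headers) for path, headers in SAMPLE_REQUESTS]
```

The Referer header is set by the browser and is often absent or stripped, so it is a signal rather than proof; the threshold keeps a single link from a blog post from being blocked, while a page that funnels many victims to the login form crosses it quickly and shows up in the event log with its hostname.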

Trusteer's data was compiled by measuring live phishing attacks through their Rapport browser plug-in. Read the report in its entirety or check out ZDNet or The Tech Herald for additional commentary.

Follow the discussion on Twitter @hyperguard.


Burglars, Rush Hour and Web Application Firewalls

Posted by hyperguard on October 1, 2009

Who would have thought a carpool service web site could be the stuff of pulp novels and Hollywood capers? After reading about the early September plight of RideMatch.info in the New York Times, you might not see the connection since ‘Agent Smith’ reported technically about this run-of-the-mill SQL injection attack on the popular Southern California commuter website. Dig into the details and you will assuredly start to crave popcorn and your favorite soda!

The opening shot would pan stage-left to settle on a robed gentleman at his PC. Steaming cup of java in hand, our subject clicks his mouse on SEND to whisk his phone number, address, commute time, work location, employee ID number and name to RideMatch’s member database to find a suitable carpool. Satisfied, our man walks slowly off camera.

Camera fades to black as the narrator sets the stage for drama to come, “little did Joe know his life was about to crash into those of a cat burglar, overworked web application developer and an eager hacker.”

Because a hacker had exploited a coding flaw in RideMatch's site – the infamous SQL injection – he was able to see every user's data, pinpointing who was home when, employment information and social security numbers (a.k.a. employee ID numbers), whose value was only in the sale of this information to others. While the burglary didn't actually happen, it isn't much of a stretch to see that it very well could have. Would a web application firewall (WAF) have prevented this and saved RideMatch from certain liability? If configured correctly, yes.

How prevalent is this issue? Very. Here are just a few of the interesting public cases.

On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly "the biggest case of identity theft in American history", the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.

In 2008, from at least April through August, a sweep of attacks began exploiting SQL injection vulnerabilities on Microsoft's IIS web server and SQL Server database server. The attack doesn't require guessing the name of a table or column, and corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches to gaining control over the visitor's system. The number of exploited web pages is estimated at 500,000.

On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site for 'routine maintenance' after being informed that 10,597 social security numbers of sex offenders had been downloaded via SQL injection.


A Virtual Certainty for PCI?

Posted by hyperguard on September 25, 2009

This week in Las Vegas, the PCI Virtualization Special Interest Group (PCI SIG) is meeting to figure out how to handle the growing use of virtualization. Long overdue, the group is still neglecting important aspects specific to web application firewalls (WAFs). There have been countless discussions, articles and commentary about PCI in general, yet the WAF guidelines remain simple: get one, use it and make sure it integrates with other measures. Technically, this is option 2 of the web application protection requirement 6.6.

What's missing is ruleset flexibility and control, which also happen to be the biggest points of contention with WAF technology today. A little variety in deployment options is also handy in a virtualized setting – a distributed WAF if you will, or dWAF. Specifically:

Detection and Protection

Foundational security using black, white and grey listing for application requests and responses must be possible. To make sure pre-set policy enforcements are not activated or deactivated without approval from an administrator, deployment and policy refinement through establishing rulesets must be possible in a shadow-monitoring or detection-only mode. Only once the shadow-monitoring ruleset is stable should it be allowed to deploy in enforcement mode on the dWAF. This gives the administrator complete transparency into the real-world effect of a ruleset, while allowing layered rulesets to be tested without compromising existing policy enforcement. Avoiding both false positives and any relaxation of established defenses is essential for a real-world, usable dWAF in a cloud.

Automated learning and ruleset suggestions based on intelligent algorithms, or on recommendations from a static source code analyzer or web vulnerability scanner, are also desirable from a manageability point of view. Again, this only holds true if the administrator retains full control over activation/deactivation of each ruleset. Without this control, wanted traffic may be blocked and policy settings compromised.

Application Shielding

Pro-active security functions are highly recommended to reinforce any application in a cloud. Detection alone is simply not enough for today's web application security. Features like transparent secure session management, URL encryption and form-field virtualization provide strong deterrence to attack while saving application development and deployment time. These features are effective because session management, URL encryption and form-field virtualization are done at the dWAF level and not in the application itself.
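Form-field virtualization at the dWAF level, as an added example (illustrative code, not hyperguard's implementation): the WAF replaces the values of hidden form fields with opaque, session-bound tokens before the page leaves, and swaps the real values back in when the form comes back, so an edited hidden field never reaches the application. The markup, session ids and field names are constructed, and the regex only handles the attribute order used in that sample.

```python
"""Form-field virtualization at the WAF layer (added illustration, not hyperguard code).

Hidden form fields leave the WAF as opaque, session-bound, single-use tokens; the
real values stay in the WAF and are restored when the form is submitted. An edited
hidden field, a token from another session, or a replayed token is rejected before
the application sees it. Markup, session ids and field names are constructed.
"""
import re
import secrets

# Matches the hidden inputs in the constructed sample; attribute order is fixed for brevity.
HIDDEN_INPUT = re.compile(
    r'<input\s+type="hidden"\s+name="(?P<name>[^"]+)"\s+value="(?P<value>[^"]*)"\s*/?>'
)


class FieldVirtualizer:
    def __init__(self):
        self.store = {}        # (session_id, field_name, token) -> real value
        self.virtual = set()   # names of every field the WAF has virtualized

    def rewrite_response(self, session_id, html):
        """Replace each hidden field's value with a random token tied to this session."""
        def swap(match):
            name, value = match.group("name"), match.group("value")
            token = secrets.token_hex(16)
            self.store[(session_id, name, token)] = value
            self.virtual.add(name)
            return f'<input type="hidden" name="{name}" value="{token}"/>'
        return HIDDEN_INPUT.sub(swap, html)

    def restore_request(self, session_id, form):
        """Swap tokens back to real values; return None if any virtualized field is invalid.

        Validate everything first, then consume, so a rejected submission does not burn
        tokens that a legitimate resend of the same form would still need.
        """
        keys = {}
        for name in self.virtual & set(form):
            key = (session_id, name, form[name])
            if key not in self.store:
                return None   # edited value, unknown token, or token issued to another session
            keys[name] = key
        restored = dict(form)
        for name, key in keys.items():
            restored[name] = self.store.pop(key)   # single use: a replay fails next time
        return restored


# Constructed page as the application would emit it, before the WAF rewrites it.
SAMPLE_HTML = (
    '<form action="/checkout" method="post">'
    '<input type="hidden" name="price" value="19.99"/>'
    '<input type="hidden" name="sku" value="A-100"/>'
    '<input type="text" name="qty" value="1"/>'
    '</form>'
)


def demo():
    """Rewrite one page, then submit it tampered, cross-session, honestly and replayed."""
    waf = FieldVirtualizer()
    page = waf.rewrite_response("sess-1", SAMPLE_HTML)
    seen = dict(HIDDEN_INPUT.findall(page))          # what the browser actually receives
    honest = {"price": seen["price"], "sku": seen["sku"], "qty": "2"}
    return {
        "values_hidden": "19.99" not in page and "A-100" not in page,
        "tampered": waf.restore_request("sess-1", {**honest, "price": "0.01"}),
        "other_session": waf.restore_request("sess-2", honest),
        "honest": waf.restore_request("sess-1", honest),
        "replayed": waf.restore_request("sess-1", honest),
    }
```

Because the application code is untouched, the same mechanism covers every form the dWAF sees, which is the development and deployment time saving the paragraph refers to; the price of that is state in the WAF, which a distributed deployment has to share or pin per session.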

Support for an authentication framework that enables businesses to consolidate their applications under one management schema is also desirable for a dWAF. This lets users handle authentication in front of their applications rather than behind them, which adds another security perimeter. Consolidating all applications with dedicated rights management is also a strong usability function that will make an administrator's life easier.

More info here: http://www.artofdefence.com


Reaction to SearchSOA.com: Common WebAppSec exploits

Posted by hyperguard on September 17, 2009

Great article on the 16th from SearchSOA.com by Rob Barry. He interviews a developer at Mozilla Labs, Joe Walker, about a few of the OWASP Top 10 and how to develop around them. Walker's focus as a developer is on creating, patching and managing security threats to apps. What's missing from Barry's article, however, is the incredible pain this approach causes companies right now.

Refactoring code once it's in use (particularly web apps and cloud services) is incredibly expensive, time-consuming and difficult. Source code scanners play a role in easing some of this pain, although web application firewalls (WAFs) are a much more practical fix, and linking the scanner software directly with the WAF cuts down the need for application downtime.

If done right, the scanner detects software vulnerabilities and feeds its findings directly into the WAF. For our distributed WAF (dWAF) solution, hyperguard, all security lapses identified by a scanner are immediately presented to the administrator as dynamic ruleset suggestions. Conflicting dWAF rulesets, which may leave holes in web application shielding, are prevented. In plain English, this means that development, testing and deployment of new application security policies can happen in real time without ever relaxing the established defenses or risking false positives. 'Patches' are applied through the dWAF until regular maintenance cycles can be scheduled to refactor the actual application code.
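The scanner-to-WAF hand-off described here, together with the shadow-monitoring workflow from the "Detection and Protection" section of the PCI post above (rulesets run detection-only until an administrator promotes them, and nothing applies without administrator activation), as one added example. This is illustrative code, not hyperguard's; the scanner report format, the rule patterns and the request samples are constructed.

```python
"""Shadow-mode rulesets fed by scanner findings (added illustration, not hyperguard code).

A scanner finding becomes an inactive rule suggestion; an administrator activates it
in shadow mode, where matches are only logged; only after it has been exercised may
it be promoted to enforcement. A suggestion that contradicts an existing rule on the
same path and parameter is refused. Findings, patterns and requests are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    path: str               # request path the rule applies to
    param: str              # request parameter it inspects
    pattern: str            # regex matched against the parameter value
    action: str = "block"   # "block", or "allow" for an explicit exception
    mode: str = "shadow"    # "shadow" = log only, "enforce" = act
    active: bool = False    # nothing applies until an administrator activates it
    shadow_hits: int = 0    # matches observed while in shadow mode


# Detection patterns a finding type is translated into (constructed, illustrative).
PATTERNS = {
    "sqli": r"(?i)['\"]\s*(or|and)\s+\S+\s*=\s*\S+",   # classic tautology shape
    "xss": r"(?i)<\s*script",
}


class RulesetEngine:
    def __init__(self):
        self.rules = {}
        self.log = []   # (event, rule_id, path, param): the administrator's audit trail

    def add_rule(self, rule):
        """Accept a rule unless it contradicts an existing rule on the same field."""
        for other in self.rules.values():
            if (other.path, other.param) == (rule.path, rule.param) and other.action != rule.action:
                self.log.append(("conflict", rule.rule_id, rule.path, rule.param))
                return False
        self.rules[rule.rule_id] = rule
        return True

    def import_scanner_findings(self, findings):
        """Turn findings into inactive shadow-mode suggestions; return the accepted ids."""
        accepted = []
        for f in findings:
            rule = Rule(f"scan-{f['id']}", f["url"], f["param"], PATTERNS[f["type"]])
            if self.add_rule(rule):
                accepted.append(rule.rule_id)
        return accepted

    def activate(self, rule_id):
        self.rules[rule_id].active = True

    def promote(self, rule_id):
        """Shadow -> enforce, only for an active rule that has actually been exercised."""
        rule = self.rules[rule_id]
        if not rule.active or rule.mode != "shadow" or rule.shadow_hits == 0:
            return False
        rule.mode = "enforce"
        return True

    def evaluate(self, path, params):
        """Return 'block' or 'allow' for one request."""
        for rule in self.rules.values():
            if not rule.active or rule.path != path or rule.param not in params:
                continue
            if not re.search(rule.pattern, params[rule.param]):
                continue
            if rule.action == "allow":
                return "allow"            # explicit exception wins for this field
            if rule.mode == "shadow":
                rule.shadow_hits += 1
                self.log.append(("would-block", rule.rule_id, path, rule.param))
                continue                  # detect only: let the request through
            self.log.append(("block", rule.rule_id, path, rule.param))
            return "block"
        return "allow"


# Constructed scanner output; the shape is illustrative, not any real scanner's format.
SCANNER_FINDINGS = [
    {"id": "101", "type": "sqli", "url": "/search", "param": "q"},
    {"id": "102", "type": "xss", "url": "/comment", "param": "body"},
]


def walkthrough():
    """Findings -> suggestions -> shadow mode -> enforcement, returning each decision."""
    engine = RulesetEngine()
    suspicious = {"q": "x' OR 1=1 --"}
    out = {"suggested": engine.import_scanner_findings(SCANNER_FINDINGS)}
    out["before_activation"] = engine.evaluate("/search", suspicious)   # nothing active yet
    engine.activate("scan-101")
    out["in_shadow"] = engine.evaluate("/search", suspicious)           # logged, not blocked
    out["promote_unexercised"] = engine.promote("scan-102")             # never activated
    out["promote_exercised"] = engine.promote("scan-101")
    out["enforced"] = engine.evaluate("/search", suspicious)
    out["benign"] = engine.evaluate("/search", {"q": "coffee"})
    out["hole_refused"] = engine.add_rule(Rule("allow-q", "/search", "q", ".*", action="allow"))
    out["log"] = list(engine.log)
    return out
```

The two controls the posts ask for are both visible in the walk-through: a rule never blocks anything until an administrator has both activated it and promoted it after seeing its shadow-mode log, and an "allow" exception that would silently punch a hole in an existing block rule is refused rather than merged.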


Jeremiah’s Right about Scalability

Posted by hyperguard on September 1, 2009

I recently read Web security is about scalability, a very interesting post by Jeremiah Grossman of WhiteHat Security. He discusses the importance of scalability in overcoming today's web security challenges. I would like to add some of my thoughts.

It has taken the industry over 10 years to realize that when dealing with web application vulnerabilities, it must also deal with the scalability issues these applications face. This needs to happen in parallel with normal security testing. Jeremiah highlights the incredible scaling needed today:

“Consider that there are 240+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. Any solution capable of making a real difference must be valued by its potential worldwide impact.”

Testing a web application on a single system (how most are tested before being sent out into the world) without taking scalability into account is costly. Once that application hits its performance limit, it usually means a redesign and rewrite of core elements to make it more scalable, changing how and what is important to test. Think of the OWASP Top 10 on Jeremiah's scale!

Cluster computing, or cloud computing, presents a remedy to developing, testing and scaling web applications in a much more practical sense.

Flip the coin to protecting the applications once they're live and in action, and Jeremiah's scalability point becomes painfully apparent. Web application firewalls (WAFs) are the industry standard for this purpose; however, they are predominantly hardware. Hardware doesn't scale – you have to buy another box. More boxes, more resource drain, fewer virtualized resources and on and on.

The article Jeremiah references in his post (check here for the white paper), outlines my view of what the market needs from a WAF.
