Web Applications & APIs

Similar documents
Web Applications & APIs

Web Application Firewall Getting Started Guide. September 7, 2018

Qualys Cloud Suite 2.x

Automating Security Practices for the DevOps Revolution

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Qualys Cloud Platform

Community Edition Getting Started Guide. July 25, 2018

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

Qualys Cloud Platform

Application security : going quicker

Framework for Application Security Testing. September 11th, 2018

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

Qualys Cloud Suite 2.30

QUALYS SECURITY CONFERENCE Qualys CertView. Managing Digital Certificates. Jimmy Graham Senior Director, Product Management, Qualys, Inc.

First Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.

ForeScout Extended Module for ServiceNow

Real-Time Vulnerability Management Operationalizing the VM process from detection to remediation

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Qualys Cloud Platform

Industry-leading Application PaaS Platform

Solutions Business Manager Web Application Security Assessment

A10 HARMONY CONTROLLER

TIBCO Cloud Integration Security Overview

ADC im Cloud - Zeitalter

Qualys Cloud Suite 2.23

ForeScout Extended Module for Qualys VM

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Real-Time Vulnerability Management Operationalizing the VM process from detection to remediation

McAfee Web Gateway Administration

Web Application Firewall

Imperva Incapsula Website Security

McAfee Network Security Platform 8.3

Web Application Penetration Testing

haltdos - Web Application Firewall

Regaining Our Lost Visibility

Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

ForeScout Extended Module for ServiceNow

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Web Application Firewall

McAfee Network Security Platform 8.3

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

THE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Running MarkLogic in Containers (Both Docker and Kubernetes)

CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR

DefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider

Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Version 2.38 April 18, 2019

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

EFFECTIVE, SCALABLE, #FULLSTACK VULNERABILITY MANAGEMENT

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

DDoS Hybrid Defender. SSL Orchestrator. Comprehensive DDoS protection, tightly-integrated on-premises and cloud

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Everything visible. Everything secure.

1. APPLICATION SECURITY: KEY CHALLENGES

Going Without CPU Patches on Oracle E-Business Suite 11i?

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Comodo cwatch Web Security Software Version 1.6

ForeScout Extended Module for IBM BigFix

Automating the Top 20 CIS Critical Security Controls

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

AWS Web Application Firewall. Darren Weiner Cloud Architect/Engineer

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Secure DevOps: A Puma s Tail

Securing Your Amazon Web Services Virtual Networks

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Taking Control of Your Application Security

Chapter 5: Vulnerability Analysis

A10 Lightning Application Delivery Service

CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WHITEPAPER

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

Continuous Delivery for Cloud Native Applications

Real-Time Vulnerability Management Operationalizing the VM process from detection to remediation

Tenable.io Web Application Scanning. Last Updated: November 19, 2018

LaunchStation Controller

F5 Synthesis Information Session. April, 2014

Comodo Certificate Manager

Configuring Vulnerability Assessment Devices

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Securing Your Microsoft Azure Virtual Networks

Qualys Cloud Suite 2.28

Corrigendum 3. Tender Number: 10/ dated

Our sponsors Zequi V Autopsy of Vulnerabilities

Deployment Scenarios Microsoft TMG Standard, TMG Enterprise, TMG Branch Office series Appliances

The Way of the Bounty. by David Sopas

How to Secure Your Cloud with...a Cloud?

ForeScout Extended Module for Tenable Vulnerability Management

Qualys 8.7 Release Notes

Transcription:

18 QUALYS SECURITY CONFERENCE 2018 Web Applications & APIs The Soft Belly of the Cloud Dave Ferguson Director, Product Management, WAS Remi Le Mer Director, Product Management, WAF

Agenda Web Apps & APIs in the Cloud Qualys Web Application Scanning (WAS) Review What's New Roadmap Qualys Web Application Firewall (WAF) Review Q&A What's New Roadmap 2

Insecure Apps & APIs are a Problem Your business depends on web applications Any app or API can be a foothold into your organization Developers are not incentivized for security Cloud-based apps are easy for developers to deploy Web Applications are Being Targeted! Most common data breach pattern *! Top hacking vector * U.S. Postal Service (API) Facebook (API) Google+ (API) MyFitnessPal (API?) Equifax Yahoo Ashley Madison * Source: 2018 Verizon DBIR 2018 2018 2018 2017 2017 2016 2015 3

Apps & APIs are Everywhere Apps in Public Clouds Public-Facing Web Apps REST APIs Internal Web Apps New Apps under Development 4

Web Application Scanning Review

Qualys Web Application Scanning A leading dynamic application security testing (DAST) tool Delivered via the Qualys Cloud Platform Identifies app-layer vulnerabilities OWASP Top 10 CWEs Web-related CVEs Includes automated crawling Supports Selenium scripts Malware monitoring as a bonus 6

Built for the Enterprise Web App Discovery Unlimited scans & users RBAC Tagging Scheduled scans Ad-hoc, targeted scans Multi-site scans Retest vulnerability Scan for malware Massive scalability Detection history Scheduled reports Customizable reports Swagger support Robust API CI/CD integration Unique integration w/qualys WAF Integration with manual pen testing tools 7

What's New in Qualys WAS

Scanning REST APIs Swagger is specification that describes a set of REST APIs Swagger file typically available from dev team https:// swagger.io Set Swagger file as target URL in Qualys WAS 9 https:// www.openapis.org API endpoints are automatically tested for vulnerabilities Swagger v2 JSON format currently supported

Jenkins Plugin for WAS

Manual Testing Complements WAS Dynamic application testing is one piece of the AppSec puzzle Manual penetration testing important for your businesscritical apps Qualys WAS offers: Bugcrowd integration Burp Suite integration Partnerships with consulting shops 11

Bi-directional Integration with Bugcrowd 12

Qualys WAS Burp Extension Burp Suite A quick, intuitive way to send Burp-discovered issues into WAS Provides centralized viewing/reporting of WAS detections + Burp issues Available in Burp's BApp Store 13

Qualys WAS Burp extension

WAS Enhancements, YTD April 2018 Swagger Jenkins plugin Qualys Browser Recorder Test Authentication Exclude parameters June 2018 SSTI Header injection WebLogic RCE RichFaces RCE "Spring Break" Sept 2018 Browser engine upgrade XSS Power Mode Tag apps upon import ESI injection WebSocket detection PrimeFaces RCE 2018 2019 Jan 2018 CMS vulns Multi-scan alerts Update QID mappings to 2017 OWASP Top 10 May 2018 Added CSV v2 report Add'l CMS vulns July 2018 Burp extension Results for cancelled scans Improved scan status Scan settings snapshot Retest multiple findings Oct 2018 Blueimp file upload Telerik crypto flaw 15

Qualys WAS Roadmap

WAS Roadmap 2018 2019 Feb-Mar 2019 TLS 1.3 support SSL/TLS detections Out-of-band detections Security header tests Enhanced crawling CyberArk PIM integration Dec 2018 Blind XPATH injection Improved KB search Custom report footer Burp & Bugcrowd findings added to report Ignore finding time limit "Launch Now" for scheduled report Jan 2019 Custom scan intensity Jenkins plugin v2 Q2-Q3 2019 Elasticsearch New dashboard UI modernization Support OpenAPI v3 Support Postman Collections 17

And Coming in 2019

Web Application Firewall Review

Qualys WAF Integration with WAS Architecture improvements Integration with Docker Security Improvements Roadmap standalone Roadmap Integrated Suite 20

WAS / WAF Integration: ScanTrust ScanTrust : Challenge your WAF protection Assess both the application and the policy that protects it 3. WAS Report 1. Request inspected and forwarded on server-side HTTP/S 2. WAF annotates HTTP responses with policy violations 21

WAS / WAF Integration: Virtual Patch Virtual Patch : One-click mitigation tool for CISO teams Run from within WAS to address confirmed threats

What's New in Qualys WAF

Supported Platforms Shared and Private Qualys Cloud Platforms 24

WAF Architecture Improvements Easy and Usable Architecture Virtual Reverse-Proxy Cluster-able within hybrid topologies Load-Balancing capabilities SSL/TLS cipher suite categories 25

WAF Architecture Improvements Virtual Appliance & Container (v1.5.3) XML/JSON content inspection Docker Host integration for backend automation Better performance Scheduled upgrades Orchestration via Qualys API 26

Docker Single Host Access t o docker services via unix socket s Controls : - containers (start stop delete inspect ) - networks - images (pull push delete) St ores images Container # 1 Container # 2 Container # 1 Container # 2 Web App B Web App A Web App A Web App B

Docker Multiple Hosts Access t o docker services via net w ork sockets Container # 1 Container # 1 Container # 2 Container # 1 Container # 2 Web App C Web App B Web App A Web App A Web App B

Security Improvements Custom Rules: write and manage your own filters XML/JSON inspection Virtual Patches and Event Exceptions Latency control Rewriting capabilities (headers) Qualys Rulesets and Templates DAG based inspection, programmable logic Drupal 8.0.x, Joomla 3.4.x, Magento 2.5-2.6, Wordpress 4.2.x-4.3.x JBoss 4.x-7.x, OWA 2010-2017, Sharepoint 2010-2017, Tomcat 8.0.x Qualys Generics for unknown apps 29

Qualys WAF Roadmap

WAF Roadmap - Standalone 2018 2019 Mar 2019 Templates API Generics, Microsoft ADFS, JD Edwards Q3 2019 Appliance empowered with Network Clustering Dec 2018 New Custom Rules keys +Community Library Revamped Security Events Jan 2019 Appliance Major Release (v1.6.0) TLSv1.3, HTTP/2, Improved network management capabilities Enriched CLI and local events logs Q2 2019 Customizable Dashboard Alert Reports Improved RBAC Q4 2019 Traffic Management ddos ip-reputation Bots Scraping 31

WAF Roadmap Integrated Suite 2018 2019 Mar 2019 WAS reports with ScanTrust details Q3 2019 Virtual Patch supports Burp and Bug Bounties Dec 2018 AI - Feed Application inventory with backend information Jan 2019 UD WAF widgets and queries Q2 2019 App s Sitemap v2 (WAS & WAF) ScanTrust enabled on VM Q4 2019 CV - fetch app s grade and patch SSL implementation 32

18 QUALYS SECURITY CONFERENCE 2018 Thank You Dave Ferguson - dferguson@qualys.com Remi Le Mer - rlemer@qualys.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback