Web Applications Security. Radovan Gibala F5 Networks

Similar documents
F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

F5 Big-IP Application Security Manager v11

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Security

F5 Application Security. Radovan Gibala Field Systems Engineer

Imperva Incapsula Website Security

Configuring BIG-IP ASM v12.1 Application Security Manager

GOING WHERE NO WAFS HAVE GONE BEFORE

Imperva Incapsula Product Overview

BIG-IP Application Security Manager : Getting Started. Version 12.1

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Web Application Firewall Subscription on Cyberoam UTM appliances

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Introduction Who needs WAF anyway? The Death of WAF? Advanced WAF Why F5?

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

Maximum Security, Zero Compromise in Availability and Performance

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Improving Security in the Application Development Life-cycle

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

RETHINKING DATA CENTER SECURITY. Reed Shipley Field Systems Engineer, CISSP State / Local Government & Education

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Vulnerability Assessment with Application Security

Comprehensive datacenter protection

Beyond Blind Defense: Gaining Insights from Proactive App Sec

Check Point DDoS Protector Introduction

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

Securing Your Microsoft Azure Virtual Networks

ADC im Cloud - Zeitalter

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

Complying with PCI DSS 3.0

Securing Your Amazon Web Services Virtual Networks

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Gladiator Incident Alert

SIEMLESS THREAT MANAGEMENT

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

A different approach to Application Security

WHITE PAPER. Best Practices for Web Application Firewall Management

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Future-ready security for small and mid-size enterprises

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

F5 Azure Cloud Try User Guide. F5 Networks, Inc. Rev. September 2016

Securing the Cloud. White Paper by Peter Silva

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

SIEM: Five Requirements that Solve the Bigger Business Issues

White paper. Keys to Oracle application acceleration: advances in delivery systems.

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

F5 Synthesis Information Session. April, 2014

Continuously Discover and Eliminate Security Risk in Production Apps

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

How were the Credit Card Numbers Published on the Web? February 19, 2004

303 BIG-IP ASM SPECIALIST

Cisco ISR G2 Management Overview

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

Key Considerations in Choosing a Web Application Firewall

CoreMax Consulting s Cyber Security Roadmap

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

User Interface. An Introductory Guide

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

Advanced Techniques for DDoS Mitigation and Web Application Defense

Cyber Security Audit & Roadmap Business Process and

The Business Case for Network Segmentation

Comodo cwatch Web Security Software Version 1.6

Application Security at Scale

Threat Control and Containment in Intelligent Networks. Philippe Roggeband - Product Manager, Security, Emerging Markets

Document version: 1.0 What's inside: Products and versions tested Important:

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Secure Development Lifecycle

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

How NOT To Get Hacked

A10 HARMONY CONTROLLER

Pulse Secure Application Delivery

SecOps : Security Operations. Saurav Sinha Head of Presales India

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

The IBM Platform Computing HPC Cloud Service. Solution Overview

Sichere Applikations- dienste

RiskSense Attack Surface Validation for Web Applications

Single-Tenant vs. Multi-Tenant Enterprise Software

New World, New IT, New Security

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

SECURE YOUR APPLICATIONS, SIMPLIFY AUTHENTICATION AND CONSOLIDATE YOUR INFRASTRUCTURE

Transcription:

Applications Security Radovan Gibala F5 Networks

How does the current situation look like?

Application Trends and Drivers ification of applications Intelligent browsers and applications Increasing regulatory requirements (PCI) Untargeted attacks BOTs Targeted attacks (D)DoS Public awareness of breach attempts and data security Tough economy = constrained resources and budgets cuts increasing security risks; reducing compliance

Almost every web application is vulnerable! 97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client side-attacks - Application Security Consortium http://www.webappsec.org/projects/statistics/ 8 out of 10 websites vulnerable to attack - WhiteHat security report http://www.whitehatsec.com/home/assets/wpstats0808.pdf 75 percent of hacks happen at the application. - Gartner Security at the Application Level 64 percent of developers are not confident in their ability to write secure applications. - Microsoft Developer Research

How much effort would the fix require?

What are the vulnerability costs? The average custom business application has 150k to 250k lines of code -- Software Magazine Every 1k lines of code averages 15 critical security defects -- U.S. Department of Defense That means there are an average of 2.25k security defects in every business application The average security defect takes 75 minutes to diagnose and 6 hours to fix -- 5-year Pentagon Study That s 2.8k hours to diagnose the defects and 13.5k hours to fix them Average worldwide cost of programmer = $40 per hour -- F5 Networks That s a cost of $112k to diagnose the defects and $540k to fix the defects k=1,000

How long to resolve a vulnerability? site Security Statistics Report

The standard way

Applications Tunnel Through Traditional Firewalls Encryption leaves network firewalls blind

Challenges of traditional solutions HTTP attacks are valid requests HTTP is stateless, application is stateful applications are unique there are no signatures for YOUR web application Good protection has to inspect the response as well Encrypted traffic facilitates attacks Organizations are living in the dark missing tools to expose/log/report HTTP attacks

Traditional Scan and Fix and Audits Scan and Fix Scanners can t find all vulnerabilities Scanners can t reverse engineer the code Scanners can t find business logic vulnerabilities When something is detected, it requires an immediate code change Not a pro-active solution Security Code Audits Extremely expensive ($25,000 for medium to small app) Requires preparation and availability of the dev team. Requires iterations of audit and fix Each fix may add more bugs to current application or may add another vulnerability We only protect from what we know, We never protect from what we don t know

The way to have your web application secure Application Firewall

Traditional Security Devices vs. WAF Known Worms Unknown Worms Known Vulnerabilities Unknown Vulnerabilities Illegal Access to -server files Forceful Browsing File/Directory Enumerations Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation Parameter Tampering Layer 7 DoS Attacks Brute Force Login Attacks App. Security and Acceleration Network Firewall Limited Limited Limited Limited Limited IPS Limited Partial Limited Limited Limited Limited Limited WAF

Value of a web application firewall? Application Security Virtually patch vulnerabilities in minutes without changing application code Reduce operation costs Ensure high application availability by stopping attacks Reduce the expenses of meeting PCI security compliance requirements by showing clean scans Streamline application delivery Cut your infrastructure costs - consolidation Get out-of-the-box application security policies with minimal configuration Improve workforce efficiency Application visibility and reporting Handle changing threats with greater agility

Comprehensive Application Security Integrated architecture with application protection and performance Attack protection from the latest web threats PCI compliance reporting Protects valuable intellectual property Smarter security and access control Visibility into attacks

Examples

Airline Inventory Vulnerable to Scraping Ryanair Forbids screen-scraping as commercial use. Major business problem Unister online travel site: Duesseldorf to London Ryanair 93.25 Euros vs. Unister 111.86 Euros, a 20% increase in price easyjet warns Expedia: 'Hands off our flights Tried to block IP address but Expedia uses millions of IP addresses Alternatives: Litigation and legal letters Ryanair sent cease and desist letters to 300 sites Ryanair wins injunction against Vtours GmBH

Automated scanner and BOT programs Remote users Dublin datacenter Frankfurt datacenter Scraping a public page or requesting private data behind login page Domino ADC Network Automated scraper Domino ADC Network Legitimate user and web scraping traffic copying or requesting data Problem Entire web site is being scraped of valuable IP information Scrapers fail to provide company s terms and updates Sites copying content end up ranking above company s for keywords Need logging and reporting on scraping

Protection from Scraping Remote users Legitimate users see data while scrapers are remediated Dublin Datacenter Frankfurt Datacenter Automated scraper Domino Network Detect requests and determine web site is being scraped Domino Network BIG-IP 8900 LTM/ASM BIG-IP 6900 LTM/ASM Comprehensive reporting on scraping attacks Solution Protects valuable intellectual property Prices are controlled and users see airline approved inventory Integrated scrape reporting for PCI compliance Avoid litigation drastically reducing legal costs

Healthcare Organization Example Need application security with SharePoint Kansas City Data Center Remote Users Medical Staff Exchange Network Hacker BIG-IP 8900 Columbus Branch Problems Availability and security Uploading test results into ftp folders, via email, etc. application traffic needs security Current network firewall unable to view attacks No one assigned to web application security Medical Staff BIG-IP 6900 Exchange

Healthcare Organization Example Fast web application security implementation Kansas City Data Center Remote Users Medical Staff Policy templates deployed SharePoint in minutes SharePoint Exchange Network Polices: attack protection - L7 DoS and Brute Force Hacker Solution BIG-IP 8900 LTM/ASM Easy security and availability Unwanted clients are remediated Desired clients are serviced Fast SharePoint deployment Pre-configured application security policies View how SharePoint is accessed and behaving Rapid rollout within compliance Cost-effective data center platform View application layer to see what's transpiring Medical Staff Application visibility and reporting: signatures, violations, URIs Columbus Branch Exchange BIG-IP 6900 LTM/ASM

EMEA Customer site Cape Town Data Center Users Linux Network Attacker ADC Problems Unaware of attacks nor ability to block them End user performance is declining Current network firewall unable to view attacks Separate solutions for acceleration and security were difficult to manage

EMEA Customer with WAF We didn t even know we were being attacked Cape Town Data Center Aware of attacks Linux Network Users BIG-IP 6900 WA LTM ASM Availability, security and acceleration on one platform Attackers Solution Unified application delivery 10x user performance increase 50% bandwidth reduction Attack and threat protection (SQL Injection, signatures) Visibility into attacks Provisioning resources to ASM during large attacks

EMEA Customer with WAF Fast and secure Cape Town Data Center Attacks mitigated Attacker Linux Network Users BIG-IP 6900 WA WA LTM ASM ASM Automatically adjusts between CPUs loads for cluster multi processing Solution On Demand service provisioning Allocate resources to other application delivery services Attack and threat protection (SQL Injection, signatures) Burst and accelerate applications to meet user demands Dynamic Content Caching 80-90% of page loads ASM and WA pre-configured policies

Fortune 500 Financial applications are vulnerable Remote Users New York Data Center Hacker Zurich Data Center Domino Network Domino Network ADC ADC Executive Problem Banking services are important but. Brute Force login attacks are rendering our web sites ineffective Inability to access information due to Layer 7 DoS attacks Slow response times from attacks overloading web servers Unable to view the attack source or slow the requests

Fortune 500 Financial Application protection from attacks Remote Users Legitimate users gain access while hackers are blocked New York Data Center Zurich Data Center and Branch Downtime averted Hacker IP address automatically identified and throttled Domino Network Domino Network BIG-IP 8900 ASM Polices: Attack Prevention Brute Force and L7 DoS BIG-IP 6900 Identify attacks based on ASM detection and three prevention methods Solution Unwanted clients are remediated and desired clients are serviced Improved application availability Focus on higher value productivity while automatic controls intervene Helps companies achieve security standards compliance

Děkujeme za pozornost. Radovan Gibala F5 Networks r.gibala@f5.com 16. února 2011? PROSTOR PRO OTÁZKY

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback