F5 Application Security. Radovan Gibala Field Systems Engineer


1 F5 Application Security Radovan Gibala Field Systems Engineer r.gibala@f5.com +420 731 137 223 2007

2 Agenda
- Challenge Websecurity: what are the problems?
- Building blocks of web applications
- Vulnerabilities and protection strategies
- Websecurity with a Web Application Firewall (WAF): security policy setups, deployment methods
- Attacking the application
- How to mitigate the risk in web applications with ASM

3 Market Trends
- Webalization of critical applications: mission-critical applications (ERP, CRM, SCM) with access from the Internet; business-critical applications
- Advantages of voice, data and video integration: profitability increase
- Data centre consolidation: centralization of applications and access from the Internet
- XML-based web services: B2B business processes over web services / XML
- Mobile applications: access and usage of applications from mobile (private?) devices

4 Security's Gaping Hole: 64% of the 10 million security incidents tracked targeted port 80. (Source: Information Week)

5 Web Application Security
Perimeter security is strong, but port 80 and port 443 are open to web traffic. Attacks now look to exploit application vulnerabilities: buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering, forced access to information. What leaks out in return: noncompliant information and infrastructural intelligence. High information density = high-value attack.

6 Why Are Web Applications Vulnerable?
- New code written to best-practice methodology, but not tested properly
- New type of attack not protected by the current methodology
- New code written in a hurry due to business pressures
- Code written by third parties: badly documented, poorly tested, third party not available
- Flaws in third-party infrastructure elements
- Session-less web applications written with a client-server mentality

7 Solution Sentences for Application Security
- Make bug-free applications
- Network firewalls + marketing tools in the web servers
- Infrastructure solutions

8 Traditional Alternative: Rely Exclusively on the Developer
Everything is expected from the application developer: application logic, application patching, application optimization, application security, application scalability, application integration, application availability, application performance ("1+1=2").

9 Web Application Protection Strategy
- Best-practice design methods: only protects against known vulnerabilities; difficult to enforce, especially with subcontracted code; only periodically updated, large exposure window
- Automated & targeted testing of web apps: done periodically, only as good as the last test; only checks for known vulnerabilities; does it find everything?
- Web Application Firewall: real-time 24 x 7 protection; enforces best-practice methodology; allows immediate protection against new vulnerabilities

10 Web Applications Increasingly Under Attack
- High information density in the core
- Flaws in applications & 3rd-party software
- Traditional security does not protect web apps: gaping hole in perimeter security for web traffic
SANS (November 2006), Top Vulnerabilities in Cross-Platform Applications: C1. Backup Software; C2. Anti-virus Software; C3. PHP-based Applications (50% of all Apache installations worldwide use PHP!); C4. Database Software; ... C6. DNS Software; ... C9. Mozilla and Firefox Browsers; ...

11 Application Security Lacks Test... or: The Point of Truth
Simple version: does your WAF discover that the price of an item in an online shop was changed?
Technical version: OWASP Top Ten ( http://www.owasp.org/index.php/owasp_top_ten_project ): Unvalidated Input; Broken Access Control; Broken Authentication and Session Management; Cross Site Scripting; Buffer Overflow; Injection Flaws; Improper Error Handling; Insecure Storage; Application Denial of Service; Insecure Configuration Management

12 OWASP Top 10 / January 2007
A1 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.

13 n-tier Web Application Layer

14 Where does Application Security make Sense?
Option 1: BIG-IP LTM + Application Security Manager (application layer security, acceleration & availability)
  Pros: application fluent; already used as SSL proxy for applications; high-performance Layer 7 processing; stronger support for L7 protocol validation; perfect location directly in front of applications and servers
  Cons: less focus on Layer 2/3 security; less focus on SSL
Option 2: Router (network layer security: routing, ACL, packet filtering)
  Pros: first point of entry
  Cons: zero application fluency; wrong location; no support for SSL; too little and expensive processing power
Option 3: Network Firewall (session layer security: stateful inspection)
  Pros: experienced in network security; has some session & application protocol awareness
  Cons: no application fluency; out in the DMZ / wrong location; not optimized for L7 processing; cannot filter encrypted content
Option 4: Application core functionality (application server, database)
  Pros: very specific to each application type and vendor
  Cons: complex to manage; costly to implement inside each application; error-prone; inefficient and reactive
Gartner Research: "A combined application delivery controller and Web application firewall, rather than stand-alone products, provides a single-vendor relationship and performance improvements."

15 Traditional Security Doesn't Protect Web Applications: looking at the wrong thing in the wrong place
Threats compared: known web worms, unknown web worms, known web vulnerabilities, unknown web vulnerabilities, illegal access to web-server files, forceful browsing, file/directory enumerations, buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering.
Coverage matrix columns: Application Firewall, Network Firewall, IPS (the Network Firewall and IPS columns each carry only three marks against this list).

16 Application Security with a WAF
The WAF sits between the browser and the application: it stops bad requests (unauthorised access, noncompliant information, infrastructural intelligence) and allows legitimate requests.
- Bi-directional: inbound protection from generalised & targeted attacks; outbound content scrubbing & application cloaking
- Application content & context aware
- High performance, low latency, high availability, high security
- Policy-based full proxy with deep inspection & Java support
- Positive security augmenting negative security
- Central point of application security enforcement

17 Application Security with a WAF: Intelligent Decisions
Allow only good application behaviour (positive security). Traffic from the browser is judged against a definition of good and bad behaviour.

18 Negative vs. Positive Security Model
Negative security model: block known attacks; everything else is allowed. Patch implementation is quick and easy (protection against day-zero attacks).
Positive security model: (automatic) analysis of the web application; allow wanted transactions; everything else is denied. Implicit security against new, yet unknown attacks (day-zero attacks).

19 Flexible Policy Granularity
Search for: command injection. A single quote is a command delimiter, so best practice is to disallow it from parameters wherever possible; this is easiest to achieve with a generic policy applied to the whole site. BUT... User Name: O'Connor. A single quote is needed in some parameters, so you need to be able to selectively relax the policy (e.g. single quote allowed in this parameter) and to limit its use within the relaxed policy (e.g. only one single quote allowed in this parameter).
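The negative/positive distinction of slide 18 and the selective relaxation of slide 19 are easiest to see in a small policy engine. The following is an added example written for this page, not F5 ASM code: the attack signatures, the generic character class and the `username` override are all constructed here, and the policy objects are a hypothetical representation, not ASM's configuration format. The negative model blocks only what matches a signature; the positive model accepts only what matches the per-parameter rule, with the site-wide rule forbidding every single quote and the user-name field relaxed to exactly one.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Negative model: block what matches a known-bad signature, allow everything else.
# These two signatures are constructed for the example, not F5 ASM's signature set.
NEGATIVE_SIGNATURES = [
    ("injection-marker", re.compile(r"'\s*(or|and)\s+|--|;", re.IGNORECASE)),
    ("shell-metachar", re.compile(r"[|`$]")),
]

@dataclass
class ParamRule:
    """Positive-model rule for one parameter: what a legitimate value looks like."""
    pattern: re.Pattern         # allowed character set, matched against the whole value
    max_len: int
    max_single_quotes: int = 0  # relaxation: how many ' this parameter may contain

@dataclass
class Policy:
    generic: ParamRule                                             # site-wide default rule
    overrides: Dict[str, ParamRule] = field(default_factory=dict)  # per-parameter relaxation

# Generic policy for the whole site: no single quote anywhere (the best-practice default).
GENERIC = ParamRule(re.compile(r"[A-Za-z0-9 ._@-]*"), max_len=64)

# Selective relaxation: the user-name field must accept O'Connor, but only one quote.
DEMO_POLICY = Policy(
    generic=GENERIC,
    overrides={"username": ParamRule(re.compile(r"[A-Za-z' -]*"), max_len=40, max_single_quotes=1)},
)

def negative_check(value: str):
    """Return the name of the first matching attack signature, or None."""
    for name, rx in NEGATIVE_SIGNATURES:
        if rx.search(value):
            return name
    return None

def positive_check(policy: Policy, name: str, value: str) -> List[str]:
    """Return the positive-model violations for one parameter (empty list = conforms)."""
    rule = policy.overrides.get(name, policy.generic)
    problems = []
    if len(value) > rule.max_len:
        problems.append(f"length {len(value)} > {rule.max_len}")
    if not rule.pattern.fullmatch(value):
        problems.append("value outside allowed character set")
    quotes = value.count("'")
    if quotes > rule.max_single_quotes:
        problems.append(f"{quotes} single quote(s) > {rule.max_single_quotes} allowed")
    return problems

def check_request(params: Dict[str, str], policy: Policy = DEMO_POLICY) -> List[Tuple[str, str]]:
    """Run both models over every parameter; an empty list means the request is allowed."""
    violations = []
    for name, value in params.items():
        sig = negative_check(value)
        if sig:
            violations.append((name, "signature:" + sig))
        for problem in positive_check(policy, name, value):
            violations.append((name, problem))
    return violations

if __name__ == "__main__":
    samples = ({"username": "O'Connor"}, {"username": "O'Con'nor"},
               {"comment": "it's fine"}, {"username": "' or 1=1 --"})
    for sample in samples:
        print(sample, "->", check_request(sample) or "allowed")
```

Note what each model catches: `O'Connor` passes both, the classic tautology string trips the signature and the character class at once, and `it's fine` in an unrelaxed parameter is stopped by the positive rule alone even though no signature matches it, which is the slide's point about implicit protection against attacks the signature list has never seen.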

20 Support of dynamic values

21 Example: SAP Application
- Protect the session information in the URI: https://saptest.xyz.de/sap(bd1kzszjptaxma==)/...
- Protect dynamic parameter names and values: &Tdokfilter_subdok_dokstrukturK2_Y123456789103459 185=F

22 Selective Application Flow Enforcement
- Login page (Username, Password): ALLOWED. Should a direct request be a violation? The user may have bookmarked the page! Unnecessarily enforcing flow can lead to false positives.
- Transfer page (From Acc., To Acc.) and confirmation ($ Amount, Transfer): VIOLATION when reached out of flow. This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
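The two halves of slide 22, bookmarkable entry points with no flow enforcement beside a financial transaction with strict flow and parameter validation, can be expressed as a small per-session state machine. This is an added example written for this page, not ASM's flow-enforcement implementation: the paths `/login`, `/help`, `/transfer/select` and `/transfer/confirm`, the account-number and amount patterns, and the `Session` object are all hypothetical, and the example assumes the application itself verifies the login credentials.

```python
import re

# Constructed flow policy for a banking-style site (hypothetical paths, not an ASM config).
ENTRY_POINTS = {"/", "/help", "/login"}             # bookmarkable: no flow enforced
FLOW = {                                            # protected section: allowed previous pages
    "/transfer/select": {"/login"},                 # From Acc. / To Acc. page
    "/transfer/confirm": {"/transfer/select"},      # $ Amount / Transfer
}
REQUIRED_PARAMS = {                                 # strict parameter validation, whole-value regex
    "/transfer/select": {},
    "/transfer/confirm": {"from_acc": r"\d{8}", "to_acc": r"\d{8}", "amount": r"\d{1,7}(\.\d{2})?"},
}

class Session:
    """Per-user state the WAF keeps between requests."""
    def __init__(self):
        self.authenticated = False
        self.last_page = None

def handle(session: Session, path: str, params: dict):
    """Decide one request; returns (decision, reason) and advances the session on ALLOWED."""
    if path in ENTRY_POINTS:
        # A direct hit on an entry point is fine: the user may simply have bookmarked it.
        if path == "/login" and "username" in params and "password" in params:
            session.authenticated = True   # assumption: the application verified the credentials
        session.last_page = path
        return ("ALLOWED", "entry point, flow not enforced")
    if path not in FLOW:
        return ("VIOLATION", "unknown object")       # positive model: undefined pages are denied
    if not session.authenticated:
        return ("VIOLATION", "protected section requires authentication")
    if session.last_page not in FLOW[path]:
        return ("VIOLATION", "out of flow: expected previous page in " + ", ".join(sorted(FLOW[path])))
    for name, pattern in REQUIRED_PARAMS[path].items():
        value = params.get(name)
        if value is None or not re.fullmatch(pattern, value):
            return ("VIOLATION", f"parameter {name} missing or invalid")
    session.last_page = path
    return ("ALLOWED", "flow and parameters valid")

if __name__ == "__main__":
    s = Session()
    transfer = {"from_acc": "12345678", "to_acc": "87654321", "amount": "100.00"}
    for path, params in (("/help", {}), ("/login", {"username": "alice", "password": "pw"}),
                         ("/transfer/confirm", transfer), ("/transfer/select", {}),
                         ("/transfer/confirm", transfer)):
        print(path, "->", handle(s, path, params))
```

A rejected request deliberately leaves `last_page` untouched, so one tampered submission (a negative amount, a missing account) does not knock the user out of an otherwise valid flow; the bookmark case is handled by keeping the entry points out of `FLOW` entirely rather than by relaxing the checks on the transaction pages.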

23 XML Firewall
- Well-formedness validation
- Schema/WSDL validation
- Method selection
- Attack signatures for XML platforms
- Backend parser protection
- XML islands application protection
- Full request logging
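Several of the XML firewall checks listed on slide 23 can be shown in one inspection routine. The following is an added example for this page, not ASM's XML profile: the service description (`GetQuote`, `PlaceOrder` and their required child elements), the size and nesting limits and the request bodies are all constructed here. It performs the well-formedness check with the standard-library parser, implements method selection on the root element's local name, rejects DTD and entity declarations before any backend parser sees them, and uses a required-element map as a lightweight stand-in for the schema/WSDL validation a real deployment would do against the service's schema.

```python
import xml.etree.ElementTree as ET

# Constructed service description (hypothetical; a real deployment would carry the WSDL/schema).
ALLOWED_METHODS = {"GetQuote": {"symbol"}, "PlaceOrder": {"symbol", "quantity"}}
MAX_BYTES = 64 * 1024
MAX_DEPTH = 8

def _depth(element, current=1):
    """Nesting depth of an element tree (root counts as 1)."""
    return max([_depth(child, current + 1) for child in element] or [current])

def _local_name(tag):
    """Strip an '{namespace}' prefix so namespaced and plain requests compare alike."""
    return tag.rsplit("}", 1)[-1]

def inspect_xml(body: bytes):
    """Return ("ALLOWED", method) or ("VIOLATION", reason) for one XML request body."""
    if len(body) > MAX_BYTES:
        return ("VIOLATION", "body larger than policy limit")
    # Backend parser protection: refuse DTDs and entity declarations outright
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ("VIOLATION", "DTD or entity declaration not permitted")
    try:
        root = ET.fromstring(body)            # well-formedness check
    except ET.ParseError as exc:
        return ("VIOLATION", f"not well-formed: {exc}")
    if _depth(root) > MAX_DEPTH:
        return ("VIOLATION", "nesting deeper than policy limit")
    method = _local_name(root.tag)            # method selection
    if method not in ALLOWED_METHODS:
        return ("VIOLATION", f"method {method} not allowed")
    present = {_local_name(child.tag) for child in root}
    missing = ALLOWED_METHODS[method] - present   # stand-in for schema validation
    if missing:
        return ("VIOLATION", f"{method} missing required element {', '.join(sorted(missing))}")
    return ("ALLOWED", method)

if __name__ == "__main__":
    # Constructed request bodies: one legitimate, then malformed, entity-bearing, unknown method
    for body in (b"<GetQuote><symbol>FFIV</symbol></GetQuote>",
                 b"<GetQuote><symbol>",
                 b'<!DOCTYPE x [<!ENTITY a "aaaa">]><GetQuote>&a;</GetQuote>',
                 b"<DeleteAll/>"):
        print(body[:40], "->", inspect_xml(body))
```

The order of the checks matters: size and declaration screening run on the raw bytes, so an entity-expansion payload is refused before the parser allocates anything, and the depth limit bounds the recursion the backend would otherwise face on a deeply nested document.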

24 Flexible Policy Granularity
Generic policies (policy per object type): low number of policies; quick to implement; requires little change management; can't take application flow into account.
Specific policies (policy per object): high number of policies; more time to implement; requires a change-management policy; can enforce application flow; tightest possible security; protects dynamic values.
The optimum policy is often a hybrid.

25 Flexible Deployment Options
Policy tightening, from the typical standard starting point towards a tighter security posture: object types, then object names, parameter names, parameter values, object flows.
Policy-building tools: trusted IP learning, live traffic learning, crawler, negative RegEx template, policy tightening suggestions.

26 WAF deployment with the BIG-IP LTM & ASM
Internet, then firewall, then BIG-IP with ASM, then web servers; management access via browser. ASM = Application Security Manager.

27 Link Collection
- Overall: www.f5.com
- Technical: www.f5.com, ask.f5.com, devcentral.f5.com
- F5 University: www.f5university.com/ (Login: your email; Password: adv5tech)
- Partner Information: www.f5.com/partners, www.f5.com/training_services/certification/certfaq.html
- Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at:
- Deployment: http://www.f5.com/solutions/deployment/
- Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
- Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
- Application Briefs: http://www.f5.com/solutions/applications/
- Solution Briefs: http://www.f5.com/solutions/sb/
- F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
- F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/icontrol/
- F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or have any further questions.

28 F5 is the Global Leader in Application Delivery Networking
Users (at home, in the office, on the road) reach the data centre (SAP, Microsoft, Oracle) through the Application Delivery Network. Business goal: achieve these objectives in the most operationally efficient manner.
