The Top 6 WAF Essentials to Achieve Application Security Efficacy

Similar documents
Complying with PCI DSS 3.0

Citrix NetScaler AppFirewall and Web App Security Service

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Key Considerations in Choosing a Web Application Firewall

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Security

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Security Solutions. Overview. Business Needs

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

ForeScout ControlFabric TM Architecture

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

with Advanced Protection

PCI DSS Compliance. White Paper Parallels Remote Application Server

WHITE PAPER. Best Practices for Web Application Firewall Management

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

CloudSOC and Security.cloud for Microsoft Office 365

ShiftLeft. Real-World Runtime Protection Benchmarking

Web Application Firewall Subscription on Cyberoam UTM appliances

Network Security Protection Alternatives for the Cloud

OWASP Top 10 The Ten Most Critical Web Application Security Risks

GOING WHERE NO WAFS HAVE GONE BEFORE

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

AKAMAI CLOUD SECURITY SOLUTIONS

F5 Application Security. Radovan Gibala Field Systems Engineer

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

SIEMLESS THREAT DETECTION FOR AWS

Security Communications and Awareness

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Comprehensive datacenter protection

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Simple and Powerful Security for PCI DSS

Will you be PCI DSS Compliant by September 2010?

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Copyright

Advanced Threat Protection Buyer s Guide GUIDANCE TO ADVANCE YOUR ORGANIZATION S SECURITY POSTURE

Security Communications and Awareness

SECURITY TESTING. Towards a safer web world

Enterprise D/DoS Mitigation Solution offering

Building Resilience in a Digital Enterprise

SIEMLESS THREAT MANAGEMENT

BUILDING A NEXT-GENERATION FIREWALL

90% of data breaches are caused by software vulnerabilities.

TRUE SECURITY-AS-A-SERVICE

The Need For A New IT Security Architecture: Global Study On The Risk Of Outdated Technologies

Total Security Management PCI DSS Compliance Guide

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Imperva Incapsula Website Security

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Evaluation Criteria for Web Application Firewalls

Vulnerability Assessment with Application Security

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

IBM Cloud Internet Services: Optimizing security to protect your web applications

The Honest Advantage

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

PT Unified Application Security Enforcement. ptsecurity.com

Imperva Incapsula Product Overview

Continuously Discover and Eliminate Security Risk in Production Apps

PrecisionAccess Trusted Access Control

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

CipherCloud CASB+ Connector for ServiceNow

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

Dynamic Datacenter Security Solidex, November 2009

SoftLayer Security and Compliance:

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Privileged Account Security: A Balanced Approach to Securing Unix Environments

The threat landscape is constantly

SECURITY PRACTICES OVERVIEW

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

6 Vulnerabilities of the Retail Payment Ecosystem

Overview. Application security - the never-ending story

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

haltdos - Web Application Firewall

Verizon Software Defined Perimeter (SDP).

C1: Define Security Requirements

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Shortcut guide to Web application firewall deployment

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Comprehensive Database Security

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

Information Security Controls Policy

Office 365 Buyers Guide: Best Practices for Securing Office 365

epldt Web Builder Security March 2017

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Keys to a more secure data environment

OWASP TOP OWASP TOP

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Transcription:

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and employee productivity. The fact is, people need to be able to work whenever and however they need to meaning any location, device, or network without being frustrated by an overly constrained or complex user experience. At the same time, it s essential to protect enterprise apps and data from being compromised by security threats, and ensure full compliance with standards and regulations. As organizations continue to build and buy web applications, and more of these apps move to the cloud, maintaining a high level of application protection is getting increasingly difficult. The security perimeter is changing and is no longer the edge of the data center. This creates tremendous vulnerabilities to your network and applications, creating a heightened need for protection against a range of cyber threats. Web app attacks represented 40% of breaches in 2015 40% WhiteHat Security Web Applications Security Statistics Report 2016 The solution used to secure web applications and combat these security risks is a web application firewall, or WAF. This ebook will delve into what a WAF is, why it is important, and the six essential features your WAF should have to maintain the highest levels of security efficacy for your organization s application delivery infrastructure. 2 The Top 6 WAF Essentials to Achieve Application Security Efficacy

The Evolution of the Web Application Firewall Firewalls have significantly improved the overall security posture of organizations since they first came on the scene back in the late 1980s. Developed in the early 1990s, web application firewalls (WAFs) were a new species of firewall initially created to respond to threats beyond the scope of traditional firewalls. These threats were difficult to defend against because they utilized authorized protocols (such as HTTP), but attacked the application or underlying infrastructure over that protocol. This was especially dangerous because hackers could attack over trusted protocols to directly compromise systems and steal information, effectively bypassing traditional firewall security. In contrast to regular firewalls, which are designed to restrict access to specific ports, or deny service to unauthorized people, WAFs are much more intelligent. They examine every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service requests to identify attack signatures and abnormal behavior patterns within incoming traffic to a web application. Simply put, whereas network firewalls defend the perimeter of the network, WAFs sit between the web client and web server, analyzing application-layer traffic for violations in the programmed security policy. This positions the WAF to detect whether an application is not behaving the way it was designed to, and enables you to write specific rules to prevent attacks from reoccurring. It is also important to differentiate a WAF from a next-generation firewall or NGFW. A WAF is intended to inspect the application traffic on a narrow protocol scope and focus only on that traffic. A NGFW is a comprehensive product to replace or augment existing network firewalls. 3 The Top 6 WAF Essentials to Achieve Application Security Efficacy

Why Web Application Firewalls Are Critical to Security Every day, thousands of businesses, from the small town bank to the largest enterprise, rely on their web presence to bring in revenue and keep the company moving. WAFs protect this presence by providing essential protection to data and services to help avoid loss of direct revenue, negative impacts to customer confidence, and concerns about sensitive data breaches. Without WAF security, application vulnerabilities can be exploited to conduct a range of actions anything from crashing apps, to taking shell control to corrupt databases. In effect, an application compromise can spell big financial and reputational damage to a breached organization. Because of the nature of web security and how it constantly evolves, it is increasingly difficult to integrate comprehensive security into applications and keep them up-to-date. Having a WAF helps here in two ways: It protects against known threats and it monitors the application layer to identify and protect against new, previously unknown threats. Data Center/ On Premise Private Cloud User Web Traffic Web Application Firewall Web Traffic Hybrid Environment Requests web application Identifies and blocks malicious traffic Public Cloud Public Cloud In short, whether you re conducting business with an online vendor through their web services, or delivering apps to your workforce, WAFs provide the application security you need to dispel risks posed by modern security threats. 4 The Top 6 WAF Essentials to Achieve Application Security Efficacy

Top Six Things to Look for in a Web Application Firewall Solution When selecting a WAF solution to protect your applications, you should prioritize the following features to achieve application security efficacy. 1 Protection Against The OWASP Top 10 OWASP or Open Web Applications Security Project, is an open software security community collecting, among other things, the list of top attacks against web servers. The OWASP Top 10 1 Injection Your WAF must protect web applications and servers from the OWASP Top 10 to ensure security against the most prevalent application attacks. The effectiveness of a WAF solution s security against the OWASP Top 10 is difficult to discern without testing. Seeking research testing and validation from a trusted organization is a reliable way to gain insight into the effectiveness of leading WAFs in the market. Consider reviewing the Security Value Map (SVM) and Comparative Analysis Report (CAR) series by NSS Labs, which evaluates leading WAF products on their ability to prevent intrusions, and detect and mitigate threats. 2 3 4 5 6 7 8 9 10 Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards 5 The Top 6 WAF Essentials to Achieve Application Security Efficacy

2 Protection Against Known and Unknown Attacks Your WAF should support both a positive and a negative security model. A negative security model is easy to deploy because it protects against known exploits. A positive security model denies all transactions by default, but uses rules to allow only those transactions that are known to be valid and safe. This approach is more efficient (fewer rules to process per transaction) and more secure, but it requires very good understanding of the applications being protected. Negative Model Hybrid Model Positive Model Apply signatures for known attacks Protect against known and unknown threats Learn application environment to protect against unknown attacks 6 The Top 6 WAF Essentials to Achieve Application Security Efficacy

3 PCI DSS Compliance Malicious attacks designed to steal sensitive credit card information are increasing, with more and more security breaches and data thefts occurring daily. PCI DSS requirements have been revised in an attempt to prevent these types of attacks and keep customer data secure. If your organization works with, processes, or stores sensitive credit card information, you must comply with PCI DSS requirements. You must strengthen your security posture by protecting your critical web applications, which are often easy pathways for malicious attackers to gain access to sensitive cardholder data. While you can adhere to PCI DSS standards by deploying a vulnerability scanner or a WAF, the most effective solution is to integrate the data from scanning technology with the attackmitigation power of a WAF. The WAF you invest in should identify, isolate, and block sophisticated attacks without impacting legitimate application transactions. In addition, your WAF should offer PCI reporting, which determines if compliance regulations are being met, and if they are not, details the steps required to become compliant. Of all the data breaches investigated over the last ten years, not a single company has been found to be PCI compliant at the time of the breach. Verizon 2015 PCI Compliance Report 7 The Top 6 WAF Essentials to Achieve Application Security Efficacy

4 High Performance Without Negative Impact Performance is key when it comes to a WAF. The WAF you choose should not impact the performance of existing infrastructures, including application and network devices. This means that even though the WAF acts as the security proxy to the application, the application continues to transact the data without suffering from a backlog of requests and does not collapse under heavy loads. The application should behave as though no WAF is present. And from the end user perspective, the WAF should be completely transparent. Users should not experience any noticeable delay or hindrance of service. User Web Application Firewall Apps 8 The Top 6 WAF Essentials to Achieve Application Security Efficacy

5 Centralized Management Centralized management is crucial when you re dealing with web application infrastructure that is distributed in different environments, and especially across the globe. You want to be able to manage different WAF appliances without needing to connect to each appliance separately. This means your WAF solution needs to integrate with a Centrallized Management platform, allowing you to build, maintain, and enforce a unified security policy across your entire organization. Data Center/ On Premise Cloud Centralized Management 9 The Top 6 WAF Essentials to Achieve Application Security Efficacy

6 Application Vulnerability Prevention Web application vulnerabilities are among the most common causes of data breaches. Vulnerabilities unique to each application leave companies web infrastructures exposed to attacks such as cross-site scripting, SQL injections, cookie poisoning, and others. When defects and vulnerabilities are found in software code, your WAF should rapidly apply fixes (virtual patches) to prevent exploitation by an attacker. This virtual patching requires no immediate changes to the software, and it allows organizations to secure applications immediately and in some cases, automatically upon dynamic application testing. Virtual patches are a key component of a strong WAF, often requiring integration with a vulnerability scanner. In addition, your WAF solution should integrate with points such as security information event management systems (SIEM), log retention systems, identity management, incident management, and application scanners to provide layered and automated security. 97% of applications tested by Trustwave in 2015 contain at least one vulnerability. 97% 2016 Trustwave Global Security Report 10 The Top 6 WAF Essentials to Achieve Application Security Efficacy

Meet NetScaler AppFirewall: The Industry Leading WAF that Integrates with NetScaler ADC to Ensure Application Security Efficacy NetScaler AppFirewall is a comprehensive full function ICSA, Common Criteria, FIPS-certified web application firewall that analyzes all bi-directional traffic, including SSL-encrypted communication, to protect against a broad range of security threats without any modifications to applications. It offers protection from a number of different known and unknown threats and has the ability to perform deep-packet inspection of HTTP, HTTPS, and XML as well as protection against the OWASP Top 10. NetScaler AppFirewall is available both as a standalone appliance and as a WAF solution tightly integrated into the NetScaler ADC platform, and is available across its various form factors including physical, virtual, and containerized. This gives you the flexibility to deploy different form factors based on different needs NetScaler standalone AppFirewall provides the highest throughput in the industry at 44 Gbps, and according to NSS Labs, NetScaler AppFirewall is the recommended leader in the WAF market today with the best price to performance ratio. 11 The Top 6 WAF Essentials to Achieve Application Security Efficacy

NetScaler AppFirewall can be used in conjunction with NetScaler Security Insight a powerful security management, reporting, and analytics solution that is part of NetScaler Management and Analytics System to provide an overall view of security posture, a summary of factors contributing to the level of threat imposed on applications, and actionable data that security teams can use to mitigate security risks, maintain integrity, and achieve compliance. Citrix NetScaler AppFirewall is the only WAF that gives you the performance and essential features you need, so you can say yes to digital transformation and application security efficacy. Learn more about Citrix NetScaler AppFirewall www.citrix.com/products/netscaler-appfirewall 12 The Top 6 WAF Essentials to Achieve Application Security Efficacy

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback