WAPPLES Introduction & the Future

Similar documents
May 2014 Penta Security Systems Inc.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

The Top 6 WAF Essentials to Achieve Application Security Efficacy

GOING WHERE NO WAFS HAVE GONE BEFORE

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

OWASP TOP OWASP TOP

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Citrix NetScaler AppFirewall and Web App Security Service

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Web Application Security. Philippe Bogaerts

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Security

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Application Penetration Testing

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Application Layer Security

Your Turn to Hack the OWASP Top 10!

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Web Application Firewall

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Security Communications and Awareness

Copyright

haltdos - Web Application Firewall

Vulnerabilities in online banking applications

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

THUNDER WEB APPLICATION FIREWALL

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

SECURITY TESTING. Towards a safer web world

Managed Application Security trends and best practices in application security

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

C1: Define Security Requirements

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Citrix NetScaler Make web applications run five times better

Table of Content Security Trend

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Mitigating Security Breaches in Retail Applications WHITE PAPER

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Simplifying Application Security and Compliance with the OWASP Top 10

F5 Application Security. Radovan Gibala Field Systems Engineer

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web Application Threats and Remediation. Terry Labach, IST Security Team

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Application. Security. on line training. Academy. by Appsec Labs

Solutions Business Manager Web Application Security Assessment

IBM Security Network Protection Solutions

ShiftLeft. Real-World Runtime Protection Benchmarking

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Top 10 Web Application Vulnerabilities

Curso: Ethical Hacking and Countermeasures

Security Communications and Awareness

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Web Application Firewall Subscription on Cyberoam UTM appliances

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide

90% of data breaches are caused by software vulnerabilities.

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Q WEB APPLICATION ATTACK STATISTICS

RiskSense Attack Surface Validation for Web Applications

TIBCO Cloud Integration Security Overview

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Imperva Incapsula Website Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

6-Points Strategy to Get Your Application in Security Shape

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Applications Security

Sichere Software vom Java-Entwickler

Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Dynamic Datacenter Security Solidex, November 2009

Aguascalientes Local Chapter. Kickoff

CONTENTS. Recommendations. Prize Q & A

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution

Hacking by Numbers OWASP. The OWASP Foundation

Security Best Practices. For DNN Websites

CSWAE Certified Secure Web Application Engineer

Presentation Overview

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Welcome to the OWASP TOP 10

PCI DSS Compliance with Riverbed Stingray Traffic Manager and Stingray Application Firewall WHITE PAPER

Penta Security Systems Inc. February, 2012

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Overview. Application security - the never-ending story

Transcription:

WAPPLES Introduction & the Future March, 2011 Penta Security Systems Inc.

Table of Contents Why a Web Application Firewall? Risk on the rise Targets of web attacks Why should we care about web application attacks? What Is a Web Application Firewall? WAF is for What? FW, IDS/IPS, and WAF enabled list Boasting Top-notch WAF - WAPPLES Intelligent Web Application Firewall - WAPPLES Key Differences WAPPLES logical analytic detection engine WAPPLES Major Features Must-have Trend Cloud Computing Security 2

Why Web Application Firewall Risk on the rise! Expansion of web applications B2B, B2C, G2C, etc. Used for internal tasks as well as external services Rapid growth of web vulnerabilities 53% of all vulnerabilities disclosed in 2008 were related to web applications 1 Only 26% of known vulnerabilities are patched by the end of 2008 2 Web applications are the #1 focus of hackers: One new infected webpage is discovered every 4.5 seconds 2 SQL Injections are the #1 reported vulnerability 3 Others, 30% SQL Injection, 30% CSRF, 3% 1. IBM Internet Security Systems in 2008 X-Force Trend & Risk Report 2. Sophos, Security threat report: 2009 - Prepare for this year s new threats 3. WASC : The Web Hacking Incidents Database Cross Site Scripting (XSS), 8% Unknown, 29% 3

Why a Web Application Firewall? Targets of web attacks Injection Flaws Command execution by query Sniffing SSL redirection Web Server S/W Vulnerabilities Request Response Cross Site Scripting (XSS) Active Contents Execution Authentication / Authorization Site Structure Input Validation Attack on Application Logic 4

Why a Web Application Firewall? Why should we care about web application attacks? Security Spending % of Attacks 75% Web Applications 10% % of Dollars 25% Network Servers 90% 75% of attacks on Information Security are directed to the Web Application Layer - Gartner - 5

Why a Web Application Firewall? Web application firewall has a higher priority Web applications are the #1 focus of hackers 75% of attacks are directed at the Application layer (Gartner) SQL Injections are the #1 reported vulnerability (The web hacking incidents DB, 2008) Most websites are vulnerable 90% of websites are vulnerable to application attacks (Watchfire) 78% percent of easily exploitable vulnerabilities affect Web applications (Symantec) 80% of organizations will experience an application security incident by 2010 (Gartner) Web applications are high value targets for hackers Customer data, Credit Cards, Social Security Numbers, ID theft, fraud, website defacement, etc. Compliance requirements Payment Card Industry Standards (PCI-DSS), GLBA, HIPPA, and FISMA 6

Why a Web Application Firewall? Cost Saving Introducing a WAF is cost-saving for a company s IT resources Much more cost effective than hiring a person to manage application security manually Item Assumptions Sum <Revenue in U$> Homepage source code lines 100,000 Lines Number of vulnerabilities per source code 1,000 lines 10 1,000 Time to find and eliminate 1 vulnerability 6 hr. 6,000hr. Average working hours a day 8 hr. 750days Daily payment for engineer 150 112,500 US CERT, DEPT 7

What Is a Web Application Firewall? Application Security Is A Totally Different World Network Security Part of IT Networking Experts Product Focused 1000s of Copies Signature Based Patch Management Application Security Part of Business Units Software Experts Custom Code Focused 1 Copy of Software No Signatures Prevents Vulnerabilities Don t let anyone rely on network security techniques to gain application security 8

What Is a Web Application Firewall? WAF Is For What? Definition It executes a security analysis of the OSI 7 layer between all messages between the web server and the web client. It protects against attacks aimed at the web application. Roles Protects web servers from external attacks (service in) Protects against leakage of the web server s most important information (service out) Web Application Firewall IDS / IPS Network Firewall 9

What Is a Web Application Firewall? WAF Is For What? (Cont d) OSI 7 Layers Protection Device Web Application Firewall Based on White-list Signature Detects highly sophisticated attacks and encoded traffic Detects unknown attacks Analyzes not only protocol but also context Intrusion Detection / Prevention System Based on Black-list Signature Detects by comparing patterns of attack signatures with network traffic Cannot detect unknown attacks Network Firewall Allows/blocks the specific port of the specific IP bandwidth Does not have attack detection ability 10

What Is a Web Application Firewall? FW, IDS/IPS, and WAF enabled list Top Ten 2010* FW IDS / IPS WAF A1: Injection X O A2: Cross Site Scripting (XSS) X O A3: Broken Authentication and Session Management X O A4: Insecure Direct Object References X X O A5: Cross Site Request Forgery (CSRF) X X O A6: Security Misconfiguration X X O A7: Insecure Cryptographic Storage X X O A8: Failure to Restrict URL Access X X O A9: Insufficient Transport Layer Protection X O O A10: Unvalidated Redirects and Forwards X X O * OWASP Top Ten Web Application Security Vulnerabilities (2010) 11

Boasting Top-Notch WAF - WAPPLES Intelligent Web Application Firewall - WAPPLES PORT 23 Close PORT 80 Open Firewall WAPPLES Web Application Firewall Web Server Protection of Web Applications 12

Boasting Top-Notch WAF - WAPPLES Key Differences WAPPLES s advanced architecture and technology provides the strongest intrusion detection and protection for web applications with near 0 false positive detection and an immunity to unknown attacks. Unique Logic Based Detection Engine provides automated best of breed detection/protection capability for web applications, overcoming configuration/operation complexity (which had been the biggest barrier toward rapid growth of the WAF market, in spite of its critical importance). Commercially proven and tested solution with more than 900 customers including SMB to Large Enterprises. 9+ years of experience in WAF business 13

Boasting Top-Notch WAF - WAPPLES WAPPLES logical analytic detection engine is called COCEP COCEP stands for COntents Classification and Evaluation Processing. Logic analysis based engine is not a signature based approach. It analyzes and blocks each type of attack. 14

Boasting Top-Notch WAF - WAPPLES Our Detection Engine uses 3 evaluation mechanisms Logical analytic engine means a detection engine performs an application layer interpretation and verification based on the below 3 mechanisms: Evaluation based on Heuristic analysis Evaluation based on Semantic analysis Evaluation based on Pattern Matching WAPPLES 26 detection rules and 1 function (IP Block) can be classified as follows: Evaluation based on Heuristic Analysis Evaluation based on Semantic Analysis Cross Site Scripting Include Injection Evaluation based on Pattern Matching Buffer Overflow Directory Listing Cookie Poisoning Invalid HTTP Error Handling IP Block Invalid URI Extension Filtering Parameter Tampering Parameter Tampering File Upload Suspicious Access Privacy File Filtering Input Content Filtering URI Access Control Privacy Input Filtering IP Filtering Privacy Output Filtering Request Header Filtering SQL Injection Stealth Commanding Request Method Filtering Response Header Filtering User Defined Pattern Web Site Defacement Unicode Directory Traversal 15

Boasting Top-Notch WAF - WAPPLES WAPPLES Unique Technology Enables the Following: Higher Performance No additional system load due to the inputting of new patterns. Generally, more than 3000 patterns lead to low system performance. No difference in performance, in both test environment and real operation environment. Ease of Use and Less Maintenance Installation without (or with minimal) changes in server and network settings is possible. Extremely low management burden for administrator. Low operation cost signature update service, but S/W version update service. Visualizes Various Information Web Traffic, Hit Count, Detection Log summary Statistics for hour, day, week, month, and year Supports more than 22 visualized charts 16

Boasting Top-Notch WAF - WAPPLES WAPPLES Major Features Provides User View using Docking Capability Relocation of each window Saves User View settings Supports Quick Configuration Supports configuration by levels Simplifies complex settings 17

Certifications and Patents Korea National Intelligence Service CC Evaluation (EAL4) Registration No. NISS-2049-2010 PCI-DSS Certification Registration No. AK 50170345 0001 Patents United States: METHOD OF DETECTING A WEB APPLICATION ATTACK U.S. Application No. 12/876,820 China: METHOD OF DETECTING A WEB APPLICATION ATTACK Chinese Patent Application for Invention No. 201010287262.2 Japan: METHOD OF DETECTING A WEB APPLICATION ATTACK Japanese Patent Application No. 2010-178803 Republic of Korea: 2 patents are registered METHOD FOR DETECTING A WEB APPLICATION ATTACK 10-2010-0064363 METHOD FOR DETECTING A WEB ATTACK BASED ON A SECURITY RULE 10-2009-0077410 18

Boasting Topnotch WAF - WAPPLES Class Value Performance High-End Model WAPPLES-50 WAPPLES-100 eco WAPPLES-500 WAPPLES-1000 type2 WAPPLES-2000 WAPPLES-5000 Appearance Capacity Maximum Throughput 100 Mbps 300 Mbps 500 Mbps 2 Gbps 4 Gbps 6 Gbps HTTP Transactions/sec 3,000 9,000 15,000 30,000 50,000 70,000 SSL Transactions/sec 2,000 5,000 8,000 15,000 24,000 33,000 Hardware Form Factor 1U 1U 1U 2U 2U 2U CPU Intel Dual Core 2.5GHz Intel Quad Core 2.66GHz Intel Quad Core Xeon 2.66GHz Intel Quad Core Xeon 2.33GHz * 2 Intel Quad Core Xeon 2.66GHz *2 Intel Westmere 2.53GHz * 2 Memory 2 GB 4 GB 8 GB 8 GB 16 GB 24 GB HDD 160GB 500GB 500GB 500GB 500GB 1TB Dimensions 443mm/292mm/44.5m m 443mm/292mm/44.5m m 443mm/406mm/44.5mm 443mm/512mm/88mm 443mm/512mm/88mm 431.8mm/580mm/88mm Weight 8Kg 8Kg 11Kg 18.75Kg 18.75Kg 21KG NIC 2 x10/100/1000 BaseTX 4 x10/100/1000 BaseTX Bypass 2 x10/100/1000 BaseTX 8 x10/100/1000 BaseTX Bypass 6 x10/100/1000 BaseTX Bypass OR 2 x1000 Base Optical Bypass 2 x10/100/1000 BaseTX Bypass 8 x10/100/1000 BaseTX Bypass 2 x1000 BaseSFP (Optional) 2 x1000 Base Optical Bypass 2 x10/100/1000 BaseTX 8 x10/100/1000 BaseTX Bypass 4 x1000 BaseSFP (Optional) 2 x1000 Base Optical Bypass 2 x10/100/1000 BaseTX 8 x10/100/1000 BaseTX Bypass 4 x1000 BaseSFP 2 x1000 Base Optical Bypass (Optional) 4 x1000 Base Optical Bypass 2 x10g Base Optical Bypass Power Supply AC100~240V 50/60Hz 200W AC100~240V 50/60Hz 200W AC100~240V 50/60Hz 300W AC100~240V 50/60Hz 400W Redundant Power Supply AC100~240V 50/60Hz 400W Redundant Power Supply AC100~240V 50/60Hz 500W Redundant Power Supply 19

Must-have Trend Must-have Trend - Cloud Computing Security Web-based cloud computing All businesses (services) based on cloud computing are provided via the web: whether it is in the form of IaaS, PaaS, SaaS The service that satisfies the essential characteristics of Cloud Computing is the web (according to the Visual Model of NIST Working Definition) The web is the most appropriate and optimized interface to provide cloud computing service It s the Web! Cloud Computing Security is Web Application Security Since cloud computing is web-based, its security issues have much in common with web application security. 20

Must-have Trend Cloud Computing Security Is A No. 1 Issue Cloud computing issues : Security There are many issues related to newly-rising cloud computing: Performance, Availability, Integration, etc. Despite the existence of many issues, security sector is the most important one. The challenges/issues ascribed to the cloud /ondemand model Security Performance 63.1% 74.6% Source: IDC Enterprise Panel, August 2008 Availability 63.1% Hard to integrate with in-house IT 61.1% Not enough ability to customize 55.8% 40% 50% 60% 70% 80% 21

Must-have Trend WAPPLES Meets the Demands Cloud Computing Environment Web service User Virtual appliance(waf) V50 V500 V1000 V2000 V4000 CPU 1 Cores 2 Cores 4 Cores 8 Cores 16 Cores Performance CPS (Connection per Second) Minimum requirements per physical host <2011 Virtual Appliance Lineup> 5,000 10,000 20,000 40,000 80,000 Hypervisor Processor Memory Hard drive Network Interface Citrix XenServer 5 (update 3 or higher); VMWare ESX/ESXi 3.5 or higher Dual core server with Intel VTx 2 GB 20 GB Hypervisor supported network interface card 22

Thank you. Penta Security Systems Inc. Hanjin Shipping Bld. 20F, Seoul, Korea TEL: 82-2-780-7728 FAX: 82-2-786-5281 www.pentasecurity.com Penta Security Systems K.K. 東京都浜田区赤坂 3-2-8 アセンド赤坂 3 階 TEL: 81-3-5573-8191 FAX: 81-3-5573-8193 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback