Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers use methods that are specifically aimed at exploiting potential weak spots in the web application software itself, which is why they are not detected, or not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for web applications that are already in production, is offered by what is still an emerging category of IT security systems known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.
9. What is this?
Security Hole in our Web App!!!
Let’s fix it using a Web Application Firewall (WAF)! ;-)
But HOW ON EARTH do I deploy a WAF correctly?
OWASP 2
10. Big “Thank you!!!” to the Authors
Maximilian Dermann, Lufthansa Technik AG
Mirko Dziadzka, art of defence GmbH
Boris Hemkemeier, OWASP German Chapter
Achim Hoffmann, SecureNet GmbH
Alexander Meisel, art of defence GmbH
Matthias Rohr, SecureNet GmbH
Thomas Schreiber, SecureNet GmbH
11. Contents
Introduction and aim
Characteristics of web apps with regards to security
Overview of what WAFs can do
Benefits and risks of WAFs
Protection against the OWASP TOP 10 (App vs. WAF vs. Policy)
Criteria for deciding whether or not to use WAFs
Best practices for introduction and operation of WAFs
12. Introduction and aim
Introduction
– Online Businesses
– Weak spot HTTP
– Reference to PCI DSS
Definition of the term “Web Application Firewall”
– NOT a Network Firewall
– Not only Hardware
Targeted audience
– Technical decision-makers
– People responsible for operations and security
– Application Owners
13. Characteristics of web applications with regards to security
Higher level aspects in the company
– Prioritizing Web Apps in regard to their importance
  – Access to personal customer data
  – Access to (confidential) company information
  – Image loss
– Certifications
Technical Aspects
– Test and quality assurance
– Documentation
– Vendor-Contracts
14. Overview of what WAFs can do
Where do WAFs fit into the Web App Sec field
– WAFs are part of a solution
Main benefits of a WAF
Additional functionality
What can be achieved with WAFs
– Table with (wanted) functionality
  – examples: CSRF, Session fixation, *-Injection
– Rating / Evaluation:
  +  can be implemented very well using a WAF
  -  cannot be implemented using a WAF
  !  depends on the WAF/application/requirements
  =  can partly be implemented with a WAF
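As an added example (Python; not from the slides, the OWASP paper, or any WAF product), the following sketch shows how a WAF can supply CSRF protection, one of the functions rated "+" above, entirely in the proxy layer without touching the application: on the way out it injects a hidden token into every form the application returns, on the way in it requires that token on state-changing requests, bound to the session cookie via an HMAC so the WAF needs no token store. The names WAF_SECRET, protect_response and check_request, the secret value and the sample page are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Secret known only to the WAF. Constructed for this example; a real
# deployment would load it from the WAF's key store, not hard-code it.
WAF_SECRET = b"waf-csrf-demo-secret"
FORM_TAG = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token(session_id: str) -> str:
    """Per-session token derived with HMAC-SHA256, so the WAF keeps no state."""
    return hmac.new(WAF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def protect_response(session_id: str, html: str) -> str:
    """Outbound direction: append a hidden token field after every <form ...> tag.

    The application's HTML is rewritten in transit; the application itself is
    not changed, which is the point of doing this in a WAF.
    """
    field = '<input type="hidden" name="waf_csrf" value="%s">' % csrf_token(session_id)
    return FORM_TAG.sub(lambda m: m.group(0) + field, html)


def check_request(method: str, session_id: Optional[str], body: str) -> Tuple[bool, str]:
    """Inbound direction: a state-changing request must carry its session's token.

    Returns (allowed, reason) so the WAF can log why a request was dropped.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    if not session_id:
        # Nothing to bind the token to. A real deployment has to decide here
        # how to treat pre-login forms (e.g. the login form itself).
        return False, "no session cookie"
    presented = parse_qs(body).get("waf_csrf", [""])[0]
    if hmac.compare_digest(presented, csrf_token(session_id)):
        return True, "token valid"
    return False, "missing or invalid CSRF token"


if __name__ == "__main__":
    # Constructed application response and a constructed cross-site request.
    page = protect_response("sess-A", '<form method="post" action="/transfer"><input name="to"></form>')
    print(page)
    print(check_request("POST", "sess-A", "to=bob&waf_csrf=" + csrf_token("sess-A")))
    print(check_request("POST", "sess-A", "to=bob"))  # forged request without token
```

The caveat behind the "!" rating is visible in the code: the rewrite only sees forms that arrive as HTML in a response. Forms built client-side by JavaScript, XHR calls with JSON bodies and multipart uploads are not covered by this simple version, so whether a WAF can take over CSRF protection completely depends on how the application is built.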
16. Benefits and risks of WAFs (I)
Main benefits of WAFs
– Base line security
– Compliance
– Just-in-time patching of problems
Additional benefits (depending on functionality)
– Central reporting and error logging
– SSL termination
– URL-Encryption
– ....
17. Benefits and risks of WAFs (II)
Risks involved in using WAFs
– False positives
– Increased complexity
– Yet another proxy
– Potential side effects if the WAF terminates the application’s client connections (e.g. SSL termination)
18. Protection against the OWASP TOP 10
App vs. WAF vs. Policy
Three types of applications:
– T1: Web application in design phase
– T2: Already productive app which can easily be changed (e.g. with MVC architecture)
– T3: Productive app which cannot be modified, or only with difficulty
Table of the OWASP TOP 10 in regard to the work required, for each of the 3 types of application, to fix the problem
– in the application itself
– using a WAF
– using a policy
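Added example (Python; not from the slides or the OWASP paper) for one row of such a table, SQL injection: the T3 application as found, which concatenates a request parameter into the query; the T1/T2 fix inside the application, a parameterised query; and a WAF virtual patch for the unchanged T3 application, a positive-security rule that only lets a well-formed order id through. The in-memory database, the table, the parameter name `id` and the rule name ORDER_ID_RULE are constructed for the illustration. The third column, the policy, has no code: for a T1 application it would be a coding standard that mandates bound parameters.

```python
import re
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, order_id: str) -> List[Tuple[str]]:
    """T3 application as found: the parameter is concatenated into the SQL text."""
    return db.execute("SELECT customer FROM orders WHERE id = " + order_id).fetchall()


def lookup_fixed(db: sqlite3.Connection, order_id: str) -> List[Tuple[str]]:
    """T1/T2: fix in the application itself with a bound parameter.

    Whatever the string contains, it is compared as a value and never parsed as SQL.
    """
    return db.execute("SELECT customer FROM orders WHERE id = ?", (order_id,)).fetchall()


# Hypothetical WAF rule (positive security model) for this one URL: the 'id'
# parameter must be present and may only be a short decimal number.
ORDER_ID_RULE = re.compile(r"[0-9]{1,9}")


def waf_allows(params: Dict[str, str]) -> bool:
    order_id = params.get("id")
    return order_id is not None and ORDER_ID_RULE.fullmatch(order_id) is not None


def handle_request(db: sqlite3.Connection, params: Dict[str, str], waf_enabled: bool):
    """Request path of the T3 application, with or without the WAF in front of it."""
    if waf_enabled and not waf_allows(params):
        return "blocked by WAF"
    return lookup_vulnerable(db, params["id"])


if __name__ == "__main__":
    db = make_db()
    attack = {"id": "1 OR 1=1"}          # constructed injection payload
    print(handle_request(db, attack, waf_enabled=False))   # every customer leaks
    print(handle_request(db, attack, waf_enabled=True))    # blocked by WAF
    print(lookup_fixed(db, "1 OR 1=1"))                    # [] : treated as data
```

The whitelist rule is the cheap T3 option because it needs no knowledge of the injection technique, only of what the parameter legitimately looks like; the price is that it has to be written per parameter, which is the "work required" the table is about, and that it does nothing for the next parameter somebody forgets to cover, which is why the application-side fix stays the target for T1 and T2.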
20. Criteria for deciding whether or not to use Web Application Firewalls (I)
Company wide criteria:
– Importance of the app for the success of the company
– Number of web applications
– Complexity
– Operational costs
– Performance and scalability
21. Criteria for deciding whether or not to use Web Application Firewalls (II)
Criteria with regard to the web application
– Changeability of the application
– Documentation
– Maintenance contracts
– Time required for fixing bugs in third-party products
Consideration of financial aspects
– Avoidance of financial damage via successful attacks
– Costs of using a WAF
  – License costs
  – Update costs
  – Project costs for evaluation and introducing a WAF
  – Volume of work required / Personnel costs
22. Criteria for deciding whether or not to use Web Application Firewalls (III)
Evaluation and Summary
23. Best practices for introduction and operation of Web Application Firewalls (I)
Infrastructure
– Central or decentralized infrastructure
  – central proxy application
  – host based - plug-in approach
  – virtualization !!???!!!
– Performance
  – Gbit/s throughput of the hardware does NOT matter
  – HTTP requests processed per second is what matters
  – Simultaneous web application users
  – Think of peak load times (pre-Christmas rush)
24. Best practices for introduction and operation of Web Application Firewalls (II)
Organizational aspects
– Security Policies
  – Try not to change security policies already in place
– Suggestion of a new job position: WAF application manager
  – One-off task of commissioning a WAF
  – In-depth knowledge of WAF capabilities
  – Alarm and Error management
  – Changes to the rule-set
  – Talking to the development department(s)
25. Best practices for introduction and operation of Web Application Firewalls (III)
Iterative procedure
– Step 1: Definition of the people responsible for security
  – ideally the “WAF application manager”
– Step 2: Baseline security for all web applications
  – mostly blacklisting using vendor signatures
  – monitor for false positives/negatives and get rid of them
– Step 3: Prioritized list of all web applications which need to be secured
  – Use the checklist (attached to the paper)
– Further steps: Work through the list and systematically secure each app
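Step 2 in working code, as an added example that is not from the slides or the OWASP paper: a baseline of generic blacklist signatures is first run in alert-only mode over a period of traffic, the hits are grouped by location and rule for the WAF application manager to review, a reviewed false positive is switched off for that one location only, and the same rule set is then run in blocking mode. The four signatures, the traffic sample and the function names are constructed for the illustration and are not any vendor's rule set or log format.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Baseline blacklist: generic signatures in the style of vendor-supplied rules,
# constructed for this example.
SIGNATURES = {
    "sqli-union":     re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
    "sqli-tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "xss-script":     re.compile(r"<script\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed traffic sample (path, decoded query string) standing in for the
# log of a first monitoring period. The second entry is a legitimate search
# for SQL help and will show up as a false positive of "sqli-union".
TRAFFIC = [
    ("/search",   "q=ipad case"),
    ("/search",   "q=union select on two tables in sql"),
    ("/login",    "user=admin' or 1=1 --&pass=x"),
    ("/download", "file=../../etc/passwd"),
]

Exclusions = Dict[str, Set[str]]   # path -> signatures disabled for that path


def match_signatures(path: str, query: str, exclusions: Exclusions) -> List[str]:
    """Names of all signatures that fire on this request, honouring per-path exclusions."""
    disabled = exclusions.get(path, set())
    return [name for name, pat in SIGNATURES.items()
            if name not in disabled and pat.search(query)]


def run_waf(traffic, exclusions: Exclusions, blocking: bool) -> List[Tuple[str, str, List[str]]]:
    """One pass over the traffic. blocking=False only alerts; blocking=True enforces."""
    results = []
    for path, query in traffic:
        hits = match_signatures(path, query, exclusions)
        if not hits:
            action = "pass"
        elif blocking:
            action = "block"
        else:
            action = "alert"
        results.append((path, action, hits))
    return results


def review_summary(results) -> Counter:
    """What the WAF application manager looks at: hits grouped by (location, rule)."""
    return Counter((path, sig) for path, _, hits in results for sig in hits)


if __name__ == "__main__":
    # Phase 1: monitor only, nothing is blocked.
    monitored = run_waf(TRAFFIC, {}, blocking=False)
    for (path, sig), count in review_summary(monitored).items():
        print("review:", path, sig, count)
    # Phase 2: after review, disable the one rule that is a false positive on
    # /search, then switch the same rule set to blocking.
    tuned = {"/search": {"sqli-union"}}
    for row in run_waf(TRAFFIC, tuned, blocking=True):
        print(row)
```

Two points the slide's wording hides: the exclusion is per location, so "union select" in the login form still fires after tuning, and the narrow tautology pattern (it would miss `' or 'a'='a`) is the false-negative side of "get rid of them". A signature blacklist is the baseline for all applications, not the end state for the prioritized ones.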
26. Appendices
Checklist to define the ‘accessibility’ of the web application
– The more points you score, the better the access to the web application
Job descriptions for the ‘new guys’
– WAF platform manager
  – needed in really complex/big environments
– WAF application manager (per application)
– Application manager
27. Where to find it on the net?
OWASP Wiki of course
https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
30. Hot Fix
Patch
BTW: I love Taiwan!!! ;-)
Thank you!
Questions?
Alexander Meisel
alexander.meisel@artofdefence.com