Category: OWASP Best Practices: Use of Web Application Firewalls (OWASP wiki, retrieved 3/6/2015)
https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
Abstract
Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself, and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.
One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS, Payment Card Industry Data Security Standard v1.1), for example, is either a regular source code review or the use of a WAF.
The document is aimed primarily at technical decision makers, especially those responsible for operations and security, as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid wherever possible to the display of work estimates, including in comparison to possible alternatives such as modifications to the source code.
In addition to the importance of the web application regarding turnover or image, the term "access to a web application" used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, the access to a web application measures the extent to which the required changes to the application source code are actually carried out in-house, on time, or can be carried out by third parties. As illustrated by the graph below, a web application to which there is no access can only be protected sensibly by a WAF (additional benefit of the WAF). Even with an application in full access, a WAF can be used as a central service point for various services such as secure session management, which can be implemented for all applications equally, and as a suitable means for proactive safety measures such as URL encryption.
http://www.owasp.org/Image:Best_Practice_WAFchartEN.png
Further key topics discussed in this paper include best practices for processes concerning the installation and operation of a WAF as well as, in particular for larger companies, a description of the role of the WAF application manager.
A1 Introduction and aim of this document
A1.1 Introduction
Whether the online branch of a bank, an online shop, a customer, partner or employee portal: all of these web applications are available to their customers as well as their attackers around the clock due to the always-on nature of the internet. Attacks such as SQL injection, cross-site scripting or session hijacking are aimed at vulnerabilities in the web application itself and not at those on the network level. For this reason, traditional IT security systems such as firewalls or IDS/IPS are either totally unable to guard against these attacks or are incapable of offering comprehensive protection.
From a technical point of view the fundamental issue is that the web, especially the HTTP protocol, was not designed for such complex applications as are currently state of the art. Many vulnerabilities have their origin here: for example, HTTP is not stateful, i.e. sessions or stateful applications must be defined separately and implemented securely. These vulnerabilities are increased even further by the high degree of complexity of the web scripts, frameworks and web technologies frequently used.
In addition to the recent introduction of industrial standards, e.g. the data security standard of the credit card industry (PCI DSS v1.1), security breaches in Germany which have only recently been revealed, such as the loss of approx. 70,000 items of customer data incl. credit card information for the online ticket dealer kartenhaus.de, have ensured an increased level of interest in possible security measures against application-level attacks.
This document covers a category of security systems, the Web Application Firewalls (WAF), which are especially well suited for securing web applications which are already in production.
A1.2 Definition of the term WAF (Web Application Firewall)
In this document, a WAF is defined as a security solution on the web application level which, from a technical point of view, does not depend on the application itself. This document focuses on the exposition and evaluation of the security methods and functions provided by a WAF. Aspects of the deployment within the existing IT infrastructure, whether as a hardware appliance, a software plugin for a web server or an add-on for existing infrastructure components such as load balancers or network firewalls, are only covered in brief. Unlike the definition in WAFEC, it is not assumed that a WAF has to be available as a separate hardware appliance in front of the web servers; this certainly does not represent the best implementation option, especially in large, fast-growing infrastructures.
A1.3 Target readership and objective
The document is aimed primarily at technical decision makers, especially those responsible for operations and security, as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid wherever possible to the display of work estimates. Further key topics discussed in this paper include best practices for processes concerning the installation and operation of a WAF as well as, in particular for larger companies, a description of the role of the WAF application manager.
A2 Characteristics of web applications with regard to Web Application Security
A2.1 Higher-level aspects within the organization
Especially within larger organizations, many aspects need to be taken into account regarding the importance of the security of the web applications in operation.
One of the most important aspects is the number of productive web applications in the company. Large companies often operate, in-house or externally, web applications numbering in the hundreds. Even if a prioritisation of each individual web application in order of its relevance for the success of the organization is reasonable, it is nevertheless necessary to assume that all web applications operated in-house, depending on the architecture, could permit an attack on internal systems given the right attack methods. Even web applications which seem to be unimportant at first glance should at minimum be secured against known attacks.
The following aspects should be considered when prioritizing web applications in regard to their importance for the organization:
- Access to personal data of customers, partners and/or employees
- Access to confidential information
- Essential requirement for the completion of critical business processes
- Relevance for the attainment of critical (security) certifications
Possible effects of the non-availability of, or data loss in, the web applications include:
- Interruption of business processes (including those of customers or partners)
- Loss of reputation
- Damage compensation claims
- Revocation of licenses
- Loss of confidential information
For other aspects such as risks and costs, see A4.3 and A6.4.
A2.2 Technical aspects of each of the company's individual web applications
The decision regarding suitable security measures for a web application essentially depends on the relevant phase in the application development process. This means that in the design phase, suitable tools for the implementation as well as test and quality assurance tools can be selected; where appropriate, the developers can also be trained in web application security and the relevant time frame until the deployment into productive operation can be extended.
For already completed or productive applications, very different aspects are relevant with regard to subsequent possible security measures, such as:
- Complete documentation of the architecture and the source code, or availability of the developers of the web application
- Maintenance contracts for all components of the application architecture
- Short error rectification times by the manufacturer of third-party products used
Only if these aspects have been met can the application be secured within the existing application infrastructure, regardless of the amount of work involved.
A3 Overview of Web Application Firewall (WAF) features
A3.1 Where WAFs fit into the Web Application Security field as a whole
The basic principle is that every web application should be developed as securely as possible. This is because the later a vulnerability is detected in the life cycle of a web application, the greater the risk of a successful attack, and often also the amount of work involved in correcting the issue.
In addition to appropriate training measures, e.g. on the basis of the OWASP guidelines, the application development can be supported effectively by the use of various tools. Tools such as Stinger are normally based on a framework (J2EE in this example); they are part of the application (even if they can be added to completed applications conforming to J2EE) and, from an organisational point of view, are thus generally subject to the normal application release cycle. At their core, they effectively help developers in making their application more secure. Unlike WAFs, they will always be part of the application, however. These tools are mentioned in this document at various points, in particular in relation to the comparative amount of work for various security measures, but they themselves are not the focus of this document.
In the development phase, methods such as static source code analysis help to promptly detect and rectify vulnerabilities in the code. This additionally includes penetration tests, ideally carried out by experts, which cover the vulnerabilities in the external behaviour of the web application in productive operation as well.
In this context, it is the primary function of a WAF to secure web applications against detected vulnerabilities, with as little effort as possible, so that they cannot be exploited by attackers. This is already a very challenging task due to the high degree of complexity of the typical web application infrastructure: web servers, application servers, frameworks, as well as the typical components of a web application (session handling with cookies, input validation, etc.).
The main aim in using a WAF is therefore securing the existing, often productive web applications, where the required changes within the application can no longer be implemented or can only be implemented with a disproportionately large amount of work. This applies in particular to vulnerabilities which have been revealed via a penetration test or even via analysis of the source code, and which especially in the short term cannot be fixed within the application. Besides the basic protection via blacklisting (in other words, the description of known attack patterns), the basic feature of the WAF is the option of whitelisting, which can be configured appropriately. With active whitelisting, the rule set of the WAF describes the exact behaviour of the application; the configuration of suitable whitelists is often supported via a learning mode.
In addition, several WAFs also offer functionalities which extend beyond a purely protective nature and which can therefore also be used in the design process in order to avoid unnecessary work. The WAF thereby becomes a central service point for completing tasks which would otherwise be on the application side, but which can and should be addressed in the same way for all applications. Examples of this include secure session management for all applications based on cookie stores, central authentication and authorisation, the collection of all relevant error messages and log files, or the option for proactive security mechanisms such as URL encryption.
The table below uses what are currently the most well-known vulnerabilities or methods of attack on web applications to indicate the protection offered by WAFs. The usual functionality of a WAF is assumed, although not all WAFs available on the market necessarily offer all the functionality described here.
A3.2 Typical security mechanisms of WAFs, using specific vulnerabilities as examples
The table below gives possible security measures (Countermeasure column) for typical threats, vulnerabilities and attacks (Problem column), and in the WAF column evaluates how well a WAF can protect the application. The symbols indicate:
+ very well covered by a WAF
− cannot be covered (or only to a small degree) by a WAF
! dependent on the WAF/application/requirements
= can partially be covered by a WAF
Problem (WAF rating): Countermeasure

Cookie protection (+ + ! !):
- Cookies can be signed.
- Cookies can be encrypted.
- Cookies can be completely hidden or replaced (cookie store).
- Cookies can be linked to the client IP.

Information leakage (+): Cloaking filter; outgoing pages can be cleaned (error messages, comments, undesirable information).

Session riding (CSRF) (+): URL encryption/token.

Session timeout (!):
- Timeout for active and inactive (idle) sessions can be specified (if the WAF can manage the sessions itself).
- Even if the sessions are managed by the application, the WAF can detect these and terminate them with the appropriate configuration.

Session fixation (=): Can be prevented if the WAF manages the sessions itself.

Session hijacking (−): Difficult to prevent, although the WAF can issue an alarm in the event of irregularities (e.g. changing IP) or terminate a session with changing IP.

File upload (+): Virus check (generally via external systems) via ICAP linked to the WAF.

Parameter tampering (+ +):
- In addition to/instead of data validation (see below), parameter manipulation can be prevented via URL encryption (GET) and parameter encryption (GET and POST).
- Site usage enforcement, meaning the possible sequence of URLs can be fixed or can be detected.

Forced browsing (+ +):
- Can be prevented via URL encryption.
- Site usage enforcement.

Path traversal (URL), link validation (+ +):
- Can be prevented via URL encryption.
- Site usage enforcement.

Path traversal (parameter), path manipulation (+): See parameter tampering and data validation.

Logging (+): All or only specific/permitted parts of the data of a request and of the connected tests can be logged.

Privilege escalation (−): Privilege escalation cannot be checked, or can only be checked to a limited degree, for example via cookie/parameter encryption.

Logical level (−): Application logic going beyond the validity of URLs and form fields cannot normally be checked by a WAF.

Anti-automation (=): Automatic attacks can be partially detected and blocked (e.g. number of requests per time interval, identical requests, etc.).

Application DoS (moderate) (= =):
- Transactions, IPs and/or users can be blocked.
- Connections and/or sessions can be ended.

SSL (+ + +):
- WAF can force SSL with predefined encryption strength (depending on the infrastructure scenario).
- SSL termination on the WAF, forwarding of the SSL data (e.g. client certificate) to the application.
- SSL connection possible from WAF to application.

Data validation (relating to field/content/context/application) (+ + !):
- Can be tested to a very detailed degree (length, constant value/range of values, e.g. for SELECT, character area); validation possible with whitelist and/or blacklist (signature).
- Rules can in part be generated automatically.
- High dependency on the application; specific fields (hidden form fields) or predefined parameters in the URL can be automatically verified by the WAF, however.
- Risk due to false positives, problematic with business-critical applications in particular.

Data validation (general/global) (+): HTTP (W3C) conformity; a WAF conducts a canonicalisation of the data so that it is available to the application in a standardised form.

Buffer overflow (+): See data validation [1].

Format string attack (=):
- Can be detected using data validation if the corresponding characters or strings are filtered (difficult in practice, as precise knowledge of the application is required to do this).
- For the majority of the hidden input fields, this can be carried out without knowledge of the application.

Cross-site scripting (=): Using data validation, only reflected XSS can be detected and prevented; persistent XSS cannot be detected, and DOM-based XSS only to a limited degree, if part of the attack is sent in parameters of the request.

Cross-site tracing (+): Restriction of the HTTP method to, for example, GET or POST.

WebDAV (+): Restriction to only reading WebDAV methods possible.

Code injection (PHP, Perl, Java) (+): See data validation [1].

Command injection (+): See data validation [1].

SQL injection (+): See data validation [1].

LDAP injection (+): See data validation [1].

XML/XPath injection (+): See data validation [1].

Just-in-time patching (hotfix patching) (+): Using data validation (see above), the WAF can protect against newly detected vulnerabilities and/or attacks (zero-day exploit).

HTTP response splitting (HTTP splitting) (!): Can only be detected using data validation in URL and/or parameters if %0d%0a is filtered; however, this can be carried out on virtually any input field without impairing the functionality of the application.

HTTP request smuggling (+): Is prevented via strict testing of the conformity to standards of each request.

[1] Basic protection with blacklisting generally sufficient; other options by combining blacklisting and whitelisting.
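As an added example (Python; not code from the OWASP page or from any WAF product), the following sketch shows the mechanisms behind the cookie protection, session timeout, session fixation and session hijacking rows above: cookies are HMAC-signed so the client cannot alter them, and a cookie store replaces the application's own cookies with one opaque WAF session id that is bound to the client IP and subject to idle and absolute timeouts. The signing key, the timeouts, the client addresses and the sample Set-Cookie headers are constructed for the demonstration.

```python
"""WAF-side cookie protection: signed cookies and an IP-bound cookie store.

Added example, not code from the OWASP page. Key, timeouts and sample
cookies are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumption: the WAF holds a managed signing key; this one is a placeholder.
SIGNING_KEY = b"example-waf-signing-key-not-for-production"


def sign_cookie(name: str, value: str, key: bytes = SIGNING_KEY) -> str:
    """Append an HMAC over name and value so the client cannot alter the cookie."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(name: str, signed: str, key: bytes = SIGNING_KEY):
    """Return the original value, or None if the signature is missing or wrong."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


@dataclass
class _Session:
    client_ip: str
    created: float
    last_seen: float
    app_cookies: dict = field(default_factory=dict)


class CookieStore:
    """Hide the application's cookies behind one opaque, IP-bound WAF cookie.

    Idle and absolute timeouts are enforced here even if the application
    manages its own sessions; a client IP change terminates the session and
    records an event the WAF would alert on.
    """

    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.clock = clock
        self._sessions = {}
        self.events = []  # what the WAF would log or alert on

    def start(self, client_ip: str) -> str:
        """Issue a fresh, unguessable WAF session id (a new id per login defeats fixation)."""
        sid = secrets.token_urlsafe(24)
        now = self.clock()
        self._sessions[sid] = _Session(client_ip, now, now)
        return sid

    def inbound(self, sid: str, client_ip: str):
        """Map the WAF cookie back to the application's cookies; None means rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.max_lifetime:
            self.events.append(f"timeout sid={sid[:8]}")
            del self._sessions[sid]
            return None
        if s.client_ip != client_ip:
            self.events.append(f"ip-change sid={sid[:8]} {s.client_ip}->{client_ip}")
            del self._sessions[sid]
            return None
        s.last_seen = now
        return dict(s.app_cookies)

    def outbound(self, sid: str, set_cookie_headers) -> None:
        """Swallow the application's Set-Cookie headers so they never reach the client."""
        s = self._sessions[sid]
        for header in set_cookie_headers:
            name, _, value = header.split(";", 1)[0].partition("=")
            s.app_cookies[name.strip()] = value.strip()


def demo():
    """Login, a tampered signed cookie, a hijack from another IP, and an idle timeout."""
    clock = [1000.0]
    store = CookieStore(idle_timeout=60, clock=lambda: clock[0])
    sid = store.start("203.0.113.5")                      # constructed client IP
    store.outbound(sid, ["JSESSIONID=abc123; Path=/; HttpOnly", "role=user; Path=/"])
    ok = store.inbound(sid, "203.0.113.5")
    hijack = store.inbound(sid, "198.51.100.9")           # same cookie, other IP
    sid2 = store.start("203.0.113.5")
    clock[0] += 120                                       # longer than idle_timeout
    timed_out = store.inbound(sid2, "203.0.113.5")
    signed = sign_cookie("role", "user")
    tampered = signed.replace("user", "admin", 1)         # client edits the value
    return {
        "ok": ok,
        "hijack": hijack,
        "timed_out": timed_out,
        "signature_ok": verify_cookie("role", signed),
        "tampered": verify_cookie("role", tampered),
        "events": store.events,
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Binding a session to the client IP is the "!" in the table: it defeats the simple hijack shown here but produces false positives for users behind rotating proxies, so a real deployment would treat the IP change as an alert or a re-authentication trigger rather than an unconditional termination.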
A4 Overview of benefits and risks of Web Application Firewalls
The specific potential benefits of a WAF described here are explained in detail in the in-depth overview in the next chapter. This chapter is used primarily as a summary for decision makers who only want to work through the next chapter as an overview.
A4.1 Main benefits of WAFs
The main benefit of a WAF is the subsequent protection of completed, productive web applications on the application level with a reasonable amount of effort and without having to change the application itself.
On the one hand, the WAF offers a basic protection against known attacks or vulnerabilities based on blacklists: the data security standard of the credit card industry (PCI DSS v1.1), for example, in its current version prescribes the use of a WAF, as an alternative to regular code reviews by a specialist, as an adequate measure to protect web applications. The WAF is therefore a suitable tool for attaining industrial standards as well as fulfilling legal requirements.
The use of a WAF becomes especially relevant in the case of concrete vulnerabilities, for example uncovered via penetration tests or source code reviews. Even if it were possible to fix the vulnerability in the application promptly and with a reasonable amount of effort, the modified version can generally only be deployed at the next maintenance interval, often 2 to 4 weeks later (patch dilemma). With a WAF with whitelisting, the vulnerability can be closed promptly (hotfix), so that it cannot be exploited before the next scheduled maintenance. WAFs are especially fast in this aspect, meaning they can collaborate with source code analysis tools, so that detected external vulnerabilities can automatically result in a recommended rule set for the WAF.
A WAF is particularly important in securing productive web applications which themselves in turn consist of multiple components and which cannot be quickly changed by the operator, e.g. in the case of poorly documented applications or regarding third-party products without sufficient maintenance cycles. In such cases a WAF is the only option for promptly closing external vulnerabilities.
A4.2 Additional benefits of WAFs, depending on the actual functionality of the product
There are other considerable potential benefits which are due to the central role of the WAF. The error location process is simplified considerably if the WAF supports central error messages, in contrast to individually generated error messages by several applications. Error messages can then be centrally evaluated at the WAF. The same applies to all aspects of monitoring and reporting. As a central service point, the WAF can implement tasks which can be solved in the same way for every application. A good example of this is secure session management for all applications based on cookie stores.
Many WAFs also provide proactive security mechanisms such as URL encryption or site usage enforcement, in order to minimise the attack surface with as little effort as possible. In addition, the use of a WAF increases the robustness of a web application to external attacks.
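The following added example (Python; not code from the OWASP page or from any product) shows how URL encryption, page tokens and site usage enforcement fit together at the WAF: every on-site link and form action in the outgoing page is rewritten with a token keyed to the session, and an inbound request is allowed only if it is a known entry point or carries a valid token for exactly that path and parameter set. The token parameter name `wt`, the entry-point list, the per-session key and the sample page are assumptions of this example.

```python
"""URL encryption / page tokens with site usage enforcement at the WAF.

Added example, not code from the OWASP page. The token parameter name, the
entry points and the per-session key are assumptions of the example.
"""
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "wt"               # assumed name of the WAF's token parameter
ENTRY_POINTS = {"/", "/login"}   # assumed: pages a user may request directly

_LINK_ATTR = re.compile(r'\b(href|action)="([^"]*)"')


def _token(session_key: bytes, path: str, query_pairs) -> str:
    """HMAC over the canonical path+query, keyed per session (so it also defeats CSRF)."""
    canonical = path + "?" + urlencode(sorted(query_pairs))
    return hmac.new(session_key, canonical.encode(), hashlib.sha256).hexdigest()[:32]


def protect_url(session_key: bytes, url: str) -> str:
    """Append a token bound to this exact path and parameter set."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    token = _token(session_key, parts.path, pairs)
    return urlunsplit(parts._replace(query=urlencode(pairs + [(TOKEN_PARAM, token)])))


def rewrite_html(session_key: bytes, html: str) -> str:
    """Rewrite every on-site link and form action in an outgoing page."""
    def repl(match):
        url = match.group(2)
        if url.startswith(("http://", "https://", "//", "#", "mailto:")):
            return match.group(0)        # off-site links are left untouched
        return f'{match.group(1)}="{protect_url(session_key, url)}"'
    return _LINK_ATTR.sub(repl, html)


def check_request(session_key: bytes, url: str):
    """Site usage enforcement: allow only entry points or URLs the WAF itself handed out."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in pairs if k == TOKEN_PARAM]
    rest = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    if not supplied:
        if parts.path in ENTRY_POINTS:
            return True, "entry point"
        return False, "no token (forced browsing?)"
    expected = _token(session_key, parts.path, rest)
    if hmac.compare_digest(supplied[0].encode(), expected.encode()):
        return True, "token ok"
    return False, "token mismatch (tampering or foreign session)"


def demo():
    """One session's page is rewritten; then several inbound requests are checked."""
    key = secrets.token_bytes(32)               # this session's WAF secret
    other_session = secrets.token_bytes(32)     # an unrelated session (CSRF attacker)
    page = ('<a href="/account?id=42">My account</a>'
            '<form action="/transfer" method="post"></form>'
            '<a href="https://example.org/">partner</a>')   # constructed response body
    out = rewrite_html(key, page)
    link = re.search(r'href="(/account[^"]*)"', out).group(1)
    return {
        "rewritten": out,
        "link_ok": check_request(key, link)[0],
        "tampered": check_request(key, link.replace("id=42", "id=43"))[0],
        "forced": check_request(key, "/admin/backup.bak")[0],
        "entry": check_request(key, "/login")[0],
        "cross_session": check_request(other_session, link)[0],
        "offsite_untouched": 'href="https://example.org/"' in out,
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The same token covers three table rows at once: a changed `id` (parameter tampering) and an unlinked `/admin/backup.bak` (forced browsing) are rejected, and a link captured from one session does not validate in another, which is the CSRF protection. The limitation noted in the A10 row applies: links the application emits are reachable, so the application must not render links the user is not entitled to follow.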
WAFs offer other additional benefits depending on the type of implementation. A hardware appliance in front of the web servers can often terminate SSL connections and also sometimes has load balancer capabilities. This can be desirable, but can also be provided by suitable web application security add-ons for products already in use. In high-security environments, however, the existing security guidelines frequently prohibit the termination of SSL connections in front of the web server. In this case, WAFs which are implemented as a plugin for the web server are especially well suited.
The WAF can also provide SSL termination if the application to be protected, or its web server or application server, does not have this capability.
A4.3 Risks in the use of WAFs
Note that changes in the existing IT, web and any application infrastructure are required when using a WAF. Depending on the WAF's implementation (e.g. hardware appliance vs. embedded WAF) there are also additional tasks and risks:
- "Yet another proxy" argument (increased complexity of the IT infrastructure)
- Organisational tasks (see A8.2 Role model when operating WAFs)
- Training the WAF on each new release of the web application
- Testing
- False positives (which may have a significant business impact)
- More complex troubleshooting
- WAFs also have/generate errors
- Responsibility for system-wide error situations
- Any potential effect on the web application, for example if the WAF terminates the application session
- Cost-effectiveness
A5 Security versus OWASP Top 10: a comparison of WAFs and other methods
This chapter covers the various security options for what is known as the OWASP Top 10 vulnerabilities. Three different classes of web applications are used as examples:
- T1: a web application in the design phase (new application)
- T2: an already productive application (with MVC architecture), which can be easily adapted
- T3: a productive application which cannot, or only with difficulty, be modified
Security measures within the application or the application architecture itself are described in detail and are evaluated, based on these three classes, either with the use of a WAF or, alternatively, by definition of an appropriate security policy. The security measures are also assessed in regard to the amount of work required for their implementation. In some instances, there are notes on special functionalities of WAFs or assumptions on the application infrastructure used, as these do not apply globally.
As the table below clearly shows, especially in the case of applications which are in production, the use of WAFs very often requires the least amount of work. In the case of applications which cannot be modified or which are difficult to modify, in some instances the use of WAFs is actually the only feasible security measure.
In the table below, the Work volume column lists the estimated amount of work required for the application types (T1, T2, T3), a WAF or a security policy (P) in regard to the threat (Top 10 column). Comments and notes for each type regarding the implementation of security measures can be found in the Comment column. The categories for the work volume are:
1 little work required
2 moderate amount of work required
3 considerable amount of work required
− not normally implemented
Top 10 / Type: Comment (work volume)

A1 Cross-site scripting (XSS)
- T1: E.g. by the consistent use of taglibs (Java), controls (ASP.NET) or additional frameworks (PHPIDS). (1)
- T2: Input encoding is difficult to integrate (e.g. using OWASP Stinger); using an upstream WAF is a better solution here. For .NET applications XSS filters can be activated. (3; .NET: 2)
- T3: For .NET applications, activate XSS filters. (−; .NET: 2)
- WAF: The WAF does not permit output validation in this case, as it does not recognise the context of the data. The validation must be carried out during the input phase, and may be correlated with the output. (2)
- P: (−)

A2 Injection flaws
- T1: Can be avoided by using an OR mapper (e.g. Hibernate) or consistent parameterisation of all inputs (e.g. stored procedures or, ideally, prepared statements). Other injection flaws (e.g. with XML) can only be avoided with dedicated output coding, where necessary. (1)
- T2: Complicated, as program modifications are required. (3)
- T3: (−)
- WAF: WAF with blacklisting: in principle can only search for specific characters or character strings and prevent processing. Essentially there are problems with this approach in the degree of coverage as well as with possible filter evasion attacks (e.g. with multiple encoding) if no input normalisation is carried out. This works very well with known attacks (e.g. SQL injection), but certainly less well with protocols not known to the WAF or with proprietary protocols. In addition, injection attacks on some types of input data can be effectively prevented using URL encryption and hidden form parameter protection. An example of this is the item number in an online shop, which traditionally would often be used for SQL injection attacks, but which it should never actually be possible for users to manipulate directly. WAF with whitelisting: for all other input fields, there is a whitelist approach. Here the WAF can make suggestions for the individual fields following a learning phase. This means that not all, but the majority of the input fields can be protected against all types of injection attacks. (2)
- P: In the case of SQL injection: specifications for database access permissions; otherwise little or no options.

A3 Malicious File Execution
- T1: Integrating upload scanners or whitelisting of the permitted remote inclusions. (2)
- T2: (3)
- T3: (−)
- WAF: Whitelisting of the parameters for the permitted inclusion of URLs external to the system; inclusion of upload scanners via the ICAP protocol; response analysis to prevent the display of critical data (partially also error messages). (1-2)
- P: Specifications for the deployment platform, specifications for access permissions. (2)

A4 Insecure Direct Object Reference
- T1: Implementation of an object virtualisation is very time-consuming, as database objects are frequently mapped to parameters by the frameworks in use (OR mapper). Protection requires intensive testing. (3)
- T2: Prevention of ID manipulation generally necessitates code modifications. Protection requires intensive testing. (3)
- T3: (−)
- WAF: Protection against ID manipulation using ID virtualisation or hidden parameter protection. (1)
- P: Use of impersonation and delegation. (3)

A5 Cross-site Request Forgery (CSRF)
- T1: Can be solved using a specific application architecture. (1)
- T2: Significant amount of work. Program changes generally required. (3)
- T3: (−)
- WAF: Can be prevented using page tokens or URL encryption. (1)
- P: (−)

A6.1 Information Leakage
- T1: Tool-supported testing with high test coverage and relevant focus. (2)
- T2: Tool-supported testing with high test coverage and relevant focus. (2)
- T3: (−)
- WAF: Automatic filtering of comments possible. Site usage enforcement can prevent access to existing but unpublished (unlinked) documents. Traditional examples are backup files on the web server which contain database passwords in plain text and whose URL can be guessed by the attacker. (1-2)
- P: Requirement for programmers and authors not to enter any comments. Specifications for the design of error messages. (2)

A6.2 Improper Error Handling
- T1: Can be configured declaratively depending on the platform. (1)
- T2: Can be configured declaratively depending on the platform. (1)
- T3: Can be configured declaratively depending on the platform. (1/−)
- WAF: Difficult to detect. (2)
- P: (−)

A7.1 Broken Authentication
- T1: Link-up to a central access management system with appropriate security standards. (1)
- T2: Link-up to a central access management system with appropriate security standards. Program modifications may be required. (2)
- T3 / WAF: Depends on the abilities of the WAF. A WAF can carry out authentication independently of the application and thus permit a link-up to a central authentication infrastructure without changing the application. (2)
- P: Specifications with regard to password complexity. (2)

A7.2 Session Management
- T1: On the design level, e.g. using the session manager design pattern; otherwise numerous options. Amount of implementation work partially dependent on the application server; see also A7.1 if the session management is carried out by the access management system. (2)
- T2: Can be integrated centrally to a large extent (using filters, listeners or hardened server configuration); nevertheless, a large amount of work in some places. See also A7.1 if the session management is carried out by the access management system. (2-3)
- T3: Depends on the application server, partially configurable.
- WAF: Hardening of insecure session management possible via various techniques (e.g. page tokens). (1)
- P: (−)

A8 Insecure Cryptographic Storage
- T1: Use of crypto APIs. (1)
- T2: Use of crypto APIs. Subsequent implementation requires numerous program modifications. (3)
- T3: (−)
- WAF: (−)
- P: Specifications for saving sensitive data.

A9 Insecure Communications
- T1: Can be configured declaratively in the application or web server. (1)
- T2: Can be configured declaratively in the application or web server. Very high amount of work if the URL schema (HTTP) has been hard-coded. (1/−)
- T3: Can be configured declaratively in the application or web server (if there is access). Not possible if the URL schema (HTTP) has been hard-coded. (1/−)
- WAF: Can secure HTTP applications using HTTPS. (1)
- P: (−)

A10 Failure to Restrict URL Access
- T1: Use of a front controller with gateway. Code must still check user assignment via the program at various points (e.g. in the service). Gaps possible. (1-2)
- T2: Differs depending on the application. URL access permissions can be configured declaratively with J2EE and .NET. Prevention of ID manipulation generally necessitates code modifications. (2-3)
- T3: Differs depending on the application. URL access permissions can be configured declaratively with J2EE and .NET. (3)
- WAF: Page tokens or URL encryption can be used to restrict users to pages received from the application as links. The application must not display protected links, however (limited access pattern). With site usage enforcement, the user can only access linked content. Specific URLs/subtrees can also be excluded via whitelist/blacklist approaches (e.g. only allow access for *.html, *.php, *.gif, *.jpg but not for *.bak or other extensions). (1)
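As an added example (Python; not code from the OWASP page or from any product), the following sketch puts the data validation rows of the A3.2 table and the A2 injection row above into working code: inbound parameters are canonicalised (Unicode normalisation and repeated URL-decoding) before a blacklist of attack signatures and a per-field whitelist are applied, so that a double-encoded injection or a %0d%0a response-splitting attempt is caught and a hidden field whose value changes is rejected. The field names, the signatures, the whitelist rules and the sample queries are constructed for the demonstration; a real rule set is far larger.

```python
"""Request canonicalisation with blacklist and whitelist validation at the WAF.

Added example, not code from the OWASP page. Signatures, the per-field
whitelist and the sample queries are constructed for the demonstration.
"""
import re
import unicodedata
from urllib.parse import parse_qsl, unquote

# Blacklist: known attack patterns (illustrative, deliberately small).
BLACKLIST = [
    ("sql-injection", re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d|--\s|;\s*drop\b")),
    ("xss", re.compile(r"(?i)<script\b|javascript:|\bon\w+\s*=")),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("response-splitting", re.compile(r"[\r\n]")),
]

# Whitelist: what each field of one form may contain, as a learning mode might
# propose it. Field names belong to a constructed checkout form (assumption).
WHITELIST = {
    "item": {"pattern": re.compile(r"\d{1,8}")},          # item number: digits only
    "qty": {"pattern": re.compile(r"\d{1,3}")},
    "lang": {"values": {"en", "de"}},                      # SELECT with fixed options
    "form_id": {"constant": "checkout-v2"},                # hidden field, never changes
    "comment": {"pattern": re.compile(r"[\w .,!?'-]{0,200}")},
}


def canonicalise(value: str, max_rounds: int = 3) -> str:
    """Unicode-normalise and strip repeated URL-encoding so filters see what the app sees."""
    value = unicodedata.normalize("NFKC", value)
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(raw_query: str, mode: str = "both", normalise: bool = True):
    """Return ('allow' | 'block', findings) for one query string or form body."""
    findings = []
    # parse_qsl performs the first decode; a naive filter stops there.
    for name, raw in parse_qsl(raw_query, keep_blank_values=True):
        value = canonicalise(raw) if normalise else raw
        if mode in ("blacklist", "both"):
            for label, rx in BLACKLIST:
                if rx.search(value):
                    findings.append(f"{name}: blacklist {label}")
        if mode in ("whitelist", "both"):
            rule = WHITELIST.get(name)
            if rule is None:
                findings.append(f"{name}: unknown parameter")
            elif "constant" in rule and value != rule["constant"]:
                findings.append(f"{name}: hidden field altered")
            elif "values" in rule and value not in rule["values"]:
                findings.append(f"{name}: value not in allowed set")
            elif "pattern" in rule and not rule["pattern"].fullmatch(value):
                findings.append(f"{name}: does not match whitelist pattern")
    return ("block" if findings else "allow"), findings


def demo():
    """Constructed queries: benign, double-encoded injection, CRLF, altered hidden field."""
    benign = "item=1042&qty=2&lang=en&form_id=checkout-v2&comment=great+shop"
    # %2527 -> %27 after the first decode -> ' after the second (multiple encoding).
    evasive = "item=1042%2527%2520OR%25201%253D1&qty=2&lang=en&form_id=checkout-v2"
    splitting = "item=1&qty=1&lang=en%0d%0aSet-Cookie:%20x%3D1&form_id=checkout-v2"
    hidden = "item=1&qty=1&lang=en&form_id=checkout-v3"
    return {
        "benign": inspect_request(benign)[0],
        "evasive_naive_blacklist": inspect_request(evasive, "blacklist", normalise=False)[0],
        "evasive_canonical_blacklist": inspect_request(evasive, "blacklist")[0],
        "evasive_whitelist": inspect_request(evasive, "whitelist")[0],
        "splitting": inspect_request(splitting)[1],
        "hidden": inspect_request(hidden)[1],
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The evasive query is the point of the A2 row: the same blacklist misses the double-encoded injection when it runs on the raw value and catches it once the value has been canonicalised, while the whitelist rejects it either way because an item number is digits only. The false-positive risk noted in the table is visible too: a comment field whose whitelist is drawn too tightly will block legitimate customers, which is why the learning phase and a review of the proposed rules matter for business-critical forms.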
A6 Criteria for deciding whether or not to use a WAF
A6.1 Organization-wide criteria
Core criteria in this area are:
- Importance of the web application(s) for the success of the organization (proportional turnover, reputation)
- Importance of the loss of data of the web application (customer data, confidential information, reputation)
- Number of web applications
- Basic legal conditions or industrial standards
- Complexity
- Operating costs
- Performance
- Scalability
A6.2 Criteria with regard to a web application
The term "access to the web application" is introduced and explained below. The checklist in appendix A8.1 is used to determine the degree of access individually for each web application, using a points system.
The access to a web application can be used as a measure of the extent to which the organization in possession of the application can promptly carry out, or initiate and implement, the necessary changes to the web application, in other words has access to the source code of the application.
A web application in the design phase (see T1 in A5) can be considered as a special case of a web application with optimum access.
The other extreme, a web application without access, is an application consisting of many undocumented components, for example, whose developer cannot be contacted, and which uses third-party software products which are no longer maintained by the manufacturer or, in the case of open source projects, by the community (see T3 in A5).
Important criteria for determining the degree of access to a web application are:
- Complete documentation of the architecture and the source code, or availability of the developers of the web application
- Maintenance contracts for all components of the application architecture
- Short error rectification times by the manufacturer for all third-party products used (portals, frameworks, SAP, etc.)
Other important criteria for each web application are given in the checklist which can be found in the appendix.
A6.3 Evaluation and summary
The degree of access can be determined for every web application using the checklist in appendix A8.1. This also allows a mean value of access to be determined for all the web applications of an organization; it is important to note that applications which are critical to the success or the image of the organization need to be rated accordingly.
The illustration given below may be useful as a guide in the decision-making process regarding the benefits of using a WAF:
http://www.owasp.org/Image:Best_Practice_WAFchartEN.png
If an organization has full access to their web applications, the use of a WAF primarily provides a reduction of the cost of operation, especially due to the additional benefits of a WAF given in A3 as a central service point, as well as some comparatively easy to implement security mechanisms, see A4.
If there is virtually no access to the web applications, the use of a WAF is definitely appropriate, as this is the only way that the relevant security measures can be implemented.
With decreasing access to the web application, and depending on its importance and complexity, the benefits stemming from the use of a WAF grow rapidly: from a second line of defence to true full protection of the web application from outside influence, attained by the use of whitelisting. Using a WAF often results in the least additional work for the required security level.
A6.4 A consideration of the financial aspects
The cost-effectiveness of the procurement and the operation of a WAF can be considered from multiple points of view:
- Avoidance of financial damage resulting from successful attacks on the web application
- Lower costs for reaching the necessary protection level for the web application in comparison to other options
- Savings via the use of central services which are made available by a WAF for multiple web applications, and therefore no longer have to be implemented or configured in every application.
When protecting applications with insufficient access (see A6.2), but which still need to be protected, the costs of a WAF can either be viewed as a strategic investment or, where realistic, set against the costs of replacing the application in question.
The costs of using a WAF normally consist of the following components:
- Licence costs
- Licence updates / software support
- Project costs for evaluating and introducing a WAF
- (Partial) costs for operating the necessary platform
- Personnel costs for the WAF application manager(s)
- Time required in projects for coordination with the WAF application manager.
A7 Best practices for introducing and operating a WAF
A7.1 Aspects of the existing web infrastructure
A7.1.1 Central or decentral infrastructure - predictable changes
It is essential to note that it is the WAF that needs to be integrated into the existing web infrastructure and its planned or foreseeable changes, and not the infrastructure which needs to be fundamentally changed due to the implementation of a WAF.
Accordingly, a WAF can be installed in a central infrastructure which is not predicted to change as a central infrastructure component, e.g. as a hardware appliance, whereas with an infrastructure which is still decentral but which may be growing quickly (for example a large online shop), a distributed WAF approach, e.g. as a plugin into the existing web servers, is more appropriate. With regard to the infrastructure aspects, those WAF products are particularly flexible which combine an essentially distributed implementation approach with a central administration point and therefore offer the benefits of both scenarios.
What is worth mentioning, and becoming increasingly important with regard to probable future developments, is the option of hardened infrastructures using virtualisation. When selecting the WAF, it is particularly important that the WAF can also be integrated seamlessly into a virtualised approach.
A7.1.2 Performance criteria
With regard to technical performance, it is necessary to ensure that the required WAF infrastructure supports the main key performance indicators of the existing web infrastructure. Statements which purely refer to the GB throughput of hardware should not be taken at face value, as the given numbers are often not achievable in practice. What is more important are the typical key performance indicators of a web application, such as the number of simultaneous users of the application and, on that basis, the number of HTTP requests per time unit on average and at peak load times. It should be noted that many applications have high-load phases which occur only rarely, e.g. during the Christmas season for an online shop.
A7.2 Organisational aspects
A7.2.1 Conforming to existing security policies
As far as possible, existing security policies should not have to be changed due to the implementation of a WAF.
A typical example is SSL termination in front of the web servers. This is often denied by the existing security guidelines, in particular in high-security infrastructures. This policy can be maintained by the use of a suitable WAF as a plugin on the web server, with the SSL termination still subsequently being carried out in the web server.
A7.2.2 New role model: WAF application manager
After the one-off task of commissioning, the subsequent successful use of a WAF essentially depends on the seamless interaction of the WAF with all other components of the application infrastructure. These include both obvious issues, such as understanding of and appropriate response to error and alarm messages originating from the WAF, as well as aspects such as the modification of the WAF rule set in conjunction with changes to the applications being protected. To fully exploit the opportunity presented by a WAF as a central service point, for instance for secure session management, positive collaboration with application development is required.
In other words: in order to fully exploit the potential of a WAF, it is not sufficient to view the WAF solely as an infrastructure component.
For this reason, we propose the new role of a WAF application manager for each application, in addition to the role of a WAF platform manager who, in a similar way to a network firewall platform manager, is responsible for the infrastructure-related aspects of the WAF. The WAF application manager, metaphorically speaking, represents the bridge between the WAF and the specialist application. This person must have excellent knowledge of the WAF in order to be able to configure and monitor it for each individual application. He or she must know the application well to be able to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications. An example would be managing the WAF for all web-based SAP systems, whilst the shop system is managed by another WAF application manager.
A detailed description of the proposed role model can be found in appendix A8.3.
A7.3 Iterative procedure for implementation: from basic security to full protection
An iterative procedure has been tried and trusted as best practice in the implementation and operation of WAFs.
A7.3.1 Step 1: Specification of role distribution / inclusion of application development
First the responsibilities need to be defined, ideally on the basis of the role concept presented above. If the web application development is being carried out in-house, this needs to be integrated into the process as early on as possible. This means that all applications not yet in production use the central functions of the WAF as soon as possible, which increases security and saves time and money. In addition, possible obstacles on the personal level can also be overcome at an early stage.
A7.3.2 Step 2: Basic protection for all web applications
Regardless of the characteristics of the web application in question, basic protection, normally implemented as blacklisting, is activated first. Initial evaluations normally show the first successful protection measures, or show false positives, i.e. rules are set too strictly. At the same time this phase serves as training for the organisational processes.
A7.3.3 Step 3: Creating a priority list of all existing web applications
The principle for this list of priorities can be the measure of the access to the web application according to the checklist in appendix A8.1, in addition to higher-level criteria such as a loss of reputation, etc.
A7.3.4 Further steps: Full protection of the web applications according to priority
Web applications are fully protected from outside attack with whitelist rule sets in a step-by-step process according to the priority list. This is normally supported by a learning mode in the WAF or a source code review / penetration test. The WAF application manager, in collaboration with the specialist application manager, ensures the full availability of the application at all times, including during a conversion of the rule set.
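The learning mode and the false positives referred to in steps 2 and 4 above, shown as a constructed example added here (it is not part of the OWASP document or of any WAF product): per-parameter whitelist rules are derived from known-good traffic and then enforced, and a legitimate but unlearned value ("O'Brien") is rejected, which is exactly the false positive the WAF application manager has to analyse. Paths, parameter names and the character classes are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Value classes from narrowest to most permissive (constructed); the learner
# widens a parameter's class only as far as the known-good traffic requires.
CLASSES = [
    ("digits", re.compile(r"^[0-9]*$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]*$")),
    ("text", re.compile(r"^[A-Za-z0-9 _.,@-]*$")),
    ("any", re.compile(r"^.*$", re.S)),
]

def learn(samples):
    """Learning mode: derive {(path, param): (class_index, max_len)} from
    requests assumed to be clean (e.g. recorded during a test cycle)."""
    rules = {}
    for path, query in samples:
        for name, value in parse_qsl(query, keep_blank_values=True):
            idx, max_len = rules.get((path, name), (0, 0))
            while not CLASSES[idx][1].match(value):
                idx += 1
            rules[(path, name)] = (idx, max(max_len, len(value)))
    return rules

def check(rules, path, query):
    """Enforcement: return the whitelist violations ([] = allowed). Anything
    not learned is rejected; that is both the protection and the false-positive risk."""
    violations = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = rules.get((path, name))
        if rule is None:
            violations.append(f"{path}: unknown parameter {name!r}")
            continue
        idx, max_len = rule
        cls_name, cls_re = CLASSES[idx]
        if not cls_re.match(value):
            violations.append(f"{path}: {name!r} is not {cls_name}")
        elif len(value) > max_len:
            violations.append(f"{path}: {name!r} longer than {max_len}")
    return violations

# Constructed known-good traffic recorded in learning mode.
LEARNING_TRAFFIC = [
    ("/search", "q=summer+shoes&page=1"),
    ("/search", "q=blue.jeans&page=12"),
    ("/login", "user=alice_01"),
]
RULES = learn(LEARNING_TRAFFIC)

if __name__ == "__main__":
    for path, query in [("/search", "q=red+hat&page=3"),      # allowed
                        ("/search", "q=O%27Brien&page=2"),    # false positive
                        ("/search", "page=1&debug=true"),     # unknown parameter
                        ("/login", "user=" + "a" * 40)]:      # too long
        print(path, query, "->", check(RULES, path, query) or "allowed")
```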
A8 Appendices
A8.1 Checklist: Access to a web application from a security standpoint
The following checklist can be used to evaluate the access that a company has to the web application. Access to a web application gets better as more points are accumulated.
Criterion / Points / Comment

Documentation complete (2 points)
The documentation for the application is complete in such detail that potential vulnerabilities relating to security can be detected and rectified. This especially pertains to the documentation of the architecture and the source code.
Comment: Especially important is a detailed documentation of the architecture, as well as a description of the interfaces between the individual components and a description of the validations taking place on these interfaces. Documentation on this level of detail is normally not available.

Developers available (3 points)
The developers who originally designed and implemented the application are still available for modifications.

Maintenance contracts for all components (5 points)
There are contracts covering the rectification of errors or, with open source components, there is an active community continuing the development, for all components of the application (web server, application server, database, etc.) and the application itself.
Comment: No maintenance contract, no possibility for bug fixes.

Error rectification times by the manufacturer are short (3 points)
The response times from the manufacturer from the reporting of an error to delivery of a patch are less than a week for critical errors. These can either be error rectification times based on contracts or empirical error rectification times, e.g. for open source products.
Comment: Important, but only helps to a limited extent.

Automated tests exist (1 point)
There are automated tests for quality assurance of the application representing a high degree of test coverage, and they are used with new releases.
Comment: Tests tend to check whether the required functionality is available. Security in this context means that undesirable functionality is not present; such tests therefore do not normally accomplish much.

Source code analysis has been completed (3 points)
In past development and ongoing development of the application, an automated source code analysis (white box test) is carried out with the focus on application security.
Comment: The analysis must be carried out by a specialist, regardless of whether it is automated or carried out by external experts.

Low complexity (1 point)
Fewer than 1000 hours have been spent purely on implementing the application (not including project management) in the development phase.
Comment: Based on experience, complexity is best measured using the time spent on implementing the application. Lines of code or function points provide very different results, depending on who is doing the counting. Ideally, it would be better to consider the complexity of the architecture, not the time spent on implementation.

Central controller present (3 points)
The architecture of the application includes a central controller which processes all the inputs and outputs of the application (MVC).

Security framework is used (4 points)
The application uses a security framework that, among other things, provides validators/filters for input and output.
Comment: This means mainly that the developers have considered security aspects as important. Certainly a very positive and important issue, see last point.

Security audit has been carried out (2 points)
A security audit / penetration test has been carried out against the application and all vulnerabilities detected in the audit have been rectified.

Developers have been trained in secure programming and are experienced (5 points)
Comment: Trained developers are always the most important thing!
A8.2 Role model when operating a WAF
The role model described here should be implemented primarily when the WAF carries out tasks in the context of whitelisting described in this document, in order to protect the web applications, in addition to functioning as a second line of defence and basic security. It should therefore be configured as closely as possible to the functionality of the web application.
The introduction of a WAF is normally carried out as part of a project. The decisive factor for a long-term, successful operation of a WAF, however, is a role model in which the responsibilities of all parties involved are defined in the overall software development cycle. A WAF has both characteristics of an infrastructure component, and its behaviour is also highly specific to the application. Its configuration and behaviour can even vary considerably between different releases of the same application. The configuration of a WAF is much more complex than that of a traditional firewall. To put it simply, it no longer suffices to configure a single IP for an application; instead each input field of that application has to be configured.
In larger IT organisations, operation of the network, to which the firewall belongs, and of the applications is carried out by different organizational units, sometimes even by different companies. Most operating concepts follow this organizational separation with a role concept which makes a clear distinction between tasks on the infrastructure level (network and operating system) and on the application level.
As with a firewall, the role of a WAF platform manager is required, who is responsible for the operational aspects of the WAF. We are proposing the new role of a WAF application manager, whose responsibilities lie between the WAF and the individual application. An application manager is still required. This manager is not required to have a deeper understanding of the WAF, however.
The WAF application manager is the bridge between the WAF and the specialist application. This person must have excellent knowledge of the WAF to be able to configure it and monitor it for the individual application. He or she must know the application well to be able to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications. An example would be maintaining the WAF for all web-based SAP systems, whilst the shop system is maintained by another WAF application manager.
This means that, on the one hand, the specific requirements for the secure and efficient operation of a WAF are taken into account, and on the other hand, the traditional roles of infrastructure or platform manager and application manager remain unchanged within highly structured organisations.
A8.3 The individual roles
A8.3.1 WAF platform manager
Tasks:
- Planning of the operational architecture of the WAF
- Responsibility for operation and support of the WAF, including capacity planning
- Allocation of URLs to individual applications
- Patch and version management of the WAF
- Management and administration of the WAF application manager(s)
Knowledge:
- Knowledge of the WAF, its operation, administration and the authorisation concept
A8.3.2 WAF application manager (per application)
Tasks:
- Implementation and maintenance of the WAF configuration specific to the application
- Monitoring and analysis of the log files (at least on the second level)
- Contact for error messages, in particular false positives analysis in collaboration with the application manager
- Close cooperation with the WAF application managers and platform managers
- Test of WAF functionalities for the application, especially when deploying new versions of the application
Knowledge:
- In-depth knowledge of the WAF configuration in relation to application-specific security mechanisms
- Very good knowledge of the behaviour of the application, in particular input, output, uploads, downloads, character sets, etc.
A8.3.3 Application manager
- Operation or development of the application to be protected
- Knowledge of the application architecture and the input fields; provides these to the WAF application manager.
Retrieved from "https://www.owasp.org/index.php?title=Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls&oldid=195425"
This page was last modified on 28 May 2015, at 09:34. Content is available under a Creative Commons 3.0 License unless otherwise noted.