Category_OWASP Best Practices_ Use of Web Application Firewalls - OWASP

3/6/2015 Category:OWASPBestPractices:UseofWebApplicationFirewallsOWASP

https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls 1/24

Category:OWASPBestPractices:UseofWebApplicationFirewallsFromOWASP

[edit]

Abstract

Webapplicationsofallkinds,whetheronlineshopsorpartnerportals,haveinrecentyearsincreasinglybecomethetargetofhackerattacks.Theattackersareusingmethodswhicharespecificallyaimedatexploitingpotentialweakspotsinthewebapplicationsoftwareitselfandthisiswhytheyarenotdetected,orarenotdetectedwithsufficientaccuracy,bytraditionalITsecuritysystemssuchasnetworkfirewallsorIDS/IPSsystems.OWASPdevelopstoolsandbestpracticestosupportdevelopers,projectmanagersandsecuritytestersinthedevelopmentandoperationofsecurewebapplications.Additionalprotectionagainstattacks,inparticularforalreadyproductivewebapplications,isofferedbywhatisstillaemergingcategoryofITsecuritysystems,knownasWebApplicationFirewalls(hereinafterreferredtosimplyasWAF),oftenalsocalledWebApplicationShieldsorWebApplicationSecurityFilters.

Oneofthecriteriaformeetingthesecuritystandardofthecreditcardindustrycurrentlyinforce(PCIDSSPaymentCardIndustryDataSecurityStandardv.1.1)forexample,iseitheraregularsourcecodereviewortheuseofaWAF.

Thedocumentisaimedprimarilyattechnicaldecisionmakers,especiallythoseresponsibleforoperationsandsecurityaswellasapplicationowners(specialistdepartment,technicalapplicationmanagers)evaluatingtheuseofaWAF.Specialattentionhasbeenpaidwhereverpossibletothedisplayofworkestimatesincludingincomparisontopossiblealternativessuchasmodificationstothesourcecode.

InadditiontotheimportanceofthewebapplicationregardingturnoverorimagethetermaccesstoawebapplicationusedinthisdocumentcanbeagoodcriterioninthedecisionmakingprocessrelatingtotheuseofWAFs.Specifically,theaccesstoawebapplication,measurestheextenttowhichtherequiredchangestotheapplicationsourcecodeareactuallycarriedoutinhouse,ontime,orcanbecarriedoutbythirdparties.Asillustratedbythegraphbelow,awebapplicationtowhichthereisnoaccess,canonlybeprotectedsensiblybyaWAF(additionalbenefitoftheWAF),.Evenwithanapplicationinfullaccess,aWAFcanbeusedasacentralservicepointforvariousservicessuchassecuresessionmanagement,whichcanbeimplementedforallapplicationsequally,andasasuitablemeansforproactivesafetymeasuressuchasURLencryption

http://www.owasp.org/Image:Best_Practice_WAFchartEN.png

Main Download Terminology Licence Authors ProjectAbout



FurtherkeytopicsdiscussedinthispaperincludebestpracticesforprocessesconcerningtheinstallationandoperationofaWAFaswellasinparticularforlargercompaniesadescriptionoftheroleoftheWAFapplicationmanager.

A1Introductionandaimofthisdocument

A1.1Introduction

Whethertheonlinebranchofabank,anonlineshop,acustomer,partneroremployeeportalallofthesewebapplicationsareavailabletotheircustomersaswellastheirattackersaroundtheclockduetothealwaysonnatureoftheinternet.AttackssuchasSQLinjection,crosssitescriptingorsessionhijackingareaimedatvulnerabilitiesinthewebapplicationsitselfandnotatthoseonthenetworklevel.Forthisreason,traditionalITsecuritysystemssuchasfirewallsorIDS/IPSareeithertotallyunabletoguardagainsttheseattacksorareincapableofofferingcomprehensiveprotection.

Fromatechnicalpointofviewthefundamentalissueis,thattheweb,especiallytheHTTPprotocol,wasnotdesignedforsuchcomplexapplicationswhicharecurrentlystateoftheart.Manyvulnerabilitieshavetheiroriginhere:forexample,HTTPisnotstateful,i.e.sessionsorstatefulapplicationsmustbedefinedseparatelyandimplementedsecurely.Thesevulnerabilitiesareincreasedevenfurtherbythehighdegreeofcomplexityofthewebscripts,frameworksandwebtechnologiesfrequentlyused.



Inadditiontotherecentintroductionofindustrialstandards,e.g.thedatasecuritystandardofthecreditcardindustry(PCIDSSv1.1),securitybreachesinGermanywhichhaveonlyrecentlybeenrevealed,suchasthelossofapprox.70,000itemsofcustomerdataincl.creditcardinformationforonlineticketdealerkartenhaus.de,haveensuredanincreasedlevelofinterestinpossiblesecuritymeasuresagainstapplicationlevelattacks.

Thisdocumentcoversacategoryofsecuritysystems,theWebApplicationFirewalls(WAF),whichareespeciallywellsuitedforsecuringwebapplicationswhicharealreadyinproduction.

A1.2DefinitionofthetermWAFWebApplicationFirewall

Inthisdocument,aWAFisdefinedasasecuritysolutiononthewebapplicationlevelwhichfromatechnicalpointofviewdoesnotdependontheapplicationitself.ThisdocumentfocusesontheexpositionandevaluationofthesecuritymethodsandfunctionsprovidedbyaWAF.AspectsofthedeploymentwithintheexistingITinfrastructurewhetherasahardwareappliance,asoftwarepluginforawebserverorasanaddonforexistinginfrastructurecomponents,suchasloadbalancersornetworkfirewallsareonlycoveredinbrief.UnlikethedefinitioninWAFECitisnotassumedthataWAFhastobeavailableasaseparatehardwareapplianceinfrontofthewebserversthiscertainlydoesnotrepresentthebestimplementationoption,especiallyinlarge,fastgrowinginfrastructures.

A1.3Targetreadershipandobjective

Thedocumentisaimedprimarilyattechnicaldecisionmakers,especiallythoseresponsibleforoperationsandsecurityaswellasapplicationowners(specialistdepartment,technicalapplicationmanagers)evaluatingtheuseofaWAF.Specialattentionhasbeenpaidwhereverpossibletothedisplayofworkestimates.FurtherkeytopicsdiscussedinthispaperincludebestpracticesforprocessesconcerningtheinstallationandoperationofaWAFaswellasinparticularforlargercompaniesadescriptionoftheroleoftheWAFapplicationmanager.

A2CharacteristicsofwebapplicationswithregardtoWebApplicationSecurity

A2.1Higherlevelaspectswithintheorganization

Especiallywithinlargerorganizations,manyaspectsneedtobetakenintoaccountregardingtheimportanceofthesecurityofthewebapplicationsinoperation.

Oneofthemostimportantaspectsisthenumberofproductivewebapplicationsinthecompany.Largecompaniesoftenoperateinhouseorexternallywebapplicationsnumberinginthehundreds.Evenifaprioritisationofeachindividualwebapplicationinorderofitsrelevanceforthesuccessoftheorganizationisreasonable,itisneverthelessnecessarytoassumethatallwebapplicationsoperatedinhousedependingonthearchitecturecouldpermitanattackoninternalsystemsgiventherightattackmethods.Evenwebapplicationswhichseemtobeunimportantatfirstglanceshouldatminimumbesecuredagainstknownattacks.



Thefollowingaspectsshouldbeconsideredwhenprioritizingwebapplicationsinregardtotheirimportancefortheorganization:

Accesstopersonaldataofcustomers,partnersand/oremployeesAccesstoconfidentialinformationEssentialrequirementforthecompletionofcriticalbusinessprocessesRelevancefortheattainmentofcritical(security)certifications.

Possibleeffectsofthenonavailabilityordatalossinthewebapplicationsinclude:

Interruptionofbusinessprocesses(includingthoseofcustomersorpartners)LossofreputationDamagecompensationclaimsRevocationoflicensesLossofconfidentialinformation.

Forotheraspectssuchasrisksandcosts,seeA4.3andA6.4.

A2.2Technicalaspectsofeachofthecompanysindividualwebapplication

Thedecisionregardingsuitablesecuritymeasuresforawebapplicationessentiallydependsontherelevantphaseintheapplicationdevelopmentprocess.Thismeansthatinthedesignphasesuitabletoolsfortheimplementationaswellastestandqualityassurancetoolscanbeselectedwhereappropriatethedeveloperscanalsobetrainedinwebapplicationsecurityandtherelevanttimeframeuntilthedeploymentintoproductiveoperationcanbeextended.

Foralreadycompletedorproductiveapplications,verydifferentaspectsarerelevantwithregardtosubsequentpossiblesecuritymeasures,suchas:

CompletedocumentationofthearchitectureandthesourcecodeoravailabilityofthedevelopersofthewebapplicationMaintenancecontractsforallcomponentsoftheapplicationarchitectureShorterrorrectificationtimesbythemanufacturerofthirdpartyproductsused

Onlyiftheseaspectshavebeenmet,theapplicationcanbesecuredwithintheexistingapplicationinfrastructure,notregardingtheamountofworkinvolved.

A3OverviewofWebApplicationFirewall(WAF)features

A3.1WhereWAFsfitintotheWebApplicationSecurityfieldasawhole

Thebasicprincipleisthateverywebapplicationshouldbedevelopedassecureaspossible.Thisisbecausethelatervulnerabilityisdetectedinthelifecycleofawebapplication,thegreatertheriskofasuccessfulattack,andoftenalsotheamountofworkinvolvedincorrectingtheissue.

Inadditiontoappropriatetrainingmeasures,e.g.onthebasisoftheOWASPguidelinestheapplicationdevelopmentcanbesupportedeffectivelybytheusevarioustools.ToolssuchasStingerarenormallybasedonaframeworkJ2EEinthisexampletheyarepartoftheapplication(eveniftheycanbeaddedtocompletedapplicationsconformingtoJ2EE)and,froman



organisationalpointofview,arethusgenerallysubjecttothenormalapplicationreleasecycle.Attheircore,theyeffectivehelpdevelopersinmakingtheirapplicationmoresecure.UnlikeWAFs,theywillalwaysbepartoftheapplication,however.Thesetoolsarementionedinthisdocumentatvariouspoints,inparticularinrelationtothecomparativeamountofworkforvarioussecuritymeasures,buttheythemselvesarenotthefocusofthisdocument.

Inthedevelopmentphase,methodssuchasstaticsourcecodeanalysishelptopromptlydetectandrectifyvulnerabilitiesinthecode.Thisadditionallyincludespenetrationtests,ideallycarriedoutbyexperts,whichcoverthevulnerabilitiesintheexternalbehaviourofthewebapplicationinproductiveoperationaswell.

Inthiscontext,itistheprimaryfunctionofaWAFtosecurewebapplicationsagainstdetectedvulnerabilities,withaslittleeffortaspossible,sothattheycannotbeexploitedbyattackers.Thisisalreadyaverychallengingtaskduetothehighdegreeofcomplexityofthetypicalwebapplicationinfrastructure:webservers,applicationservers,frameworks,aswellasthetypicalcomponentsofawebapplicationsessionhandlingwithcookies,inputvalidation,etc.

ThemainaiminusingaWAFisthereforesecuringtheexisting,oftenproductivewebapplications,wheretherequiredchangeswithintheapplicationcannolongerbeimplementedorcanonlybeimplementedwithadisproportionatelylargeamountofwork.Thisappliestovulnerabilitiesinparticularwhichhavebeenrevealedviaapenetrationtestorevenviaanalysisofthesourcecode,,andespeciallyintheshorttermcannotbefixedwithintheapplication.BesidesthebasicprotectionviablacklistinginotherwordsthedescriptionofknownattackpatternsthebasicfeatureoftheWAFistheoptionofwhitelistingwhichcanbeconfiguredappropriately.Withactivewhitelisting,therulesetoftheWAFdescribestheexactbehaviouroftheapplicationtheconfigurationofsuitablewhitelistsisoftensupportedviaalearningmode.

Inaddition,severalWAFsalsoofferfunctionalitieswhichextendbeyondapurelyprotectivenatureandwhichcanthereforealsobeusedinthedesignprocessinordertoavoidunnecessarywork.TheWAFthereforebecomesacentralservicepointforcompletingtaskswhichshouldotherwisebeontheapplicationside,butwhichcanandshouldbeaddressedinthesamewayforallapplications.Examplesofthisincludesecuresessionmanagementforallapplicationsbasedoncookiestores,centralauthenticationandauthorisation,thecollectionofallrelevanterrormessagesandlogfilesortheoptionforproactivesecuritymechanismssuchasURLencryption.

ThetablebelowuseswhatarecurrentlythemostwellknownvulnerabilitiesormethodsofattackonwebapplicationstoindicatetheprotectionofferedbyWAFs.TheusualfunctionalityofaWAFisassumed,althoughnotallWAFsavailableonthemarketnecessarilyofferallthefunctionalitydescribedhere.

A3.2TypicalsecuritymechanismsofWAFsusingspecificvulnerabilitiesasexample

Thetablebelowgivespossiblesecuritymeasures(Countermeasurecolumn)fortypicalthreats,vulnerabilitiesandattacks(Problemcolumn),andintheWAFcolumn,evaluateshowwellaWAFcanprotecttheapplication.Thesymbolsindicate:

+verywellcoveredbyaWAFcannotbecovered(oronlytoasmalldegree)byaWAF



!dependentontheWAF/application/requirements=canpartiallybecoveredbyaWAF

Problem WAF Countermeasure

Cookieprotection

++!!

Cookiescanbesigned.

Cookiescanbeencrypted.

Cookiescanbecompletelyhiddenorreplaced(CookieStore)CookiescanbelinkedtotheclientIP.

Informationleakage + Cloakingfilter,outgoingpagescanbecleaned(errormessages,comments,undesirableinformation).Sessionriding(CSRF) + URLencryption/token.

Sessiontimeout !

Timeoutforactiveandinactive(idle)sessionscanbespecified(iftheWAFcanmanagethesessionsitself).

Evenifthesessionsaremanagedbytheapplication,theWAFcandetecttheseandterminatethemwiththeappropriateconfiguration.

Sessionfixation = CanbepreventediftheWAFmanagesthesessionsitself

Sessionhijacking Difficulttoprevent,althoughtheWAFcanissueanalarmintheeventofirregularities(e.g.changingIP)orterminateasessionwithchangingIP.

Fileupload + Viruscheck(generallyviaexternalsystems)viaICAPlinkedtotheWAF.

Parametertampering ++

Inadditionto/insteadofdatavalidation(seebelow),parametermanipulationcanbepreventedviaURLencryption(GET)andparameterencryption(GETandPOST).

Siteusageenforcement,meaningthepossiblesequenceofURLscanbefixedorcanbedetected

Forcedbrowsing ++

CanbepreventedviaURLencryption.

Siteusageenforcement.

Pathtraversal(URL)linkvalidation

++

CanbepreventedviaURLencryption.

Siteusageenforcement.

Pathtraversal(parameter),path + Seeparametertamperinganddatavalidation.



manipulation

Logging + Alloronlyspecific/permittedpartsofthedataofarequestandoftheconnectedtestscanbelogged.

Priv.escalation Privilegeescalationcannotbechecked,orcanonlybecheckedtoalimiteddegree,forexampleviacookie/parameterencryption.

Logicallevel ApplicationlogicgoingbeyondthevalidityofURLsandformfields,cannotnormallybecheckedbyaWAF.

Antiautomation = Automaticattackscanbepartiallydetectedandblocked(e.g.numberofrequests/timeinterval,identicalrequests,etc.).

ApplicationDoS(moderate)

==

Transactions,IPs,and/oruserscanbeblocked.

Connections,and/orsessionscanbeended.

SSL+++

WAFcanforceSSLwithpredefinedencryptionstrength(dependingontheinfrastructurescenario).

SSLterminationontheWAF,forwardingoftheSSLdata(e.g.clientcertificate)toapplication.

SSLconnectionpossiblefromWAFtoapplication.

Datavalidation(relatingtofield/content/context/appl)

+

+!

Canbetestedtoverydetaileddegree(length,constantvalue/rangeofvalues,e.g.forSELECT,characterarea)validationpossiblewithwhitelistand/orblacklist(signature).

Rulescaninpartbegeneratedautomatically.

Highdependencyonapplication,specificfields(hiddenform)orpredefinedparametersintheURLcanbeautomaticallyverifiedbytheWAFhowever.

Riskduetofalsepositives,problematicwithbusinesscriticalapplicationsinparticular.

Datavalidation(general/global) +

HTTP(w3c)conformity,aWAFconductsacanonalisationofthedatasothatitisavailabletotheapplicationinastandardisedform.

Bufferoverflow + Seedatavalidation[1]

Formatstringattack =

Canbedetectedusingdatavalidationifthecorrespondingcharactersorstringsarefiltered(difficultinpractice,aspreciseknowledgeoftheapplicationisrequiredtodothis).

Forthemajorityofthehiddeninputfields,thiscanbecarriedoutwithoutknowledgeoftheapplication.

Usingdatavalidation,onlyreflectedXSScanbedetectedand



Crosssitescripting = prevented,persistentXSScannotbedetected,DOMbasedXSSonlytobelimiteddegreeifpartoftheattackissentinparametersoftherequest.

Crosssitetracing + RestrictionoftheHTTPmethodto,forexampleGETorPOST.WebDAV + RestrictiontoonlyreadingWebDAVmethodspossibleCodeinjection(PHP,perl,java) + Seedatavalidation[1]

Commandinjection + Seedatavalidation[1]SQLinjection + Seedatavalidation[1]LDAPinjection + Seedatavalidation[1]XML/Xpathinjection + Seedatavalidation[1]

Justintimepatching(hotfixpatching) +

Usingdatavalidation(seeabove),theWAFcanprotectagainstnewlydetectedvulnerabilitiesand/orattacks(ZeroDayExploit).

HTTPresponsesplitting(HTTPsplitting) !

CanonlybedetectedusingdatavalidationinURLand/orparametersif%0d%0aisfilteredhoweverthiscanbecarriedoutonvirtuallyanyinputfieldwithoutimpairingthefunctionalityoftheapplication.

HTTPrequestsmuggling + Ispreventedviastricttestingoftheconformitytostandardsofeachrequest.

1Basicprotectionwithblacklistinggenerallysufficient,otheroptionsbecombiningblacklistingandwhitelisting

A4OverviewofbenefitsandrisksofWebApplicationFirewalls

ThespecificpotentialbenefitsofaWAFdescribedhereareexplainedindetailintheindepthoverviewinthenextchapter.Thischapterisusedprimarilyasasummaryfordecisionmakerswhoonlywanttoworkthroughthenextchapterasanoverview.

A4.1MainbenefitsofWAFs

ThemainbenefitofaWAFisthesubsequentprotectionofcompleted,productivewebapplicationsontheapplicationlevelwithareasonableamountofeffortandwithouthavingtochangetheapplicationitself.

Ontheonehand,theWAFoffersabasicprotectionagainstknownattacksorvulnerabilitiesbasedonblacklists:Thedatasecuritystandardofthecreditcardindustry(PCIDSSv.1.1)forexample,initscurrentversionprescribestheuseofaWAFasanalternativetoregularcodereviewsbyaspecialistasanadequatemeasuretoprotectwebapplications.TheWAFisthereforeasuitabletoolforattainingindustrialstandardsaswellasfulfillinglegalrequirements.



TheuseofaWAFbecomesespeciallyrelevantinthecaseofconcretevulnerabilities,forexampleuncoveredviapenetrationtestsorsourcecodereviews.Evenifitwerepossibletofixthevulnerabilityintheapplicationpromptlyandwithareasonableamountofeffort,themodifiedversioncangenerallyonlybedeployedatthenextmaintenanceinterval,often24weekslater(patchdilemma).ForaWAFwithwhitelisting,thevulnerabilitycanbefixedpromptly(hotfix),sothatitcannotbeexploitedbeforethenextscheduledmaintenance.WAFsareespeciallyfastinthisaspect,meaningtheycancollaboratewithsourcecodeanalysistools,sothatdetectedexternalvulnerabilitiescanautomaticallyresultinarecommendedrulesetfortheWAF.

AWAFisparticularlyimportantinsecuringproductivewebapplicationswhichthemselvesinturnconsistofmultiplecomponentsandwhichcannotbequicklychangedbytheoperatore.g.inthecaseofpoorlydocumentedapplicationsorregardingthirdpartyproductswithoutsufficientmaintenancecycles.AWAFistheonlyoptionforpromptlyclosingexternalvulnerabilities.

A4.2AdditionalbenefitsofWAFsdependingontheactualfunctionalityoftheproduct

ThereareotherconsiderablepotentialbenefitswhichareduetothecentralroleoftheWAF.TheerrorlocationprocessissimplifiedconsiderablyiftheWAFsupportscentralerrormessagesincontrasttoindividuallygeneratederrormessagesbyseveralapplications.ErrormessagescanthenbecentrallyevaluatedattheWAF.Thesameappliestoallaspectsofmonitoringandreporting.Asacentralservicepoint,theWAFcanimplementtaskswhichcanbesolvedinthesamewayforeveryapplication.Agoodexampleofthisissecuresessionmanagementforallapplicationsbasedoncookiestores.

ManyWAFsalsoprovideproactivesecuritymechanismssuchasURLencryptionorsiteusageenforcement,inordertominimisetheareaofattackwithaslittleeffortaspossible.Inaddition,theuseofaWAFincreasestherobustnessofawebapplicationtoexternalattacks.

WAFsofferotheradditionalbenefitsdependingonthetypeofimplementation.AhardwareapplianceinfrontofthewebserverscanoftenterminateSSLconnectionsandalsosometimeshasloadbalancercapabilities.Thiscanbedesirable,butcanalsobeprovidedbysuitablewebapplicationsecurityaddonsforproductsalreadyinuse.InhighsecurityenvironmentsDafrgibtseinenbesserenBegriff,however,theexistingsecurityguidelinesfrequentlyprohibittheterminationofSSLconnectionsinfrontofthewebserver.Inthiscase,WAFswhichareimplementedasapluginforthewebserverareespeciallywellsuited.

TheWAFcanalsoprovideaSSLterminationiftheapplicationtobeprotectedoritswebserverorapplicationserverdoesnothavethiscapability.

A4.3RisksintheuseofWAFs

NotethatchangesintheexistingIT,webandanyapplicationinfrastructurearerequiredwhenusingaWAF.DependingontheWAFsimplementatione.g.hardwareappliancevs.embeddedWAFtherearealsoadditionaltasksandrisks:

Yetanotherproxyargument(increasedcomplexityoftheITinfrastructure)Organisationaltasks(seeA8.2RolemodelwhenoperatingWAFs)



TrainingtheWAFOneachnewreleaseofthewebapplicationTesting

Falsepositives(whichmayhaveasignificantbusinessimpact)Morecomplextroubleshooting

WAFsalsohave/generateerrorsResponsibilityforsystemwideerrorsituations

AnypotentialeffectonthewebapplicationiftheWAFterminatestheapplicationsession,forexampleCosteffectiveness

A5SecurityversusOWASPTOP10acomparisonofWAFsandothermethods

ThischaptercoversthevarioussecurityoptionsforwhatisknownastheOWASPTop10vulnerabilities.Threedifferentclassesofwebapplicationsareusedasexamples:

T1:awebapplicationinthedesignphase,newapplicationT2:analreadyproductiveapplication(withMVCarchitecture),whichcanbeeasilyadaptedT3:aproductiveapplicationwhichcannotoronlywithdifficultybemodified.

Securitymeasureswithintheapplicationortheapplicationarchitectureitselfaredescribedindetailandareevaluated,basedonthesethreeclasses,eitherwiththeuseofaWAFor,alternativelybydefinitionofanappropriatesecuritypolicyThesecuritymeasuresarealsoassessedinregardtotheamountofworkrequiredfortheirimplementation.Insomeinstances,therearenotesonspecialfunctionalitiesofWAFsorassumptionsontheapplicationinfrastructureused,asthesedonotapplyglobally.

Asthetablebelowclearlyshows,especiallyinthecaseofapplicationswhichareinproduction,theuseofWAFsveryoftenrequirestheleastamountofwork..Inthecaseofapplicationswhichcannotbemodifiedorwhicharedifficulttomodify,insomeinstancestheuseofWAFsisactuallytheonlyfeasiblesecuritymeasure.

Inthetablebelow,theWorkvolumecolumnliststheestimatedamountofworkrequiredfortheapplicationtypes(T1,T2,T3),aWAForasecuritypolicy(P)inregardtothethreat(Top10column)CommentsandnotesforeachtyperegardingtheimplementationofsecuritymeasurescanbefoundintheCommentcolumn.Thecategoriesfortheworkvolumeare:

1littleworkrequired2moderateamountofworkrequired3considerableamountofworkrequirednotnormallyimplemented

Top10 Type Comment Workvolume



A1 Crosssitescripting(XSS)

T1E.g.bytheconsistentuseoftaglibs(Java),orcontrols(ASP.NET),oradditionalframeworks(PHPIDS).

1

T2

Inputencodingisdifficulttointegrate(e.g.usingOWASPStinger),usinganupstreamWAFisabettersolutionhere.For.NETapplicationsXSSfilterscanbeactivated.

3(.NET:

2)

T3 For.NETapplications,activateXSSfilters.

(.NET:2)

WAF

WAFdoesnotpermitoutputvalidationinthiscase,asitdoesnotrecognisethecontextofthedata.Thevalidationmustbecarriedoutduringtheinputphase,andmaybecorrelatedwiththeoutput

2

P

A2 Injectionflaws T1

CanbeavoidedbyusinganORmapper(e.g.Hibernate)orconsistentparameterisationofallinputs(e.g.storedproceduresorideally:preparedstatements).Otherinjectionflaws(e.g.withXML)canonlybeavoidedwithdedicatedoutputcoding,wherenecessary.

1

T2 Complicated,asprogrammodificationsarerequired. 3T3

WAF

WAFwithblacklisting:

Inprinciplecanonlysearchforspecificcharactersorcharacterstringsandpreventprocessing.Essentiallythereareproblemswiththisapproachinthedegreeofcoverageaswellaswithpossiblefilterevasionattacks(e.g.withmultiplecoding)ifnoinputnormalisationiscarriedout.Thisworksverywellwithknownattacks(e.g.SQLinjection),butcertainlylesswellwithprotocolsnotknowntotheWAForwithproprietaryprotocols.Inaddition,injectionattacksonsometypesofinputdatacanbeeffectivelypreventedusingURLencryptionandhiddenformparameterprotection.Anexampleofthisistheitemnumberinanonlineshop,whichtraditionallywouldoftenbeusedforSQLinjectionattacks,butitshouldneveractuallybepossibleforuserstomanipulatethesedirectly.

WAFwithwhitelisting:

2



Forallotherinputfields,thereisawhitelistapproach.HeretheWAFcanmakesuggestionsfortheindividualfieldsfollowingalearningphase.Thismeansthatnotall,butthemajorityoftheinputfieldscanbeprotectedagainstalltypesofinjectionattacks.

PInthecaseofSQLinjection:Specificationsfordatabaseaccesspermissions,otherwiselittleornooptions.

A3 MaliciousFileExecution

T1 Integratinguploadscannersorwhitelistingofthepermittedremoteinclusions. 2

T2 3T3

WAF

WhitelistingoftheparametersforthepermittedinclusionofURLsexternaltothesystem

inclusionofuploadscannersviaICAPprotocol

responseanalysistopreventthedisplayofcriticaldata(partiallyalsoerrormessages).

12

P Specificationsfordeploymentplatform,specificationsforaccesspermissions. 2

A4InsecureDirectObjectReference

T1

Implementationofanobjectvirtualisationisverytimeconsuming,asdatabaseobjectsarefrequentlymappedtoparametersbytheframeworksinuse(ORmapper).Protectionrequiresintensivetesting.

3

T2 PreventionofIDmanipulationgenerallynecessitatescodemodifications.Protectionrequiresintensivetesting. 3

T3

WAF ProtectionagainstIDmanipulationusingIDvirtualisationorhiddenparameterprotection. 1

P Useofimpersonationanddelegation. 3

T1 Canbesolvedusingspecificapplicationarchitecture. 1

T2 Significantamountofwork.Programchangesgenerallyrequired. 3



A5 CrosssiteRequestForgery(CSRF)

T3 WAF CanbepreventedusingpagetokenorURLencryption. 1P

A6.1 InformationLeakage

T1 Toolsupportedtestingwithhightestcoverageandrelevantfocus. 2

T2 Toolsupportedtestingwithhightestcoverageandrelevantfocus. 2

T3

WAF

Automaticfilteringofcommentspossible.Siteusageenforcementcanpreventaccesstoexistingbutunpublished(unlinked)documents.TraditionalexamplesarebackupfilesonthewebserverwhichcontaindatabasepasswordsinplaintextandwhoseURLcanbeguessedbytheattacker

12

PRequirementforprogrammersandauthorsnottoenteranycomments.Specificationsforthedesignoferrormessages.

2

A6.2 ImproperErrorHandling

T1 Canbeconfigureddeclarativelydependingontheplatform. 1

T2 Canbeconfigureddeclarativelydependingontheplatform. 1

T3 Canbeconfigureddeclarativelydependingontheplatform.1/

WAF Difficulttodetect. 2P

A7.1Broken

T1 Linkuptoacentralaccessmanagementsystemwithappropriatesecuritystandards 1

T2Linkuptoacentralaccessmanagementsystemwithappropriatesecuritystandards.Programmodificationsmayberequired.

2

T3 DependsontheabilitiesoftheWAF.AWAFcancarry



Authentication WAF outauthenticationindependentoftheapplicationandthuspermitalinkuptoacentralauthenticationinfrastructurewithoutchangingtheapplication.

2

P Specificationswithregardtopasswordcomplexity. 2

A7.2 SessionManagement

T1

Onthedesignlevel,e.g.usingsessionmanagerdesignpattern,otherwisenumerousoptions.Amountofimplementationworkpartiallydependentonapplicationserver,seealsoA7.1,ifthesessionmanagementiscarriedoutbytheaccessmanagementsystem.

2

T2

Canbeintegratedcentrallytoalargeextent(usingfilters,listenersorhardenedserverconfiguration)nevertheless,alargeamountofworkinsomeplacesseealsoA7.1,ifthesessionmanagementiscarriedoutbytheaccessmanagementsystem.

23

T3 Dependsonapplicationserver,partiallyconfigurable

WAF Hardeningofinsecuresessionmanagementpossibleviavarioustechniques(e.g.pagetokens). 1

P

A8InsecureCryptographicStorage

T1 UseofcryptoAPIs. 1

T2 UseofcryptoAPIs.Subsequentimplementationrequiresnumerousprogrammodifications. 3

T3 WAF P Specificationsforsavingsensitivedata.

T1 Canbeconfigureddeclarativelyintheapplicationorwebserver. 1



A9 InsecureCommunications

T2Canbeconfigureddeclarativelyintheapplicationorwebserver.VeryhighamountofworkifURLschema(HTTP)hasbeenhardcoded.

1/

T3Canbeconfigureddeclarativelyintheapplicationorwebserver(ifthereisaccess).NotpossibleifURLschema(HTTP)hasbeenhardcoded.

1/

WAF CansecureHTTPapplicationsusingHTTPS. 1P

A10FailuretoRestrictURLAccess

T1Useofafrontcontrollerwithgateway.Codemuststillcheckuserassignmentviatheprogramatvariouspoints(e.g.intheservice).Gapspossible.

12

T2

Differsdependingontheapplication.URLaccesspermissionscanbeconfigureddeclarativelywithJ2EEand.NET.PreventionofIDmanipulationgenerallynecessitatescodemodifications.

23

T3Differsdependingontheapplication.URLaccesspermissionscanbeconfigureddeclarativelywithJ2EEand.NET.

3

WAF

PagetokensorURLencryptioncanbeusedtorestrictuserstopagesreceivedfromtheapplicationaslinks.Theapplicationmustnotdisplayprotectedlinks,however(limitedaccesspattern).Withsiteusageenforcement,theusercanonlyaccesslinkedcontent.SpecificURLs/subtreescanalsobeexcludedviawhitelist/blacklistapproaches(e.g.onlyallowaccessfor*.html,*.php,*.gif,*.jpgbutnotfor*.bakorotherextensions).

1

A6CriteriafordecidingwhetherornottouseaWAF

A6.1Organizationwidecriteria

Corecriteriainthisareaare:



Importanceofthewebapplication(s)forthesuccessoftheorganization(proportionalturnover,reputation)Importanceofthelossofdataofthewebapplication(customerdata,confidentialinformation,reputation)NumberofwebapplicationsBasiclegalconditionsorindustrialstandardsComplexityOperatingcostsPerformanceScalability

A6.2Criteriawithregardtoawebapplication

Thetermofaccesstothewebapplicationisintroducedandexplainedbelow.ThechecklistinappendixA8.1isusedtodeterminethedegreeofaccessindividuallyforeachwebapplication,usingapointssystem.

Theaccesstoawebapplicationcanbeusedasameasureoftheextenttowhichtheorganizationinpossessionoftheapplicationcanpromptlycarryoutorinitiateandimplementthenecessarychangestothewebapplication,inotherwordshasaccesstothesourcecodeoftheapplication.

Awebapplicationinthedesignphase(seeT1inA5)canbeconsideredasaspecialcaseofawebapplicationwithoptimumaccess.

Theotherextreme,awebapplicationwithoutaccessisanapplicationconsistingofmanyundocumentedcomponents,forexample,whosedevelopercannotbecontacted,andwhichusesthirdpartysoftwareproducts,whicharenolongermaintainedbythemanufacturer,orincaseofopensourceprojectsbythecommunity(seeT3inA5).

Importantcriteriafordeterminingthedegreeofaccesstoawebapplicationare:

CompletedocumentationofthearchitectureandthesourcecodeoravailabilityofthedevelopersofthewebapplicationMaintenancecontractsforallcomponentsoftheapplicationarchitectureShorterrorrectificationtimesbythemanufacturerforallthirdpartyproductsused(portals,frameworks,SAP,etc.).

Otherimportantcriteriaforeachwebapplicationaregiveninthechecklistwhichcanbefoundintheappendix.

A6.3Evaluationandsummary

ThedegreeofaccesscanbedeterminedforeverywebapplicationusingthechecklistinappendixA8.1.Thisalsoallowstodetermineameanvalueofaccessforallthewebapplicationsofanorganizationitisimportanttonotethatapplicationswhicharecriticaltothesuccessortheimageoftheorganizationneedtoberatedaccordingly.

TheillustrationgivenbelowmaybeusefulasaguideinthedecisionmakingprocessregardingthebenefitsofusingaWAF:



http://www.owasp.org/Image:Best_Practice_WAFchartEN.png

Ifanorganizationhasfullaccesstotheirwebapplications,theuseofaWAFprimarilyprovidesareductionofthecostofoperationespeciallyduetotheadditionalbenefitsofaWAFgiveninA3asacentralservicepoint,aswellassomecomparativelyeasytoimplementsecuritymechanisms,seeA4.

Ifthereisvirtuallynoaccesstothewebapplications,theuseofaWAFisdefinitelyappropriateasthisistheonlywaythattherelevantsecuritymeasurescanbeimplemented.

WithdecreasingaccesstothewebapplicationanddependingonitsimportanceandcomplexitythebenefitsstemmingfromtheuseofaWAFgrowrapidly:fromasecondlineofdefencetotruefullprotectionofthewebapplicationfromoutsideinfluence,attainedbytheuseofwhitelisting.UsingaWAFoftenresultsintheleastadditionalworkfortherequiredsecuritylevel.

A6.4Aconsiderationofthefinancialaspects

ThecosteffectivenessoftheprocurementandtheoperationofaWAFcanbeconsideredfrommultiplepointsofview:

Avoidanceprevention?offinancialdamageresultingfromsuccessfulattacksonthewebapplicationLowercostsforreachingthenecessaryprotectionlevelforthewebapplicationincomparisontootheroptionsSavingsviatheuseofcentralserviceswhicharemadeavailablebyaWAFformultiplewebapplications,andthereforenolongerhavetobeimplementedorconfiguredinevery



application.

Whenprotectingapplicationswithinsufficientaccess(seeA6.2),butwhichstillneedtobeprotected,thecostsofaWAFcaneitherbeviewedasastrategicinvestment,orwhererealistic,setagainstthecostsofreplacingtheapplicationinquestion.

ThecostsofusingaWAFnormallyconsistofthefollowingcomponents:

LicencecostsLicenceupdates/softwaresupportProjectcostsforevaluatingandintroducingaWAF(Partial)costsforoperatingthenecessaryplatformPersonnelcostsfortheWAFapplicationmanager(s)TimerequiredinprojectsforcoordinationwiththeWAFapplicationmanager.

A7BestpracticesforintroducingandoperatingaWAF

A7.1Aspectsoftheexistingwebinfrastructure

A7.1.1Centralordecentralinfrastructurepredictablechanges

ItisessentialtonotethatitstheWAFthatneedstobeintegratedintotheexistingWebinfrastructureanditsplannedorforeseeablechangesandnottheinfrastructurewhichneedstobefundamentallychangedduetotheimplementationofaWAF.

Accordingly,aWAFcanbeinstalledinacentralinfrastructurewhichisnotpredictedtochange,asacentralinfrastructurecomponent,e.g.asahardwareappliancewhereaswithaninfrastructurewhichisstilldecentral,butwhichmaybegrowingquicklyforexamplealargeonlineshopadistributedWAFapproach,e.g.asapluginintotheexistingwebservers,ismoreappropriate.Withregardtotheinfrastructureaspects,thoseWAFproductsareparticularlyflexible,whichcombineanessentiallydistributedimplementationapproachwithacentraladministrationpointandthereforeofferthebenefitsofbothscenarios.

Whatisworthmentioningandbecomingincreasinglyimportantwithregardtoprobablefuturedevelopmentsistheoptionofhardenedinfrastructuresusingvirtualisation.WhenselectingtheWAF,itisparticularlyimportantthattheWAFcanalsobeintegratedseamlesslyintoavirtualisedapproach.

A7.1.2Performancecriteria

Withregardtotechnicalperformance,itisnecessarytoensurethattherequiredWAFinfrastructuresupportsthemainkeyperformanceindicatorsoftheexistingwebinfrastructure.StatementswhichpurelyrefertotheGBthroughputofhardwareshouldnotbetakenatfacevalue,asthegivennumbersareoftennotachievableinpractice.Whatismoreimportantarethetypicalkeyperformanceindicatorsofawebapplicationsuchasthenumberofsimultaneoususersoftheapplicationandonthatbasis,thenumberofHTTPrequestspertimeunitonaverageandatpeakloadtimes.Itshouldbenotedthatmanyapplicationshavehighloadphaseswhichoccuronlyrarely,e.g.duringtheChristmasseasonforanonlineshop.



A7.2Organisationalaspects

A7.2.1Conformingtoexistingsecuritypolicies

Asfaraspossible,existingsecuritypoliciesshouldnothavetobechangedduetotheimplementationofaWAF.

AtypicalexampleisSSLterminationinfrontofthewebservers.Thisisoftendenied,inparticularinhighsecurityAndersWortinfrastructures,bytheexistingsecurityguidelinesThispolicycanbemaintainedbytheuseofasuitableWAF,asapluginonthewebserverwiththeSSLterminationstillsubsequentlybeingcarriedoutinthewebserver.

A7.2.2Newrolemodel:WAFapplicationmanager

Aftertheoneofftaskofcommissioning,thesubsequentsuccessfuluseofaWAFessentiallydependsontheseamlessinteractionoftheWAFwithallothercomponentsoftheapplicationinfrastructure.TheseincludebothobviousissuessuchasunderstandingofandappropriateresponsetoerrorandalarmmessagesoriginatingfromtheWAF,aswellasaspectssuchasthemodificationoftheWAFrulesetinconjunctionwithchangestotheapplicationsbeingprotected.TofullyexploittheopportunitypresentedbyaWAFasacentralservicepointforinstanceforsecuresessionmanagement,positivecollaborationwithapplicationdevelopmentisrequired.

Inotherwords:InordertofullyexploitthepotentialofaWAF,itisnotsufficienttoviewtheWAFsolelyasaninfrastructurecomponent.

Forthisreason,weproposethenewroleofaWAFapplicationmanagerinadditiontotheroleofaWAFplatformmanager,whoinasimilarwaytoanetworkfirewallplatformmanagerisresponsiblefortheinfrastructurerelatedaspectsoftheWAFforeachapplicationDerSatzisterstnachdemdrittemlesenhalbwegsverstandlichwhichmetaphoricallyspeakingrepresentsthebridgebetweentheWAFandthespecialistapplication.ThispersonmusthaveexcellentknowledgeoftheWAFinordertobeabletoconfigureandmonitoritforeachindividualapplication.HeorshemustknowtheapplicationwelltobeabletoclassifyandinterpretmessagescomingfromtheWAF.AWAFapplicationmanagerwillnormallymaintaintheWAFconfigurationformultipleapplications.AnexamplewouldbemanagingtheWAFforallwebbasedSAPsystems,whilsttheshopsystemismanagedbyanotherWAFapplicationmanager.

AdetaileddescriptionoftheproposedrolemodelcanbefoundinappendixA8.3.

A7.3Iterativeprocedureforimplementationfrombasicsecuritytofullprotection

AniterativeprocedurehasbeentriedandtrustedasbestpracticeintheimplementationandoperationofWAFs.

A7.3.1Step1:Specificationofroledistribution/inclusionofapplicationdevelopment



Firsttheresponsibilitiesneedtobedefined,ideallyonthebasisoftheroleconceptpresentedabove.Ifthewebapplicationdevelopmentisbeingcarriedoutinhouse,thisneedstobeintegratedintotheprocessasearlyonaspossible.ThismeansthatallapplicationsnotyetinproductionusethecentralfunctionsoftheWAFassoonaspossible,whichincreasessecurityandsavestimeandmoney.Inaddition,possibleobstaclesonthepersonallevelcanalsobeovercomeatanearlystage.

A7.3.2Step2:Basicprotectionforallwebapplications

Regardlessofthecharacteristicsofthewebapplicationinquestion,basicprotection,normallyimplementedasblacklisting,isactivatedfirst.Initialevaluationsnormallyshowthefirstsuccessfulprotectionmeasures,orshowfalsepositivesi.e.rulesaresettoostrictlyAtthesametimethisphaseservesastrainingfortheorganisationalprocesses.

A7.3.3Step3:Creatingaprioritylistofallexistingwebapplications

TheprincipleforthislistofprioritiescanbethemeasureoftheaccesstothewebapplicationaccordingtothechecklistinappendixA8.1,inadditiontothehigherlevelcriteriasuchasalossofreputation,etc..

A7.3.4Furthersteps:Fullprotectionofthewebapplicationsaccordingtopriority

Webapplicationsarefullyprotectedfromoutsideattackwithwhitelistrulesetsinastepbystepprocessaccordingtotheprioritylist.ThisisnormallysupportedbyalearningmodeintheWAForasourcecodereview/penetrationtest.TheWAFapplicationmanager,incollaborationwiththespecialistapplicationmanager,ensuresthefullavailabilityoftheapplicationatalltimes,includingduringaconversionoftheruleset.

A8Appendices

A8.1Checklist:Accesstoawebapplicationfromasecuritystandpoint

Thefollowingchecklistcanbeusedtoevaluatetheaccessthatacompanyhastothewebapplication.Accesstoawebapplicationgetsbetter,asmorepointsareaccumulated.

Criterion Points Comment

DocumentationcompleteThedocumentationfortheapplicationiscompleteinsuchdetail,thatpotentialvulnerabilitiesrelatingtosecuritycanbedetectedandrectified.Thisespeciallypertainstothedocumentationofthearchitectureandthesourcecode

2

Especiallyimportantisadetaileddocumentationofthearchitecture,aswellasadescriptionoftheinterfacesbetweentheindividualcomponentsandadescriptionofthevalidationstakingplaceontheseinterfaces.Documentationonthislevelofdetailisnormallynotavailable.

Developersavailable



Thedeveloperswhooriginallydesignedandimplementedtheapplicationarestillavailableformodifications.

3

MaintenancecontractsforallcomponentsTherearecontractscoveringtherectificationoferrorsorwithopensourcecomponents,thereisanactivecommunitycontinuingthedevelopmentforallcomponentsoftheapplication(webserver,applicationserver,database,etc.)andtheapplicationitself.

5 Nomaintenancecontract,nopossibilityforbugfixes.

Errorrectificationtimesbythemanufacturerareshort.

Theresponsetimesfromthemanufacturerfromthereportingofanerrortodeliveryofapatcharelessthanaweekforcriticalerrors.Thesescaneitherbeerrorrectificationtimesbasedoncontractsorempiricalerrorrectificationtimes,e.g.foropensourceproducts.

3 Important,butonlyhelpstoalimitedextent.

AutomatedtestsexistThereareautomatedtestsforqualityassuranceoftheapplicationrepresentingahighdegreeoftestcoverageandtheyareusedwithnewreleases.

1

Teststendtocheckwhethertherequiredfunctionalityisavailable.Securityinthiscontextdoesmeanthattheundesirablefunctionalityisnotpresent>thisdoesnotnormallyaccomplishmuch.

Sourcecodeanalysishasbeencompletedinpastdevelopmentandongoingdevelopmentoftheapplication,anautomatedsourcecodeanalysis(whiteboxtest)iscarriedoutwiththefocusonapplicationsecurity.

3

Theanalysismustbecarriedoutbyaspecialist,regardlessofwhetheritisautomatedorcarriedoutbyexternalexperts.

Lowcomplexity

Fewerthan1000hourshavebeenspentpurelyonimplementingtheapplication(notincludingprojectmanagement)inthedevelopmentphase.

1

Basedonexperience,complexityisbestmeasuredusingthetimespentonimplementingtheapplication.Linesofcodeorfunctionpointsprovideverydifferentresults,dependingonwhoisdoingthecounting.Ideally,itwouldbebettertoconsiderthecomplexityofthearchitecture,notthetimespentonimplementation.

CentralcontrollerpresentThearchitectureoftheapplicationincludesacentralcontroller,whichprocessesalltheinputsandoutputsoftheapplication(MVC).

3

SecurityframeworkisusedTheapplication Thismeansmainlythatthedevelopers



usesasecurityframeworkthat,amongotherthings,providesvalidators/filtersforinputandoutput..

4 haveconsideredsecurityaspectsasimportant.Certainlyaverypositiveandimportantissue,seelastpoint.

SecurityaudithasbeencarriedoutAsecurityaudit/penetrationtesthasbeencarriedoutagainsttheapplicationandallvulnerabilitiesdetectedintheaudithavebeenrectified.

2

Developershavebeentrainedinsecureprogrammingandareexperienced. 5

Alwaysthemostimportantthingaretraineddevelopers!

A8.2RolemodelwhenoperatingaWAF

TherolemodeldescribedhereshouldbeimplementedprimarilywhentheWAFcarriesouttasksinthecontextofwhitelistingdescribedinthisdocument,inordertoprotectthewebapplications,inadditiontofunctioningasasecondlineofdefenceandbasicsecurity.Itshouldthereforebeconfiguredascloselyaspossibletothefunctionalityofthewebapplication.

TheintroductionofaWAFisnormallycarriedoutaspartofaproject.Thedecisivefactorforalongterm,successfuloperationofaWAF,however,isarolemodelinwhichtheresponsibilitiesofallpartiesinvolvedaredefinedintheoverallsoftwaredevelopmentcycle.AWAFhasbothcharacteristicsofaninfrastructurecomponent,anditsbehaviourisalsohighlyspecifictotheapplication.Itsconfigurationandbehaviourcanevenvaryconsiderablybetweendifferentreleasesofthesameapplication.TheconfigurationofaWAFismuchmorecomplexthanthatofatraditionalfirewall.Toputitsimply,itnolongersufficestoconfigureasingleIPforanapplication,insteadeachinputfieldofthatapplicationhastobeconfigured.

InlargerITorganisations,operationofthenetwork,towhichthefirewallbelongs,andoftheapplications,iscarriedoutbydifferentorganizationalunits,sometimesevenbydifferentcompanies.Mostoperatingconceptsfollowthisorganizationalseparationwitharoleconceptwhichmakesacleardistinctionbetweentasksontheinfrastructurelevel(networkandoperatingsystem)andontheapplicationlevel.

Aswithafirewall,theroleofaWAFplatformmanagerisrequired,whoisresponsiblefortheoperationalaspectsoftheWAF.WeareproposingthenewroleofaWAFapplicationmanagerwhoseresponsibilitiesliebetweentheWAFandtheindividualapplication.Anapplicationmanagerisstillrequired.ThismanagerisnotrequiredtohaveadeeperunderstandingoftheWAF,however

TheWAFapplicationmanageristhebridgebetweentheWAFandthespecialistapplication.ThispersonmusthaveexcellentknowledgeoftheWAFtobeabletoconfigureitandmonitoritfortheindividualapplication.HeorshemustknowtheapplicationwelltobeabletoclassifyandinterpretmessagescomingfromtheWAF.AWAFapplicationmanagerwillnormallymaintaintheWAFconfigurationformultipleapplications.AnexamplewouldbemaintainingtheWAFforallwebbasedSAPsystems,whilsttheshopsystemismaintainedbyanotherWAFapplicationmanager.

Thismeansthat,ontheonehandthespecificrequirementsforthesecureandefficientoperationofaWAFaretakenintoaccount,andontheotherhand,thetraditionalrolesofinfrastructureorplatformmanagerandapplicationmanagerremainunchangedwithinhighlystructuredorganisations.



Pagesincategory"OWASPBestPractices:UseofWebApplicationFirewalls"

A8.3Theindividualroles

8.3.1WAFplatformmanager

Tasks:

PlanningoftheoperationalarchitectureoftheWAFResponsibilityforoperationandsupportoftheWAF,includingcapacityplanningAllocationofURLstoindividualapplicationsPatchandversionmanagementoftheWAFManagementandadministrationoftheapplicationmanagerWAF

Knowledge:

KnowledgeoftheWAF,itsoperation,administrationandtheauthorisationconcept

8.3.2WAFapplicationmanager(perapplication)

Tasks:

ImplementationandmaintenanceoftheWAFconfigurationspecifictotheapplicationMonitoringandanalysisofthelogfiles(atleastonthesecondlevel)Contactforerrormessages,inparticularfalsepositivesanalysisincollaborationwiththeapplicationmanagerClosecooperationwiththeWAFapplicationmanagersandplatformmanagersTestofWAFfunctionalitiesfortheapplication,especiallywhendeployingnewversionsoftheapplication

Knowledge:

IndepthknowledgeoftheWAFconfigurationinrelationtoapplicationspecificsecuritymechanismVerygoodknowledgeofthebehaviouroftheapplication,inparticularinput,output,uploads,downloads,charactersets,etc.

8.3.3Applicationmanager

OperationordevelopmentoftheapplicationtobeprotectedKnowledgeoftheapplicationarchitectureandtheinputfields,providesthesetotheWAFapplicationmanager.



Thefollowing2pagesareinthiscategory,outof2total.

B

BestPractices:WebApplicationFirewalls

O

Projects/OWASPBestPractices:UseofWebApplicationFirewalls/Releases/UseofWebApplicationFirewallsv1.0.5/Assessment

Retrievedfrom"https://www.owasp.org/index.php?title=Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls&oldid=195425"Categories: OWASPProject OWASPBestPractices OWASPDocument OWASPDownloadOWASPWAF OWASPBuilders OWASPDefenders SAMMEH3 GermanyOWASPAlphaQualityDocument HowTo

Thispagewaslastmodifiedon28May2015,at09:34.Thispagehasbeenaccessed126,214times.ContentisavailableunderaCreativeCommons3.0Licenseunlessotherwisenoted.

Documents

Category_OWASP Best Practices_ Use of Web Application Firewalls - OWASP