How to Operationalize Web Application Security

Persistent Threat Management is an operational model that eliminates the "man-in-the-middle" bottleneck that prevents the scalability of web application security solutions vital to preventing today's pervasive attacks from succeeding.

by Lori MacVittie
Sr. Technical Marketing Manager

White Paper


Contents

The Threat from the Outside
The Threat from the Inside
The Persistent Threat Management Model
F5 and Persistent Threat Management
Dynamic Application Security Testing Solutions
F5 BIG-IP Application Security Manager (ASM)
Persistent Threat Management Solutions
Conclusion


The Threat from the Outside

"2011 continued the shift towards external agents' involvement in a high percentage of data breaches. Though we have always seen an external majority, never before has any year been so one-sided."[1]

In 2011, attacks by external agents grew 6 percent over previous years, comprising 98 percent of all breaches documented by the Verizon Business 2011 Data Breach Investigations Report (DBIR). While many attacks continue to focus on network and systems security, DBIR data points to web application security as an area of increasing concern, with nearly 40 percent of breaches being due to web application issues.

More than half of the most frequent attacks cited by organizations in a September 2011 Applied Research[2] survey were against web applications. Half of those attacks are on the well-known OWASP Top Ten list: cross-site scripting (XSS), SQL injection (SQLi), and cross-site request forgery (CSRF). These attacks are well understood, as are their respective proven methods of prevention.

| Vulnerability              | Likelihood of site to have vulnerability | Frequency seen | Web transactions per day | Percentage chance of a breach (daily) |
|----------------------------|------------------------------------------|----------------|--------------------------|---------------------------------------|
| Cross-site scripting (XSS) | 64%                                      | 43%            | 2873                     | 27%                                   |
| SQL injection              | 14%                                      | 42%            | 2873                     | 6%                                    |
| Information leakage        | 64%                                      | 41%            | 2873                     | 26%                                   |

Sources: WhiteHat Website Security Statistics Report; Applied Research, September 2011; Google Analytics Benchmarks 2011.

Possibility = (TX * V% * F%) / TX

Figure 1: If a vulnerability exists, there is a chance it will be exploited. The higher the volume of a site, the higher the risk.
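The arithmetic behind Figure 1, as an added example that is not part of the white paper: it evaluates the page's formula for the three rows of the table and then ranks (site, vulnerability) pairs by expected daily attempts, which is where the caption's claim that a higher-volume site carries higher risk becomes visible. The per-site transaction volumes in it are constructed, and reading the numerator TX * V% * F% as the expected number of exploit attempts per day is this example's assumption, not a statement the page makes.

```python
"""Daily breach chance and exposure ranking from the Figure 1 inputs.

Added example, not part of the white paper. V% and F% are the Figure 1 table
values; the site volumes are constructed, and reading TX * V% * F% as
'expected exploit attempts per day' is this example's assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VulnClass:
    name: str
    likelihood: float  # V%: share of sites carrying this vulnerability
    frequency: float   # F%: share of organizations seeing this attack


# The three rows of Figure 1, as fractions.
FIGURE_1 = (
    VulnClass("Cross-site scripting (XSS)", 0.64, 0.43),
    VulnClass("SQL injection", 0.14, 0.42),
    VulnClass("Information leakage", 0.64, 0.41),
)
TX_PER_DAY = 2873  # Google Analytics 2011 benchmark figure used in Figure 1


def breach_chance(vuln: VulnClass, tx: int = TX_PER_DAY) -> float:
    """Possibility = (TX * V% * F%) / TX, exactly as the page writes it.

    TX cancels, so the daily chance depends only on V% and F%; keeping the
    page's form makes that visible instead of hiding it.
    """
    return (tx * vuln.likelihood * vuln.frequency) / tx


def expected_attempts(vuln: VulnClass, tx: int) -> float:
    """Assumption: the numerator TX * V% * F% is the expected number of
    transactions per day that are exploit attempts against this class."""
    return tx * vuln.likelihood * vuln.frequency


def rank_exposure(sites: dict[str, int], classes=FIGURE_1) -> list[tuple[str, str, float]]:
    """Rank (site, vulnerability) pairs by expected daily attempts, highest first.

    The chance per transaction is the same for every site; the volume is what
    separates a busy site from a quiet one.
    """
    rows = [(site, v.name, expected_attempts(v, tx))
            for site, tx in sites.items() for v in classes]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    # Constructed example volumes: a busy storefront and a low-traffic portal.
    sites = {"storefront": 50_000, "partner-portal": 900}
    for v in FIGURE_1:
        print(f"{v.name:28s} daily chance {breach_chance(v):.1%}")
    for site, name, attempts in rank_exposure(sites):
        print(f"{site:15s} {name:28s} ~{attempts:8.1f} attempts/day")
```

The computed chances (27.5%, 5.9%, 26.2%) match the table's rounded 27%, 6%, and 26% to within a percentage point, so the table is reproducible from V% and F% alone.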

Such attacks are persistent and frequent, fueled by massive botnets and automation. Organizations cannot prevent these attacks from being launched in the first place. While advice abounds on preventing an attack by hacktivists for reasons other than profit or fame, nothing short of cutting the hard line to the Internet can definitively stop external agents from launching attacks.

The responsibility of security operations is to prevent those attacks from succeeding. This, too, unfortunately, is an increasingly difficult task. While the benefits of using web application security solutions to detect and prevent the success of attacks are now well understood and accepted, such solutions are still widely underutilized due to the inability to operationalize the processes required to continually scan, discover, and put into place the policies required to do so.

[1] Verizon 2012 Data Breach Investigations Report (DBIR).
[2] Study finds traditional security safeguards failing, Application Delivery Controllers viewed as an effective alternative. November 8, 2011.

The Threat from the Inside

Conventional wisdom holds that employees are the greatest risk to the security of an organization. This remains true, not necessarily because of intentional malice on the part of employees, but rather due to the inability of operations to scale at a rate equal to that of external threats.

While attackers are able to scale out thanks to scripting, automation, and a plethora of services at their command, security operations continue to struggle with processes involving manual codification and configuration. This impedes agility and degrades the security posture of an organization such that its web application presence is, on average, free from vulnerabilities for only 30 days during the year.[3]

Coupling an inability to scale with the tendency for IT to simply turn off or disable security services that interfere with its ability to meet demanding business requirements for application performance puts the entire organization at a much higher risk of experiencing firsthand the direct and indirect consequences of an attack succeeding.

The biggest disconnect for security operations lies between discovery of vulnerabilities, particularly those most likely to lead to a breach, and remediation. Vulnerability scanning services have proven that discovery can be easily automated. Web application firewalls (WAFs) can mitigate across the entire application deployment domain. But it is often the case that the policies required to mitigate discovered vulnerabilities take as much time to create, test, and deploy as it would take for developers to address them in application code.

Codifying the policies necessary to mitigate even the most common vulnerabilities takes time. It is a manual process, and the larger the attack surface of an application, the more time it takes. The process does not scale any better than hand-to-hand passing of buckets of water scales to put out serious fires. Even adding people to such processes often has the inverse effect.

A better means of addressing this serious gap between discovery and deployment of policies is required: an automated system that eliminates the man in the middle that is slowing it down today and putting the entire organization at risk.

[3] 4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned? WhiteHat Security video, 2012.

The Persistent Threat Management Model

Persistent Threat Management (PTM) is a new operational model that takes advantage of integration and automation capabilities between vulnerability scanning services and web application firewalls.

In the past, virtual patching has provided the ability to automatically deploy web application firewall policies appropriate to specific vulnerabilities from within vulnerability scanning services. This process has been largely manual, requiring operations to deploy the policies necessary to protect web applications from attack. The time investment in reviewing and deploying policies led to decisions on the part of IT and business stakeholders to scan only periodically and deploy policies to protect only those applications critical to the business.

But in recent years, the increasing persistence and rapid evolution of attacks and attack methods have created an environment in which vulnerability scanning services are an invaluable resource in managing web application security for all applications, all the time. "Scan continuously, mitigate promptly" is an apropos mantra for those professionals now fully focused on web application security.

To meet this need, vulnerability scanning services can now scale to provide continuous scanning of all organizational domains. A disconnect has remained with the requirement to manually deploy policies to a web application firewall to promptly mitigate those vulnerabilities discovered.

This disconnect is fueled in part by a lack of confidence in operators to properly configure and deploy the appropriate policies based on discovered vulnerabilities. Based on years of experience, WhiteHat Security has found that 80 percent of the most common vulnerabilities in web applications can be mitigated promptly with the same basic rule. Those variables specific to a web application and organization can be automatically adjusted by the vulnerability scanning service, and thus enable the emergence of a new operational model: PTM.


PTM automates the process of scanning and mitigating 80 percent of the most commonly discovered vulnerabilities. These include those most likely to lead to a breach: SQLi, XSS, and CSRF. PTM enables discovery of vulnerabilities, codification of the appropriate policy (tailored to the application and organizational domain), and automated deployment of that policy for prompt mitigation.

[Figure 2 diagram: Users -> BIG-IP Application Security Manager -> Servers / Web Apps, with the Persistent Threat Management cycle (Scan, Codify, Deploy, Protect) fed by vulnerability scan services from Cenzic, Qualys, IBM, and WhiteHat.]

Figure 2: Persistent Threat Management enables continuous scan and discovery of vulnerabilities followed by automatic codification and deployment of appropriate policies to a web application firewall for prompt mitigation of threats.

By automating protection against 80 percent of the most common vulnerabilities, organizations can refocus security operations on mitigating the remaining 20 percent, confident in the ability of the web application firewall to detect and protect against common persistent threats.

PTM benefits organizations by:

• Improving operational efficiency by shifting burdens from people to technology.
• Decreasing risk by ensuring prompt mitigation of discovered vulnerabilities.
• Reducing impact on application lifecycle management by enabling organizations to focus development resources only where absolutely necessary to redress a vulnerability.
• Improving security posture.
• Increasing the days in a year that applications are secure by eliminating, through continuous scanning, threats that might otherwise have emerged between scheduled scans.
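The scan, codify, deploy, protect cycle that Figure 2 and the paragraphs above describe, as an added illustration that is not F5, WhiteHat, or Cenzic code: findings of the classes the page says a single basic rule covers (XSS, SQLi, CSRF) are turned into rules scoped to the affected application, path, and parameter and deployed without a person in the loop, while anything outside those classes is queued for an operator as the "remaining 20 percent". The scanner export format, the mitigation templates, the hostnames and finding ids, and the in-memory policy store standing in for the WAF's management interface are all constructed for this example.

```python
"""Persistent Threat Management loop: scan -> codify -> deploy -> protect.

Added illustration, not F5, WhiteHat or Cenzic code. The scanner export format,
the mitigation templates and the in-memory WAF policy store are constructed
stand-ins; a real deployment would call the WAF's management API instead.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical mitigation templates for the classes the page says one basic rule
# covers. Anything not listed is the "remaining 20 percent" that goes to an
# operator instead of being codified automatically.
TEMPLATES = {
    "XSS":  {"check": "signature:xss",           "action": "block"},
    "SQLi": {"check": "signature:sqli",          "action": "block"},
    "CSRF": {"check": "require_anti_csrf_token", "action": "block"},
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    vuln_class: str
    url: str
    parameter: Optional[str]


@dataclass(frozen=True)
class PolicyRule:
    app: str                  # host the rule is attached to
    path: str                 # URL path the rule is scoped to
    parameter: Optional[str]  # parameter the check applies to (None = whole request)
    check: str
    action: str
    source_finding: str       # traceability back to the scanner finding


@dataclass
class CycleResult:
    new_rules: list = field(default_factory=list)  # rules deployed this pass
    manual: list = field(default_factory=list)     # findings left for a person
    automated: int = 0                              # findings covered by a rule, new or existing

    @property
    def automated_fraction(self) -> float:
        total = self.automated + len(self.manual)
        return self.automated / total if total else 0.0


def parse_report(report_json: str) -> list[Finding]:
    """Parse the constructed scanner export: a JSON list of finding objects."""
    return [Finding(f["id"], f["class"], f["url"], f.get("parameter"))
            for f in json.loads(report_json)]


def codify(finding: Finding) -> Optional[PolicyRule]:
    """Codify step: tailor the class template to this application and URL."""
    template = TEMPLATES.get(finding.vuln_class)
    if template is None:
        return None  # no standard rule for this class; needs review
    parts = urlsplit(finding.url)
    return PolicyRule(app=parts.netloc, path=parts.path or "/", parameter=finding.parameter,
                      check=template["check"], action=template["action"],
                      source_finding=finding.finding_id)


class InMemoryWaf:
    """Stand-in for a WAF policy store, keyed so repeated scans do not duplicate rules."""

    def __init__(self) -> None:
        self.rules = {}

    def deploy(self, rule: PolicyRule) -> bool:
        key = (rule.app, rule.path, rule.parameter, rule.check)
        if key in self.rules:
            return False  # already protected; continuous scanning re-reports findings
        self.rules[key] = rule
        return True


def run_cycle(report_json: str, waf: InMemoryWaf) -> CycleResult:
    """One scan/codify/deploy pass over a scanner report."""
    result = CycleResult()
    for finding in parse_report(report_json):
        rule = codify(finding)
        if rule is None:
            result.manual.append(finding)
            continue
        result.automated += 1
        if waf.deploy(rule):
            result.new_rules.append(rule)
    return result


# Constructed scanner export; the hostname and finding ids are made up.
SAMPLE_REPORT = json.dumps([
    {"id": "F-1001", "class": "XSS",  "url": "https://shop.example.test/search", "parameter": "q"},
    {"id": "F-1002", "class": "SQLi", "url": "https://shop.example.test/login", "parameter": "username"},
    {"id": "F-1003", "class": "CSRF", "url": "https://shop.example.test/account/email"},
    {"id": "F-1004", "class": "Business logic", "url": "https://shop.example.test/checkout", "parameter": "coupon"},
])

if __name__ == "__main__":
    waf = InMemoryWaf()
    first = run_cycle(SAMPLE_REPORT, waf)
    print(f"deployed {len(first.new_rules)} rules, {len(first.manual)} finding(s) queued for review, "
          f"{first.automated_fraction:.0%} automated")
    second = run_cycle(SAMPLE_REPORT, waf)  # re-scan: nothing new to deploy
    print(f"second pass deployed {len(second.new_rules)} new rules")
```

Two design points carry over to a real integration: each rule keeps the finding id that produced it, so an operator can trace any block back to the scan that justified it, and deployment is idempotent, so a continuous scanner re-reporting the same finding every cycle does not pile up duplicate policy.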

PTM is an evolutionary operational model building upon successful techniques like automation and virtual patching to create a more consistent, efficient process for protecting all web applications under an organization's control.

F5 and Persistent Threat Management

F5 has partnered with WhiteHat Security and Cenzic to jointly execute on this innovative security model by integrating Dynamic Application Security Testing (DAST) solutions with F5 BIG-IP Application Security Manager (ASM). This integration enables the continuous, automated deployment of best practice security solutions to combat the increasingly hostile environment to which web applications are exposed.

Dynamic Application Security Testing Solutions

Dynamic Application Security Testing is a vulnerability assessment model focusing on web applications currently deployed in production environments. Traditionally, this testing was performed by consultants using penetration testing tools, but the explosive growth of attacks has rendered manual methods ineffective.

Web application attacks comprise the majority of attacks on an organization's web presence, and attacks are continuous around the clock. Compounding the risk are agile development methodologies, which prescribe frequent web application updates that must be tested for potential vulnerabilities. Organizations can no longer afford to put off testing or rely on manual methods that take days or weeks, leaving existing and new updates potentially vulnerable.

A model based on continuous testing and the automated deployment of defensive policies to immediately mitigate the risk associated with discovered vulnerabilities is vital to maintaining a healthy security posture for all web applications. DAST solutions continuously scan for the most common vulnerabilities such as OWASP Top 10 and WASC vulnerabilities. With potentially hundreds or thousands of web application URLs to protect, however, manually addressing any vulnerability discovered by the DAST solution would be a Sisyphean task.

Integrating DAST solutions with BIG-IP ASM can relieve operations of the burden imposed by manually addressing vulnerabilities by automatically deploying standard best practices that immediately protect applications from falling prey to persistent attacks.

F5 BIG-IP Application Security Manager (ASM)

BIG-IP ASM is a web application firewall. As part of the BIG-IP product family, it is based on F5's integrated platform, TMOS, and enabled with a standards-based open API, iControl. Through this interface, BIG-IP ASM can be managed, configured, and updated dynamically.

Additionally, the BIG-IP platform is programmable. Through iRules, F5's event-driven scripting language, any BIG-IP deployed solution can intercept, inspect, and transform the payload of any traffic crossing its data plane. iRules enables zero-day mitigation of zero-day attacks in addition to implementing custom security and processing of data to secure any IP-based application.

Persistent Threat Management Solutions

F5 and DAST solutions operationalize web application security by applying the same agile principles associated with devops: lifecycle management with the goal of continuous application delivery achieved through the discovery, refinement, and optimization of repeatable processes. In this case, F5 and its partners are focusing on those processes related to web application security.

WhiteHat Sentinel and Cenzic software can deploy BIG-IP ASM policies that encapsulate best practice mitigations as well as vetted iRules-based mitigations for 80 percent of discovered vulnerabilities. These mitigations are deployed automatically, as part of the continuous scan and resolve process executed by WhiteHat and Cenzic on a configurable basis against large numbers of web applications and sites.


Conclusion

The widespread use of vulnerability scans to detect potential vulnerabilities in web applications and the constant attacks directed at organizations have resulted in a silver lining: a set of nearly standardized attack patterns. Combining knowledge from this set of attack patterns with best practices from OWASP and WASC has netted a set of best practice defensive policies that protect against 80 percent of the most common web application attacks.

The Persistent Threat Management model leverages modern integration and automation principles to ensure the broadest coverage against attacks. Automation through integration of DAST and BIG-IP ASM provides organizations with a compelling, effective method of protecting web applications against exploitation of common, well-understood attacks. An integrated, process-driven solution ensures immediate and transparent mitigation of vulnerabilities that relieves pressure on security and operational staff to prioritize and address the risks manually and significantly improves the security posture of all protected web applications.

2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS01-00120 1012