How to Operationalize Web Application Security

Persistent Threat Management is an operational model that eliminates the man-in-the-middle bottleneck that prevents the scalability of web application security solutions vital to preventing today's pervasive attacks from succeeding.

by Lori MacVittie, Sr. Technical Marketing Manager

White Paper
Contents

The Threat from the Outside ............ 3
The Threat from the Inside ............. 4
The Persistent Threat Management Model . 5
F5 and Persistent Threat Management .... 7
Dynamic Application Security Testing Solutions ... 7
F5 BIG-IP Application Security Manager (ASM) ..... 8
Persistent Threat Management Solutions . 8
Conclusion ............................. 9
The Threat from the Outside

"2011 continued the shift towards external agents' involvement in a high percentage
of data breaches. Though we have always seen an external majority, never before
has any year been so one-sided."¹
In 2011, attacks by external agents grew 6 percent over previous years, comprising
98 percent of all breaches documented by the Verizon Business 2011 Data Breach
Investigations Report (DBIR). While many attacks continue to focus on network and
systems security, DBIR data points to web application security as an area of increasing
concern, with nearly 40 percent of breaches being due to web application issues.
More than half of the most frequent attacks cited by organizations in a September
2011 Applied Research² survey were against web applications. Half of those attacks
are on the well-known OWASP Top Ten list: cross-site scripting (XSS), SQL injection
(SQLi), and cross-site request forgery (CSRF). These attacks are well understood, as
are the proven methods of preventing them.
Figure 1 data (sources: WhiteHat Website Security Statistics Report; Applied Research, September 2011; Google Analytics Benchmarks 2011):

| Vulnerability              | Likelihood of site to have vulnerability | Frequency seen | Web transactions per day | Percentage chance of a breach (daily) |
|----------------------------|------------------------------------------|----------------|--------------------------|---------------------------------------|
| Cross-site scripting (XSS) | 64%                                      | 43%            | 2873                     | 27%                                   |
| SQL injection              | 14%                                      | 42%            | 2873                     | 6%                                    |
| Information leakage        | 64%                                      | 41%            | 2873                     | 26%                                   |

Possibility = (TX * V% * F%) / TX

Figure 1: If a vulnerability exists, there is a chance it will be exploited. The higher the volume of a site, the higher the risk.
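The arithmetic behind Figure 1, worked as an added example (this is not code from the white paper or from F5): it evaluates the figure's formula for each row, then goes one step beyond the figure by compounding the daily chance over a run of vulnerable days, which is what makes time-to-mitigate a measurable risk. The independence-of-days assumption and the 335-day exposure window (a year minus the 30 vulnerability-free days cited later in the paper) are assumptions of this example.

```python
"""Added example (not from the F5 white paper): works Figure 1's
breach-probability formula, then extends it to cumulative exposure over a
run of vulnerable days, which the figure itself does not show."""

# Inputs taken from Figure 1: web transactions per day (Google Analytics
# benchmark) and, per vulnerability class, the likelihood a site has it
# (WhiteHat) and the frequency the attack is seen (Applied Research).
TX_PER_DAY = 2873
FIGURE_1 = {
    "Cross-site scripting (XSS)": (0.64, 0.43),
    "SQL injection": (0.14, 0.42),
    "Information leakage": (0.64, 0.41),
}


def daily_breach_chance(tx, v, f):
    """Possibility = (TX * V% * F%) / TX, as Figure 1 states it.

    TX cancels algebraically, so the daily chance reduces to V * F; the
    figure's whole-percent values (27%, 6%, 26%) are this product rounded.
    """
    return (tx * v * f) / tx


def cumulative_breach_chance(daily_p, days):
    """Chance of at least one breach over `days` vulnerable days.

    Assumption of this example (not in the paper): each day is an
    independent trial at the Figure 1 daily rate.
    """
    return 1.0 - (1.0 - daily_p) ** days


def days_until(daily_p, threshold):
    """Smallest number of vulnerable days at which the cumulative chance
    reaches `threshold`: a way to read mitigation delay as risk."""
    if daily_p <= 0.0:
        raise ValueError("daily_p must be positive")
    days = 0
    while cumulative_breach_chance(daily_p, days) < threshold:
        days += 1
    return days


def figure_1_table():
    """Daily breach chance per vulnerability class, as a fraction."""
    return {name: daily_breach_chance(TX_PER_DAY, v, f)
            for name, (v, f) in FIGURE_1.items()}


if __name__ == "__main__":
    for name, p in figure_1_table().items():
        print(f"{name}: {p:.0%}/day; 50% cumulative after {days_until(p, 0.5)} days")
```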
Such attacks are persistent and frequent, fueled by massive botnets and automation.
Organizations cannot prevent these attacks from being launched in the first place.
While advice abounds on preventing an attack by hacktivists for reasons other than
profit or fame, nothing short of cutting the hardline to the Internet can definitively
stop external agents from launching attacks.
The responsibility of security operations is to prevent those attacks from succeeding.
This, too, unfortunately, is an increasingly difficult task. While the benefits of using
web application security solutions to detect and prevent the success of attacks is
now well understood and accepted, it is still widely underutilized due to the inability
to operationalize the processes required to continually scan, discover, and put into
place the policies required to do so.

¹ Verizon 2012 Data Breach Investigations Report (DBIR).
² Study finds traditional security safeguards failing, Application Delivery Controllers viewed as an effective alternative. November 8, 2011.
The Threat from the Inside

Conventional wisdom holds that employees are the greatest risk to the security of
an organization. This remains true, not necessarily because of intentional malice on
the part of employees, but rather due to the inability of operations to scale at a rate
equal to that of external threats.
While attackers are able to scale out thanks to scripting, automation, and a plethora
of services at their command, security operations continue to struggle with processes
involving manual codification and configuration. This impedes agility and degrades
the security posture of an organization such that its web application presence is, on
average, free from vulnerabilities for only 30 days during the year.³
Coupling an inability to scale with the tendency for IT to simply turn off or disable
security services that interfere with its ability to meet demanding business
requirements for application performance puts the entire organization at a much
higher risk of experiencing firsthand the direct and indirect consequences of an
attack succeeding.
The biggest disconnect for security operations lies between discovery of
vulnerabilities, particularly those most likely to lead to a breach, and remediation.
Vulnerability scanning services have proven that discovery can be easily automated.
Web application firewalls (WAFs) can mitigate across the entire application
deployment domain. But it is often the case that the policies required to mitigate
discovered vulnerabilities take as much time to create, test, and deploy as it would
for developers to address in application code.
Codifying the policies necessary to mitigate even the most common vulnerabilities
takes time. It is a manual process, and the larger the attack surface of an application,
the more time it takes. The process scales no better than a bucket brigade passing
water hand to hand scales to put out a serious fire. Even adding people to
such processes often has the inverse effect.
³ 4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned? WhiteHat Security video, 2012.
A better means of addressing this serious gap between discovery and deployment
of policies is required: an automated system that eliminates the man in the middle
that is slowing it down today and putting the entire organization at risk.
The Persistent Threat Management Model

Persistent Threat Management (PTM) is a new operational model that takes
advantage of integration and automation capabilities between vulnerability
scanning services and web application firewalls.
In the past, virtual patching has provided the ability to automatically deploy web
application firewall policies appropriate to specific vulnerabilities from within
vulnerability scanning services. This process has been largely manual, requiring
operations to deploy the policies necessary to protect web applications from attack.
The time investment in reviewing and deploying policies led to decisions on the
part of IT and business stakeholders to scan only periodically and deploy policies
to protect only those applications critical to the business.
But in recent years, the increasing persistence and rapid evolution of attacks and
attack methods have created an environment in which vulnerability scanning
services are an invaluable resource in managing web application security for all
applications, all the time. "Scan continuously, mitigate promptly" is an apt
mantra for those professionals now fully focused on web application security.
To meet this need, vulnerability scanning services can now scale to provide
continuous scanning of all organizational domains. A disconnect has remained
with the requirement to manually deploy policies to a web application firewall to
promptly mitigate those vulnerabilities discovered.
This disconnect is fueled in part by a lack of confidence in operators to properly
configure and deploy the appropriate policies based on discovered vulnerabilities.
Based on years of experience, WhiteHat Security has found that 80 percent of the
most common vulnerabilities in web applications can be mitigated promptly with
the same basic rule. Those variables specific to a web application and organization
can be automatically adjusted by the vulnerability scanning service, and thus enable
the emergence of a new operational model: PTM.
PTM automates the process of scanning and mitigating 80 percent of the most
commonly discovered vulnerabilities. These include those most likely to lead to a
breach: SQLi, XSS, and CSRF. PTM enables discovery of vulnerabilities, codification
of the appropriate policy (tailored to the application and organizational domain),
and automated deployment of that policy for prompt mitigation.
[Figure 2 diagram: Users send traffic through BIG-IP Application Security Manager to Servers and Web Apps. A Persistent Threat Management cycle of Scan, Codify, Deploy, and Protect links the web application firewall with vulnerability scanning partners: Cenzic, Qualys, IBM, WhiteHat.]

Figure 2: Persistent Threat Management enables continuous scan and discovery of vulnerabilities followed by automatic codification and deployment of appropriate policies to a web application firewall for prompt mitigation of threats.
By automating protection against 80 percent of the most common vulnerabilities,
organizations can refocus security operations on mitigating the remaining 20
percent, confident in the ability of the web application firewall to detect and
protect against common persistent threats.
PTM benefits organizations by:

- Improving operational efficiency by shifting burdens from people to technology.
- Decreasing risk by ensuring prompt mitigation of discovered vulnerabilities.
- Reducing impact on application lifecycle management by enabling organizations to focus development resources only where absolutely necessary to redress a vulnerability.
- Improving security posture.
- Increasing the days in a year that applications are secure by eliminating, through continuous scanning, threats that might otherwise have emerged between scheduled scans.
PTM is an evolutionary operational model building upon successful techniques like
automation and virtual patching to create a more consistent, efficient process for
protecting all web applications under an organization's control.

F5 and Persistent Threat Management

F5 has partnered with WhiteHat Security and Cenzic to jointly execute on this
innovative security model by integrating Dynamic Application Security Testing
(DAST) solutions with F5 BIG-IP Application Security Manager (ASM). This
integration enables the continuous, automated deployment of best practice security
solutions to combat the increasingly hostile environment to which web applications
are exposed.
Dynamic Application Security Testing Solutions
Dynamic Application Security Testing is a vulnerability assessment model focusing
on web applications currently deployed in production environments. Traditionally
performed by consultants using penetration testing tools, the explosive growth of
attacks has rendered manual methods ineffective.
Web application attacks comprise the majority of attacks on an organization's web
presence, and attacks are continuous around the clock. Compounding the risk
are agile development methodologies, which prescribe frequent web application
updates that must be tested for potential vulnerabilities. Organizations can no
longer afford to put off testing or rely on manual methods that take days or weeks,
leaving existing and new updates potentially vulnerable.
A model based on continuous testing and the automated deployment of defensive
policies to immediately mitigate the risk associated with discovered vulnerabilities
is vital to maintaining a healthy security posture for all web applications. DAST
solutions continuously scan for the most common vulnerabilities such as OWASP
Top 10 and WASC vulnerabilities. With potentially hundreds or thousands of web
application URLs to protect, however, manually addressing any vulnerability
discovered by the DAST solution would be a Sisyphean task.
Integrating DAST solutions with BIG-IP ASM can relieve operations of the burden
imposed by manually addressing vulnerabilities by automatically deploying standard
best practices that immediately protect applications from falling prey to persistent
attacks.
F5 BIG-IP Application Security Manager (ASM)
BIG-IP ASM is a web application firewall. As part of the BIG-IP product family, it is
based on F5's integrated platform, TMOS, and enabled with a standards-based
open API, iControl. Through this interface, BIG-IP ASM can be managed,
configured, and updated dynamically.

Additionally, the BIG-IP platform is programmable. Through iRules, F5's event-driven
scripting language, any BIG-IP deployed solution can intercept, inspect, and
transform the payload of any traffic crossing its data plane. iRules enables same-day
("zero-day") mitigation of zero-day attacks in addition to implementing custom
security and processing of data to secure any IP-based application.
Persistent Threat Management Solutions
F5 and DAST solutions operationalize web application security by applying the same
agile principles associated with devops: lifecycle management with the goal of
continuous application delivery achieved through the discovery, refinement, and
optimization of repeatable processes. In this case, F5 and its partners are focusing
on those processes related to web application security.
WhiteHat Sentinel and Cenzic software can deploy BIG-IP ASM policies that
encapsulate best practice mitigations as well as vetted iRules-based mitigations
for 80 percent of discovered vulnerabilities. These mitigations are deployed
automatically, as part of the continuous scan and resolve process executed by
WhiteHat and Cenzic on a configurable basis against large numbers of web
applications and sites.
Conclusion

The widespread use of vulnerability scans to detect potential vulnerabilities in web
applications and the constant attacks directed at organizations have resulted in a
silver lining: a set of nearly standardized attack patterns. Combining knowledge
from this set of attack patterns with best practices from OWASP and WASC has
netted a set of best practice defensive policies that protect against 80 percent of
the most common web application attacks.

The Persistent Threat Management model leverages modern integration and
automation principles to ensure the broadest coverage against attacks. Automation
through integration of DAST and BIG-IP ASM provides organizations with a
compelling, effective method of protecting web applications against exploitation of
common, well-understood attacks. An integrated, process-driven solution ensures
immediate and transparent mitigation of vulnerabilities that relieves pressure on
security and operational staff to prioritize and address the risks manually and
significantly improves the security posture of all protected web applications.

© 2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS01-00120 1012