Transcript
Page 1: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Web Application & Web Services Security

integrated in Global Application Offering

- Problems? No, no problems at all.

- Yes. We're using WAF too.

3.11.2011

Thomas Malmberg

Page 2: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 2

Agenda

• Security and its many faces

• Drivers and issues for choosing an application firewall

• Minutes to learn, a lifetime to master

”Questions may be asked at any given time”

Page 3: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Security and its many faces

• Security has to be applied on many levels in an organization

– Processes

– User management

– Firewalls

– Keycards

– Doors

– SSL

– Penetration testing

– Training

– ...

• Can security be enforced by applying Magnum Force?

Page 4: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Security and its many faces

• Carrot and stick – approach

– Give some and get some

– Design and enforce policies, not "magnum force"

– Involve the right people – You need to "sell your agenda"

– Make sure you "enable business" (but what does that really mean?)

– In certain cases, deploying a new technology is the right solution

Page 5: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Drivers and issues for choosing an application firewall

..but wait - let's recap what REALLY happened (or what should have happened)

The Stick

PCI-DSS

The Carrot

Cut costs on expensive application re-testing and re-coding and re-inventing and re-everything

Page 6: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Drivers and issues for choosing an application firewall

• PCI-DSS was "the drop that spilled the cup"

• Before PCI-DSS we had at least this:

– National Legislation

– Financial Supervisory Authority Directives

– EU Legislation & Directives

– Finanssivalvonta, Finansinspektionen

– Common Sense

• Then we woke up and realized that...

– Security had many faces

– Security cannot be bought (but neat firewalls can!)

– Security is a mindset

– Security is a way of life

Financial Supervisory Authority:

• Finanssivalvonta (FI)

• Finansinspektionen (SE)

Page 7: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Drivers and issues for choosing an application firewall

• Today we understand that

– Credit-card numbers are not everything

– There are many different inputs that feed into full compliance

– It is not wise to pursue different directives or pieces of legislation separately

– Everything we do in this field increases the overall security

Page 8: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Drivers and issues for choosing an application firewall

Page 9: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Case HBGary

• HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors.

• HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

• Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things.

• Source: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/

Page 10: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Case HBGary

1. The CMS system had an SQL injection vulnerability

2. Usernames were stolen from the user database

3. Passwords were hashed using plain MD5 without salting

4. Passwords were weak

5. The same passwords were used for public SSH access

6. The SSH server was not patched, so root access could be gained

7. The same passwords were used for email accounts, Google Apps and Gmail administrators

8. Using admin rights, many email accounts were scavenged for information

9. Email was then used for social engineering to gain even more access to other sites
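Steps 3 and 4 above, as an added example that is not part of the talk: the unsalted MD5 store beside a salted, deliberately slow store, with constructed sample accounts and a constructed three-word list showing why the first falls immediately (one precomputed table serves every user, and equal passwords are visible as equal hashes) while the second does not. Account names, passwords and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the case): two users chose the same weak password.
USERS = {"alice": "Password1", "bob": "Password1", "carol": "correct horse battery staple"}

def md5_unsalted(password):
    """The weak scheme from step 3: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()

def duplicate_hashes(stored):
    """Unsalted hashes leak password reuse: equal passwords give equal hashes across users."""
    return len(stored) - len(set(stored.values()))

def precomputed_lookup(stored, wordlist):
    """Why unsalted fast hashes fall quickly: one hash per guess is checked against every user at once."""
    table = {md5_unsalted(w): w for w in wordlist}  # built once, reused for all accounts
    return {user: table[h] for user, h in stored.items() if h in table}

def pbkdf2_salted(password, salt=None, iterations=200_000):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, expected, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    weak_store = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("duplicate hashes in weak store:", duplicate_hashes(weak_store))
    print("recovered from a 3-word list:", precomputed_lookup(weak_store, ["123456", "Password1", "letmein"]))
    salt, digest = pbkdf2_salted("Password1")
    print("salted verify ok:", verify_salted("Password1", salt, digest))
```

With a salt, the same password stored for two users yields two different digests, so neither reuse nor a precomputed table is visible to whoever steals the database.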

Page 11: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Drivers and issues for choosing an application firewall

Page 12: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Drivers and issues for choosing an application firewall

• An application firewall (WAF) would not make us PCI-DSS compliant

• It would only partially answer one of the requirements set by the PCI-council

• BUT - depending on the product we choose we could

– increase the overall security level of all of our public internet services

– accelerate our websites

– apply quick fixes to 0-day vulnerabilities when we most need it

– safely deploy applications with known issues to the public while investigating the root cause

– possibly protect our web-services

”0-day vulnerabilities must be fixed IMMEDIATELY.”

Page 13: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Minutes to learn, a lifetime to master

• A few do's and don'ts along the way

– Don't expect the application firewall to be a generic solution to issues in your software development

– Don't ditch external security audits

– Don't expect everything to be up and running smoothly day 1

– Don't expect that the application firewall never requires attention

– Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
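The last point, a process for monitoring discrepancies and major changes in the traffic profile, as an added example that is not from the talk: it builds a profile from a baseline window of constructed WAF log lines, builds another from the current window, and flags a jump in the share of blocked requests, paths whose share of traffic moved, and paths never seen before. The log format, the sample lines and the thresholds are assumptions, not any product's format.

```python
import re
from collections import Counter

# Constructed WAF log lines (assumed format: timestamp client method path status action).
BASELINE_LOG = """\
2014-09-11T10:00:01 10.0.0.5 GET /login 200 pass
2014-09-11T10:00:02 10.0.0.6 GET /index 200 pass
2014-09-11T10:00:03 10.0.0.7 POST /login 200 pass
2014-09-11T10:00:04 10.0.0.5 GET /search?q=shoes 200 pass
2014-09-11T10:00:05 10.0.0.8 GET /search?q=bags 403 block
2014-09-11T10:00:06 10.0.0.9 GET /index 200 pass
"""
TODAY_LOG = """\
2014-09-12T10:00:01 10.0.0.5 GET /login 200 pass
2014-09-12T10:00:02 10.0.0.6 GET /index 200 pass
2014-09-12T10:00:03 10.0.0.21 GET /search?q=a 403 block
2014-09-12T10:00:04 10.0.0.22 GET /search?q=b 403 block
2014-09-12T10:00:05 10.0.0.24 GET /admin 403 block
2014-09-12T10:00:06 10.0.0.25 GET /admin 403 block
2014-09-12T10:00:07 10.0.0.7 POST /login 200 pass
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+?)(?:\?\S*)? (\d{3}) (pass|block)$")

def profile(log):
    """Summarise one log window: share of requests per path (query string stripped) and share blocked."""
    paths, blocked, total = Counter(), 0, 0
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skipped here, a real process would count these too
        paths[m.group(4)] += 1
        total += 1
        blocked += m.group(6) == "block"
    return {"total": total,
            "block_ratio": blocked / total if total else 0.0,
            "path_share": {p: n / total for p, n in paths.items()}}

def discrepancies(baseline, current, share_delta=0.15, block_delta=0.2):
    """Flag major changes: a jump in block ratio, paths whose share moved, and paths never seen before."""
    findings = []
    if current["block_ratio"] - baseline["block_ratio"] > block_delta:
        findings.append(f"block ratio {baseline['block_ratio']:.2f} -> {current['block_ratio']:.2f}")
    for path, share in current["path_share"].items():
        base = baseline["path_share"].get(path)
        if base is None:
            findings.append(f"new path {path}")
        elif abs(share - base) > share_delta:
            findings.append(f"path {path} share {base:.2f} -> {share:.2f}")
    return findings
```

Run `discrepancies(profile(BASELINE_LOG), profile(TODAY_LOG))` to get the three findings for the sample windows; the same comparison against the baseline itself returns an empty list.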

Page 14: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Minutes to learn, a lifetime to master

• A few do's and don'ts along the way

– It does add security where you need it the most

– It does fix issues with your applications that programmers can't (at least not fast enough)

– It gives you a good idea of what is going on with your applications

Page 15: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Minutes to learn, a lifetime to master

• Plan the implementation beforehand

• Inform your stakeholders about possible issues when rolling out

• Treat the application firewall rollout as any major software update in your system

• Don't try to solve everything at once – Think big, start small

”A WAF project is like any other IT project – it fails if not conducted properly”

Page 16: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Thank You!

Kiitos!

Tack!

Questions?

Kysymyksiä?

Frågor?

Hopefully at least a few...

Contact:

[email protected]

http://fi.linkedin.com/in/thomasmalmberg

Page 17: Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Recommended