Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

  • Published on
    24-May-2015


DESCRIPTION

Web Application & Web Services Security integrated in Global Application Offering. Drivers and issues for choosing an application firewall.

Transcript

  • 1. Web Application & Web Services Security integrated in Global Application Offering
      - Problems? No, no problems at all.
      - Yes. We're using WAF too.
      3.11.2011 Thomas Malmberg

  • 2. Agenda
      Slide footer (this and all following slides): 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY]
      Web Application & Web Services Security integrated in Global Application Offering
      - Security and its many faces
      - Drivers and issues for choosing an application firewall
      - Minutes to learn, a lifetime to master
      - Questions may be asked at any given time

  • 3. Security and its many faces
      Security has to be applied on many levels in an organization:
      - Processes
      - User management
      - Firewalls
      - Keycards
      - Doors
      - SSL
      - Penetration testing
      - Training
      - ...
      Can security be enforced by applying Magnum Force?

  • 4. Security and its many faces
      - Carrot and stick approach
      - Give some and get some
      - Design and enforce policies, not "magnum force"
      - Involve the right people
      - You need to "sell your agenda"
      - Make sure you "enable business" (but what does that really mean?)
      - In certain cases, deploying a new technology is the right solution

  • 5. Drivers and issues for choosing an application firewall
      ...but wait - let's recap what REALLY happened (or what should have happened)
      - The Stick: PCI-DSS
      - The Carrot: Cut costs on expensive application re-testing and re-coding and re-inventing and re-everything

  • 6. Drivers and issues for choosing an application firewall
      PCI-DSS was "the drop that spilled the cup"
      Before PCI-DSS we had at least this:
      - National Legislation
      - Financial Supervisory Authority Directives
      - EU Legislation & Directives
      - Finanssivalvonta, Finansinspektionen
      - Common Sense
      Then we woke up and realized that...
      - Security had many faces
      - Security cannot be bought (but neat firewalls can!)
      - Security is a mindset
      - Security is a way of life
      Financial Supervisory Authority: Finanssivalvonta (FI), Finansinspektionen (SE)

  • 7. Drivers and issues for choosing an application firewall
      Today we understand that
      - Credit-card numbers are not everything
      - There are a lot of different input sources to definitive compliancy
      - It is not wise to pursue different directives or legislations separately
      - Everything we do in this field increases the overall security

  • 8. Drivers and issues for choosing an application firewall
      (no slide text)

  • 9. Case HBGary
      HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors.
      HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
      Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things.
      Source: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/

  • 10. Case HBGary
      1. The CMS system had an SQL injection vulnerability
      2. Usernames were stolen from the user database
      3. Passwords were hashed using simple MD5 without salting
      4. Passwords were weak
      5. The same passwords were used for public SSH access
      6. The SSH server was not patched; root access could be gained
      7. The same passwords were used for email accounts, Google Apps and for Gmail administrators
      8. Using admin rights, many email accounts were scavenged for information
      9. Email was used for social engineering to gain even more access to other sites

  • 11. Drivers and issues for choosing an application firewall
      (no slide text)

  • 12. Drivers and issues for choosing an application firewall
      An application firewall (WAF) would not make us PCI-DSS compliant.
      It would only partially answer one of the requirements set by the PCI council.
      BUT - depending on the product we choose we could:
      - increase the overall security level of all of our public internet services
      - accelerate our websites
      - apply quick fixes to 0-day vulnerabilities when we most need it
      - safely deploy applications with known issues to the public while investigating the root cause
      - possibly protect our web services
      0-day vulnerabilities must be fixed IMMEDIATELY.

  • 13. Minutes to learn, a lifetime to master
      A few do's and don'ts along the way
      - Don't expect the application firewall to be a generic solution to issues in your software development
      - Don't ditch external security audits
      - Don't expect everything to be up and running smoothly on day 1
      - Don't expect that the application firewall never requires attention
      - Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
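The last point on slide 13, a process that watches for discrepancies and major changes in the traffic profile, as an added example that is not part of the presentation: a small Python monitor that builds an hourly profile from constructed WAF log lines (in a hypothetical "timestamp action path" format, not any real product's log) and flags hours whose request volume or blocked-request ratio exceeds a baseline by a configurable factor.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "timestamp action path" format, not the
# output of any real WAF. Hours 10 and 11 are the quiet baseline; hour 12 shows a burst of
# blocked requests; the last line is deliberately malformed to show the skip path.
SAMPLE_LOG = """\
2014-09-11T10:00:01 ALLOW /login
2014-09-11T10:05:12 ALLOW /account
2014-09-11T10:20:40 ALLOW /login
2014-09-11T10:45:03 ALLOW /search
2014-09-11T11:02:11 ALLOW /login
2014-09-11T11:10:09 BLOCK /search
2014-09-11T11:30:00 ALLOW /account
2014-09-11T11:55:59 ALLOW /login
2014-09-11T12:01:02 BLOCK /login
2014-09-11T12:01:03 BLOCK /login
2014-09-11T12:01:04 BLOCK /login
2014-09-11T12:30:00 ALLOW /account
2014-09-11T13:00:00 ALLOW /login
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d (?P<action>ALLOW|BLOCK) \S+$")

def profile(log_text):
    """Return {hour: [requests, blocked]} aggregated from the log lines."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        stats[m.group("hour")][0] += 1
        if m.group("action") == "BLOCK":
            stats[m.group("hour")][1] += 1
    return dict(stats)

def find_discrepancies(stats, baseline_hours, volume_factor=3.0, ratio_factor=3.0):
    """Flag hours whose volume or blocked ratio exceeds the baseline by a factor."""
    base = [stats[h] for h in baseline_hours if h in stats]  # assumes a non-empty baseline
    base_reqs = sum(r for r, _ in base) / len(base)
    base_ratio = sum(b for _, b in base) / sum(r for r, _ in base)
    alerts = []
    for hour, (reqs, blocked) in sorted(stats.items()):
        if hour in baseline_hours:
            continue
        if reqs > volume_factor * base_reqs:
            alerts.append((hour, "volume"))
        if blocked / reqs > ratio_factor * max(base_ratio, 0.01):
            alerts.append((hour, "block-ratio"))  # a new attack wave, or a rule that broke
    return alerts
```

In a real rollout the baseline would be learned from a longer history rather than two fixed hours, and a "volume" or "block-ratio" alert is the trigger for a human to look at the WAF, which is the process slide 13 asks for.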
  • 14. Minutes to learn, a lifetime to master
      A few do's and don'ts along the way
      - It does add security where you need it the most
      - It does fix issues with your applications that programmers can't (at least not fast enough)
      - It gives you a good idea of what is going on with your applications

  • 15. Minutes to learn, a lifetime to master
      - Plan the implementation beforehand
      - Inform your stakeholders about possible issues when rolling out
      - Treat the application firewall rollout as any major software update in your system
      - Don't try to solve everything at once
      - Think big, start small
      - A WAF project is like any other IT project: it fails if not conducted properly

  • 16. Thank You! Kiitos! Tack! (Thank you, in Finnish and Swedish)
      Questions? Kysymyksiä? Frågor? (Questions, in Finnish and Swedish)
      Hopefully at least a few...
      Contact: thomas.malmberg@aktia.fi
      http://fi.linkedin.com/in/thomasmalmberg
