QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Application Firewall

  • QualysGuard Web Application Security – Transforming IT Security & Compliance. Will Bechtel, Director of Product Management - WAS; Steve McBride, Director of Product Management – WAF. Qualys Inc., April 2014
  • Qualys Strategy for Web App Security (diagram: Detection, Prevention, Remediation and Forensics around Web Apps, covering Web App Scanning, Malware Detection, Web Application Firewall, Exploits, Burp Suite, Source Code and Log Analysis)
    •  Detection – WAS, MDS
    •  Protection – WAF (GA 3/2014)
    •  Monitoring/Forensics – Log Analysis (Beta Q4/2014)
    •  Remediation – Interactive Testing Tools*; Remediation Workflow*; SCA Correlation*
    *Services in development
  • Benefits of QG WAS Approach – QualysGuard platform delivers integrated solutions (diagram: Detect, Analyze, Protect, Comply; Discovery/Catalog, Vuln App Scanning, Malware Detection, Web App Firewall, PCI and OWASP around Web Apps)
    •  Distributed Scanning – Cloud/Internal/Virtual
    •  Highly Automated – Integrated Browser
    •  Accurate – Low False-Positive Rate
    •  Integrated – Reuse QA Selenium Functional Testing Scripts
  • Uses the Extensible QG Cloud Platform – Expanding to Real-Time Big Data and Correlation
  • QG WAS Solution – QG WAS does for Web Apps what QG VM does for devices (diagram: an automated and continuous cycle for Web Applications, centred on Risk: Discover and Catalog, Identify Vulnerabilities, Remediate and Audit, Mitigate)
  • QG WAS Today – Best Practices Scanning Solution
    •  Collaboration – Involve all the Application Stakeholders
    •  Ease of Use – Dashboard/Wizards/Context sensitive
    •  Vulnerability Metrics – Tag based reporting; Configurable Formats
  • QG WAS + MDS – Integrated Website Malware Monitoring – Completed!
    •  Malware Protection – Safeguard your website users and brand reputation
    •  4 Detection Techniques – Antivirus (for documents); Heuristic; Reputation; Behavioral
    •  Addresses – Zero Day Risk
  • QG WAS – Attack Proxy Integration – Phase 1 – Completed!
    •  Store and manage – Burp scan data; Share safely
    •  Act on Burp scan findings – Associate with web app; Mark as risk accepted, etc.; Filter based on attributes
  • QG WAS – Sitemap Implementation – Completed!
    •  Visually Navigate Site – Drill in/Drill out; Issue counts at each level; Filter
    •  Actions – Create new web app; Black list; White list
  • QG WAS Directions in 2014 – Full Web App Testing Solution
    •  Additional Interactive Tools Support (Burp/ZAP) – Store Manual Findings; Trend/Report with Automated findings; Complete Web App Testing Picture; Send WAS Attack Requests to attack proxies
    •  Remediation Workflow
    •  SCA Correlation
  • WAS Roadmap
    WAS 3.3 (Q2 2014)
    •  Bulk Update – Update info across multiple web apps; Easy to make partitioned or global changes; Supports changing one or many attributes
    •  Ignore sensitive content findings
    •  Cancel scans in schedule status
    •  Check report quotas
    WAS 3.4 (Q3 2014)
    •  Multi Scan/Schedule – Manages large scale scan jobs; Scan jobs batched by tags; Groups scan data by job
    WAS 3.5 (Q4 2014)
    •  Scheduled Reporting – Send on scheduled basis; Users sent link to report
    •  Report Templates – Save report options as report template
  • QualysGuard Platform Solutions – Seamless integration with other Qualys services (diagram: WAS, VM, MDS, WAF, LM). QG WAS Customers:
    •  Deploy virtual patches to WAF using the vulnerabilities identified in WAS – WAS already supports Imperva, F5, Citrix, Beeware
    •  Combine WAS and MDS scanning of sites
    •  WAF to provide WAS/MDS with site resource structure to ensure complete scanning coverage
  • How Organizations Leverage WAS – Microsoft
    •  BUSINESS CHALLENGE – Assess the security of thousands of web apps with short turnaround times (http://www.qualys.com/customers/success-stories/reigning-in-global-web-application-security-risk-at-microsoft/)
    •  WHY THEY CHOSE QUALYSGUARD – Proven more accurate than other web application scanners; Comprehensive reports - actionable information; A highly accurate, extensive database of up to date security checks; Easiest to use
  • Why do we win? (diagram: WAS Benefits – Integration with QualysGuard Platform, Reduced TCO, Scan Everything)
    •  Strengths
      –  Scale (We can easily handle about 10,000 apps in a subscription)
         – Most are seat licensed and installed in the enterprise (High TCO)
      –  Data Correlation, single dashboard for DAST activities
         – Not one at a time events, correlation done by default
      –  Cost, per app pricing beats out seat licenses for most competitors
         – No longer have to make the choice of what to scan
      –  TAM, we don't sell and walk away!
         – Our people make a huge difference. We make the customer successful!
  • Total Cost of Ownership (TCO)
    •  Understanding the components for AppSec
      –  People
         – Keeping it simple, $140,000 salary + benefits
         – Able to complete ~40 Application Assessments per year
      –  Tools
         – Attack Proxy
         – Legacy Application Scanner with maintenance and a server to run it on: $10,000
    •  TCO = Total Cost / Total Productivity
      –  $150,000 / 40 = $3,750 per Application
  • Why do we lose?
    •  Improvement Opportunities
      –  Head to Head comparisons against known vulnerable apps
         – We don't play that game. Don't let them.
      –  Difficult to manage at scale
         – Bulk Edits and Scans are coming soon.
      –  Technologies we don't support
         – Adobe Flash, Oracle Java, Silverlight etc. … (approx. 3% of sites on the Internet)
      –  OTHERS???
  • WAS ASV Growth - Aggregate (chart only)
  • WAS Subscriber Growth - Aggregate (chart only)
  • Summary
    •  Most scalable, automated and cost effective DAST solution on the market today.
    •  QualysGuard platform integrates web application security into the enterprise.
  • Web Application Firewall – GA announced at RSA 2014, 3/2014
  • HTTP Powers Your Business – Web Applications are everywhere. Do everything. HTTP.
  • Why worry about web applications?
    “99% of all applications tested in 2012 have one or more serious security vulnerabilities. And with a median number of vulnerabilities per app of 13, it's no wonder that application-level attacks are a focus for hackers.”
    “Only 13% complied [with the OWASP Top 10] on first submission.”
  • We're vulnerable. Now what?
    “WAF solutions must be tuned by a trained professional.” (Suto, 4)
    “Only 15% were very confident they have security-related skill sets…”
    “Half of respondents believe the lack of qualified security talent...”
    Sources: Suto, Larry, Analyzing the Effectiveness of Web Application Firewalls, Nov. 2011, http://www.slideshare.net/lbsuto/analyzing-the-effectivess-of-web-application-firewalls; TEKSystems Network Services, http://www.teksystems.com/resources/pressroom/2013/teksystems-cyber-security-month.
  • What if I had…
    •  Adaptive, responsive security that updates itself
    •  Near-immediate deployment
    •  Minimal administrative overhead
    •  No security expertise required
    •  Multiple architectures
  • Qualys Approach
    Always the best protection – Qualys WAF expert security ruleset is built and maintained by dedicated security researchers based upon the latest intel and trends across the Qualys customer base. WAF sensors self-update with the latest software and rules.
    Scalable – Deploy as many WAF sensors as you need, on multiple datacenter and Cloud platforms. Manage your protected sites, WAF clusters, and security events from a single UI.
  • Integrated in QualysGuard
    Automated setup from WAS – QualysGuard WAS and WAF share information about web sites and their weaknesses, speeding deployment of personalized security policies.
    Correlated events – QualysGuard WAS and VM can continuously scan your sites to find vulnerabilities; WAF sensors bring visibility to live threats.
  • Qualys' Distributed Solution – Single SaaS Administration Point, Enforcement Points As Needed (diagram: QualysGuard Cloud Platform managing many WAF sensors)
  • Solution Architecture (diagram: WAF sensors in front of the origin servers, passing on “clean” traffic)
  • Reverse Proxy Operation
    •  Direct traffic to WAF – DNS; Load Balancer Configuration
    •  WAF sensor inspects all traffic and forwards to origin
    •  Server responses are inspected upon egress
  • Security Ruleset – SQL Injection, Cross Site Scripting, Information leakage, Command Injection, Remote File Inclusion, LDAP Injection, SSI Injection, XPath Injection, Local File Inclusion
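The reverse-proxy flow and the ruleset categories of the two slides above, as an added example that is not Qualys code and not part of the original presentation: a small Python model in which a sensor inspects each inbound request (path and query, headers and body, percent-decoded first) against one constructed pattern per listed category, forwards clean requests to a stub origin, and inspects the origin's response on egress for information leakage before releasing it. The rule patterns, the sample requests and `demo_origin` are all constructed assumptions for illustration and are far narrower than any real ruleset.

```python
# Added example, not Qualys code: a minimal model of the reverse-proxy WAF flow
# from the slides. Rule patterns, sample requests and the stub origin below are
# constructed for illustration and are far narrower than a production ruleset.
import re
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str                    # path including any query string
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Decision:
    action: str                  # "allowed", "blocked" (ingress) or "masked" (egress)
    stage: Optional[str]         # "ingress", "egress" or None
    category: Optional[str]      # ruleset category that fired, if any
    response: Response           # what the client actually receives


# Ingress rules, one constructed pattern per category on the "Security Ruleset"
# slide. Order matters: the first hit wins, so the narrower XPath rule sits
# ahead of the broader SQL one.
INGRESS_RULES = [
    ("XPath Injection",       re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+\s*\]")),
    ("SQL Injection",         re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table")),
    ("Cross Site Scripting",  re.compile(r"(?i)<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover)\s*=")),
    ("Command Injection",     re.compile(r"(?:;|\||&&)\s*(?:cat|ls|id|whoami|wget|curl)\b")),
    ("Remote File Inclusion", re.compile(r"(?i)=\s*(?:https?|ftp)://")),
    ("Local File Inclusion",  re.compile(r"(?:\.\./){2,}|/etc/passwd")),
    ("LDAP Injection",        re.compile(r"\)\(\s*[|&]")),
    ("SSI Injection",         re.compile(r"<!--#\s*(?:exec|include)\b")),
]

# Egress rules: signs that the origin is leaking internals in its response body.
EGRESS_RULES = [
    ("Information leakage", re.compile(r"(?i)traceback \(most recent call last\)|stack trace|error in your SQL syntax")),
]


def inspect_request(req: Request) -> Optional[str]:
    """Return the category of the first ingress rule that fires, or None.
    Every surface the application would read (path and query, headers, body)
    is percent-decoded first, so encoded payloads are judged in the form the
    application itself would see them."""
    surfaces = [req.path, req.body, *req.headers.values()]
    text = "\n".join(unquote_plus(s) for s in surfaces)
    for category, pattern in INGRESS_RULES:
        if pattern.search(text):
            return category
    return None


def inspect_response(resp: Response) -> Optional[str]:
    """Return the egress category that fires on the origin's body, or None."""
    for category, pattern in EGRESS_RULES:
        if pattern.search(resp.body):
            return category
    return None


def waf_handle(req: Request, origin: Callable[[Request], Response]) -> Decision:
    """The reverse-proxy flow: inspect the request, forward clean requests to
    the origin, then inspect the origin's response before releasing it."""
    category = inspect_request(req)
    if category:
        return Decision("blocked", "ingress", category, Response(403, "Request blocked"))
    resp = origin(req)
    category = inspect_response(resp)
    if category:
        # Keep the status so monitoring still sees the failure, but replace the
        # body so the origin's internals never reach the client.
        return Decision("masked", "egress", category, Response(resp.status, "An error occurred"))
    return Decision("allowed", None, None, resp)


def demo_origin(req: Request) -> Response:
    """Constructed stand-in for an origin server. /debug deliberately returns a
    verbose error so the egress inspection has something to catch."""
    if req.path.startswith("/debug"):
        return Response(500, "Traceback (most recent call last):\n  File \"app.py\", line 12\nKeyError: 'id'")
    return Response(200, f"ok: {req.method} {req.path}")


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Request("GET", "/search?q=shoes"),
        Request("GET", "/login?user=admin'%20or%20'1'%3D'1"),
        Request("POST", "/api/ping", body="host=127.0.0.1;cat+/etc/passwd"),
        Request("GET", "/view?file=../../../../etc/passwd"),
        Request("GET", "/debug"),
    ]
    for r in samples:
        d = waf_handle(r, demo_origin)
        print(f"{r.method} {r.path:<45} -> {d.action:<7} {d.stage or '':<7} {d.category or ''}")
```

Running it prints one decision line per sample request. Two points the later slides rest on are visible here: rule order and breadth decide which category is reported when several could match, and a deliberately broad pattern such as the remote-file-inclusion one will also flag legitimate parameters that carry URLs, which is exactly the sensitivity a site owner tunes to their business context rather than a fixed property of the ruleset.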
  • Three-Step Configuration
    •  Define your Site – shared site profile with WAS
    •  Associate a WAF (cluster)
    •  Associate a Security Policy
  • Building a Security Policy – Built around expert rules for known threats; User adjusts sensitivity according to their business context and tolerance
  • Defining and Deploying a WAF Cluster – Give it a name; Copy your “personalization code”; Paste the code when deploying your appliances
  • Available for multiple platforms
    •  Amazon EC2 - GA
    •  VMware vCenter - Beta
    •  Exchange & SharePoint Edition (TBD)
    •  Microsoft Hyper-V and Azure (H2 2014)
    •  New HW Appliance?
  • Pricing
    •  Priced per Application protected – Includes 2 virtual appliances
    •  Express Lite – Starts at 1,995 EUR for one application
    •  Express – Starts at 2,995 EUR for one application
    •  Enterprise – Starts at 9,995 EUR for one application
  • WAF Roadmap
    WAF 1.1 (Portal 2.4) Q2 2014
    •  VMware image provisioning
    •  Support for non-standard HTTP ports
    •  Workflow improvements (site and policy components)
    WAF 1.2 (Portal 2.5) Q3 2014
    •  UI improvements
    •  Tab management on event pages
    •  Improved dashboard functionality
    •  Improved SSL certificate support
    •  Improved appliance support and support for additional virtualization platforms
    WAF 1.3 (Portal 2.6) Q4 2014
    •  WAS Results influence WAF security engine
    •  Support for customized block pages
    •  Improved visibility into appliance networking and troubleshooting
  • Thank You – wbechtel@qualys.com, smcbride@qualys.com, fcatucci@qualys.com – Continuous Security