WAFEC, or how to choose WAF technology



                                 RAFAEL SAN MIGUEL CARRASCO
Why I am here

                I like to play with WAF technology

                Honestly, I got no better plan for Friday afternoon

                WAFEC 1.0 has been recently published

                I actually belong to the WAFEC Working Group

                  Let’s talk about WAFEC!
What will we talk about?

           Introduction and concepts

           Why are WAF devices not so fun?

           How to make them fun

           WAFEC sections

           WAFEC and common sense together
So, what is a WAF device?

          WAF devices protect web applications from specific vulnerabilities
          that IDS/IPS/FW technology can’t beat

          WAF devices address the most attack-prone subsystem within a
          technology infrastructure: the webserver

          WAF devices are complex devices with sophisticated features:
          actually, they have to be as complex as web applications

          What they deal with: Cross-site scripting, SQL injection, LDAP injection,
          XPath injection, parameter tampering, cookie poisoning, HTTP request
          smuggling, HTTP response splitting, cross-site tracing, cross-site
          request forgery, stealth commanding, buffer overflows . . .
Some background about WAF

   Negative Security Model

      Concept         The WAF knows what traffic is an attack, and allows
                      any other traffic to go through

      Advantages      • No need for customization
                      • Protection out-of-the-box
                      • Simple, straightforward

      Disadvantages   • Highly dependent on updates
                      • Not very accurate

   Positive Security Model

      Concept         The WAF learns what traffic profile is legitimate,
                      and blocks anything else

      Advantages      • Accurate detection
                      • Detection of unknown attacks
                      • Not dependent on updates

      Disadvantages   • Need for learning process
                      • More prone to false positives
Some background about WAF



  How are unknown attacks identified with PSM?

            http://<site>/get/default.ida?<240chars>%9090<…>%u00=a



         Illegal entry point into the site to the .ida file (/get)

         Illegal parameter tampering of the .ida file

         Buffer overflow attempt on the parameter (240 characters)

         Illegal characters within parameter (%)


      Nimda was blocked by several WAF devices without a custom signature
Some background about WAF

  How does the learning process work in PSM?

         Learning phase (browser -> WAF -> Webserver): the WAF watches legitimate traffic

             http://a.com/showarticle?id=278
             http://a.com/showarticle?id=345
             http://a.com/showarticle?id=12

         What the WAF learns: the id parameter in showarticle is a number

         Enforcement phase: a request that does not fit the learned profile

             http://a.com/showarticle?id=1’%20OR%201=1--

         This looks to be an attack!
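The Nimda checks and the showarticle learning sequence from the two slides above, as an added Python example that is not part of the original deck: it learns a positive-model profile from the three legitimate requests and then applies the same four checks (entry point, parameter, length, illegal characters) to new requests. The length slack rule and the illegal character set are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed learning traffic (the three legitimate requests shown on the
# slide): what the WAF observes for the showarticle entry point.
LEARNING_TRAFFIC = [
    "http://a.com/showarticle?id=278",
    "http://a.com/showarticle?id=345",
    "http://a.com/showarticle?id=12",
]

# Characters that never appeared in any learned value. The check runs on the
# URL-decoded value, so "%20" has already become a space at this point.
ILLEGAL_CHARS = re.compile(r"[%'\"<>;]")


def parse(url):
    """Split a URL into its entry point (the path) and its decoded parameters."""
    parts = urlsplit(url)
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def learn(urls):
    """Learning phase: build a profile per entry point.

    For every parameter the WAF records whether all observed values were
    numeric and the longest value it saw; nothing outside that is allowed
    later on.
    """
    profile = {}
    for url in urls:
        path, params = parse(url)
        entry = profile.setdefault(path, {})
        for name, value in params.items():
            spec = entry.setdefault(name, {"numeric": True, "max_len": 0})
            spec["numeric"] = spec["numeric"] and value.isdigit()
            spec["max_len"] = max(spec["max_len"], len(value))
    return profile


def check(profile, url):
    """Enforcement phase: list the profile violations of one request.

    An empty list means the request fits the learned profile. The checks
    mirror the four findings on the Nimda request: illegal entry point,
    unknown parameter, oversized value, illegal characters.
    """
    path, params = parse(url)
    if path not in profile:
        return [f"illegal entry point {path}"]
    violations = []
    for name, value in params.items():
        spec = profile[path].get(name)
        if spec is None:
            violations.append(f"unknown parameter {name} for {path}")
            continue
        if spec["numeric"] and not value.isdigit():
            violations.append(f"parameter {name} must be a number")
        # Assumed slack: twice the longest learned value, but at least 8
        # characters, so a 240-character overflow payload still stands out.
        if len(value) > max(2 * spec["max_len"], 8):
            violations.append(f"parameter {name} too long ({len(value)} chars)")
        if ILLEGAL_CHARS.search(value):
            violations.append(f"illegal characters in parameter {name}")
    return violations


def decide(profile, url):
    """Positive model: block unless the request matches the profile."""
    return "BLOCK" if check(profile, url) else "ALLOW"


if __name__ == "__main__":
    profile = learn(LEARNING_TRAFFIC)
    # Constructed test requests: a legitimate one, the injection from the
    # slide, an overflow-sized id, and a Nimda-style unknown entry point.
    for url in [
        "http://a.com/showarticle?id=99",
        "http://a.com/showarticle?id=1'%20OR%201=1--",
        "http://a.com/showarticle?id=" + "9" * 240,
        "http://a.com/get/default.ida?x=a",
    ]:
        print(decide(profile, url), url[:60], check(profile, url))
```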
So, what is WAFEC?



          WAFEC is an ongoing project and stands for Web Application
          Firewall Evaluation Criteria

          WAFEC is promoted by WASC, which in turn stands for
          Web Application Security Consortium

          WAFEC is a document describing WAF capabilities, as a
          structured checklist of features

          WAFEC allows technicians to evaluate WAF devices and
          decide which one best fits in their environment
So, what is not WAFEC?



          WAFEC is not a specification of minimum requirements
          that a WAF device must comply with

          WAFEC is not a tutorial or compendium about WAF
          technology or web security

          WAFEC is not for managers, but for reasonably skilled
          technicians
Why do we think WAFEC is necessary?

          There is not much knowledge about this emerging market

          Marketing and sales forces are creating confusion

          WAF devices and manufacturers are proliferating
Why are WAF devices not so fun?



           If not properly configured, they can trigger false positives and
           stop business

           If not properly administered and integrated, they won’t
           adapt to application changes

           If not properly deployed, they can slow down your
           transactions and make business staff unhappy


           The solution: do it properly!

                … and make sure the product you choose does support
                the features you need

                                       … and do it using WAFEC!
How to make them fun


   About false positives and other nightmares


        Take your time to refine policies

        Define detection rules that will alert you of suspicious events
        without the risk of stopping business

        Teach the WAF device in the development phase; that will let
        you define more accurate policies in production environment
How to make them fun


   About application changes

        Web applications change very quickly, which means that the
        WAF behaviour has to change as well

        Let the WAF device learn from developers in order to enable
        policy adjustment in production environment

        Define granular policies so that the WAF can rebuild policies for
        updated sections or areas with no impact in those that haven’t
        changed
How to make them fun

   About application changes

   [Diagram: four numbered panels (1 to 4); only the panel numbers survived extraction]
How to make them fun


   About performance, latency and SLA


        Use SSL accelerators

        Define simpler policies for areas or sections subject to SLAs

        Use webcache integrated features

        Compress HTML content between the WAF and the browser
WAFEC sections


   Deployment and architecture


        Modes of operation
        Bridge, router, proxy or plugin
           … there is no rule of thumb: it depends on your network!

        SSL operation
        Active, passive or not required (case of plugins)

        Technology delivery
        Appliance or software-only

        Support for non-HTTP traffic
        Clear trend: the integration of WAF/IPS capabilities in one device
WAFEC sections


   HTML and HTTP support


       A rather long and boring checklist of features related to
       support for protocol and extensions
                  … but this can drive the decision as well!

       Includes length restrictions for every HTTP component
                  … I have never seen them in place because they
                  can’t be accurately defined

       Response filtering or Intellectual Property Firewalling
                  … this will let you add an extra layer of security
                  if everything else fails
WAFEC sections


   Response filtering

        We have the following datafile, which can be remotely retrieved by means
        of an OsCommerce vulnerability:




                         Imagine that every security mechanism
                         implemented in the WAF device fails!
WAFEC sections


   Response filtering

        ModSecurity’s response filtering capabilities can be configured this way
        to prevent the previous datafile from being effectively retrieved:




             Which results in forbidden access to the malicious URL
             … with no previous knowledge about OsCommerce’s vulnerability!
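An added Python example, not from the slides and not ModSecurity’s own configuration (which is absent from the extracted text): it models what a response filter has to do to stop the datafile on its way out even when every request-side check has failed. The datafile contents, the leak signatures, the inspected content types and the size limit are constructed assumptions; in ModSecurity the corresponding roles are played by SecResponseBodyAccess, SecResponseBodyMimeType, SecResponseBodyLimit and a SecRule on RESPONSE_BODY.

```python
import re

# Assumed policy knobs (names are this example's own, not WAF directives).
INSPECTED_TYPES = {"text/html", "text/plain", "application/json"}
BODY_LIMIT = 64 * 1024          # bytes the WAF buffers before deciding

# Constructed stand-in for the datafile: the slides do not show its
# contents, so a small DB credentials file is assumed here.
PROTECTED_DATAFILE = b"db_host=localhost\ndb_user=store\ndb_pass=S3cret!\n"

# Signatures of the datafile. Anchoring on the start of a line keeps a
# normal page that merely mentions "db_pass" from tripping the filter.
LEAK_SIGNATURES = [
    re.compile(rb"(?m)^db_pass=\S+"),
    re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]

BLOCKED = (403, {"Content-Type": "text/plain"}, b"Forbidden\n")


def filter_response(status, headers, body, on_limit="reject"):
    """Inspect an outbound response; return (status, headers, body, reason).

    reason is None when the response passes through unchanged, otherwise a
    short string destined for the WAF log. on_limit decides what happens to
    bodies larger than BODY_LIMIT: "reject" blocks them, anything else
    inspects only the buffered prefix.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in INSPECTED_TYPES:
        return status, headers, body, None      # binary content is not inspected
    if len(body) > BODY_LIMIT:
        if on_limit == "reject":
            return (*BLOCKED, "response body over inspection limit")
        body_to_scan = body[:BODY_LIMIT]        # partial inspection fallback
    else:
        body_to_scan = body
    for sig in LEAK_SIGNATURES:
        if sig.search(body_to_scan):
            return (*BLOCKED, f"leak signature matched: {sig.pattern!r}")
    return status, headers, body, None


def simulate(body, ctype="text/html"):
    """Run a 200 OK response through the filter; return (status, reason)."""
    status, _, _, reason = filter_response(200, {"Content-Type": ctype}, body)
    return status, reason


if __name__ == "__main__":
    print(simulate(b"<html><body>Welcome to the store</body></html>"))
    print(simulate(b"<pre>" + PROTECTED_DATAFILE + b"</pre>"))   # leaked file
    print(simulate(PROTECTED_DATAFILE, ctype="image/png"))        # not inspected
    print(simulate(b"x" * (BODY_LIMIT + 1)))                      # over limit
```

The third case is the caveat a practitioner should keep in mind: the filter is only as good as the set of content types it inspects and the signatures it carries.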
WAFEC sections


   Detection techniques


        Two main groups: positive model and negative model
                  … my best bet is to properly combine both


        Negative model: what parameters are important?
                  update frequency, number of products included,
                  customized selection of signatures

        Positive model: what parameters are important?
                  basically, effectiveness; if it works, nobody cares
                  about what the core technology is
WAFEC sections


   Protection techniques


        Brute force attack mitigation and automated client detection
                            … helpful for websites that track users’ activity


        Strict request flow enforcement
                            … nice in theory but difficult to effectively
                            implement if the application changes often


        Cryptographic URL and parameter protection
                            … this feature really annoys malicious users
WAFEC sections


   Logging


       It enumerates support for typical event log and notification
       mechanisms, found in most widely-accepted technologies
                           … e-mail, syslog, SNMP traps, OPSEC, etc.

       Criteria for log selection and retention
                           … interesting when legal or regulatory requirements
                           have to be satisfied


       Mechanisms to handle sensitive data
                           … manual or automatic configuration to rewrite
                           sensitive data that would be included in logs
WAFEC sections


   Reporting


        Report formats

        Scheduled reports

        Customized reports

        Flexible reports


               … definitely, reports make management happy!

                But, what else can reports be used for?
                   Trend analysis

                   Risk prioritization

                   Attackers’ behaviour
WAFEC sections


   Some leftovers: Performance and XML


        Support for Web Services, WSDL and XML inspection
                          … this can also drive the final decision if Web
                          Services need to be protected as well

        Maximum number of simultaneous connections, sessions, SSL
        resumptions, requests, etc.
                          … this greatly depends on the underlying technology,
                          mainly ASIC (faster) or Linux (slower)

        Performance under load
WAFEC sections

          Management is a key element of WAF devices

           This is mainly because policies become complex and have to
           quickly evolve in order to adapt to application changes

          We have thought of the following sections:
                                          POLICY MANAGEMENT
                                          PROFILE LEARNING
                                          CONFIGURATION MANAGEMENT
                                          LOGS AND MONITORING
                                          LEFTOVERS

          Any suggestions about features that you would miss?
WAFEC sections

                     Simplicity to manually accept false positives
                      … think of it: how would you refine policies otherwise?

   [Screenshot of a WAF event entry with the option: “This is a false positive. Tick to remove it.”]
WAFEC sections

             Ability to define different policies for different applications
               … why could this be helpful?

   [Diagram: one webserver behind a WAF, with a different policy level per audience:
    HIGH LEVEL for senior management, MID LEVEL for webmail users,
    HIGH LEVEL for system administrators, LOW LEVEL for potential customers]
WAFEC sections



          Support for trusted hosts
           … this feature enables ethical hackers to work with no impact in the
           Incident Management team


          Automated signature download and deployment
           … otherwise, the protection can arrive too late


          Policy rollback mechanism
           … otherwise, the WAF device might stop business


          Ability to create custom signatures or events
           … this way I can address custom vulnerabilities that exist in my
           particular environment
WAFEC sections



          Ability to combine detection and prevention
           … guess what this can be interesting for?


          Ability to manage several devices from one central location
           … otherwise, management can’t be centralized and policy adjustment
           becomes a nightmare!

          Simplicity to relax default policies
Let me ask you some questions

  How long does it take to apply critical security updates from the moment they appear?

  Who applies security updates to the functional/application software, and when?

  What is the critical code path that accesses the backend data?

  Who audits code coming from third parties?

  Is the logging policy followed throughout the code?

  Are the code portions used for partial development testing removed when moving to production?

  Is there server-side validation for all forms?

  Is there a correlation between the logs and the successive upgrades of the application?

  Are security tests/attacks performed on new releases of the software?
Want to know more?



          More info: www.rafaelsanmiguel.com
                     www.webappsec.org/wafec

          Contact info: rafael.sanmiguel@dvc.es


          Interesting info: www.empleoenseguridad.com
Creative Commons
                                             Attribution-NoDerivs 2.0
You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work
Under the following conditions:

                Attribution. You must give the original author
                credit.



                 No Derivative Works. You may not alter, transform, or
                 build upon this work.


For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view
a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter
to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

WAFEC

  • 1. WAFEC, or how to choose WAF technology RAFAEL SAN MIGUEL CARRASCO
  • 2. Why I am here: honestly, I got no better plan for Friday afternoon; I like to play with WAF technology; WAFEC 1.0 has been recently published; I actually belong to the WAFEC Working Group. Let’s talk about WAFEC!
  • 3. What will we talk about? Introduction and concepts; why WAF devices are not so fun; how to make them fun; WAFEC sections; WAFEC and common sense together.
  • 4. So, what is a WAF device? WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW technology can’t beat: cross-site scripting, SQL injection, LDAP injection, XPath injection, parameter tampering, cookie poisoning, HTTP request smuggling, HTTP response splitting, cross-site tracing, cross-site request forgery, stealth commanding, buffer overflows, and more. WAF devices address the most attack-prone subsystem within a technology infrastructure: the webserver. WAF devices are complex devices with sophisticated features: actually, they have to be as complex as web applications.
  • 5. Some background about WAF. Negative Security Model: concept: the WAF knows what traffic is an attack, and allows any other traffic to go through; advantages: no need for customization, protection out-of-the-box, simple and straightforward; disadvantages: highly dependent on updates, not very accurate. Positive Security Model: concept: the WAF learns what traffic profile is legitimate, and blocks anything else; advantages: accurate detection, unknown attacks, not dependent on updates; disadvantages: need for a learning process, more prone to false positives.
  • 6. Some background about WAF. How are unknown attacks identified with PSM? Take the request http://<site>/get/default.ida?<240chars>%9090<…>%u00=a. The positive model flags it on several counts: illegal entry point into the site to the .ida file (/get); illegal parameter tampering of the .ida file; buffer overflow attempt on the parameter (240 characters); illegal characters within the parameter (%). Nimda was blocked by several WAF devices without a custom signature.
  • 7. Some background about WAF. How does the learning process work in PSM? The WAF sits between the clients and the webserver and observes http://a.com/showarticle?id=278, http://a.com/showarticle?id=345 and http://a.com/showarticle?id=12; from these it learns that the id parameter in showarticle is a number. When http://a.com/showarticle?id=1’%20OR%201=1-- arrives, it no longer fits the profile: this looks to be an attack!
  • 8. So, what is WAFEC? WAFEC is an ongoing project and stands for Web Application Firewall Evaluation Criteria. WAFEC is promoted by WASC, which in turn stands for Web Application Security Consortium. WAFEC is a document describing WAF capabilities, as a structured checklist of features. WAFEC allows technicians to evaluate WAF devices and decide which one best fits in their environment.
  • 9. So, what is not WAFEC? WAFEC is not a specification of minimum requirements that a WAF device must comply with. WAFEC is not a tutorial or compendium about WAF technology or web security. WAFEC is not for managers, but for reasonably skilled technicians.
  • 10. Why do we think WAFEC is necessary? There is not much knowledge about this emerging market. Marketing and sales forces are creating confusion. WAF devices and manufacturers are proliferating.
  • 11. Why are WAF devices not so fun? If not properly configured, they can trigger false positives and stop business. If not properly administered and integrated, they won’t adapt to application changes. If not properly deployed, they can slow down your transactions and make business staff unhappy. The solution: do it properly! … and make sure the product you choose does support the features you need … and do it using WAFEC!
  • 12. How to make them fun. About false positives and other nightmares: take your time to refine policies. Define detection rules that will alert you of suspicious events without the risk of stopping business. Teach the WAF device in the development phase; that will let you define more accurate policies in the production environment.
  • 13. How to make them fun. About application changes: web applications change very quickly, which means that the WAF behaviour has to change as well. Let the WAF device learn from developers in order to enable policy adjustment in the production environment. Define granular policies so that the WAF can rebuild policies for updated sections or areas with no impact on those that haven’t changed.
  • 14. How to make them fun. About application changes (diagram with four numbered steps; not reproduced in the transcript).
  • 15. How to make them fun. About performance, latency and SLA: use SSL accelerators. Define simpler policies for areas or sections subject to SLAs. Use integrated webcache features. Compress HTML content between the WAF and the browser.
  • 16. WAFEC sections: deployment and architecture. Modes of operation: bridge, router, proxy or plugin … there is no rule of thumb: it depends on your network! SSL operation: active, passive or not required (case of plugins). Technology delivery: appliance or software-only. Support for non-HTTP traffic: clear trend: the integration of WAF/IPS capabilities in one device.
  • 17. WAFEC sections: HTML and HTTP support. A rather long and boring checklist of features related to support for the protocol and extensions … but this can drive the decision as well! Includes length restrictions for every HTTP component … I have never seen them in place because they can’t be accurately defined. Response filtering or Intellectual Property Firewalling … this will let you add an extra layer of security if everything else fails.
  • 18. WAFEC sections: response filtering. We have the following datafile that can be remotely retrieved by means of an OsCommerce vulnerability: imagine that every security mechanism implemented in the WAF device fails!
  • 19. WAFEC sections: response filtering. ModSecurity’s response filtering capabilities can be configured this way to prevent the previous datafile from being effectively retrieved: which results in forbidden access to the malicious URL … with no previous knowledge about OsCommerce’s vulnerability!
  • 20. WAFEC sections: detection techniques. Two main groups: positive model and negative model … my best bet is to properly combine both. Negative model: what parameters are important? Update frequency, number of products included, customized selection of signatures. Positive model: what parameters are important? Basically, effectiveness; if it works, nobody cares about what the core technology is.
  • 21. WAFEC sections: protection techniques. Brute force attack mitigation and automated client detection … helpful for websites that track users’ activity. Strict request flow enforcement … nice in theory but difficult to effectively implement if the application changes often. Cryptographic URL and parameter protection … this feature really annoys malicious users.
  • 22. WAFEC sections: logging. It enumerates support for typical event log and notification mechanisms, found in most widely-accepted technologies … e-mail, syslog, SNMP traps, OPSEC, etc. Criteria for log selection and retention … interesting when legal or regulatory requirements have to be satisfied. Mechanisms to handle sensitive data … manual or automatic configuration to rewrite sensitive data that would be included in logs.
  • 23. WAFEC sections: reporting. Report formats, scheduled reports, customized reports, flexible reports … definitely, reports make management happy! But, what else can reports be used for? Trend analysis, risk prioritization, attackers’ behaviour.
  • 24. WAFEC sections: some leftovers: performance and XML. Support for Web Services, WSDL and XML inspection … this can also drive the final decision if Web Services need to be protected as well. Maximum number of simultaneous connections, sessions, SSL resumptions, requests, etc. … this greatly depends on the underlying technology, mainly ASIC (faster) or Linux (slower). Performance under load.
  • 25. WAFEC sections: management is a key element of WAF devices. This is mainly because policies become complex and have to quickly evolve in order to adapt to application changes. We have thought of the following sections: POLICY MANAGEMENT, PROFILE LEARNING, CONFIGURATION MANAGEMENT, LOGS AND MONITORING, LEFTOVERS. Any suggestions about features that you would miss?
  • 26. WAFEC sections: simplicity to manually accept false positives … think of it: how would you refine policies otherwise? This is a false positive. Tick to remove it.
  • 27. WAFEC sections: ability to define different policies for different applications … why could this be helpful? (Diagram: four user groups reach the webserver through the WAF, each under its own policy level: senior management, high level; webmail users, mid level; system administrators, high level; potential customers, low level.)
  • 28. WAFEC sections: support for trusted hosts … this feature enables ethical hackers to work with no impact on the Incident Management team. Automated signature download and deployment … otherwise, the protection can arrive too late. Policy rollback mechanism … otherwise, the WAF device might stop business. Ability to create custom signatures or events … this way I can address custom vulnerabilities that exist in my particular environment.
  • 29. WAFEC sections: ability to combine detection and prevention … guess what this can be interesting for? Ability to manage several devices from one central location … otherwise, management can’t be centralized and policy adjustment becomes a nightmare! Simplicity to relax default policies.
  • 30. Let me ask you some questions. How long does it take to apply critical security updates once they appear? Is there server-side validation for all forms? Who audits code coming from third parties? Who applies security updates to functional/application software, and when? Is there correlation between the logs and the successive upgrades of the application? Is the logging policy followed throughout the code? Are the code portions used for partial development testing removed when moving to production? Are security tests/attacks performed against new versions of the software? What is the critical code path that accesses backend data?
  • 31. Want to know more? More info: www.rafaelsanmiguel.com www.webappsec.org/wafec Contact info: rafael.sanmiguel@dvc.es Interesting info: www.empleoenseguridad.com
  • 32. Creative Commons Attribution-NoDerivs 2.0 You are free: •to copy, distribute, display, and perform this work •to make commercial use of this work Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
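The positive-model learning described in slides 6 and 7, as an added example that is not part of the original deck or of any WAF product: a small profile learner trained on the three clean showarticle requests from slide 7, which then evaluates the Nimda-style request of slide 6 and the SQL injection attempt of slide 7. The class and method names, the slack factor for length checks and the sample traffic are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qsl


class PositiveModel:
    """Learns legitimate entry points and a per-parameter value profile."""

    def __init__(self):
        self.paths = set()   # entry points observed while learning
        self.params = {}     # (path, name) -> {"numeric", "max_len", "chars"}

    def learn(self, url):
        """Fold one clean request into the profile (learning phase)."""
        parts = urlsplit(url)
        self.paths.add(parts.path)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            prof = self.params.setdefault(
                (parts.path, name), {"numeric": True, "max_len": 0, "chars": set()})
            prof["numeric"] = prof["numeric"] and value.isdigit()
            prof["max_len"] = max(prof["max_len"], len(value))
            prof["chars"].update(value)

    def check(self, url, slack=4):
        """Return the list of profile violations; empty means the request fits.

        slack is an assumed tolerance: values up to slack times the longest
        learned value are still accepted, so a short learning run does not
        block slightly longer but legitimate inputs."""
        parts = urlsplit(url)
        if parts.path not in self.paths:
            # Resource never seen while learning: nothing to compare parameters against
            return [f"illegal entry point {parts.path}"]
        violations = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            prof = self.params.get((parts.path, name))
            if prof is None:
                violations.append(f"unknown parameter {name!r}")
                continue
            if prof["numeric"] and not value.isdigit():
                violations.append(f"parameter {name!r} is not a number")
            if len(value) > prof["max_len"] * slack:
                violations.append(f"parameter {name!r} too long ({len(value)} chars)")
            if set(value) - prof["chars"]:
                violations.append(f"illegal characters in parameter {name!r}")
        return violations


def build_model():
    """Train on the three clean requests shown in slide 7 (constructed traffic)."""
    model = PositiveModel()
    for url in ("http://a.com/showarticle?id=278",
                "http://a.com/showarticle?id=345",
                "http://a.com/showarticle?id=12"):
        model.learn(url)
    return model


if __name__ == "__main__":
    m = build_model()
    for url in ("http://a.com/showarticle?id=99",
                "http://a.com/showarticle?id=1'%20OR%201=1--",
                "http://a.com/get/default.ida?" + "X" * 240 + "%u9090=a"):
        print(url[:60], "->", m.check(url) or "OK")
```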
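The response filtering of slides 18 and 19, as an added example written for this page rather than the ModSecurity configuration the slides show as an image: the filter recognises the leaked data file by its content, so the URL that reaches it and the vulnerability behind it need not be known in advance. The signatures, the inspected content types, the size cap and both sample responses are constructed assumptions.

```python
import re

# Constructed fingerprints of content that must never leave the server. They
# describe the leaked file itself, not the URL that reaches it, so an exploit
# path nobody has seen before still trips the filter.
LEAK_SIGNATURES = {
    "customer table header": re.compile(rb"customers_id\s*,\s*customers_password", re.I),
    "card-number-like token": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
}
INSPECTED_TYPES = ("text/", "application/json", "application/xml")
MAX_INSPECT_BYTES = 1 << 20   # skip oversized bodies instead of stalling the proxy

# Constructed sample responses: a leaked data file and an ordinary page.
LEAKED_DATAFILE = (b"customers_id,customers_password,customers_email_address\n"
                   b"1,5f4dcc3b5aa765d61d8327deb882cf99,alice@example.test\n")
CLEAN_PAGE = b"<html><body><h1>Article 278</h1><p>Nothing to see here.</p></body></html>"


def filter_response(status, headers, body):
    """Decide whether a backend response may reach the browser.

    Returns (status, headers, body, findings). findings lists the signature
    names that matched; it is empty when the response is passed through and
    is what the WAF would record in its event log."""
    ctype = headers.get("Content-Type", "").lower()
    if not ctype.startswith(INSPECTED_TYPES) or len(body) > MAX_INSPECT_BYTES:
        return status, headers, body, []        # binary or oversized: not inspected
    findings = [name for name, rx in LEAK_SIGNATURES.items() if rx.search(body)]
    if not findings:
        return status, headers, body, []
    # Replace the whole response rather than redacting: a partial leak is still a leak
    blocked_body = b"Forbidden"
    blocked_headers = {"Content-Type": "text/plain",
                       "Content-Length": str(len(blocked_body))}
    return 403, blocked_headers, blocked_body, findings


if __name__ == "__main__":
    samples = (("leaked file", {"Content-Type": "text/plain"}, LEAKED_DATAFILE),
               ("clean page", {"Content-Type": "text/html; charset=utf-8"}, CLEAN_PAGE))
    for label, hdrs, body in samples:
        status, _, _, findings = filter_response(200, hdrs, body)
        print(f"{label}: {status} {findings}")
```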