IMMUNIO vs. Incapsula vs. CloudFlare
RASP vs. WAF
Complete Test Results are available in the Case Study: “Selecting a Web Protection Solution”
The Project
Dojo College is a leading online provider of a multi-tenant hosted Learning Management System. This software product, written in Ruby on Rails, is designed to allow other educational and corporate customers to host their own Learning Management Systems within the larger Dojo College system. The software is all developed in house by a small team of developers who use the Agile methodology. The development team is focused on getting functionality out to their customers, and would rather security be something they can entrust to a third-party solution.
While the project itself dealt with a fictitious company, the scenario was based on a real-life problem that resonates with companies everywhere.
Client and Expectations
About the client
● Online provider of a multi-tenant hosted LMS (Learning Management System)
● Ruby on Rails
● Limited resources, looking for outside help armoring the application
Solutions Selected for Evaluation
● CloudFlare
● Incapsula
● IMMUNIO
Requirements
● Must not impact normal operation
● Functionality and performance must stay well below standard response times
● Must provide actionable near real-time intelligence and reports that allow the team to respond to threats
● Must address the runtime portion of the OWASP Top 10
● Must not require specialized skills for installation and maintenance in regular operation
Test Setup and Methodology
The Network
CloudFlare and Incapsula operate through Content Delivery Networks (CDN).
Baseline testing
Conclusions / Takeaways:
● 55ms response is within the “norm”
● CPU overhead at about 2%
● Memory footprint ~300MB
Test Results (Key Functional Areas)
Ease of Installation
● IMMUNIO: “Installation was as simple as creating an account and deploying a Gem file.”
● Incapsula: “Arguably tied with IMMUNIO for ease of install. After setting up an account, a wizard walks you through creating a DNS record for the newly installed service. Though, without administrator access to install DNS records, you would have to rely on another team to get the correct record installed.”
● CloudFlare: “By far the most difficult of the 3. This install required moving the entire DNS infrastructure to CloudFlare’s servers. Normally this is something that would require a lot of planning and consideration within an organization, and may be met with a lot of resistance.”
Reporting
“Clear, concise reporting that is actionable is the backbone of a good security program. In this test we wanted to see what kind of reporting was available during an attack and whether it was easily understandable.”
● Incapsula: “This solution surprised us during the tests; we had figured it would be the clear winner. Unfortunately, this solution could not provide updates in real time.”
● CloudFlare: “While not the most comprehensive reporting at all, this solution presented the information in an easy to understand format.”
Attack Body of Knowledge
● IMMUNIO: “The only solution here that had a component that was dynamic in nature. Certain functions within the service required priming by sending good traffic through, so IMMUNIO could ‘learn’. This proved to be the one thing that set this product head and shoulders above the others in the final tests.”
● Incapsula: “Has a wide array of signatures, and detected most of them. Incapsula has extra support for DDoS as well as IP reputation, which we found would be a bonus when going into the product selection phase.”
● CloudFlare: “It almost seemed like security was an afterthought. Very small amount of configuration ability. Most of it is based on ModSecurity rulesets, and not nearly as comprehensive as either of the other two solutions.”
Completeness of the Solution
● IMMUNIO: “Detection rates were interesting. The solution found some items that the Dojo.College team was not even expecting. During our testing we uncovered a couple of bugs in some well-known Gems that were being used within the application, and uncovered some design issues within the Dojo.College application that needed to be addressed. Overall the IMMUNIO service performed above and beyond our expectations.”
● Incapsula: “Detection rates were very low. When it did detect, it would block, but most rules required explicit tuning, and would require that tuning again on each update. There is also no way to know if the app was actually vulnerable to an attack, or where it should be fixed.”
● CloudFlare: “Is this thing on? Even at the ‘highest’ setting the solution could only provide a very weak to modest implementation of ModSecurity, and no way to manually update rules or create new rules.”
Performance
● IMMUNIO: measured response time 5.47 ms; measured throughput 614 rpm
● Incapsula: measured response time 9.97 ms; measured throughput 484 rpm
● CloudFlare: measured response time 14 ms; measured throughput 58 rpm
Test Results (Runtime Portion of OWASP Top 10)
Injection (SQL injection, LDAP injection and Command Injection)
● IMMUNIO: 100%
● Incapsula: 60%
● CloudFlare: < 20%
Session Management
● IMMUNIO: 100%
● Incapsula: 100%
● CloudFlare: 100%
Cross-Site Scripting (Stored XSS, DOM XSS, Script Execution, HTML Injection)
● IMMUNIO: 100%, low FP rate
● Incapsula: > 90%, high FP rate
● CloudFlare: < 10%, had to be turned off due to noise
Direct Object Access and Function Level Access Control
● IMMUNIO: RFI 100%, LFI 100%
● Incapsula: RFI 100%, LFI 0%
● CloudFlare: RFI 100%, LFI 0%
CSRF
● IMMUNIO: 100%
● Incapsula: 100%
● CloudFlare: 100%
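The percentages above combine two measurements that the XSS row shows must be read together: detection rate (attacks blocked over attacks sent) and false-positive rate (legitimate requests blocked over legitimate requests sent). The scoring harness below is an added example, not code from the case study or from any of the three products; the test cases, the two products ("rasp" and "waf") and their allow/block verdicts are constructed to mirror the deck's pattern, and the usability thresholds are assumptions.

```ruby
# Added example (not from the IMMUNIO case study): turn labelled test traffic
# plus a protection product's allow/block verdicts into the per-category numbers
# the deck reports. All cases, verdicts and thresholds below are constructed.

# One test request: which runtime OWASP category it exercises, whether it is
# a real attack (true) or legitimate traffic that merely looks suspicious
# (false), and a short descriptive label (no payloads).
TestCase = Struct.new(:category, :attack, :label)

# Constructed test corpus; labels describe the traffic, they are not payloads.
TEST_CASES = [
  TestCase.new("Injection", true,  "sql injection on login form"),
  TestCase.new("Injection", true,  "ldap injection on directory search"),
  TestCase.new("Injection", true,  "command injection in export job"),
  TestCase.new("Injection", false, "benign query containing the word SELECT"),
  TestCase.new("XSS",       true,  "stored script in course description"),
  TestCase.new("XSS",       true,  "DOM-based script via hash fragment"),
  TestCase.new("XSS",       false, "benign HTML snippet in lesson content"),
  TestCase.new("XSS",       false, "benign string with angle brackets"),
  TestCase.new("Access Control", true,  "remote file include via URL param"),
  TestCase.new("Access Control", true,  "local file include via path param"),
  TestCase.new("Access Control", false, "legitimate download by path id"),
]

# Constructed verdicts keyed by label: true = blocked, false = allowed.
# "rasp" models an in-app product that blocks every attack and passes benign
# traffic; "waf" models a signature-only product that misses some attacks and
# also trips on the benign HTML- and SQL-looking requests.
VERDICTS = {
  "rasp" => TEST_CASES.to_h { |tc| [tc.label, tc.attack] },
  "waf"  => {
    "sql injection on login form"             => true,
    "ldap injection on directory search"      => false,
    "command injection in export job"         => true,
    "benign query containing the word SELECT" => true,
    "stored script in course description"     => true,
    "DOM-based script via hash fragment"      => true,
    "benign HTML snippet in lesson content"   => true,
    "benign string with angle brackets"       => true,
    "remote file include via URL param"       => true,
    "local file include via path param"       => false,
    "legitimate download by path id"          => false,
  },
}

# Per category: detection = blocked attacks / attacks sent,
# false_positive = blocked benign requests / benign requests sent.
# Returns { category => { detection: Float, false_positive: Float } } in percent.
def score(cases, verdicts)
  cases.group_by(&:category).to_h do |category, group|
    attacks, benign = group.partition(&:attack)
    caught = attacks.count { |tc| verdicts.fetch(tc.label) }
    noise  = benign.count  { |tc| verdicts.fetch(tc.label) }
    [category, {
      detection:      pct(caught, attacks.size),
      false_positive: pct(noise, benign.size),
    }]
  end
end

def pct(part, whole)
  whole.zero? ? 0.0 : (100.0 * part / whole).round(1)
end

# A control is only usable if it catches attacks AND stays quiet on real
# traffic; the deck's "had to be turned off due to noise" row is the case the
# second condition exists for. Thresholds are assumed, not from the study.
def usable?(result, min_detection: 90.0, max_false_positive: 25.0)
  result[:detection] >= min_detection && result[:false_positive] <= max_false_positive
end

if __FILE__ == $PROGRAM_NAME
  VERDICTS.each do |product, verdicts|
    puts product
    score(TEST_CASES, verdicts).each do |category, r|
      status = usable?(r) ? "ok" : "needs tuning or disable"
      puts format("  %-15s detection %5.1f%%  false positives %5.1f%%  %s",
                  category, r[:detection], r[:false_positive], status)
    end
  end
end
```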