Web Application Firewall (WAF) DAST/SAST combination

In this presentation we analyze the benefits of an innovative WAF that has a callback connection to DAST security tools, allowing security defects in critical SaaS or e-commerce applications to be detected very quickly.

  • For any application there is a moment when it stops being perfect and ideal. This could be due to different reasons: technology renewal, government regulations, hardware evolution, business factors, and others.
  • The real-world example is the Chinese Wall. A huge number of tourists visit this building every day, and every one of them wants to take a piece of the wall home as a souvenir. This is a typical example of scalability. With such popularity, the wall could be destroyed in a couple of years. For that reason the government decided to bring bricks to the wall every night, so tourists can take them as souvenirs instead of real rocks. In this way they resolved the scalability issue in a very specific way. It means that a big application has very specific issues and needs specific solutions.
  • Websites – The New Battleground: The average website is targeted anywhere from twice to 200 times a day by miscellaneous worms and crawlers that attempt a slew of diverse attacks – some for well-known exploits, others for recently discovered, and as a result unpatched, faults. Since these attacks are automated, their numbers only grow, and the attackers never tire.
  • When adding a new feature costs a lot or causes performance degradation, you need an application assessment.
  • Web application firewalls are your first line of defense against new and existing web application threats. They are generally capable of preventing even emerging attacks, and are quickly updated when new threats are discovered. Those deployed in conjunction with or on an extensible application delivery platform provide additional value in the capability to dynamically create policies to address emerging threats or custom threats against your application. They can CYA (cover your apps) while you find and fix the vulnerabilities, a process that requires development, testing, and redeployment. And while you're going through that process, what's going on with your application? Have you taken it offline because it's vulnerable? Were you aware of the specific attack vector when you developed the application? No, you probably haven't, especially not if you're in the retail business, because if your application is down then you are losing revenue, and that's not acceptable. And no, you probably weren't aware of that attack when the app was developed, because it hadn't been discovered yet. But if you've got a WAF you are likely able to continue running your application, secure in the knowledge that the WAF is going to be able to thwart a wide variety of known attacks while you scan, find, and fix the vulnerabilities in your application, whether those are emerging threats or existing ones.
  • Block traffic from malicious sources before an attack can even be attempted.
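The notes above describe the WAF as a temporary shield while the application team scans, finds and fixes vulnerabilities. The following is an added example (not code from the presentation or from SoftServe's product) of the smallest form of that loop: a DAST scanner reports a vulnerable parameter, the WAF turns the finding into a time-limited "virtual patch" rule, and requests matching the rule are blocked until the patch expires or the code fix ships. The finding format, the rule structure and the request representation are all assumptions made for this example; the signature patterns are deliberately narrow.

```python
"""
Added example: DAST finding -> temporary WAF rule -> request decision.
Nothing here is a real scanner or WAF API; all formats are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed DAST finding, of the kind a scanner might push to the WAF over
# a callback channel. Every field name here is hypothetical.
DAST_FINDING = {
    "id": "F-0001",
    "type": "sql_injection",
    "method": "GET",
    "path": "/search",
    "parameter": "q",
    "ttl_seconds": 7 * 24 * 3600,   # temporary patch: expires after one week
}

# Per-vulnerability-class signatures the generated rule applies to the
# reported parameter only (not to the whole request), to limit false positives.
SIGNATURES = {
    "sql_injection": re.compile(
        r"('|--|/\*|\bunion\b.+\bselect\b|\bor\b\s+\d+=\d+)", re.IGNORECASE),
    "xss": re.compile(r"(<\s*script|javascript:|on\w+\s*=)", re.IGNORECASE),
}


@dataclass
class VirtualPatch:
    finding_id: str
    method: str
    path: str
    parameter: str
    pattern: "re.Pattern"
    expires_at: float

    def active(self, now: float) -> bool:
        return now < self.expires_at


def patch_from_finding(finding: dict, now: float) -> VirtualPatch:
    """Build a scoped, expiring block rule from a scanner finding."""
    return VirtualPatch(
        finding_id=finding["id"],
        method=finding["method"].upper(),
        path=finding["path"],
        parameter=finding["parameter"],
        pattern=SIGNATURES[finding["type"]],
        expires_at=now + finding["ttl_seconds"],
    )


def evaluate(patches: List[VirtualPatch], method: str, url: str,
             now: float) -> Tuple[str, Optional[str]]:
    """Return ("block", finding_id) if an active patch matches the request,
    otherwise ("allow", None). Query values are URL-decoded before matching
    so that percent- or plus-encoded payloads are inspected in decoded form."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if not patch.active(now):
            continue                      # expired: the code fix should be live
        if patch.method != method.upper() or patch.path != parts.path:
            continue                      # rule is scoped to one endpoint
        for value in params.get(patch.parameter, []):
            if patch.pattern.search(value):
                return "block", patch.finding_id
    return "allow", None


if __name__ == "__main__":
    now = 1_000.0
    rules = [patch_from_finding(DAST_FINDING, now)]
    for url in ("/search?q=shoes", "/search?q=%27+OR+1%3D1+--"):
        print(url, "->", evaluate(rules, "GET", url, now))
```

The rule is scoped to one method, path and parameter and carries an expiry, which is what makes it a temporary patch rather than a permanent signature: once the developers ship the fix, the rule lapses on its own and the application's normal behaviour is restored.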

    1. New generation Web Application Firewall: Shield for your apps. Nazar Tymoshyk, Ph.D., Security Consultant, R&D at SoftServe
    2. Even the best applications get challenges
    3. Big applications get bigger challenges
    4. Security is an important factor for your app
    5. Consequences: reputation loss, penalties, data loss
    6. Threats: breaching organizational perimeters, IP theft, taking over high-value accounts, modifying the victim's website to deploy malware to website visitors
    7. Hackers' motives: previously, attackers used application vulnerabilities to cause embarrassment and disruption. Now these attackers exploit vulnerabilities to steal data and much more
    8. Problematic vulnerability distribution on first submission, by language (Veracode State of Software Security Report 2012)
    9. Percentage of affected vendor-supplied web application builds (Veracode State of Software Security Report 2012)
    10. How much time do you need to fix security issues in an app?
    11. We have a solution for your application!
    12. Web application firewall: Microsoft IIS, Apache, Nginx
    13. CYA (cover your apps): Time-to-Fix vs. Time-to-Hack; automated temporary patches
    14. ...and do your business: brute force protection, DDoS protection. Mitigate them immediately without waiting weeks for code changes.
    15. Protection against zero-day exploits; protection against OWASP Top 10
    16. Stops data leakage, protects your IP: detects disclosure and unauthorized content in outbound reply messages, such as source code, credit-card and Social Security numbers.
    17. Who needs a WAF? Mature ISVs, immature ISVs, financial organizations, healthcare organizations, retail, education, PCI DSS 6.6, e-commerce
    18. DEMO: let's test a vulnerable web application with popular security tools
    19. It really works! Applications secured.
    20. Our IP is the combination of Dynamic Application Security Testing (DAST) with a Web Application Firewall (WAF), which strengthens security and allows unknown vulnerabilities to be identified and patched dynamically
    21. Would you like to try? Europe Headquarters: 52 V. Velykoho Str., Lviv 79053, Ukraine. Tel: +380-32-240-9090, Fax: +380-32-240-9080, E-mail: info@softserveinc.com. US Headquarters: 12800 University Drive, Suite 410, Fort Myers, FL 33966, USA. Tel: 239-690-3111, Fax: 239-690-3116, E-mail: info@softserveinc.com. www.softserveinc.com. Copyright © 2012 SoftServe, Inc. Thank You!
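Slide 16 says the WAF inspects outbound replies for disclosed source code, credit-card numbers and Social Security numbers. The following is an added example, not the presentation's or SoftServe's code, of what such an outbound filter does: it scans a response body, confirms card-like digit runs with the Luhn checksum so that order numbers and phone numbers are not flagged, masks the sensitive values, and escalates to a block when the body looks like a stack trace or server-side source. The regular expressions, the masking format and the decision policy are assumptions made for this example; the sample response bodies are constructed.

```python
"""
Added example: outbound (response) inspection for data leakage.
Patterns and policy are illustrative assumptions, not a product's ruleset.
"""
import re
from typing import Dict, List, Tuple

# 13-19 digit runs with optional space/dash separators (card number shapes).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding the area/group/serial values that
# are never issued (000, 666, 9xx areas; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Markers of server-side source or error output that should never reach a client.
SOURCE_RE = re.compile(
    r"(<\?php|Traceback \(most recent call last\)|Fatal error:|"
    r"at [\w.$]+\(\w+\.java:\d+\))")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_response(body: str) -> Dict[str, object]:
    """Return findings, the masked body, and an action:
    'allow' (nothing found), 'mask' (PII masked in place) or
    'block' (source/stack-trace disclosure; body must not be delivered)."""
    findings: List[Tuple[str, str]] = []

    def mask_card(m: "re.Match") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw            # digit run that is not a card number
        findings.append(("credit_card", digits[-4:]))
        return "*" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(m: "re.Match") -> str:
        last4 = m.group(0)[-4:]
        findings.append(("ssn", last4))
        return "***-**-" + last4

    masked = CARD_RE.sub(mask_card, body)
    masked = SSN_RE.sub(mask_ssn, masked)
    for m in SOURCE_RE.finditer(masked):
        findings.append(("source_disclosure", m.group(0)))

    if any(kind == "source_disclosure" for kind, _ in findings):
        action = "block"
    elif findings:
        action = "mask"
    else:
        action = "allow"
    return {"findings": findings, "body": masked, "action": action}


if __name__ == "__main__":
    # Constructed response bodies.
    samples = [
        "Order 1234567 shipped. Card on file: 4111 1111 1111 1111",
        "Ref 1234 5678 9012 3456",                 # fails Luhn: not a card
        "SSN 078-05-1120 on record",
        'Traceback (most recent call last):\n  File "app.py", line 3',
    ]
    for s in samples:
        print(inspect_response(s)["action"], "<-", s.splitlines()[0])
```

Masking rather than dropping the whole response keeps a legitimate page usable while the leak is investigated, whereas a stack trace or source fragment has no legitimate reason to reach a browser and is blocked outright; the findings list is what a SOC would forward as the detection record.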