DSS ITSEC Conference 2012 - Radware WAF
TRANSCRIPT
Web Applications are Easy to Exploit
• Whole system open to attack
• Thousands of Web security vulnerabilities
• Can target different layers
• Minimal attention to security during development, especially when outsourced
• Traditional defences inadequate
All they need is a browser
Slide 3
Data Security Breaches
Jan 31, 2011:
“Online dating Web site PlentyOfFish.com has been hacked, exposing the personal information and passwords associated with almost 30 million accounts”
Slide 6
Lost Record Cost Rises
The average total cost of a data breach rose to $6.75 million in 2009
Slide 8
Millions of Records Breached
Slide 9
Records of sensitive information (CCN, SSN, etc.) breached by hacking, US incidents only.
Payment Card Industry (PCI) – Definition
• The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by the major credit card companies as a guideline for organizations that process card payments, to prevent credit card fraud, hacking and other security issues
Slide 12
PCI v2.0: Requirement 6.6
• 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
– Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
– Installing a web-application firewall in front of public-facing web applications
45% of organizations experience a data breach!
Slide 14
• 670 US and multinational IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed in April 2011
Introducing AppWall
• AppWall™ is a WAF that secures Web applications and enables PCI compliance by:
– Blocking attacks on Web applications
– Preventing data theft and manipulation of sensitive data
• Available either as a physical or virtual appliance.
Slide 16
Complete Web Application Protection
• Signature & Rule Protection: cross site scripting (XSS); SQL injection, LDAP injection, OS commanding
• Terminate TCP, Normalize, HTTP RFC: evasions; HTTP response splitting (HRS)
• Data Leak Prevention: credit card number (CCN) / Social Security (SSN); regular expression
• Parameters Inspection: buffer overflow (BO); zero-day attacks
• User Behavior: cross site request forgery; cookie poisoning, session hijacking
• Layer 7 ACL: folder / file level access control; white listing or black listing
• XML & Web Services: XML validity and schema enforcement
• Role Based Policy: authentication; user tracking
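The following is an added example written for this page, not code from the slides or from Radware AppWall. It shows what three of the protection rows above amount to on the request side: bounded percent-decoding, NUL stripping and SQL comment removal (the normalization row), a small signature set applied only to the normalized values (the signature and rule row), and path prefixes denied outright (the Layer 7 ACL row). The signatures, the blocked prefixes, the sample requests and the Reservations.com paths they use are all constructed for the example.

```python
"""Request-side WAF checks in miniature: normalization against evasions,
signature and rule matching, and a Layer 7 ACL. Added example for this page,
not Radware AppWall's code; every rule and sample request below is constructed."""
from __future__ import annotations
import re
from urllib.parse import unquote, urlsplit

# Constructed Layer 7 ACL: application sections public clients may never reach.
BLOCKED_PREFIXES = ("/admin/", "/config/")

# Constructed signature set. Patterns run against normalized values only,
# so encoding tricks in the raw request do not slip past them.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.{0,20}\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon(click|load|error|mouse\w*)\s*=)"),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "oscmd": re.compile(r"(?i)(;|\|\||&&|`)\s*(cat|ls|id|whoami|rm)\b"),
}

MAX_DECODE_ROUNDS = 3   # bounded, so nested encodings cannot make the WAF loop


def normalize(value: str):
    """Canonicalize one raw value and report the evasion techniques undone."""
    notes = []
    current = value
    for rnd in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        if rnd > 0:                       # a second decode still changed it
            notes.append("double-encoding")
        current = decoded
    if "\x00" in current:                 # NUL used to truncate strings in C-based parsers
        notes.append("null-byte")
        current = current.replace("\x00", "")
    stripped = re.sub(r"/\*.*?\*/", "", current)   # un/**/ion -> union
    if stripped != current:
        notes.append("inline-comment")
        current = stripped
    return re.sub(r"\s+", " ", current), notes


def split_query(query: str):
    """Yield (name, raw value) pairs WITHOUT decoding, so normalize() sees the raw form."""
    for pair in query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            yield name, raw


def inspect_request(url: str) -> dict:
    """Decide allow/block for one request URL and say why."""
    parts = urlsplit(url)
    path, notes = normalize(parts.path)
    reasons = []
    if any(path.startswith(p) for p in BLOCKED_PREFIXES):
        reasons.append("acl:" + path)
    fields = [("path", path)]
    for name, raw in split_query(parts.query):
        value, more = normalize(raw)
        notes.extend(more)
        fields.append((name, value))
    for name, value in fields:
        for sig, pattern in SIGNATURES.items():
            if pattern.search(value):
                reasons.append(f"{sig}:{name}")
    if notes:
        reasons.append("evasion:" + ",".join(sorted(set(notes))))
    return {"action": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample requests against the Reservations.com paths from the slides.
    for u in [
        "/hotels/?city=Riga&stars=4",
        "/hotels/?id=1%27%20OR%20%271%27=%271",
        "/info/?q=%253Cscript%253Ealert(1)%253C/script%253E",
        "/hotels/?id=1%20un/**/ion%20sel/**/ect%201",
        "/reserve/?file=..%2F..%2Fetc%2Fpasswd",
        "/%2561dmin/",
    ]:
        print(u, "->", inspect_request(u))
```

The query string is split before decoding on purpose: a library parser would already have removed one layer of encoding, and the double-encoding evidence with it. Each decision carries its reasons so the block can be explained in an audit report.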
Adaptive Auto Policy Generation (1 of 4): App Mapping
Reservations.com: /config/, /hotels/, /register/, /info/, /reserve/, /admin/
Slide 20
Adaptive Auto Policy Generation (2 of 4): App Mapping, Threat Analysis
Reservations.com: /config/, /hotels/, /register/, /info/, /reserve/, /admin/
Risk analysis per “application-path”:
• SQL Injection: spoof identity, steal user information, data tampering
• CCN breach: information leakage
• Buffer Overflow: unexpected application behavior, system crash, full system compromise
• Directory Traversal: gain root access control
Slide 21
Adaptive Auto Policy Generation (3 of 4): App Mapping, Threat Analysis, Policy Generation
Reservations.com: /config/, /hotels/, /admin/, /register/, /info/, /reserve/
Threats found: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal
Generated policy:
• Prevent access to sensitive app sections
• Mask CCN, SSN, etc. in responses (e.g. ***********9459)
• Parameters inspection
• Traffic normalization & HTTP RFC validation
Slide 22
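Added example, not the page's or AppWall's code, of the response-side masking behind the "mask CCN, SSN, etc. in responses" action here and the regular-expression data leak prevention row on the protection slide: candidate numbers are located with regular expressions, card candidates are confirmed with a Luhn check before anything is touched, and only the last four digits survive, as in the ***********9459 on the slide. The patterns, the Luhn filter and the sample response body are constructed; the card number in it is Luhn-valid but invented.

```python
"""Response-side data leak prevention: mask card numbers and SSNs in an
outgoing body. Added example for this page, not Radware AppWall's code; the
patterns, the sample body and the (Luhn-valid, invented) card number are constructed."""
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces or dashes.
CCN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in 3-2-4 form, excluding area/group/serial values that are never issued.
SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(raw: str, keep_last: int = 4) -> str:
    """Replace digits with '*' except the last keep_last, preserving separators."""
    n_digits = sum(ch.isdigit() for ch in raw)
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= n_digits - keep_last else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def scrub_response(body: str):
    """Return (masked body, counts of what was masked)."""
    counts = {"ccn": 0, "ssn": 0}

    def ccn_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        # The regex alone also catches order numbers and IDs of the right length;
        # the Luhn check is what keeps the false-positive rate down.
        if not luhn_valid(digits):
            return m.group(0)
        counts["ccn"] += 1
        return mask_digits(m.group(0))

    def ssn_sub(m):
        counts["ssn"] += 1
        return mask_digits(m.group(0))

    body = CCN_CANDIDATE.sub(ccn_sub, body)
    body = SSN.sub(ssn_sub, body)
    return body, counts


# Constructed response fragment: one card number, one SSN, and an order number
# that happens to be 16 digits long but fails the Luhn check.
SAMPLE_BODY = ("<p>Guest: J. Doe, card 4532 7681 2045 9459 (exp 09/14), "
               "SSN 078-05-1120, order 1234 5678 9012 3456.</p>")

if __name__ == "__main__":
    masked, counts = scrub_response(SAMPLE_BODY)
    print(masked)
    print(counts)
```

Masking in place rather than dropping the response keeps the page usable for the legitimate user while the counters feed the audit and PCI reports; a body that is compressed or chunked would have to be decoded before this step, which is why a WAF terminates the connection rather than scanning raw TCP payloads.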
Adaptive Auto Policy Generation (4 of 4): App Mapping, Threat Analysis, Policy Generation, Policy Activation
Reservations.com: /config/, /hotels/, /admin/, /register/, /info/, /reserve/
Threats found: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal (CCN masked as ***********9459)
Policy Activation:
• Add tailored application rules
• Optimize rules for best accuracy
• Time to protect
Result: virtually zero false positives, best security coverage
Slide 23
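Added example written for this page (not Radware's implementation) of the four steps in miniature and of the "parameters inspection" action: application paths and their parameters are mapped from constructed learning traffic, each parameter gets a learned type and length bound (policy generation, with a slack factor standing in for "optimize rules for best accuracy"), sensitive sections go into a deny list, and activation then blocks whatever falls outside that model. The type lattice, the slack factor, the sensitive-path list and the traffic are all assumptions.

```python
"""Adaptive auto policy generation in miniature: map the application from
learning-mode traffic, derive a positive (whitelist) parameter policy per
path, then enforce it. Added example for this page, not Radware's code; the
traffic, type lattice, slack factor and sensitive-path list are constructed."""
from collections import defaultdict
import re

# Constructed value types, most to least specific. A parameter learned as one
# type also accepts every type before it in this list.
TYPE_ORDER = ["digits", "alnum", "text", "any"]
TYPE_PATTERNS = {
    "digits": re.compile(r"\d+"),
    "alnum": re.compile(r"[A-Za-z0-9_-]+"),
    "text": re.compile(r"[^<>'\";]*"),
}
# Constructed: sections seen during mapping that must never be publicly reachable.
SENSITIVE_PREFIXES = ("/admin/", "/config/")
LENGTH_SLACK = 1.5   # widen the learned maximum so normal variation is not blocked


def classify(value: str) -> str:
    for name in TYPE_ORDER[:-1]:
        if TYPE_PATTERNS[name].fullmatch(value):
            return name
    return "any"


def generate_policy(samples):
    """App mapping + policy generation from (path, {param: value}) samples."""
    learned = defaultdict(dict)
    for path, params in samples:
        if path.startswith(SENSITIVE_PREFIXES):
            continue                      # covered by the ACL, not by learning
        rules = learned[path]             # creates the entry even for parameter-less paths
        for name, value in params.items():
            rule = rules.setdefault(name, {"type": 0, "max_len": 0})
            rule["type"] = max(rule["type"], TYPE_ORDER.index(classify(value)))
            rule["max_len"] = max(rule["max_len"], len(value))
    policy = {"denied": list(SENSITIVE_PREFIXES), "paths": {}}
    for path, rules in learned.items():
        policy["paths"][path] = {
            name: {"type": TYPE_ORDER[r["type"]],
                   "max_len": int(r["max_len"] * LENGTH_SLACK) + 1}
            for name, r in rules.items()
        }
    return policy


def enforce(policy, path, params):
    """Policy activation: block anything outside the learned application model."""
    if path.startswith(tuple(policy["denied"])):
        return {"action": "block", "reasons": ["acl:" + path]}
    rules = policy["paths"].get(path)
    if rules is None:
        return {"action": "block", "reasons": ["unknown-path:" + path]}
    reasons = []
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            reasons.append("unknown-param:" + name)
            continue
        if TYPE_ORDER.index(classify(value)) > TYPE_ORDER.index(rule["type"]):
            reasons.append("type:" + name)      # injection payload in a numeric/alnum field
        if len(value) > rule["max_len"]:
            reasons.append("length:" + name)    # oversized input, the buffer-overflow case
    return {"action": "block" if reasons else "allow", "reasons": reasons}


# Constructed learning-mode traffic for the Reservations.com paths on the slides.
LEARNING_TRAFFIC = [
    ("/hotels/", {"city": "Riga", "stars": "4"}),
    ("/hotels/", {"city": "Tallinn", "stars": "5"}),
    ("/hotels/", {"city": "Vilnius", "stars": "3"}),
    ("/reserve/", {"hotel_id": "1042", "checkin": "2012-11-01", "nights": "2"}),
    ("/reserve/", {"hotel_id": "77", "checkin": "2012-12-24", "nights": "10"}),
    ("/register/", {"user": "jdoe", "email": "jdoe@example.com"}),
    ("/register/", {"user": "anna_k", "email": "anna.k@example.org"}),
    ("/info/", {}),
    ("/admin/", {"action": "export"}),   # mapped, but goes to the deny list
]

if __name__ == "__main__":
    policy = generate_policy(LEARNING_TRAFFIC)
    print(policy)
    print(enforce(policy, "/hotels/", {"city": "Riga' OR 1=1--", "stars": "4"}))
    print(enforce(policy, "/hotels/", {"city": "A" * 4000}))
    print(enforce(policy, "/admin/", {}))
```

A positive model like this is what lets the WAF claim protection against attacks it has no signature for: an oversized or mistyped value is blocked because it is unlike anything the application was seen to accept, not because it matched a known payload. The price is that learning must cover real traffic on every path, which is why the slides place optimization before activation.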
Best Security & Compliance Reports
• Network and application security correlation
reports
• Dozens of predefined security reports
• Learning reports detailing learned app resources
• Audit and access reports
• PCI Compliance reports
Slide 25