SlideShare una empresa de Scribd logo

Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Thomas Malmberg
Thomas Malmberg

Web Application & Web Services Security integrated in Global Application Offering. Drivers and issues for choosing an application firewall.

Presentaciones y charlas públicas
1 de 17
Descargar para leer sin conexión
Web Application & Web Services Security integrated in Global Application Offering - Problems? No, no problems at all. - Yes. We're using WAF too. 3.11.2011 Thomas Malmberg
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 2 Agenda •Security and its many faces •Drivers and issues for choosing an application firewall •Minutes to learn, a lifetime to master ”Questions may be asked at any given time” Web Application & Web Services Security integrated in Global Application Offering
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 3 Security and its many faces •Security has to be applied on many levels in an organization –Processes –User management –Firewalls –Keycards –Doors –SSL –Penetration testing –Training –... •Can security be enforced by applying Magnum Force?
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 4 Security and its many faces •Carrot and stick – approach –Give some and get some –Design and enforce policies, not "magnum force" –Involve the right people – You need to "sell your agenda" –Make sure you "enable business" (but what does that really mean?) –In certain cases, deploying a new technology is the right solution
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 5 Drivers and issues for choosing an application firewall ..but wait - let's recap what REALLY happened (or what should have happened) The Stick PCI-DSS The Carrot Cut costs on expensive application re-testing and re-coding and re- inventing and re- everything
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 6 Drivers and issues for choosing an application firewall •PCI-DSS was "the drop that spilled the cup" •Before PCI-DSS we had at least this: –National Legislation –Financial Supervisory Authority Directives –EU Legislation & Directives –Finanssivalvonta, Finansinspektionen –Common Sense •Then we woke up and realized that... –Security had many faces –Security cannot be bought (but neat firewalls can!) –Security is a mindset –Security is a way of life Financial Supervisory Authority: • Finanssivalvonta (FI) • Finansinspektionen (SE)
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 7 Drivers and issues for choosing an application firewall •Today we understand that –Credit-card numbers are not everything –There are a lot of different input sources to definitive compliancy –It is not wise to pursue different directives or legislations separately –Everything we do in this field increases the overall security
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 8 Drivers and issues for choosing an application firewall
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 9 Case HBGary •HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. •HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year •Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things. •Source: http://arstechnica.com/tech- policy/news/2011/02/anonymous-speaks-the-inside- story-of-the-hbgary-hack.ars/
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 10 Case HBGary 1.The CMS-system had an SQL-injection vulnerability 2.Usernames were stolen from the user-database 3.Passwords were hashed using simple MD5 w/o salting 4.Passwords were weak 5.Same passwords were used for public SSH- access 6.The SSH-server was not patched, root access could be gained 7.Same passwords were used for email accounts, Google apps and for gmail-administrators 8.Using admin-rights, many email accounts were scavenged for information 9.Emailing was used for social engineering to gain even more access to other sites
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 11 Drivers and issues for choosing an application firewall
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 12 Drivers and issues for choosing an application firewall •An application firewall (WAF) would not make us PCI-DSS compliant •It would only partially answer one of the requirements set by the PCI- council •BUT - depending on the product we choose we could –increase the overall security level of all of our public internet services –accelerate our websites –apply quick fixes to 0-day vulnerabilities when we most need it –safely deploy applications with known issues to the public while investigating the root cause –possibly protect our web-services ”0-day vulnerabilities must be fixed IMMEDIATELY.”
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 13 Minutes to learn, a lifetime to master •A few do's and don't along the way –Don't expect the application firewall to be a generic solution to issues in your software development –Don't ditch external security audits –Don't expect everything to be up and running smoothly day 1 –Don't expect that the application firewall never requires attention –Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 14 Minutes to learn, a lifetime to master •A few do's and don't along the way –It does add security where you need it the most –It does fix issues with your applications programmers can't (at least not fast enough) –It gives you a good idea of what is going on with your applications
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 15 Minutes to learn, a lifetime to master •Plan the implementation beforehand •Inform your stakeholders about possible issues when rolling out •Treat the application firewall rollout as any major software update in your system •Don't try to solve everything at once – Think big, start small ”A WAF-project is like any other IT-project – it fails of not conducted properly”
Thank You! Kiitos! Tack! Questions? Kysymyksiä? Frågor? Hopefully at least a few... Contact: thomas.malmberg@aktia.fi http://fi.linkedin.com/in/thomasmalmberg
Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Recomendados

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security ModelAlert Logic
 
BitSensor Webwinkel Vakdagen
BitSensor Webwinkel VakdagenBitSensor Webwinkel Vakdagen
BitSensor Webwinkel Vakdagenwebwinkelvakdag
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterAlert Logic
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA WebinarWaratek Ltd
 

Recomendados

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security ModelAlert Logic
 
BitSensor Webwinkel Vakdagen
BitSensor Webwinkel VakdagenBitSensor Webwinkel Vakdagen
BitSensor Webwinkel Vakdagenwebwinkelvakdag
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterAlert Logic
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA WebinarWaratek Ltd
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Armyconjur_inc
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Ltd
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017kieranjacobsen
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresSBWebinars
 
DevSecOps, The Good, Bad, and Ugly
DevSecOps, The Good, Bad, and UglyDevSecOps, The Good, Bad, and Ugly
DevSecOps, The Good, Bad, and Ugly4ndersonLin
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiCSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiNCCOMMS
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
The Cloud - What's different
The Cloud - What's differentThe Cloud - What's different
The Cloud - What's differentChen-Tien Tsai
 
Zero trust server management - lightning
Zero trust server management - lightningZero trust server management - lightning
Zero trust server management - lightningKevin Gilpin
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to executionAlgoSec
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Trish McGinity, CCSK
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDevSecCon
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Stephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudStephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudDevSecCon
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux
 

Más contenido relacionado

La actualidad más candente

SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Armyconjur_inc
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Ltd
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017kieranjacobsen
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresSBWebinars
 
DevSecOps, The Good, Bad, and Ugly
DevSecOps, The Good, Bad, and UglyDevSecOps, The Good, Bad, and Ugly
DevSecOps, The Good, Bad, and Ugly4ndersonLin
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiCSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiNCCOMMS
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
The Cloud - What's different
The Cloud - What's differentThe Cloud - What's different
The Cloud - What's differentChen-Tien Tsai
 
Zero trust server management - lightning
Zero trust server management - lightningZero trust server management - lightning
Zero trust server management - lightningKevin Gilpin
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to executionAlgoSec
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Trish McGinity, CCSK
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDevSecCon
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Stephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudStephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudDevSecCon
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 

La actualidad más candente (20)

SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside Out
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
DevSecOps, The Good, Bad, and Ugly
DevSecOps, The Good, Bad, and UglyDevSecOps, The Good, Bad, and Ugly
DevSecOps, The Good, Bad, and Ugly
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiCSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
The Cloud - What's different
The Cloud - What's differentThe Cloud - What's different
The Cloud - What's different
 
Zero trust server management - lightning
Zero trust server management - lightningZero trust server management - lightning
Zero trust server management - lightning
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to execution
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Stephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudStephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloud
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
 

Destacado

Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Most In Demand Information Security Skills
Most In Demand Information Security SkillsMost In Demand Information Security Skills
Most In Demand Information Security SkillsInterQuest Group
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
Session Hijacking ppt
Session Hijacking pptSession Hijacking ppt
Session Hijacking pptHarsh Kevadia
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4琛琳 饶
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod securityHuang Toby
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 

Destacado (20)

Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Most In Demand Information Security Skills
Most In Demand Information Security SkillsMost In Demand Information Security Skills
Most In Demand Information Security Skills
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Session Hijacking ppt
Session Hijacking pptSession Hijacking ppt
Session Hijacking ppt
 
AWS WAF - A Web App Firewall
AWS WAF - A Web App FirewallAWS WAF - A Web App Firewall
AWS WAF - A Web App Firewall
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod security
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 

Similar a Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
Small Business Administration Recommendations
Small Business Administration RecommendationsSmall Business Administration Recommendations
Small Business Administration RecommendationsMeg Weber
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldiMIS
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldiMIS
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...IBM Security
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.pptssusera76ea9
 
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'Chris Hails
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
APAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds SecurityAPAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds SecuritySolarWinds
 
Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4MLG College of Learning, Inc
 

Similar a Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering (20)

Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Small Business Administration Recommendations
Small Business Administration RecommendationsSmall Business Administration Recommendations
Small Business Administration Recommendations
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.ppt
 
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
APAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds SecurityAPAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds Security
 
Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4
 

Último

Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 

Último (20)

Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 

Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering

  • 1. Web Application & Web Services Security integrated in Global Application Offering - Problems? No, no problems at all. - Yes. We're using WAF too. 3.11.2011 Thomas Malmberg
  • 2. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 2 Agenda •Security and its many faces •Drivers and issues for choosing an application firewall •Minutes to learn, a lifetime to master ”Questions may be asked at any given time” Web Application & Web Services Security integrated in Global Application Offering
  • 3. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 3 Security and its many faces •Security has to be applied on many levels in an organization –Processes –User management –Firewalls –Keycards –Doors –SSL –Penetration testing –Training –... •Can security be enforced by applying Magnum Force?
  • 4. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 4 Security and its many faces •Carrot and stick – approach –Give some and get some –Design and enforce policies, not "magnum force" –Involve the right people – You need to "sell your agenda" –Make sure you "enable business" (but what does that really mean?) –In certain cases, deploying a new technology is the right solution
  • 5. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 5 Drivers and issues for choosing an application firewall ..but wait - let's recap what REALLY happened (or what should have happened) The Stick PCI-DSS The Carrot Cut costs on expensive application re-testing and re-coding and re- inventing and re- everything
  • 6. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 6 Drivers and issues for choosing an application firewall •PCI-DSS was "the drop that spilled the cup" •Before PCI-DSS we had at least this: –National Legislation –Financial Supervisory Authority Directives –EU Legislation & Directives –Finanssivalvonta, Finansinspektionen –Common Sense •Then we woke up and realized that... –Security had many faces –Security cannot be bought (but neat firewalls can!) –Security is a mindset –Security is a way of life Financial Supervisory Authority: • Finanssivalvonta (FI) • Finansinspektionen (SE)
  • 7. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 7 Drivers and issues for choosing an application firewall •Today we understand that –Credit-card numbers are not everything –There are a lot of different input sources to definitive compliancy –It is not wise to pursue different directives or legislations separately –Everything we do in this field increases the overall security
  • 8. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 8 Drivers and issues for choosing an application firewall
  • 9. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 9 Case HBGary •HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. •HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year •Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things. •Source: http://arstechnica.com/tech- policy/news/2011/02/anonymous-speaks-the-inside- story-of-the-hbgary-hack.ars/
  • 10. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 10 Case HBGary 1.The CMS-system had an SQL-injection vulnerability 2.Usernames were stolen from the user-database 3.Passwords were hashed using simple MD5 w/o salting 4.Passwords were weak 5.Same passwords were used for public SSH- access 6.The SSH-server was not patched, root access could be gained 7.Same passwords were used for email accounts, Google apps and for gmail-administrators 8.Using admin-rights, many email accounts were scavenged for information 9.Emailing was used for social engineering to gain even more access to other sites
  • 11. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 11 Drivers and issues for choosing an application firewall
  • 12. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 12 Drivers and issues for choosing an application firewall •An application firewall (WAF) would not make us PCI-DSS compliant •It would only partially answer one of the requirements set by the PCI- council •BUT - depending on the product we choose we could –increase the overall security level of all of our public internet services –accelerate our websites –apply quick fixes to 0-day vulnerabilities when we most need it –safely deploy applications with known issues to the public while investigating the root cause –possibly protect our web-services ”0-day vulnerabilities must be fixed IMMEDIATELY.”
  • 13. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 13 Minutes to learn, a lifetime to master •A few do's and don't along the way –Don't expect the application firewall to be a generic solution to issues in your software development –Don't ditch external security audits –Don't expect everything to be up and running smoothly day 1 –Don't expect that the application firewall never requires attention –Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
  • 14. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 14 Minutes to learn, a lifetime to master •A few do's and don't along the way –It does add security where you need it the most –It does fix issues with your applications programmers can't (at least not fast enough) –It gives you a good idea of what is going on with your applications
  • 15. 11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 15 Minutes to learn, a lifetime to master •Plan the implementation beforehand •Inform your stakeholders about possible issues when rolling out •Treat the application firewall rollout as any major software update in your system •Don't try to solve everything at once – Think big, start small ”A WAF-project is like any other IT-project – it fails of not conducted properly”
  • 16. Thank You! Kiitos! Tack! Questions? Kysymyksiä? Frågor? Hopefully at least a few... Contact: thomas.malmberg@aktia.fi http://fi.linkedin.com/in/thomasmalmberg