The document discusses securing campus web applications with vulnerability assessments (VAs) and web application firewalls (WAFs). It describes implementing WAFs in stages, including using the open-source ModSecurity module initially and then commercial products. It also discusses performing regular VAs and how their results can be integrated with WAFs for a layered security approach. Various WAF deployment options, features, and ongoing management considerations are outlined.
2009: Securing Applications With Web Application Firewalls and Vulnerability Assessments
1. Securing Campus Web Applications with Vulnerability Assessments (VA) and Web Application Firewalls (WAFs) | Neil Matatall | November 5, 2009 | University of California, Irvine | OWASP Orange County Chapter Lead | Educause Effective Practices WG Member
32. Deployment Options Matrix WEB APPLICATION FIREWALL DEPLOYMENT MODE CONSIDERATIONS: INLINE VS. OUT-OF-LINE
Editor's notes
11/04/09 Mention that this talk will be focused mostly on WAFs, ask if anyone is thoroughly disappointed
11/04/09 (Figures from 2009)
11/04/09 The smoking guy was the “boss” from lovelycharts.com. Notice that the intranet does not bypass the WAF.
11/04/09 Scope Creep!
11/04/09 WAFs take a LOT of time. Too often I hear, “if we have a WAF, why do we need to write secure code?” One of the biggest surprises to us was how much time and effort is involved.
11/04/09 Same goes for open source…
11/04/09 WAFs handle 4 out of 5 of these gracefully, RFI
11/04/09 AppScan/static analysis is difficult with a large number of small-purpose apps.
11/04/09 This left us open when our device failed.
11/04/09 It’s no good if you can’t spend the time tuning after every alert. Mention the “strict profile” versus the normal profile. Mention profiling reports!
11/04/09 SecureSphere Web Application Firewall Presentation, May 21, 2007, Imperva. Mention the hidden slide matrix.
11/04/09 Outside scans may get blocked for other reasons.
11/04/09 Much more accurate for XSS protection. Correlation rules are sad; virtual patches are accurate.
11/04/09 Inattentive? That just sounds weird
11/04/09 Note the single and double quote at the end of the name. If a signature is detected, then the WAF doesn’t request
11/04/09 Connection resets instead of error pages for certain classes.
11/04/09 Fixed DWH, library problem, caught.
11/04/09 Having the DB on the same host as the web server forces us to install an agent. Messed-up parameters caused unknown-parameter alerts: &variable
11/04/09 -1.02 is not considered “numeric”
11/04/09 Fortify will do static analysis on your code if it is open source