Securing Campus Web Applications with Vulnerability Assessments (VA) and Web Application Firewalls (WAFs) Neil Matatall  |  November 5, 2009 University of California, Irvine OWASP Orange County Chapter Lead Educause Effective Practices WG Member
Glossary
Agenda
Let’s Make It Clear
About UCI
Security Is All About The Layers. This is commonly known as the “Defense in Depth” strategy.
Commonly Overheard Misconceptions of Application Security
Agenda
Visual Representation of WAFs
What a WAF is
The OSI Stack. The application set is handled by Web Application Firewalls; the transport set is handled by traditional network firewalls.
What a WAF is (Cont’d)
What a WAF is not
XKCD – Missing the Point http://xkcd.com/538
Why You Need A WAF. 1 White Hat - statistic for initial examination; 2 Gartner Research
The Most Widespread Vulnerabilities in Web Applications. WASC - Web Application Security Statistics
Why WAFs Are Attractive in Higher Ed
Example Attack: What the WAF Sees. OWASP Top 10: #3 Malicious File Execution (RFI)
Agenda
Step One: ModSecurity
Before ModSecurity
After ModSecurity
Step Two: Taking the Dive…Vendors
Downside of Negative Security Model. 1. Methods to Bypass a Web Application Firewall
Step 1.5
Common Features of Commercial Products
Positive Security Model Examples
Tips & Tricks
WAF Lifecycle
WAF Options
Deployment Options Matrix. Web Application Firewall Deployment Mode Considerations: Inline vs. Out-of-Line
Deployment Options (diagram: Internet, SecureSphere, Switch, Data Center)
Which WAF is Right for You?
Bonus: Database Monitoring
Agenda
Vulnerability Assessments
Vulnerability Assessment Strategies
Scan When
Scan What
Agenda
Synergy Bliss
Synergy Bliss Continued
Agenda
New Form of Social Engineering?
WAF Weakening Flavors
Bypassing WAFs. Methods to Bypass a Web Application Firewall
Agenda
Lessons Learned
WAF Issues Encountered
Because the WAF Says So
WAF Wins
Side Benefits
Leaving Thoughts…
References
Editor's notes

  1. 11/04/09 Mention that this talk will be focused mostly on WAFs; ask if anyone is thoroughly disappointed
  5. 11/04/09 (Figures from 2009)
  9. 11/04/09 The smoking guy was the “boss” from lovelycharts.com. Notice that the intranet does not bypass the WAF
  12. 11/04/09 Scope creep!
  13. 11/04/09 WAFs take a LOT of time. Too often I hear, “If we have a WAF, why do we need to write secure code?” One of the biggest surprises to us was how much time and effort is involved
  15. 11/04/09 Same goes for open source…
  16. 11/04/09 WAFs handle 4 out of 5 of these gracefully, RFI
  17. 11/04/09 AppScan/static analysis is difficult with a large number of small-purpose apps.
  21. 11/04/09 Mention IDS/IPS can’t inspect SSL traffic
  25. 11/04/09 This left us open when our device failed.
  30. 11/04/09 It’s no good if you can’t spend the time tuning after every alert. Mention the “strict profile” versus normal profile. Mention profiling reports!
  33. 11/04/09 SecureSphere Web Application Firewall Presentation, May 21, 2007, Imperva. Mention the hidden slide matrix
  40. 11/04/09 Outside scans may get blocked for other reasons.
  42. 11/04/09 Much more accurate for XSS protection. Correlation rules are sad, virtual patches are accurate
  45. 11/04/09 Inattentive? That just sounds weird
  46. 11/04/09 Note the single and double quote at the end of the name. If a signature is detected, then the WAF doesn’t request
  50. 11/04/09 Connection resets instead of error pages for certain classes
  52. 11/04/09 Fixed DWH, library problem, caught
  53. 11/04/09 Having DB on same host as web server forces us to install an agent. Messed up parameters caused unknown param alerts: &variable
  54. 11/04/09 -1.02 is not considered “numeric”
  55. 11/04/09 Fortify will do static analysis on your code if it is open source