Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls.
- Job Holt
- 8 years ago
Cyberoam white paper
Introduction

Web applications have increased the speed of, and accessibility to, business information for an organization's customers, partners and employees, while at the same time delivering tangible savings. Business applications for accounting, collaboration, customer relationship management (CRM), enterprise resource management (ERP), content management, online banking, e-commerce and many more are all available on the Web, and all of them house valuable, sensitive data.

Unfortunately, hackers realized this long before organizations did. Today, Web applications are the most common target for attack by hackers because they are ubiquitous and provide easy entry to virtually any organization's lucrative data. SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), OS command injection, session hijacking and buffer overflows are the most commonly used attacks targeting Web applications hosted within an organization's local network or in private data centers.

Risk
- Theft of intellectual property
- Identity and information theft
- Loss of revenue, brand, customers
- Fines and lawsuits from failure in regulatory compliance
- Threat to national security

Web application benefits
- E-commerce
- Information delivery vehicle for partners, employees, customers
- Accelerated pace of business
- Reduced business costs

A study done by the Ponemon Institute in 2011 reveals that 73 percent of organizations have been hacked in the last 24 months as a result of weaknesses in their Web applications. Sadly, 69% of the organizations surveyed relied on the security of their traditional network firewalls to protect Web applications.

This white paper examines the variety of Web application attacks hitting organizations today and discusses why traditional network firewalls are not capable of defending against them.
A new breed of Web Application Firewalls is the solution to protect corporate data, observe regulatory compliance such as the PCI DSS, and safeguard brand, reputation and customers.
Web Application Security should not be ignored!

Montana-based broker-dealer D.A. Davidson & Co. had to pay $375,000 after the Financial Industry Regulatory Agency (FINRA) found it to have been negligent in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL injection attack launched by Latvian cyber criminals. The company's Web-facing applications were left wide open, to the point that the database was never encrypted and the default password was never changed, leaving it blank.

Vulnerabilities in Web Applications Rising with their Numbers

Organizations continuously develop new Web-based applications to meet their product or service promotional needs. The high-pressure environment this creates for programmers is less than ideal for developing never-ending enhancements and new functionality. Without rigorous secure software development practices, inserting even the smallest piece of code into the website can lead to serious vulnerabilities. Besides, logic flaws, forgotten backup files, debug code and other production-related vulnerabilities are a regular challenge to the security of websites and other Web applications in organizations.

Securing the bigger picture around Web Applications

Many Web application attacks have nothing to do with developers and coding errors. Often the threat comes from the language, protocol or platform that supports the delivery of these applications; in other words, the environment surrounding the Web applications. The main reason the majority of Web application attacks succeed today is that the attackers come in the same way any legitimate user would, without violating any RFC or W3C standard.
Figure: where a Web application sits in the OSI stack
- Web application data / Application (HTTP): OSI Layers 5-7
- Transport (TCP/UDP): OSI Layer 4
- Network (IP): OSI Layer 3
- Hardware: OSI Layers 1-2

Web applications reside at the top of the OSI stack and are practically cut off from the rest of the network and application layers in the stack. They have no control over, or visibility into, the layers underneath them. When attackers exploit HTTP/TCP behavior, as in a Layer 7 DoS attack, neither the Web application nor the developer has any knowledge of the exploit. This is where Web Application Firewalls help, adding an extra layer of security to secure Web applications. Web Application Firewalls have the ability to understand the bigger picture surrounding the applications. They look at every request and response within the HTTP/HTTPS/Web Service layers and understand the context in which to evaluate the behavior of requests, thereby blocking Web application attacks.
Common Web Application Attacks
- SQL injection
- Cross-site scripting
- Worms
- URL parameter tampering
- Cross-site request forgery (CSRF)
- OS command injection
- Session hijacking

SQL Injection
In an SQL injection attack, the attacker bypasses authentication to gain unauthorized access to the entire contents of a backend database, including identity information. Input validation vulnerabilities in the application code are exploited to send unauthorized SQL commands to the back-end database.

Cross-site Scripting
Cross-site scripting attacks the application code by exploiting script injection vulnerabilities: malicious HTML tags or client-side scripting code is injected into HTML form fields, and a customer's login credentials are redirected to an attacker.

Worms
Worms take advantage of vulnerabilities in commercial software platforms and operating systems. Code Red, Nimda and MSBlaster are examples of worm infections that spread at an astounding rate, sometimes affecting hundreds of thousands of servers within minutes.

URL Parameter Tampering
This type of attack involves manipulation of the parameters exchanged between client and server. The attacker alters the URL query string parameter values in the browser's address bar to change application data such as user credentials, permissions and other information.

Cross-site Request Forgery (CSRF)
CSRF forces the authenticated user of an application to send an HTTP request to a target destination of the attacker's choosing, without the user's knowledge or intent. This results in data theft and, in the case of a full-blown attack, can compromise the entire Web application.

OS Command Injection
OS command injection exploits vulnerabilities introduced during the design and development of applications. The attacker takes advantage of an application vulnerability that results in the execution of system-level commands.
Session Hijacking
Session hijacking exploits a valid computer session by stealing or predicting a valid session token, and so gains unauthorized access to information or services on the Web server.
Traditional Network Security Solutions Prove Inadequate for Securing Web Applications

Effective Web application security requires an understanding of a user's interaction with Web applications: session IDs, cookies, URLs, HTTP methods and more. Many organizations rely on their network firewalls and intrusion prevention systems to overcome Web application threats. But traditional security solutions fall short of protecting against Web application attacks, as follows.

Network Firewalls
Part of the reason why we need Web Application Firewalls today is the network firewalls themselves. Although network firewalls protect against network layer attacks, they must allow HTTP and HTTPS traffic through to the Web servers. Hackers have been using this fact to embed attacks like SQL injection and cross-site scripting (XSS) into Web traffic carried over allowed application protocols, which network firewalls ignore and pass through uninterrupted. Besides, network firewalls work at the third and fourth of the seven layers of the OSI network model: they do not understand protocols and languages like HTML and XML, have no means of controlling or filtering sensitive data included in server responses, lack ways to detect tampering with parameters in a URL request, cannot validate user inputs to an HTML application and, most importantly, lack awareness of session data, limiting their effectiveness against Web application attacks.

Intrusion Prevention System
An intrusion prevention system can look into a packet's payload and compare it with a list of known signatures/attacks. Hence, it is effective against worms and other attacks based on known software vulnerabilities, but largely ineffective against Web application attacks targeting unknown vulnerabilities in application code or vulnerabilities arising out of poor coding.
Web Application Firewalls: the only Answer to Web Application Security

Web Application Firewalls sit between the Web client and a Web server to analyze OSI Layer 7 messages for violations of the programmed security policy, protecting websites and Web applications from attacks. They function bi-directionally: they intercept incoming Layer 7 attacks before they reach the Web server, and they also analyze Web server responses to protect against the risk of information leakage from the organization. Placed right in front of the Web server, the WAF becomes the first stop for incoming information requests and the last stop for the information delivered in response.

PCI-DSS and Web Application Security

Web applications have been identified as the initial point of attack on cardholder data. Requirement 6.6 of the Payment Card Industry Data Security Standard requires organizations to ensure that Web-facing applications are protected either by installing an application-layer firewall in front of them, or by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. With the code review technique turning out to be expensive and tedious, a Web application firewall is the only option left to organizations. Web application firewalls perform deep packet inspection of incoming traffic to detect threats, thereby creating a security layer in front of the application itself that ensures the security of the Web server holding credit card and other sensitive data, which must be protected under the PCI DSS requirements.

Cyberoam Web Application Firewall

Cyberoam Web Application Firewall is available as a subscription on Cyberoam Network Security appliances (UTM, NGFW). It follows the positive security model, based on its Intuitive Website Flow Detector, to secure websites and Web-based applications against attacks like SQL injection, cross-site scripting (XSS), URL parameter tampering, session hijacking, buffer overflows and more, including the OWASP Top 10 Web application vulnerabilities.

Figure: Cyberoam Web Application Firewall protection against Web-based application attacks. Web users, clients/partners and a hacker (sending SQL injection, cookie poisoning, XSS, ...) all reach the Cyberoam Web Application Firewall, which sits in front of the Web & application server and the database server.

Cyberoam Web Application Firewall is deployed to intercept the traffic to and from the Web servers, providing an added layer of security against attacks before they can reach the Web applications. Its Intuitive Website Flow Detector intelligently self-learns the legitimate behavior and responses of Web applications. Based on the Intuitive Website Flow Detector, the Web Application Firewall ensures the sanctity of Web applications in response to server requests, protecting them against Web application attacks. Cyberoam Web Application Firewall looks at every request and response within the HTTP/HTTPS/Web Service layers. It is effective at repelling attacks from a wide range of commercial and open-source automated vulnerability scanners (e.g. Nessus, WebInspect), as well as hand-crafted attacks.

Figure: request validation flow. An incoming HTTP/HTTPS request passes three checks in turn: (1) Does it conform to the HTTP protocol specification? (2) Does it match a user-defined policy? (3) Does it adhere to the Intuitive Website Flow Detector?
- The request is legitimate if it adheres to the Intuitive Website Flow Detector's self-learning from the past, when such a request was last made to the Web server.
- If the server request is not found valid under the Intuitive Website Flow Detector's knowledge from the past (the requested URL cannot be the entry point), it is blocked from reaching the Web server and the browser receives an HTTP 403 Forbidden response code. No other information is exposed, as decided under the user-defined policy.
- A request that does not pass the 3 validation steps is blocked; the Web server is thus protected from present and future URL-based HTTP attacks.
Features

Positive protection model without signature tables
The Cyberoam Web Application Firewall enforces a positive security model through the Intuitive Website Flow Detector to automatically identify and block all application-layer attacks without relying on signature tables or pattern-matching techniques. The Web Application Firewall considers defined Web application behavior as good. Any deviation is considered bad, or malicious, and is blocked accordingly. This provides security against zero-day attacks and eliminates the need to manually populate and update signature tables. The Intuitive Website Flow Detector automatically adapts to changes in the website.

Comprehensive business logic protection
The Cyberoam WAF protects against attacks like SQL injection, cross-site scripting (XSS) and cookie poisoning that seek to exploit the business logic behind Web applications, ensuring they are used exactly as intended.

HTTPS encryption offloading
Attackers cannot bypass the Cyberoam WAF protection measures through an HTTPS connection, as mostly used in the financial services, healthcare, e-commerce and other industries that process sensitive data. The WAF not only secures encrypted connections, but also reduces traffic latency with its offloading capabilities.

Instant Web server hardening
The Cyberoam WAF instantly shields any Web environment (IIS, Apache, WebSphere, etc.) against more than 14,000 common server misconfigurations and an ever-expanding universe of known third-party software vulnerabilities.

Reverse proxy for incoming HTTP/HTTPS traffic
The Cyberoam WAF follows a reverse proxy model for all incoming HTTP and HTTPS traffic, which provides an added level of security by virtualizing the application infrastructure. All incoming Web application requests from the Web client terminate at the WAF. Valid requests are submitted to the back-end Web server, hiding the existence and characteristics of the originating servers.
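The three validation steps in the request flow (HTTP specification conformance, user-defined policy, learned website flow), the positive security model described under the features, and the URL and form parameter hardening can be illustrated with a small request filter. The following is an added example written for this page; it is not Cyberoam's code and does not claim to show how the Intuitive Website Flow Detector is implemented. The policy values, the host name shop.example, the IP addresses and the sample traffic are all constructed. During a learning phase the filter records which URLs, methods and parameter shapes legitimate traffic uses and which URLs are visited without a session (entry points); afterwards any request outside that profile, including a numeric id parameter that suddenly carries quotes and SQL, gets the generic 403 text while the real reason goes only to the log.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hypothetical user-defined policy for this example (not a product configuration).
POLICY = {
    "blocked_ips": {"198.51.100.7"},   # constructed address from a documentation range
    "max_requests_per_ip": 50,         # rate-based connection safeguard
    "block_message": "403 Forbidden",  # generic text that reveals nothing about the server
}
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/(1\.[01])$")

def parse_request(raw):
    """Step 1, HTTP specification conformance: a request dict, or None if malformed."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                          # blank line ends the header block
        if ":" not in line:
            return None                    # every header line must be "Name: value"
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if m.group(3) == "1.1" and "host" not in headers:
        return None                        # Host is mandatory in HTTP/1.1
    url = urlsplit(m.group(2))
    return {"method": m.group(1), "path": url.path,
            "params": {k: v[0] for k, v in parse_qs(url.query).items()},
            "has_session": "session=" in headers.get("cookie", "")}

def value_shape(value):
    """Coarse type of a parameter value, so a learned profile generalises beyond one literal."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return "token"
    return "other"

class FlowDetector:
    """Step 3: learned (URL, method, parameter shape) profile; anything else is malicious."""
    def __init__(self):
        self.profile = defaultdict(lambda: {"methods": set(), "params": {}})
        self.entry_points = set()          # URLs legitimately requested without a session
    def learn(self, req):
        p = self.profile[req["path"]]
        p["methods"].add(req["method"])
        for name, value in req["params"].items():
            p["params"].setdefault(name, set()).add(value_shape(value))
        if not req["has_session"]:
            self.entry_points.add(req["path"])
    def violation(self, req):
        if req["path"] not in self.profile:
            return "unknown URL"
        p = self.profile[req["path"]]
        if req["method"] not in p["methods"]:
            return "unexpected method"
        if not req["has_session"] and req["path"] not in self.entry_points:
            return "URL is not an entry point"
        for name, value in req["params"].items():
            if name not in p["params"]:
                return "unknown parameter " + name
            if value_shape(value) not in p["params"][name]:
                return "tampered parameter " + name
        return None

class Waf:
    def __init__(self, detector):
        self.detector = detector
        self.request_count = defaultdict(int)
    def check(self, client_ip, raw):
        """Three validation steps in order; returns (client_response, reason for the WAF log)."""
        blocked = POLICY["block_message"]
        req = parse_request(raw)
        if req is None:
            return blocked, "HTTP specification violation"
        if client_ip in POLICY["blocked_ips"]:            # step 2: user-defined policy
            return blocked, "blocked IP"
        self.request_count[client_ip] += 1
        if self.request_count[client_ip] > POLICY["max_requests_per_ip"]:
            return blocked, "rate limit exceeded"
        reason = self.detector.violation(req)             # step 3: learned website flow
        return ("forward", "ok") if reason is None else (blocked, reason)

# Constructed sample traffic standing in for legitimate use during the learning phase.
LEGIT = [
    "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /login HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /account?id=42 HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123\r\n\r\n",
]

def build_waf():
    detector = FlowDetector()
    for raw in LEGIT:
        detector.learn(parse_request(raw))
    return Waf(detector)
```

Two design points carry over to a real deployment. The profile stores parameter shapes rather than literal values, which is what lets a learned model adapt to normal variation (a different account number) while still flagging a value that no longer looks like a number at all. And the client-facing string is fixed to the generic block message while the specific reason is only returned for the log, which is the "no other information is exposed" behaviour the flow diagram describes.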
URL, cookie and form hardening
Application-defined URL query string parameters, cookies and HTML form field values (including hidden fields, radio buttons, checkboxes and select options) are protected by the Cyberoam WAF. Attempts to escalate user privileges through cookie poisoning, gain access to other accounts through URL query string parameter tampering, and other types of browser data manipulation are automatically identified and blocked.

Monitoring and reporting
Cyberoam Web Application Firewall provides alerts and logs with information on the types of attacks, their sources, the action taken on them and more, which helps comply with the PCI DSS requirements.

Additional features
- Block/alert on known bad IP addresses
- Customizable user messages for blocked requests
- Rate-based connection safeguards

Business Benefits
- Offers instant protection without requiring changes to existing Web applications when deployed
- Prevents intruders from manipulating Web content
- Protects data inside the organization from being hacked through Web application vulnerabilities
- Secures corporate brands, trade secrets and intellectual property
- Maintains customer confidence in your website's security, especially for banks, e-commerce and more
- Ensures sensitive information about the environment doesn't go out to hackers, by sending customizable error messages to users
- Easy to use, with no special training required for administrators
- Low maintenance, as it automatically adapts to website / Web application changes
- Promotes integrity and availability of Web applications
- Helps comply with mandatory PCI requirements

Cyberoam Awards & Certifications: VPNC Certified (Portal Exchange, Firefox JavaScript, Basic Network Extension, Advanced Network Extension, Basic Interop, AES Interop); PC Pro Best Buy, Recommended, Editor's Choice.

Copyright Cyberoam Technologies Pvt. Ltd.
All Rights Reserved. Cyberoam & the Cyberoam logo are registered trademarks of Cyberoam Technologies Pvt. Ltd. /TM: registered trademarks of Cyberoam Technologies Pvt. Ltd. or of the owners of the respective products/technologies. Although Cyberoam has attempted to provide accurate information, Cyberoam assumes no responsibility for the accuracy or completeness of the information, nor is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise this publication without notice. sales@cyberoam.com
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationImperva s Response to Information Supplement to PCI DSS Requirement Section 6.6
Imperva Technical Brief Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6 The PCI Security Standards Council s (PCI SSC) recent issuance of an Information Supplement piece
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationThe Key to Secure Online Financial Transactions
Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationWhite Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
More informationContemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited
Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationImportance of Web Application Firewall Technology for Protecting Web-based Resources
Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationMatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool
MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationApplication Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag
Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2
More informationIntroduction: 1. Daily 360 Website Scanning for Malware
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
More informationWeb Application Security
Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationHow To Protect Your Web Applications From Attack From A Malicious Web Application From A Web Attack
An Accurate and Effective Approach to Protecting and Monitoring Web Applications White Paper Web applications have lowered costs and increased revenue by extending the enterprise s strategic business systems
More informationTHE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationPenta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au
Penta Security 3rd Generation Web Application Firewall No Signature Required www.gasystems.com.au 1 1 The Web Presence Demand The Web Still Grows INTERNET USERS 2006 1.2B Internet Users - 18% of 6.5B people
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationWEB ATTACKS AND COUNTERMEASURES
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
More informationDetecting and Exploiting XSS with Xenotix XSS Exploit Framework
Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.
More informationA Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationWeb Application Vulnerabilities and Avoiding Application Exposure
Web Application Vulnerabilities and Avoiding Application Exposure The introduction of BIG-IP Application Security Manager (ASM) version 9.4.2 marks a major step forward. BIG-IP ASM now offers more features
More information