The New PCI Requirement: Application Firewall vs. Code Review


The Imperva SecureSphere Web Application Firewall meets the new PCI requirement for an application layer firewall. With the highest security and lowest total cost of ownership (TCO), SecureSphere is the clear choice from both security and financial perspectives.

If your enterprise handles credit card information, you must meet the requirements under the new Payment Card Industry Data Security Standard version 1.1 (PCI DSS), released in September 2006. With PCI requirement 6.6, the brand new Web application security requirement, the choice is yours: you can have your code reviewed by an external company, or you can install a Web Application Firewall. This paper details PCI requirement 6.6, the issues, the products involved, and the costs associated with choosing a code review versus selecting an application firewall.

White Paper

Executive Summary

In September 2006, five major credit card companies formed the PCI Security Standards Council and issued the second version of the PCI Data Security Standard, 1.1 (PCI 1.1). The new PCI standard contains a brand new requirement, 6.6, which mandates that all Web-facing applications be protected against known attacks, either by submitting to an external code review or by installation of an application layer firewall.

Since the first PCI standard, 1.0, was released in January 2005, high-profile security breaches involving Web applications have continually hit the news wire. Recently, a breach at AT&T's online store for DSL equipment resulted in the theft of cardholder information for 19,000 customers. No industry, educational institution or government agency is immune to the threat, and the theft can come from inside an organization or from outside, including nearly anywhere on the globe. Researchers at Imperva's Application Defense Center have found that over 90% of Web applications have vulnerabilities. Web application vulnerabilities are the impetus behind the new Web security requirement 6.6 in PCI 1.1.

Widely deployed security products, including network firewalls and intrusion prevention systems, do not provide adequate security for Web applications. These products are useful for guarding against network-level attacks or application attacks that can be defined with signatures. However, they lack the full-spectrum visibility and sophisticated analytics necessary to detect and protect against Web application attacks that can occur across layers and over time. This is why requirement 6.6 of PCI 1.1 specifies the deployment of an application layer firewall or the engagement of a third-party firm specializing in application security to manually review application source code, line by line.
While code review is a good idea, and is consistent with coding best practices, calling in expensive outside consultants for the code review option under requirement 6.6 entails significant cost, loss of flexibility, resource allocation issues, and scheduling headaches. For these reasons, many companies have found it more cost effective to practice secure coding using their own in-house resources and meet the PCI requirement by deploying a Web application firewall. For security and total cost of ownership (TCO), the Imperva SecureSphere Web Application Firewall is your best choice for meeting the new PCI requirement. With SecureSphere, your organization can expect to achieve impressive cost savings over five years. In addition to consistent security and low TCO, SecureSphere provides your organization with flexibility and greater autonomy by enabling you to determine your own project parameters, timelines, and budget for addressing application code vulnerabilities.

The New PCI 6.6 Requirement

Requirement 6 of PCI 1.1 requires that organizations handling credit cards develop and maintain secure systems and applications. Within requirement 6, the new 6.6 requirement compels organizations to ensure that all Web-facing applications are protected against known attacks by applying either of the following methods:

1. Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
2. Installing an application layer firewall in front of Web-facing applications.

Compliance under 6.6 is considered a best practice until June 30, 2008, when it becomes a requirement. Some companies have already implemented this requirement as part of their security roadmap, and others are starting their evaluation and selection process now in order to have their application layer firewall solutions installed in time for the deadline.

What is an Application Layer Firewall?

An application layer firewall, also known as a Web Application Firewall or WAF, is a network device that is placed in front of the Web applications in an organization's data center to protect against attacks. A WAF is able to view and understand the full spectrum of application traffic so that it can protect the applications and the sensitive data from illegitimate access and usage.

The capabilities of the Imperva SecureSphere Web Application Firewall exceed those offered by other vendors' application firewall products by delivering a greater level of sophistication and automation. SecureSphere automatically and dynamically profiles Web applications based on production traffic in order to model the structure and dynamics of all of the elements of protected applications. Then, it analyzes all Web traffic in real time, so that it accurately identifies illegitimate, unauthorized, and suspicious behavior. SecureSphere can enforce form fields, cookies, and URL parameters per Web page to protect Web applications from attacks such as form tampering, session manipulation, and SQL injection. SecureSphere operates transparently to the network, applications and databases, with zero changes to the data center infrastructure.

What is NOT an Application Layer Firewall?

Network firewalls and intrusion detection/prevention systems (IDS/IPS) are not application layer firewalls. While network firewalls and intrusion prevention systems are useful tools to secure your network and application infrastructure, they do not provide the level of protection that a Web Application Firewall provides. These traditional network security products can detect known intrusion signatures, but they cannot place those signatures in context because they cannot parse HTML for the individual elements, fields, JavaScript, cookies and other components of Web applications.
A Web Application Firewall not only detects attack signatures, but also recognizes where the signature occurred in the HTTP transaction. In addition, each Web request is compared to the expected behavior, enabling it to correctly assess not only white lists and black lists, but also the gray signatures, in order to block unknown threats. A Web Application Firewall thwarts Web-based evasion techniques by decoding and inspecting URL-encoded data. Because network firewalls and IPS products do not provide this level of security, they would not satisfy PCI requirement 6.6.

Vulnerability scanners also are not a substitute for code review or an application layer firewall. As such, they are not relevant to the new requirement 6.6 in PCI 1.1. They are applicable to another requirement of PCI 1.1 (the requirement number is missing from the source), which calls for penetration testing of the external application against a variety of vulnerability exploits and application attacks.

IDS/IPS and network firewalls won't accurately protect against:

- SQL injections
- Cross-site scripting attacks
- Application-specific buffer overflow attacks
- Parameter tampering
- Session hijacking
- Session replay
- Cookie injection
- Cookie poisoning
- Brute force login attempts
- Unknown, zero-day Web worms
- Illegal HTTP encoding (double encoding, malicious encoding)
- Site scanning and reconnaissance
- OS command injections in form fields
- XML and SOAP attacks
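The profiling and enforcement behaviour the two sections above describe (learning the form fields, cookies and URL parameters each page accepts from production traffic, then flagging requests that deviate, and decoding URL-encoded data so that double encoding is caught) can be sketched in a few dozen lines. The following Python is an added example written for this page; it is not Imperva's SecureSphere code and makes no claim about how that product is implemented. The learning traffic, the LENGTH_SLACK tolerance factor and the two per-parameter attributes it learns (numeric or not, longest value seen) are constructed assumptions chosen to keep the positive-security idea visible.

```python
"""Profile-based ("positive security") request checks in the style of a WAF.

Added example, not Imperva code. A profile is learned per URL path from
observed traffic, then each new request is compared against it.
"""

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed learning traffic standing in for observed production requests:
# (HTTP method, URL with query string, cookies sent by the browser).
LEARNING_TRAFFIC = [
    ("GET", "/account/view?id=1042", {"session": "a1b2c3"}),
    ("GET", "/account/view?id=2201", {"session": "d4e5f6"}),
    ("POST", "/checkout?qty=2&coupon=SPRING", {"session": "a1b2c3"}),
    ("POST", "/checkout?qty=1&coupon=", {"session": "d4e5f6"}),
]

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
LENGTH_SLACK = 2  # constructed tolerance: allow values up to 2x the longest seen


class PageProfile:
    """What a single URL path was observed to accept during learning."""

    def __init__(self):
        self.methods = set()
        self.cookies = set()
        self.params = {}  # name -> {"numeric": bool, "max_len": int}

    def learn(self, method, params, cookies):
        self.methods.add(method)
        self.cookies.update(cookies)
        for name, value in params:
            p = self.params.setdefault(name, {"numeric": True, "max_len": 0})
            # A parameter stays "numeric" only if every observed value was digits.
            p["numeric"] = p["numeric"] and value.isdigit()
            p["max_len"] = max(p["max_len"], len(value))


def build_profiles(traffic):
    """Learning phase: one PageProfile per URL path."""
    profiles = {}
    for method, url, cookies in traffic:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        profiles.setdefault(parts.path, PageProfile()).learn(method, params, cookies)
    return profiles


def check_request(profiles, method, url, cookies):
    """Enforcement phase: list deviations from the learned profile (empty = conforms)."""
    findings = []
    parts = urlsplit(url)
    # Decode once and look again: a %XX escape that survives one decode means the
    # client sent double-encoded data, which a single-decode filter would miss.
    if PCT_ESCAPE.search(unquote(parts.query)):
        findings.append("double URL-encoding in query")
    profile = profiles.get(parts.path)
    if profile is None:
        return findings + ["unprofiled URL"]
    if method not in profile.methods:
        findings.append(f"unexpected method {method}")
    for name in sorted(cookies.keys() - profile.cookies):
        findings.append(f"unexpected cookie {name}")
    # parse_qsl decodes each value exactly once before it is compared to the profile.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        p = profile.params.get(name)
        if p is None:
            findings.append(f"unexpected parameter {name}")
        elif p["numeric"] and not value.isdigit():
            findings.append(f"parameter {name} expected numeric")
        elif len(value) > LENGTH_SLACK * p["max_len"]:
            findings.append(f"parameter {name} exceeds learned length")
    return findings


PROFILES = build_profiles(LEARNING_TRAFFIC)

if __name__ == "__main__":
    for req in [("GET", "/account/view?id=3300", {"session": "x"}),
                ("GET", "/account/view?id=1%2530", {"session": "x"})]:
        print(req[1], "->", check_request(PROFILES, *req) or "conforms")
```

The point the example makes is the one the text makes against signature-only devices: none of the checks needs a signature. An added parameter, a non-numeric value where only numbers were ever seen, an over-long field, a cookie the page never set, or a request method the page never served are all caught by comparison with expected behaviour, and the double-encoding check works on the decoded form of the query rather than on the raw bytes. A real WAF would learn many more attributes (character classes, required versus optional fields, per-user session state) and would need a change-detection step so that a legitimate application update is re-learned rather than blocked.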

Benefits of the Imperva Web Application Firewall

Web applications are the portals to your data centers, where business-critical financial information and sensitive credit card and identity data reside. The Imperva SecureSphere Web Application Firewall provides the security necessary to protect your sensitive data and enables you to check off requirement 6.6 for PCI 1.1. A single SecureSphere WAF protects multiple applications. It can be installed in hours with no impact to existing infrastructure. Because of SecureSphere's unique Dynamic Profiling capabilities, it automatically builds a complete baseline profile of your applications and network traffic in a matter of days. Using the application profile, SecureSphere can distinguish between legitimate user behavior and illegitimate behavior, as well as protect from attacks. When changes are made to the applications, Dynamic Profiling technology enables SecureSphere to detect the application changes and automatically adjust its profiles accordingly. No manual intervention or tuning is necessary, keeping your on-going administrative costs far lower than with other WAF products. Of course, you can choose to be notified about these application changes through alerts and change logs in order to provide a closed loop for your application change control process.

Patent-pending Instant Attack Validation (IAV) and Correlated Attack Validation technologies in SecureSphere contribute to an unparalleled ability to accurately identify and protect against known and zero-day infrastructure attacks, including complex attacks that occur over multiple layers and over time. SecureSphere not only provides improved security, but it also is an automated means to achieve and document regulatory compliance. SecureSphere includes the necessary functionality and built-in and customizable reports for a wide range of regulatory compliance, including PCI, SOX, and HIPAA.
The Alternative: Bring in the Consultants

If you decide not to deploy a Web Application Firewall such as the Imperva SecureSphere in front of Web-facing applications, your organization will need to engage a specialist in Web application security to go through your Web application source code, line by line, for each Web-facing application. While code review is a good idea, and is consistent with coding best practices, hiring consultants entails extra cost, loss of flexibility, resource allocation issues, scheduling headaches, and ultimately a lower grade of security than you would achieve through the deployment of a Web Application Firewall.

There have been a couple of estimates as to the cost of a code review. One estimate is that the annual average cost would be about $40,000 in consulting fees for EACH small-to-medium sized Web application [1]. Another estimate is that it would cost approximately $5 per line of Web application code [2]. This quickly adds up given the size of modern Web applications. Multiply these estimates by the number of Web-facing applications your organization has, and the cost associated with undergoing an application code review is considerable.

[1] Jeremiah Grossman, CTO, WhiteHat Security
[2] Robert Begg, CEO, Digital Defense

To begin the code review process, your IT organization needs to prepare and organize the code to present to the consultants and make themselves available for questions and requests for additional information. Once the consultants finish their code review and find vulnerabilities, your organization will need to schedule fix and test cycles to make sure the changes work. Unfortunately, that is not the end of the code review process, because an individual find, fix, and test cycle does not find all of the vulnerabilities in an application. According to researchers at Imperva's Application Defense Center (ADC), at least 90% of the time there are still vulnerabilities after this process is complete. This has several causes. First, application code changes can introduce new bugs which contain security vulnerabilities, so new vulnerabilities are introduced during the fixing process itself, and more are introduced as part of the normal development process of enhancing an application. Secondly, the identified vulnerabilities are often not fixed by the recoding intended to fix them.

Without the proper expertise or resources, your organization may unwittingly enter into an endless and costly find, fix, and test loop that ties up your programmers and keeps consultants on your accounts payable list for months or years, if the cycle extends long enough to bump into the next year's code review. An endless code review, fix, and test cycle should not be confused with continuous security. By selecting a code review, your organization also can be subject to the disruptions of consultants, thereby narrowing the time and detracting from the focus your staff requires to accomplish existing projects and initiatives. If you deployed a Web Application Firewall and your staff was in control of the code review, you would be able to schedule the fix and test cycle to synchronize with your next development cycle. With consultants, fixes happen on their time, not yours.

For TCO and Security, Imperva is the Clear Choice

The following chart shows the total cost of ownership (TCO) analysis for a medium-sized company that processes credit cards with two to three Web-facing applications. The table is a five-year comparison of the cost of doing a code review with an external consultant versus the purchase, installation, and on-going operation of a SecureSphere Web Application Firewall. Of course, your results would differ based on the specifics of your situation. You can request a custom analysis for your organization from Imperva based on the model used to create this example.

SecureSphere vs. Code Review - TCO Model for PCI Requirement 6.6

Five Year Cost Pro Forma for Code Review [3]

                                       Year 1     Year 2     Year 3     Year 4     Year 5
Code Review Costs                    $120,000   $120,000   $120,000   $120,000   $120,000
Total                                $120,000   $120,000   $120,000   $120,000   $120,000

Five Year Cost Pro Forma with SecureSphere [4]

                                       Year 1     Year 2     Year 3     Year 4     Year 5
SecureSphere Purchase                 $31,000         $0         $0         $0         $0
SecureSphere Software Maint./Support   $6,200     $6,200     $6,200     $6,200     $6,200
SecureSphere Administration Labor      $7,100     $7,100     $7,100     $7,100     $7,100
Total                                 $44,300    $13,300    $13,300    $13,300    $13,300

Total Cost of Ownership and Savings

Present Value of TCO of Code Review                $462,597
Present Value of TCO of SecureSphere                $82,271
Cost savings of SecureSphere vs. Code Review       $380,326
% Cost savings of SecureSphere vs. Code Review          82%

Notes/Assumptions

- SecureSphere Savings is the total savings divided by the TCO of the Code Review.
- The present value calculation assumes payments made at the beginning of each period.

[3] The code review cost is based on a company with two to three medium-sized, Web-facing applications.
[4] The year 1 TCO for SecureSphere is based on a single SecureSphere appliance with MX Management Server, licensing, support, and administration labor. Subsequent years assume the cost of licensing, support, and administration labor. Actual costs may differ based on specific environments and needs.
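The present-value figures in the table can be reproduced from the yearly cash flows. The Python below is an added example written for this page, not part of the white paper or of Imperva's model: it discounts both five-year streams as an annuity due (payments at the beginning of each period, as the table's note specifies) and reports savings the same way the table does. The paper does not state its discount rate; a 15% annual rate, an assumption inferred here, reproduces its four summary figures to the dollar. The breakeven and rate-sensitivity helpers are additions that go slightly beyond the table, to show how far the conclusion depends on the chosen rate.

```python
"""Present-value TCO comparison for the two PCI 6.6 options (added example)."""

# Yearly cash flows taken from the white paper's table, year 1 first.
CODE_REVIEW_COSTS = [120_000] * 5
SECURESPHERE_COSTS = [31_000 + 6_200 + 7_100] + [6_200 + 7_100] * 4  # 44,300 then 13,300

# Assumption: the paper does not state its discount rate; 15% per year
# reproduces its present-value figures.
DISCOUNT_RATE = 0.15


def present_value(cash_flows, rate, pay_at_start=True):
    """Discount a stream of annual payments to present value.

    pay_at_start=True is an annuity due, matching the table's note: the year 1
    payment is undiscounted and year n is divided by (1 + rate) ** (n - 1).
    pay_at_start=False shifts every payment to the end of its period instead.
    """
    offset = 0 if pay_at_start else 1
    return sum(cf / (1 + rate) ** (i + offset) for i, cf in enumerate(cash_flows))


def compare(code_review, waf, rate=DISCOUNT_RATE):
    """Return the four summary figures the table reports, rounded to whole dollars/percent."""
    pv_review = present_value(code_review, rate)
    pv_waf = present_value(waf, rate)
    savings = pv_review - pv_waf
    return {
        "pv_code_review": round(pv_review),
        "pv_waf": round(pv_waf),
        "savings": round(savings),
        # The table defines % savings as savings divided by the code review TCO.
        "savings_pct": round(100 * savings / pv_review),
    }


def breakeven_year(code_review, waf):
    """First year in which cumulative WAF spend is below cumulative review spend."""
    cum_review = cum_waf = 0
    for year, (r, w) in enumerate(zip(code_review, waf), start=1):
        cum_review += r
        cum_waf += w
        if cum_waf < cum_review:
            return year
    return None


def savings_pct_by_rate(rates, code_review=CODE_REVIEW_COSTS, waf=SECURESPHERE_COSTS):
    """Sensitivity check: % savings under each candidate discount rate."""
    return {rate: compare(code_review, waf, rate)["savings_pct"] for rate in rates}


if __name__ == "__main__":
    print(compare(CODE_REVIEW_COSTS, SECURESPHERE_COSTS))
    print("breakeven year:", breakeven_year(CODE_REVIEW_COSTS, SECURESPHERE_COSTS))
    print(savings_pct_by_rate([0.0, 0.05, 0.10, 0.15]))
```

Because the code review stream is flat and the WAF stream is front-loaded, discounting at a higher rate shrinks the review total faster than the WAF total, so the savings percentage falls slightly as the rate rises; undiscounted it is 84%, at 15% it is 82%. The figures are only as good as the $120,000-per-year and $13,300-per-year inputs, which footnotes [3] and [4] above qualify.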

In the above scenario, a single SecureSphere Web Application Firewall provides significant cost savings in the first year. In effect, the investment pays for itself during the first year, several times over. Subsequent years serve to expand the savings margin, as the initial hardware purchase and installation has already occurred, while the annual costs of code reviews recur every year. The on-going cost of a SecureSphere Web Application Firewall is very low due to the minimal need for ongoing administration and management, and the software update service that keeps the product current with new security features. The bottom line is that the benefits in terms of security and monetary investment continue to grow each year SecureSphere is deployed in your IT environment.

The costs associated with the alternative choice under requirement 6.6, a code review by an outside consultant, will be high the first year and remain high every year after that. Application vulnerabilities will be with us as long as there is ongoing development from within your organization and patch releases from the vendor. The application code will never stay the same from year to year and will continue to contain the unfixed security issues, as well as new ones. Source code analysis tools may be used to speed code reviews, but these tools still require a significant amount of manual source code review. The bottom line: to be compliant with PCI 1.1 requirement 6.6 under the external code review option, you would need to undergo an annual code review of approximately the same magnitude, year after year.

Summary

In summary, SecureSphere not only secures critical Web applications and sensitive data, but it also significantly reduces the operational cost of maintaining a high degree of security.
SecureSphere accomplishes this by eliminating the need for costly consultant-run code reviews and the corresponding fix and test cycles. The Imperva SecureSphere Web Application Firewalls provide the necessary automation to continually protect your organization against complex Web application vulnerabilities. The sensitive data that is transacted through your business-critical Web applications is protected from within your organization and throughout your organization's wider network of customers, partners, and affiliates. The calculated savings are significant. They show that the investment in SecureSphere pays for itself in the first year and, after five years, shows a comparatively small TCO. If you would like to apply this TCO analysis to your own organization, please call Imperva at [phone number missing from source] or send an e-mail to [address missing from source].

For More Information

For more information on the Imperva SecureSphere Web Application Firewall see [URL missing from source].

US Headquarters
950 Tower Lane, Suite 1550
Foster City, CA

International Headquarters
12 Hachilazon Street
Ramat-Gan, Israel

Imperva, Inc. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders. WP_PCI-AFWvCR


More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Applications and data are the main targets for modern attacks. Adoption of dedicated application and data security concepts, technologies and

Applications and data are the main targets for modern attacks. Adoption of dedicated application and data security concepts, technologies and Applications and data are the main targets for modern attacks. Adoption of dedicated application and data security concepts, technologies and methodologies is a must for all enterprises. Hype Cycle for

More information

F5 Silverline Web Application Firewall Onboarding: Technical Note

F5 Silverline Web Application Firewall Onboarding: Technical Note F5 Silverline Web Application Firewall Onboarding: Technical Note F5 Silverline Web Application Firewall Onboarding With organizations transitioning application workloads to the cloud, traditional centralized

More information

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Production Security and the SDLC Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Building Security Into the Development Process Production Test existing deployed apps Eliminate security

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

The SQL Injection and Signature Evasion

The SQL Injection and Signature Evasion The SQL Injection and Signature Evasion Protecting Web Sites Against SQL Injection SQL injection is one of the most common attack strategies employed by attackers to steal identity and other sensitive

More information

SharePoint Governance & Security: Where to Start

SharePoint Governance & Security: Where to Start WHITE PAPER SharePoint Governance & Security: Where to Start 82% The percentage of organizations using SharePoint for sensitive content. AIIM 2012 By 2016, 20 percent of CIOs in regulated industries will

More information

Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance

Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance Selecting the Right Technology is Essential in Guarding Against Malicious Attacks White_Paper As today s organizations

More information

Global Web Application Firewall Market 2015-2019

Global Web Application Firewall Market 2015-2019 Global Web Application Firewall Market 2015-2019 Global Web Application Firewall Market 2015-2019 Sector Publishing Intelligence Limited (SPi) has been marketing business and market research reports from

More information

Web Application Security 101

Web Application Security 101 dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in

More information

Enterprise-Grade Security from the Cloud

Enterprise-Grade Security from the Cloud Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

White paper. Web Application Security: The Overlooked Vulnerabilities

White paper. Web Application Security: The Overlooked Vulnerabilities White paper Web Application Security: The Overlooked Vulnerabilities Abstract Are you adequately protecting the web applications that your business depends on? Software flaws are rapidly becoming the vulnerabilities

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula? Datasheet: Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-ofbreed

More information

New IBM Security Scanning Software Protects Businesses From Hackers

New IBM Security Scanning Software Protects Businesses From Hackers New IBM Security Scanning Software Protects Businesses From Hackers Chatchawun Jongudomsombut Web Application Security Situation Today HIGH AND INCREASING DEPENDENCE ON WEB SERVICES Work and business Communications

More information

Protecting Web Application Delivery with Citrix Application Firewall. Johnson Mok Systems Engineer Citrix Systems, Inc.

Protecting Web Application Delivery with Citrix Application Firewall. Johnson Mok Systems Engineer Citrix Systems, Inc. Protecting Web Application Delivery with Citrix Application Firewall Johnson Mok Systems Engineer Citrix Systems, Inc. Six Keys to Successful App Delivery Optimizing Web Application Delivery Citrix NetScaler

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Four Ways Built-in Database Auditing Drains Your IT Budget WHITE PAPER

Four Ways Built-in Database Auditing Drains Your IT Budget WHITE PAPER Introduction IT organizations are under pressure to deliver innovative solutions, while keeping overall IT costs in check. Secular technology trends like mobile, cloud, and big data capture the attention

More information

Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls.

Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls. White paper Cyberoam Application Visibility and Control Anti-Spam Bandwidth Management VPN Web Application Firewall Firewall Intrusion Prevention System Anti-Virus & Anti-Spyware On-Appliance Reporting

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities

More information

Web Application Firewall-as-a-Service

Web Application Firewall-as-a-Service data sheet Most websites are vulnerable to attack. Vulnerabilities are due to both insecure coding practices and an increasingly complex threat landscape. In 2015, two the application security testing

More information

Top Ten Database Security Threats

Top Ten Database Security Threats How to Mitigate the Most Significant Database Vulnerabilities Written by: Amichai Shulman Co-founder, CTO The enterprise database infrastructure is subject to an overwhelming range of threats. This document

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced

More information

Case Study: Security Implementation for a Non-Profit Hospital

Case Study: Security Implementation for a Non-Profit Hospital Case Study: Security Implementation for a Non-Profit Hospital The Story Security Challenges and Analysis The Case The Clone Solution The Results The Story About the hospital A private, not-for-profit hospital

More information

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it Complete and high performance protection where you need it Overview delivers high-performance protection against physical and virtual server downtime with policy based prevention, using multiple protection

More information

Trend Micro. Advanced Security Built for the Cloud

Trend Micro. Advanced Security Built for the Cloud datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers

More information

Web Application Security

Web Application Security Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

WHITE PAPER: ENTERPRISE SECURITY. Strengthening Database Security

WHITE PAPER: ENTERPRISE SECURITY. Strengthening Database Security WHITE PAPER: ENTERPRISE SECURITY Strengthening Database Security White Paper: Enterprise Security Strengthening Database Security Contents Introduction........................................................................4

More information

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications WhiteHat Security White Paper Evaluating the Total Cost of Ownership for Protecting Web Applications WhiteHat Security October 2013 Introduction Over the past few years, both the sophistication of IT security

More information

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

LogInspect 5 Product Features Robust. Dynamic. Unparalleled. LogInspect 5 Product Features Robust. Dynamic. Unparalleled. Enjoy ultra fast search capabilities in simple and complex modes optimized for Big Data Easily filter and display relevant topics, eg: Top 10

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies

More information

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan WHITE PAPER Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan Introduction to Data Privacy Today, organizations face a heightened threat landscape with data

More information

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled. LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled. LOGPOINT Enjoy ultra fast search capabilities in simple and complex modes optimized for Big Data Easily filter and display relevant topics,

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Application Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag

Application Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

ModProfiler: Defending Web Applications from 0-day Attacks

ModProfiler: Defending Web Applications from 0-day Attacks ModProfiler: Defending Web Applications from 0-day Attacks Signatures out. Traffic profiling in. Ivan Ristić and Ofer Shezaf, Breach Security, BlackHat August 2008 About Us Ivan Ristić and Ofer Shezaf,

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

RFC violation Violation trigger event Attack type

RFC violation Violation trigger event Attack type WAF Explanations RFC violations Table A.1 RFC violations RFC violation Violation trigger event Attack type Cookie not RFCcompliant Evasion technique HTTP protocol compliance failed The cookie header in

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Importance of Web Application Firewall Technology for Protecting Web-based Resources Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,

More information

Compliance Guide: PCI DSS

Compliance Guide: PCI DSS Compliance Guide: PCI DSS PCI DSS Compliance Compliance mapping using Huntsman INTRODUCTION The Payment Card Industry Data Security Standard (PCI DSS) was developed with industry support by the PCI Security

More information

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value. SYMANTEC MANAGED SECURITY SERVICES Superior information security delivered with exceptional value. A strong security posture starts with a smart business decision. In today s complex enterprise environments,

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

From the Bottom to the Top: The Evolution of Application Monitoring

From the Bottom to the Top: The Evolution of Application Monitoring From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published

More information

FortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE

FortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE Overview Web applications and the elements surrounding them have not only become a key part of every company

More information

Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements

Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the

More information

Application Security in the Cloud with BIG-IP ASM

Application Security in the Cloud with BIG-IP ASM F5 White Paper Application Security in the Cloud with BIG-IP ASM Whether critical applications live in the cloud, in the data center, or in both, organizations need a strategic point of control for application

More information

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015 Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Barracuda Intrusion Detection and Prevention System

Barracuda Intrusion Detection and Prevention System Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques

More information

Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper

Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper Table of Contents Introduction...3 Living on the Edge: Your Unprotected Business is at Risk...3 The World

More information