WebSphere DataPower: Build a more-secure web application infrastructure
|
|
- Morris Tucker
- 8 years ago
- Views:
Transcription
1 DataPower: Build a more-secure web application infrastructure Mitigate the risks associated with the OWASP Top 10 Executive summary The growth and evolution of web applications In today s economy, it is a foregone conclusion that a web presence must be maintained in order for your enterprise to compete effectively. Traditional browser-based web applications are only the beginning. Web applications have been undergoing a radical evolution in recent years. With the explosion in the number of smartphones and tablets into the hands of consumers and employees alike, with more than 5,000,000,000 mobile devices estimated to be in use worldwide, the reach of web-based applications continues to grow. In addition to the proliferation of mobile devices, there are other significant information technology (IT) trends that are driving exponential increases in web-based traffic. For example, public and hybrid cloud computing models are most commonly delivered using the web, utilizing many of the same technologies and infrastructures that are in place to support web applications. Furthermore, web application programming interfaces (APIs) are emerging as the new channel for increased market penetration. Exposure of a public web API enables third party web, mobile, and social applications that expand the reach of the enterprise to millions of consumers. 1
2 By opening up your enterprise through additional web channels whether desktop or mobile applications, cloud computing, or web APIs you are potentially exposing your systems and confidential business information to a broader set of unknown users. In so doing you are unlocking tremendous business opportunities, while at the same time introducing a whole new set of security issues and concerns. Initial web deployments may not have placed as heavy an emphasis on security and threat protection. However, with the emergence of various regulatory standards and numerous examples of tarnished brand image that have occurred as a result of security breaches, web security must now be a vital part of any enterprise security strategy and implementation. Web application security is critical to the ongoing success of your business In its 2011 study on information security, analyst firm Gartner listed network security as the number one key issue with which organizational IT security leaders should concern themselves. The enterprise perimeter is being challenged by the opening up of the data center to additional external users using web-based traffic. It is critical to implement an effective network security strategy to protect the business from the potential threats posed by these previously unknown users. 2 In addition to traditional network security devices such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), more intelligent, application-aware products have emerged in order to provide the greater level of security and protection that is required. Web application firewalls (WAFs) are effective tools for providing this higher level of protection against known, and even some unknown, security vulnerabilities. Web application vulnerabilities as a percentage of all disclosures in 2011 Web applications: 41 percent Figure 1: Web application vulnerabilities Others: 59 percent 2
3 The number of potential security vulnerabilities for web applications is always changing. However, there are some commonly agreed upon risks that are recognized as being the most prevalent among web applications. These threats, known as the OWASP Top 10, are identified by the not-for-profit organization, Open Web Application Security Project (OWASP). While not an all-inclusive list of every security risk with which you should concern yourself, the OWASP Top 10 indicates those highest-priority concerns that must be addressed with any web application security strategy. The Payment Card Industry (PCI) Data Security Standard (DSS) explicitly requires protection for the OWASP Top 10 risks in order to claim certification. IBM DataPower has its roots in securing enterprise applications From the emergence of service-oriented architecture (SOA) and web services, the IBM DataPower appliance has been established as the leading secure gateway device in the industry. 3,4 This IBM product s scalable, convenient, easier-to-use, and security-rich network appliance form factor makes it a strong solution for protecting web services that are exposed within the enterprise or that are exposed to established business partners. What may not be as well known is that the core competencies of the DataPower appliance expand well beyond traditional XML and SOAP-based web services. The DataPower solution offers the following capabilities that can be applied to web-based traffic also: Support for standard message formats and protocols that are common to web traffic (for example, HTTP, HTML, XML, JSON, SSL/TLS) Deep application knowledge and message-payload inspection A thorough, wide-ranging authentication, authorization and audit (AAA) framework Highly configurable to protect against a broad range of security risks Robust scripting interface for building and enforcing customized security policies Roles-based management to support the enforcement of the proper access restrictions Graceful scalability to support a highly available and resilient application delivery infrastructure, even under increasing loads The following sections will highlight how these features, along with some established tested methods, enable DataPower to fulfill a key role in your enterprise s web application security infrastructure in addressing some of the most common web application threats. More-easily deployable and manageable, DataPower appliances are engineered to protect your web traffic today, and to scale to meet the needs of your growing business tomorrow, as you expand into the new and emerging channels of mobile, cloud and web APIs. Introduction to web application security The world of information technology (IT) has been founded on the principles of continuous change and evolution. Business leaders not only use IT in order to gain operational efficiencies, but have come to rely on it as a key component of the day-to-day operations and for driving the implementation of the business strategy. In the pre-internet age, each line of business team would develop or procure its own purposebuilt applications. A dramatic shift in the corporate mindset occurred as the world moved into the 21st century and new technologies and paradigms emerged, such as web services and service-oriented architecture (SOA). By adopting SOA, company teams could easily integrate between disparate systems and begin to recognize opportunities to reuse IT assets throughout the enterprise. The concept of reuse exposed applications to new users and new use cases, and also brought with it new concerns surrounding security and visibility. 3
4 For IT professionals, DataPower helps manage the security issues that come with a precipitous increase in the number of smartphones and tablets connecting to your enterprise. If you want to take action to manage risk exposure as your organization extends its products and services to the public using web APIs, you should seriously consider the DataPower solution as part of your strategy. In its 2011 Trend and Risk Report 5, IBM X-Force indicates that web applications accounted for approximately 41 percent of all published software security vulnerabilities in And although the total number of vulnerabilities reported in 2011 was down almost 20 percent from 2010, there remains a sharply upward trend since vulnerabilities began being tracked in 1996 (see Figure 2). In recent years, enterprises have expanded beyond SOA adoption and have experienced dramatic growth in the use of web-based applications. These applications are more than secondary or tertiary in stature. Today, enterprise leaders rely on web applications to provide mission-critical functions to a wide range of users both inside and outside the enterprise. New and emerging use cases, like mobile, cloud and web API management, continue to expand the scope and reach of webbased technologies, and at the same time usher in an era fraught with previously unimagined security risks and privacy concerns. 10,000 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 0 Vulnerability disclosures growth by year Historically, data centers have protected themselves from would-be security attacks by implementing an intrusion detection system (IDS) or intrusion prevention system (IPS). Products that fit into this classification can be very effective for protecting against certain network-based attacks such as denial of service (DoS), among others. However, the professional hackers of today have found ways to circumvent the protections provided by IDS and IPS, and instead have begun to exploit vulnerabilities at the application layer, or at what is commonly referred to as layer 7 according to the Open Systems Interconnection (OSI) model. IDS and IPS technologies alone are no longer sufficient protection mechanisms. Figure 2: IBM X-Force vulnerability disclosures by year 4
5 In order to more effectively protect against these applicationlevel exploits, a market segment has emerged for a product set known as web application firewalls (WAFs). WAFs are generally intelligent, application-aware software products or network appliances that are intended to protect a system against many of the common threats that target web applications. A successful WAF must be able to process both request messages and response messages that are flowing over the network, and must inspect the payloads for any malicious or potentially harmful content. In so doing, a WAF can block requests that might otherwise cause harm to back end web servers, application servers or database servers. According to a 2011 study by the analyst firm IDC, the entire worldwide web security market, which includes WAFs, grew to USD1,700,000,000 in The financial and administrative risks associated with webapplication security exploits are well documented. The ramifications associated with security breaches are so severe that web application security has even become a mandate for such well-published regulations as the Payment Card Industry (PCI) Data Security Standard (DSS). 7 PCI DSS requirement 6.6 specifies that public-facing web applications must either be subject to annual verification by vulnerability security assessment tools or else implement a front-ending WAF to prevent web-based attacks. But just having a web application firewall in place is not sufficient to ensure the integrity of your web applications. What is the OWASP Top 10? In order to effectively secure web applications, enterprise leaders must employ solutions that have a broad range of capabilities and that can be configured and maintained in such a way as to protect against new and emerging threats. As the technology has changed and evolved over time, so too have the security threats to which web applications are vulnerable. There are, however, certain security threat patterns that have proven particularly harmful or prevalent throughout the web. The need exists to raise awareness of these threat patterns and to educate those in the field of information technology (IT) on how to best protect their systems and applications from wouldbe attackers. The Open Web Application Security Project (OWASP) is a not-for-profit organization that was originally formed in 2001 with the mission of making application security more visible. 8 OWASP s most widely recognized contribution has been the creation of the OWASP Top 10. First created in 2004, and then updated again in 2007 and 2010, the OWASP Top 10 is used to communicate a consensus view of the most critical web application security flaws. The work effort is renowned, and has become the measuring stick by which many IT organizations rate their web-application security capabilities. Any leader whose enterprise is currently maintaining a web presence, be it through a traditional web application, mobile application, cloud-based offering or web API, must be concerned with implementing infrastructure components that will protect against the OWASP Top 10 risks. The following is a brief explanation of the OWASP Top 10 Web Application Security Risks for 2010: 9 A1 Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. A2 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim s browser which can hijack user sessions, deface web sites or redirect the user to malicious sites. 5
6 A3 Broken Authentication and Session Management: Often, application functions that are related to authentication and session management are not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or to exploit other implementation flaws to assume other users identities. A4 Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim s browser to send a forged HTTP request, including the victim s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim s browser to generate requests that the vulnerable application recognizes as legitimate requests from the victim. A6 Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. All these settings should be defined, implemented and maintained, since many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. A7 Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data, such as credit cards, social security numbers and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud or other crimes. A8 Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar accesscontrol checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. A9 Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt and protect the confidentiality and integrity of sensitive network traffic. When they do, applications sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. The vast range of threats identified in the OWASP Top 10 indicate that there is more to protecting web applications than simply focusing on security as part of the development life cycle, although that is a major factor. Web application security must be considered throughout the entire runtime infrastructure for application delivery. In 2011, IBM X-Force performed a security test analysis to determine the likelihood of vulnerabilities that match each of the OWASP Top 10 risks being present within applications. The applications tested were ones that were believed to have a high level of security already in place. The results, however, demonstrate that even with a concerted development effort, web applications remain vulnerable to many different attacks and other measures must be taken to provide sufficient protection (see Figure 3). 6
7 2011 findings (OWASP top ten mapping) Unvalidated redirects and forwards Insufficient transport layer protection Faliure to restrict URL access Insecure crytographic storage Security misconfiguration Cross-site request forgery (CSRF) Insecure direct object references Broken authentication Cross-site scripting (XSS) Injection % finding likely to occur in test Figure 3: Probability of finding specific application vulnerabilities How DataPower can help protect your web infrastructure IBM DataPower appliances are purpose-built solutions that offer an optimized combination of hardware, firmware and an embedded operating system. DataPower appliances are engineered with security in mind. They are sealed, network-resident appliances that provide no USB ports and have a tamper-resistant case. The appliances do not support the running of arbitrary software, and firmware upgrades are managed with a single signed and encrypted mechanism. DataPower appliances have received third-party certifications for FIPS level 3 (HSM) and Common Criteria EAL4. 18% 18% 28% 31% 42% 41% 41% 49% 79% 86% From a capabilities perspective, the heritage of DataPower has centered on XML and SOAP-based processing of web service messages. DataPower offers a state of the art XML firewall that enables hardened near-real-time protection against a wide range of XML security threats. In addition, DataPower provides a customizable access-control integration framework, allowing the DataPower solution to become the central point of enforcement for authentication, authorization and auditing (AAA) of application message traffic (see Figure 4). The DataPower appliance s applicability as a security solution extends well beyond its traditional service-oriented architecture (SOA), web services, and XML use cases. With its focus on application-level knowledge, configurable policy creation and enforcement, and scalable performance, DataPower is an optimal solution for securing web-based traffic from within the demilitarized zone (DMZ). DataPower has built-in support for many common security patterns and offers a robust, more-easily customizable scripting interface for building and enforcing additional security policies. All configurations are enabled through an easier-to-use, graphical, wizard-driven interface. For additional simplicity, IBM Appliance Management Center can be used to centrally manage appliance firmware and configurations and to monitor key metrics and events for groups of DataPower appliances. For business leaders, the challenges of technological change will not deter the determination to succeed against the competition. Embrace the future with confidence. If you are planning to extend your products or services into the world using mobile and web apps or web APIs, security is paramount. You should seriously consider the DataPower solution as part of your strategy. 7
8 Extract resource Map resource Input Message Extract identity Authenticate Map credentials Authorize Audit and accounting Output Message External access control server or Onboard identity management store Figure 4: IBM DataPower AAA Framework This IBM solution s inherent capabilities for HTTP (the communication protocol of the web), service and application proxying, and content-based decision making, allow it to be used more easily as part of a web application, mobile, and web-api security infrastructure. In particular, DataPower has several features and recommended tested methods that can be used to protect applications from the OWASP Top 10 risks. 10 A1 Injection: Built-in signatures are provided to prevent common SQL and XPath injection scenarios. Additional customizable signatures can be created using regular expressions (PCRE) to detect other forms of injection (for example, LDAP, PHP, shell scripts and more). Moreover, input-limiting capabilities, provided with DataPower name-value profiles, complement the signature-based approach to protection by making it 8
9 possible for you to restrict input to a set of known and expected values. Finally, DataPower is capable of implementing virtual patches, such that identified application risks can be quickly mitigated without the need to make changes to the underlying application itself. A2 Cross Site Scripting (XSS): Although XSS occurs within the browser client, it is typically implemented using a multiphased attack that may first begin with Injection (A1), which allows the malicious script to later be returned as part of a response to a user s browser. Therefore, the same protection approach listed for Injection can be applied to XSS. In particular, DataPower name-value profiles have specific settings that can be enabled to detect and to protect against recognized XSS content. A3 Broken Authentication and Session Management: DataPower is a strong solution for providing a centralized point of control for message authentication; this IBM solution implements a broad array of security standards (for example, SAML, XACML, OAuth, and more) and integrates with many industry-leading identity access-management solutions. Furthermore, to maximize security, be sure to use SSL/TLS on all front-side communications, not just during the authentication step; this will support protection of session IDs and credentials. DataPower policies can also be crafted that will force all session cookies to have consistent expiration policies applied, in order to help prevent session hijacking of old or abandoned sessions. A4 Insecure Direct Object References: The DataPower solution s extensive and powerful transformation engine makes it possible for you to rewrite insecure direct-object references that occur in responses, and to map them to other calculated or random values. This helps protect these object references from exposure outside of the application. Most importantly, however, the AAA framework is capable of being invoked on every message that is received; thus, no access is granted to any resource unless it first passes the established authorization checks. A5 Cross Site Request Forgery (CSRF): There are several building blocks provided by DataPower that allow a successful CSRF mitigation policy to be created. For example, policies can be created that will supply a nonce value within responses (for example, within a hidden field), and the policy can then interrogate subsequent request messages for the existence of a session ID hash that is created using that nonce, in order to confirm its authenticity. A6 Security Misconfiguration: Security misconfigurations cannot be prevented in isolation. However, DataPower capabilities do facilitate an ease of management and enforcement for established security policies. When used as the centralized policy enforcement point for AAA, DataPower capabilities eliminate the need to have redundant policies duplicated at various tiers of a web infrastructure. Additionally, there are a number of tools and utilities that can be used to restrict access to the appliance (for example, roles-based management, application domains), a configuration comparison utility, audit trail of all configuration updates, extensive configuration backup and restore capabilities, and the ability to have centralized configuration management and deployment with Appliance Management Center. A7 Insecure Cryptographic Storage: DataPower policy enforcement plays a role in the application processing and the solution is built to protect the information it handles as part of the data flow. This protection is provided in a tamperresistant hardware form factor. The encryption keys used by the appliance are stored and protected in an encrypted portion of the file system that cannot be accessed. Sensitive user data is never stored directly on the appliance. 9
10 In the event that sensitive data may be included in log messages, or in other output, one can create a policy to use the transformation engine to obfuscate the sensitive data before it is written out (for example, don t allow user credentials to be included in log output ). A8 Failure to Restrict URL Access: DataPower can be configured to enforce a per-request authentication and resource-based authorization scheme for URL access using its AAA framework. Unauthenticated users are denied access; previously authenticated users must further pass the established authorization checks for the resource currently being requested. A9 Insufficient Transport Layer Protection: One of the strengths of the DataPower solution is providing SSL/TLS offload for back end services and applications. Utilizing DataPower as a central point for SSL/TLS termination can ensure that sufficient transport layer protection is provided for external web traffic. DataPower supports a strong SSL cipher suite, can enforce client mutual authentication, and, with certificate revocation list (CRL) and online certificate status protocol (OCSP) support, DataPower operations can help ensure that client-side certificates are valid and trusted. For maximum security, DataPower optionally allows the use of SSL/TLS connections both on the front- and back-end communications, thus helping to protect against both external and internal attackers. A10 Unvalidated Redirects and Forwards: In some cases, user input might be used to craft a redirect URL. If left unvalidated, this could lead to a user s browser being directed to a malicious location. Several things can be done to protect against this threat. Using the name-value profiles feature, any input data that might be used to build redirected URLs can be validated. Additionally, DataPower can be configured to not forward redirect response codes from unanticipated applications, or to rewrite location headers in those response messages to ensure that only known URLs are exposed. As can be seen from these features and tested methods, application insight is critical to building an effective OWASP Top 10 protection strategy. Armed with this application knowledge, DataPower capabilities can help an organization implement tested methods to strengthen protection for all types of web traffic including traditional web applications, mobile applications, cloud computing and web APIs from would-be attackers. Conclusion An immediate need exists to ensure a high level of security and threat protection for web applications. As web applications continue to evolve through mobile enablement, integration of cloud-based services and exposing web APIs, the risks become even greater. A highly scalable and configurable web application security solution is of paramount importance. IBM DataPower has a longstanding history of securing services and applications within the enterprise. Those same principles and competencies are extensible to the world of external web traffic as well. With a consistent focus on authentication, authorization, encryption and data transformation, DataPower provides a centralized platform for web security policy enforcement. By adhering to a defined set of tested methods and built-in features, DataPower can help protect against the most common web security flaws, as defined by the OWASP Top 10, and can provide a solid foundation for an enterprise s web-application security infrastructure. 10
11 Notes
12 For more information To learn more about IBM DataPower appliances, contact your IBM sales representative or your IBM Business Partner, or visit the following website: ibm.com/software/integration/datapower/ Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing 1 Knipp, Eric, and Benoit J. Lhereux, Mobile and Context-Aware Branches Grow from Public Web APIs, p. 1, Gartner, Inc., June 28, Walls, Andrew, and Mark Nicolett, Key Issues for Information Security, 2011, pp. 2-3, Gartner, Inc., February 24, Thompson, Jess, et al., Magic Quadrant for Application Infrastructure for Systematic Application Integration Projects, Gartner, Inc., June 20, Heffner, Randy, The Forrester Wave: SOA Application Gateways, Q4 2011, Forreseter Research, Inc., November, 18, IBM X-Force 2011 Trend and Risk Report, March Hochmuth, Phil, Worldwide Web Security Forecast and 2010 Vendor Shares: From Surfing Police to Strategic Security Platform, p. 1, IDC, October Additional information about configuring the DataPower WAF service and capabilities for web application security can be found in the following: index.jsp?topic=%2fcom.ibm.dp.xg.doc% 2Fwebapplicationfirewalldevelopersguide.xg45.htm wwhimpl/js/html/wwhelp.htm?href=2-6.htm wwhimpl/js/html/wwhelp.htm?href=4-6-3.htm Copyright IBM Corporation 2012 IBM Corporation Software Group Route 100 Somers, NY Produced in the United States of America August 2012 IBM, the IBM logo, ibm.com,, and DataPower are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml Other company, product or service names may be trademarks or service marks of others. This document is current as of the initial date of publication and may be changed by IBM at any time. It is the user s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party. Please Recycle WSW14196-USEN-00
Where every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationBeyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationSafeguarding the cloud with IBM Dynamic Cloud Security
Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationImprove your mobile application security with IBM Worklight
Improve your mobile application security with IBM Worklight Contents 1 Introduction 2 IBM Worklight overview 4 Enabling mobile security with IBM Worklight 6 Integrating IBM Worklight with enterprise security
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationQuality Assurance version 1
Quality Assurance version 1 Introduction Quality assurance (QA) is a standardised method that ensures that everything works as it was intended to work and looks as it was intended to look. It should force
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationSecuring the mobile enterprise with IBM Security solutions
Securing the mobile enterprise with IBM Security solutions Gain visibility and control with proven security for mobile initiatives in the enterprise Highlights Address the full spectrum of mobile risks
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationIBM Security Intrusion Prevention Solutions
IBM Security Intrusion Prevention Solutions Sarah Cucuz sarah.cucuz@spyders.ca IBM Software Solution Brief IBM Security intrusion prevention solutions In-depth protection for networks, servers, endpoints
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationIBM Security QRadar Risk Manager
IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationIBM Protocol Analysis Module
IBM Protocol Analysis Module The protection engine inside the IBM Security Intrusion Prevention System technologies. Highlights Stops threats before they impact your network and the assets on your network
More informationPenta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au
Penta Security 3rd Generation Web Application Firewall No Signature Required www.gasystems.com.au 1 1 The Web Presence Demand The Web Still Grows INTERNET USERS 2006 1.2B Internet Users - 18% of 6.5B people
More informationIBM Security QRadar Risk Manager
IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Visualize current and potential network traffic patterns
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationStrengthen security with intelligent identity and access management
Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers
More informationSafeguarding the cloud with IBM Security solutions
Safeguarding the cloud with IBM Security solutions Maintain visibility and control with proven solutions for public, private and hybrid clouds Highlights Address cloud concerns with enterprise-class solutions
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationIBM Security Privileged Identity Manager helps prevent insider threats
IBM Security Privileged Identity Manager helps prevent insider threats Securely provision, manage, automate and track privileged access to critical enterprise resources Highlights Centrally manage privileged
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationStaying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.
Managing business infrastructure White paper Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. September 2008 2 Contents 2 Overview 5 Understanding
More informationBreaking down silos of protection: An integrated approach to managing application security
IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationIBM Security X-Force Threat Intelligence
IBM Security X-Force Threat Intelligence Use dynamic IBM X-Force data with IBM Security QRadar to detect the latest Internet threats Highlights Automatically feed IBM X-Force data into IBM QRadar Security
More informationIBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationIBM Tivoli Federated Identity Manager
IBM Tivoli Federated Identity Manager Employ user-centric federated access management to enable secure online business collaboration Highlights Enhance business-to-business and business-to-consumer collaborations
More informationFortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE
FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE Overview Web applications and the elements surrounding them have not only become a key part of every company
More informationWeb Application Firewall on SonicWALL SSL VPN
Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationStay ahead of insiderthreats with predictive,intelligent security
Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationIBM Cognos TM1 on Cloud Solution scalability with rapid time to value
IBM Solution scalability with rapid time to value Cloud-based deployment for full performance management functionality Highlights Reduced IT overhead and increased utilization rates with less hardware.
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationEl costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada
El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada The Traditional Approach is Changing. Security is no longer controlled and enforced through the
More informationApplication Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag
Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2
More informationIBM Connections Cloud Security
IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application
More informationAPIs The Next Hacker Target Or a Business and Security Opportunity?
APIs The Next Hacker Target Or a Business and Security Opportunity? SESSION ID: SEC-T07 Tim Mather VP, CISO Cadence Design Systems @mather_tim Why Should You Care About APIs? Amazon Web Services EC2 alone
More informationWEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services
WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationF5 and Microsoft Exchange Security Solutions
F5 PARTNERSHIP SOLUTION GUIDE F5 and Microsoft Exchange Security Solutions Deploying a service-oriented perimeter for Microsoft Exchange WHAT'S INSIDE Pre-Authentication Mobile Device Security Web Application
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationIBM Security re-defines enterprise endpoint protection against advanced malware
IBM Security re-defines enterprise endpoint protection against advanced malware Break the cyber attack chain to stop advanced persistent threats and targeted attacks Highlights IBM Security Trusteer Apex
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationRisk-based solutions for managing application security
IBM Software Thought Leadership White Paper September 2013 Risk-based solutions for managing application security Protect the enterprise from the growing volume and velocity of threats with integrated
More informationDon t Get Burned! Are you Leaving your Critical Applications Defenseless?
Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Ed Bassett Carolyn Ryll, CISSP Enspherics Division of CIBER Presentation Overview Applications Exposed The evolving application
More informationIBM Security Access Manager for Web
IBM Security Access Manager for Web Secure user access to web applications and data Highlights Implement centralized user authentication, authorization and secure session management for online portal and
More informationMobile, Cloud, Advanced Threats: A Unified Approach to Security
Mobile, Cloud, Advanced Threats: A Unified Approach to Security David Druker, Ph.D. Senior Security Solution Architect IBM 1 Business Security for Business 2 Common Business Functions Manufacturing or
More informationIBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet
IBM PowerSC Security and compliance solution designed to protect virtualized datacenters Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationSemantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationWeb Application Firewall on SonicWALL SRA
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
More information