WebSphere DataPower: Build a more-secure web application infrastructure


Mitigate the risks associated with the OWASP Top 10

Executive summary

The growth and evolution of web applications

In today's economy, it is a foregone conclusion that a web presence must be maintained in order for your enterprise to compete effectively. Traditional browser-based web applications are only the beginning. Web applications have been undergoing a radical evolution in recent years. With the explosion in the number of smartphones and tablets in the hands of consumers and employees alike, with more than 5,000,000,000 mobile devices estimated to be in use worldwide, the reach of web-based applications continues to grow.

In addition to the proliferation of mobile devices, there are other significant information technology (IT) trends that are driving exponential increases in web-based traffic. For example, public and hybrid cloud computing models are most commonly delivered using the web, utilizing many of the same technologies and infrastructures that are in place to support web applications. Furthermore, web application programming interfaces (APIs) are emerging as the new channel for increased market penetration. Exposure of a public web API enables third-party web, mobile, and social applications that expand the reach of the enterprise to millions of consumers. [1]

By opening up your enterprise through additional web channels, whether desktop or mobile applications, cloud computing, or web APIs, you are potentially exposing your systems and confidential business information to a broader set of unknown users. In so doing you are unlocking tremendous business opportunities, while at the same time introducing a whole new set of security issues and concerns. Initial web deployments may not have placed as heavy an emphasis on security and threat protection. However, with the emergence of various regulatory standards and numerous examples of tarnished brand image that have occurred as a result of security breaches, web security must now be a vital part of any enterprise security strategy and implementation.

Web application security is critical to the ongoing success of your business

In its 2011 study on information security, analyst firm Gartner listed network security as the number one key issue with which organizational IT security leaders should concern themselves. The enterprise perimeter is being challenged by the opening up of the data center to additional external users using web-based traffic. It is critical to implement an effective network security strategy to protect the business from the potential threats posed by these previously unknown users. [2]

In addition to traditional network security devices such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), more intelligent, application-aware products have emerged in order to provide the greater level of security and protection that is required. Web application firewalls (WAFs) are effective tools for providing this higher level of protection against known, and even some unknown, security vulnerabilities.

Figure 1: Web application vulnerabilities as a percentage of all disclosures in 2011 (web applications: 41 percent; others: 59 percent)

The number of potential security vulnerabilities for web applications is always changing. However, there are some commonly agreed upon risks that are recognized as being the most prevalent among web applications. These threats, known as the OWASP Top 10, are identified by the not-for-profit organization, the Open Web Application Security Project (OWASP). While not an all-inclusive list of every security risk with which you should concern yourself, the OWASP Top 10 indicates those highest-priority concerns that must be addressed with any web application security strategy. The Payment Card Industry (PCI) Data Security Standard (DSS) explicitly requires protection for the OWASP Top 10 risks in order to claim certification.

IBM DataPower has its roots in securing enterprise applications

Since the emergence of service-oriented architecture (SOA) and web services, the IBM DataPower appliance has been established as the leading secure gateway device in the industry. [3,4] This IBM product's scalable, convenient, easier-to-use, and security-rich network appliance form factor makes it a strong solution for protecting web services that are exposed within the enterprise or that are exposed to established business partners. What may not be as well known is that the core competencies of the DataPower appliance expand well beyond traditional XML and SOAP-based web services. The DataPower solution offers the following capabilities that can be applied to web-based traffic also:

- Support for standard message formats and protocols that are common to web traffic (for example, HTTP, HTML, XML, JSON, SSL/TLS)
- Deep application knowledge and message-payload inspection
- A thorough, wide-ranging authentication, authorization and audit (AAA) framework
- Highly configurable to protect against a broad range of security risks
- Robust scripting interface for building and enforcing customized security policies
- Roles-based management to support the enforcement of the proper access restrictions
- Graceful scalability to support a highly available and resilient application delivery infrastructure, even under increasing loads

The following sections will highlight how these features, along with some established tested methods, enable DataPower to fulfill a key role in your enterprise's web application security infrastructure in addressing some of the most common web application threats. More easily deployable and manageable, DataPower appliances are engineered to protect your web traffic today, and to scale to meet the needs of your growing business tomorrow, as you expand into the new and emerging channels of mobile, cloud and web APIs.

Introduction to web application security

The world of information technology (IT) has been founded on the principles of continuous change and evolution. Business leaders not only use IT in order to gain operational efficiencies, but have come to rely on it as a key component of day-to-day operations and for driving the implementation of the business strategy. In the pre-internet age, each line-of-business team would develop or procure its own purpose-built applications. A dramatic shift in the corporate mindset occurred as the world moved into the 21st century and new technologies and paradigms emerged, such as web services and service-oriented architecture (SOA). By adopting SOA, company teams could easily integrate between disparate systems and begin to recognize opportunities to reuse IT assets throughout the enterprise. The concept of reuse exposed applications to new users and new use cases, and also brought with it new concerns surrounding security and visibility.

For IT professionals, DataPower helps manage the security issues that come with a precipitous increase in the number of smartphones and tablets connecting to your enterprise. If you want to take action to manage risk exposure as your organization extends its products and services to the public using web APIs, you should seriously consider the DataPower solution as part of your strategy.

In its 2011 Trend and Risk Report, [5] IBM X-Force indicates that web applications accounted for approximately 41 percent of all published software security vulnerabilities. And although the total number of vulnerabilities reported in 2011 was down almost 20 percent from 2010, there remains a sharply upward trend since vulnerabilities began being tracked in 1996 (see Figure 2).

In recent years, enterprises have expanded beyond SOA adoption and have experienced dramatic growth in the use of web-based applications. These applications are more than secondary or tertiary in stature. Today, enterprise leaders rely on web applications to provide mission-critical functions to a wide range of users both inside and outside the enterprise. New and emerging use cases, like mobile, cloud and web API management, continue to expand the scope and reach of web-based technologies, and at the same time usher in an era fraught with previously unimagined security risks and privacy concerns.

Figure 2: IBM X-Force vulnerability disclosures by year (vulnerability disclosures growth by year; vertical axis from 0 to 10,000 disclosures)

Historically, data centers have protected themselves from would-be security attacks by implementing an intrusion detection system (IDS) or intrusion prevention system (IPS). Products that fit into this classification can be very effective for protecting against certain network-based attacks such as denial of service (DoS), among others. However, the professional hackers of today have found ways to circumvent the protections provided by IDS and IPS, and instead have begun to exploit vulnerabilities at the application layer, or at what is commonly referred to as layer 7 according to the Open Systems Interconnection (OSI) model. IDS and IPS technologies alone are no longer sufficient protection mechanisms.

In order to more effectively protect against these application-level exploits, a market segment has emerged for a product set known as web application firewalls (WAFs). WAFs are generally intelligent, application-aware software products or network appliances that are intended to protect a system against many of the common threats that target web applications. A successful WAF must be able to process both request messages and response messages that are flowing over the network, and must inspect the payloads for any malicious or potentially harmful content. In so doing, a WAF can block requests that might otherwise cause harm to back-end web servers, application servers or database servers. According to a 2011 study by the analyst firm IDC, the entire worldwide web security market, which includes WAFs, grew to USD1,700,000,000. [6]

The financial and administrative risks associated with web-application security exploits are well documented. The ramifications associated with security breaches are so severe that web application security has even become a mandate for such well-published regulations as the Payment Card Industry (PCI) Data Security Standard (DSS). [7] PCI DSS requirement 6.6 specifies that public-facing web applications must either be subject to annual verification by vulnerability security assessment tools or else implement a front-ending WAF to prevent web-based attacks. But just having a web application firewall in place is not sufficient to ensure the integrity of your web applications.

What is the OWASP Top 10?

In order to effectively secure web applications, enterprise leaders must employ solutions that have a broad range of capabilities and that can be configured and maintained in such a way as to protect against new and emerging threats. As the technology has changed and evolved over time, so too have the security threats to which web applications are vulnerable. There are, however, certain security threat patterns that have proven particularly harmful or prevalent throughout the web. The need exists to raise awareness of these threat patterns and to educate those in the field of information technology (IT) on how to best protect their systems and applications from would-be attackers.

The Open Web Application Security Project (OWASP) is a not-for-profit organization that was originally formed in 2001 with the mission of making application security more visible. [8] OWASP's most widely recognized contribution has been the creation of the OWASP Top 10. First created in 2004, and then updated again in 2007 and 2010, the OWASP Top 10 is used to communicate a consensus view of the most critical web application security flaws. The work effort is renowned, and has become the measuring stick by which many IT organizations rate their web-application security capabilities. Any leader whose enterprise is currently maintaining a web presence, be it through a traditional web application, mobile application, cloud-based offering or web API, must be concerned with implementing infrastructure components that will protect against the OWASP Top 10 risks. The following is a brief explanation of the OWASP Top 10 Web Application Security Risks for 2010: [9]

A1 Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites or redirect the user to malicious sites.

A3 Broken Authentication and Session Management: Often, application functions that are related to authentication and session management are not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or to exploit other implementation flaws to assume other users' identities.

A4 Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application recognizes as legitimate requests from the victim.

A6 Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. All these settings should be defined, implemented and maintained, since many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data, such as credit cards, social security numbers and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud or other crimes.

A8 Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access-control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A9 Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt and protect the confidentiality and integrity of sensitive network traffic. When they do, applications sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10 Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

The vast range of threats identified in the OWASP Top 10 indicates that there is more to protecting web applications than simply focusing on security as part of the development life cycle, although that is a major factor. Web application security must be considered throughout the entire runtime infrastructure for application delivery. In 2011, IBM X-Force performed a security test analysis to determine the likelihood of vulnerabilities that match each of the OWASP Top 10 risks being present within applications. The applications tested were ones that were believed to have a high level of security already in place. The results, however, demonstrate that even with a concerted development effort, web applications remain vulnerable to many different attacks and other measures must be taken to provide sufficient protection (see Figure 3).

Figure 3: Probability of finding specific application vulnerabilities (2011 findings mapped to the OWASP Top 10: injection, cross-site scripting (XSS), broken authentication, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, unvalidated redirects and forwards; horizontal axis: percent of tests in which the finding was likely to occur, with values ranging from 18 percent to 86 percent)

How DataPower can help protect your web infrastructure

IBM DataPower appliances are purpose-built solutions that offer an optimized combination of hardware, firmware and an embedded operating system. DataPower appliances are engineered with security in mind. They are sealed, network-resident appliances that provide no USB ports and have a tamper-resistant case. The appliances do not support the running of arbitrary software, and firmware upgrades are managed with a single signed and encrypted mechanism. DataPower appliances have received third-party certifications for FIPS level 3 (HSM) and Common Criteria EAL4.

From a capabilities perspective, the heritage of DataPower has centered on XML and SOAP-based processing of web service messages. DataPower offers a state-of-the-art XML firewall that enables hardened near-real-time protection against a wide range of XML security threats. In addition, DataPower provides a customizable access-control integration framework, allowing the DataPower solution to become the central point of enforcement for authentication, authorization and auditing (AAA) of application message traffic (see Figure 4).

The DataPower appliance's applicability as a security solution extends well beyond its traditional service-oriented architecture (SOA), web services, and XML use cases. With its focus on application-level knowledge, configurable policy creation and enforcement, and scalable performance, DataPower is an optimal solution for securing web-based traffic from within the demilitarized zone (DMZ). DataPower has built-in support for many common security patterns and offers a robust, more easily customizable scripting interface for building and enforcing additional security policies. All configurations are enabled through an easier-to-use, graphical, wizard-driven interface. For additional simplicity, IBM Appliance Management Center can be used to centrally manage appliance firmware and configurations and to monitor key metrics and events for groups of DataPower appliances.

For business leaders, the challenges of technological change will not deter the determination to succeed against the competition. Embrace the future with confidence. If you are planning to extend your products or services into the world using mobile and web apps or web APIs, security is paramount. You should seriously consider the DataPower solution as part of your strategy.

Figure 4: IBM DataPower AAA framework (input message -> extract identity and extract resource -> authenticate -> map credentials and map resource -> authorize -> audit and accounting -> output message; the identity steps are backed by an external access control server or the onboard identity management store)

This IBM solution's inherent capabilities for HTTP (the communication protocol of the web), service and application proxying, and content-based decision making allow it to be used more easily as part of a web application, mobile, and web API security infrastructure. In particular, DataPower has several features and recommended tested methods that can be used to protect applications from the OWASP Top 10 risks. [10]

A1 Injection: Built-in signatures are provided to prevent common SQL and XPath injection scenarios. Additional customizable signatures can be created using regular expressions (PCRE) to detect other forms of injection (for example, LDAP, PHP, shell scripts and more). Moreover, input-limiting capabilities, provided with DataPower name-value profiles, complement the signature-based approach to protection by making it possible for you to restrict input to a set of known and expected values. Finally, DataPower is capable of implementing virtual patches, such that identified application risks can be quickly mitigated without the need to make changes to the underlying application itself.

A2 Cross Site Scripting (XSS): Although XSS occurs within the browser client, it is typically implemented using a multiphased attack that may first begin with Injection (A1), which allows the malicious script to later be returned as part of a response to a user's browser. Therefore, the same protection approach listed for Injection can be applied to XSS. In particular, DataPower name-value profiles have specific settings that can be enabled to detect and to protect against recognized XSS content.

A3 Broken Authentication and Session Management: DataPower is a strong solution for providing a centralized point of control for message authentication; this IBM solution implements a broad array of security standards (for example, SAML, XACML, OAuth, and more) and integrates with many industry-leading identity access-management solutions. Furthermore, to maximize security, be sure to use SSL/TLS on all front-side communications, not just during the authentication step; this will support protection of session IDs and credentials. DataPower policies can also be crafted that will force all session cookies to have consistent expiration policies applied, in order to help prevent session hijacking of old or abandoned sessions.

A4 Insecure Direct Object References: The DataPower solution's extensive and powerful transformation engine makes it possible for you to rewrite insecure direct-object references that occur in responses, and to map them to other calculated or random values. This helps protect these object references from exposure outside of the application. Most importantly, however, the AAA framework is capable of being invoked on every message that is received; thus, no access is granted to any resource unless it first passes the established authorization checks.

A5 Cross Site Request Forgery (CSRF): There are several building blocks provided by DataPower that allow a successful CSRF mitigation policy to be created. For example, policies can be created that will supply a nonce value within responses (for example, within a hidden field), and the policy can then interrogate subsequent request messages for the existence of a session ID hash that is created using that nonce, in order to confirm its authenticity.

A6 Security Misconfiguration: Security misconfigurations cannot be prevented in isolation. However, DataPower capabilities do facilitate an ease of management and enforcement for established security policies. When used as the centralized policy enforcement point for AAA, DataPower capabilities eliminate the need to have redundant policies duplicated at various tiers of a web infrastructure. Additionally, there are a number of tools and utilities that can be used to restrict access to the appliance (for example, roles-based management, application domains), a configuration comparison utility, an audit trail of all configuration updates, extensive configuration backup and restore capabilities, and the ability to have centralized configuration management and deployment with Appliance Management Center.

A7 Insecure Cryptographic Storage: DataPower policy enforcement plays a role in the application processing and the solution is built to protect the information it handles as part of the data flow. This protection is provided in a tamper-resistant hardware form factor. The encryption keys used by the appliance are stored and protected in an encrypted portion of the file system that cannot be accessed. Sensitive user data is never stored directly on the appliance.
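The nonce-based CSRF check described under A5, worked through as an added Python example (not DataPower's policy language or IBM code): the response side mints a random nonce and a keyed hash that binds that nonce to the session ID, and returns both as hidden fields; the request side must present the nonce and the hash, the hash is checked against the session ID carried by the cookie using a constant-time comparison, and each nonce is accepted once. The key, session IDs and field names are constructed for the example.

```python
import hmac
import hashlib
import secrets
from html import escape


class CsrfPolicy:
    """Nonce-plus-session-hash CSRF check (constructed example).

    stamp_response() is the response-side step: it mints a random nonce and
    token = HMAC(key, session_id || nonce) for the page being returned.
    check_request() is the request-side step: the form must carry the nonce
    and the token, the token must match the session ID from the cookie, and
    each nonce is honoured only once.
    """

    def __init__(self, key):
        self.key = key            # constructed key; a real deployment uses a managed secret
        self.pending = {}         # session_id -> set of nonces issued and not yet used

    def _token(self, session_id, nonce):
        msg = session_id.encode() + b"\x00" + nonce.encode()   # separator avoids ambiguity
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def stamp_response(self, session_id):
        nonce = secrets.token_hex(16)
        self.pending.setdefault(session_id, set()).add(nonce)
        return {"csrf_nonce": nonce, "csrf_token": self._token(session_id, nonce)}

    def check_request(self, session_id, form_fields):
        nonce = form_fields.get("csrf_nonce", "")
        token = form_fields.get("csrf_token", "")
        live = self.pending.get(session_id, set())
        if not nonce or nonce not in live:
            return False          # never issued to this session, or already consumed
        expected = self._token(session_id, nonce)
        if not hmac.compare_digest(expected, token):
            return False          # token does not bind this nonce to this session
        live.discard(nonce)       # single use: a captured token cannot be replayed
        return True


def hidden_fields(fields):
    """Render the stamped values as hidden inputs for the HTML response."""
    return "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in fields.items())


if __name__ == "__main__":
    policy = CsrfPolicy(b"constructed-demo-key")
    fields = policy.stamp_response("session-victim")
    print(hidden_fields(fields))
    print("legitimate submit:", policy.check_request("session-victim", fields))
    print("replay of the same form:", policy.check_request("session-victim", fields))
    # A forged cross-site request carries the victim's cookie but fields the
    # attacker obtained from their own session, so the nonce is not known for it.
    forged = policy.stamp_response("session-attacker")
    print("forged submit:", policy.check_request("session-victim", forged))
```

The check works because the browser sends the session cookie automatically but a third-party page cannot read the hidden fields of the victim's response; without the nonce and the matching keyed hash, the forged request is refused. Keeping the nonce bound to the session (rather than accepting any previously issued nonce) also stops a token minted in one session from being used in another.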

In the event that sensitive data may be included in log messages, or in other output, one can create a policy to use the transformation engine to obfuscate the sensitive data before it is written out (for example, don't allow user credentials to be included in log output).

A8 Failure to Restrict URL Access: DataPower can be configured to enforce a per-request authentication and resource-based authorization scheme for URL access using its AAA framework. Unauthenticated users are denied access; previously authenticated users must further pass the established authorization checks for the resource currently being requested.

A9 Insufficient Transport Layer Protection: One of the strengths of the DataPower solution is providing SSL/TLS offload for back-end services and applications. Utilizing DataPower as a central point for SSL/TLS termination can ensure that sufficient transport layer protection is provided for external web traffic. DataPower supports a strong SSL cipher suite, can enforce client mutual authentication, and, with certificate revocation list (CRL) and online certificate status protocol (OCSP) support, DataPower operations can help ensure that client-side certificates are valid and trusted. For maximum security, DataPower optionally allows the use of SSL/TLS connections on both the front- and back-end communications, thus helping to protect against both external and internal attackers.

A10 Unvalidated Redirects and Forwards: In some cases, user input might be used to craft a redirect URL. If left unvalidated, this could lead to a user's browser being directed to a malicious location. Several things can be done to protect against this threat. Using the name-value profiles feature, any input data that might be used to build redirected URLs can be validated.
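The log obfuscation described for A7 above, as an added Python example (not a DataPower transformation or IBM code): a small rule set rewrites each log line before it is written out, replacing credentials and session identifiers outright and masking card numbers down to their last four digits. The log lines, field names and rules are constructed for the example and stand in for whatever a real transformation policy would be given.

```python
import re

# Constructed log lines resembling an access/audit log that has been fed raw
# request data; not output from any real appliance.
SAMPLE_LOG = [
    '2012-08-01T10:15:02Z POST /login 200 body="user=alice&password=hunter2&remember=1"',
    '2012-08-01T10:15:03Z GET /account 200 hdr="Authorization: Basic YWxpY2U6aHVudGVyMg=="',
    '2012-08-01T10:15:04Z POST /pay 200 body="card=4111 1111 1111 1111&amount=12.50"',
    '2012-08-01T10:15:05Z GET /statement 200 hdr="Cookie: JSESSIONID=5F2A9C0B1D3E7F"',
    '2012-08-01T10:15:06Z GET /help 200',
]


def _mask_pan(match):
    """Keep separators and the last four digits of a card number, star the rest."""
    text = match.group(0)
    digits = sum(ch.isdigit() for ch in text)
    seen, out = 0, []
    for ch in text:
        if ch.isdigit():
            out.append(ch if seen >= digits - 4 else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


# Each rule: (compiled pattern, replacement). Credentials and session tokens are
# replaced outright; card numbers (13-19 digits, optional space or dash groups)
# are masked so support staff can still match a complaint to a transaction.
REDACTIONS = [
    (re.compile(r"(?i)\b(password|passwd|pwd)=([^&\s\"]+)"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)(Authorization:\s*(?:Basic|Bearer)\s+)[^\s\"]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(JSESSIONID=)[^;\s\"]+"), r"\1[REDACTED]"),
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), _mask_pan),
]


def redact(line, rules=REDACTIONS):
    """Apply every rule in order and return the line with sensitive data removed."""
    for pattern, repl in rules:
        line = pattern.sub(repl, line)
    return line


def redact_all(lines, rules=REDACTIONS):
    return [redact(line, rules) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_all(SAMPLE_LOG)):
        print(after if after == before else f"{after}    (was: {before})")
```

Redaction runs on the outbound side of logging, so the raw values never reach disk. The digit-run rule for card numbers is deliberately permissive and can mask other long numeric identifiers; that is the safer failure mode for a log, but any field that must stay readable should be excluded explicitly rather than by loosening the pattern.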
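The validation of redirect input described under A10, as an added Python example (not DataPower configuration or IBM code): the gateway accepts a redirect target only if it is a local path or an http(s) URL whose host is on a constructed allow-list, and the response-side helper replaces any other Location header value with a known safe page. The hosts and the fallback URL are assumptions chosen for the example; the rejected forms are the ones that commonly slip past a check that only looks at the start of the string.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts the application may redirect to, and the
# page to send the browser to when a Location header fails validation.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
SAFE_DEFAULT = "https://www.example.com/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True if target is a local path or an http(s) URL to an allow-listed host.

    Rejects the usual ways an open redirect is smuggled past a naive check:
    scheme-relative //host, backslashes, userinfo (allowed-host@other-host),
    hosts that merely start with an allowed name, non-http schemes, and
    control characters that could split the Location header.
    """
    if not isinstance(target, str) or not target:
        return False
    if any(c in target for c in "\r\n\t\x00"):
        return False                          # header splitting / parser confusion
    target = target.strip()
    if "\\" in target:
        return False                          # browsers treat \ like / in URLs
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow an absolute path, refuse the //host form.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False                          # "allowed.host@other.host" trick
    host = parts.hostname                     # lower-cased, port and userinfo removed
    return host is not None and host in allowed_hosts


def rewrite_location(location, allowed_hosts=ALLOWED_HOSTS, fallback=SAFE_DEFAULT):
    """Response-side counterpart: keep a Location header only if it is safe."""
    return location if is_safe_redirect(location, allowed_hosts) else fallback


if __name__ == "__main__":
    for candidate in ("/account/summary",
                      "https://accounts.example.com/login?next=/x",
                      "//evil.example.net/",
                      "https://www.example.com@evil.example.net/",
                      "https://www.example.com.evil.example.net/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:55} -> {rewrite_location(candidate)}")
```

The host comparison is exact membership in the allow-list, not a prefix or substring test, which is what defeats the look-alike host and userinfo forms. The same function serves both directions: the request-side name-value check on a parameter that will become a redirect, and the response-side rewrite of a Location header from an application that was not expected to redirect at all.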
Additionally, DataPower can be configured to not forward redirect response codes from unanticipated applications, or to rewrite location headers in those response messages to ensure that only known URLs are exposed.

As can be seen from these features and tested methods, application insight is critical to building an effective OWASP Top 10 protection strategy. Armed with this application knowledge, DataPower capabilities can help an organization implement tested methods to strengthen protection for all types of web traffic, including traditional web applications, mobile applications, cloud computing and web APIs, from would-be attackers.

Conclusion

An immediate need exists to ensure a high level of security and threat protection for web applications. As web applications continue to evolve through mobile enablement, integration of cloud-based services and exposing web APIs, the risks become even greater. A highly scalable and configurable web application security solution is of paramount importance. IBM DataPower has a longstanding history of securing services and applications within the enterprise. Those same principles and competencies are extensible to the world of external web traffic as well. With a consistent focus on authentication, authorization, encryption and data transformation, DataPower provides a centralized platform for web security policy enforcement. By adhering to a defined set of tested methods and built-in features, DataPower can help protect against the most common web security flaws, as defined by the OWASP Top 10, and can provide a solid foundation for an enterprise's web-application security infrastructure.


For more information

To learn more about IBM DataPower appliances, contact your IBM sales representative or your IBM Business Partner, or visit the following website: ibm.com/software/integration/datapower/

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

[1] Knipp, Eric, and Benoit J. Lhereux, Mobile and Context-Aware Branches Grow from Public Web APIs, p. 1, Gartner, Inc., June 28.
[2] Walls, Andrew, and Mark Nicolett, Key Issues for Information Security, 2011, pp. 2-3, Gartner, Inc., February 24.
[3] Thompson, Jess, et al., Magic Quadrant for Application Infrastructure for Systematic Application Integration Projects, Gartner, Inc., June 20.
[4] Heffner, Randy, The Forrester Wave: SOA Application Gateways, Q4 2011, Forrester Research, Inc., November 18.
[5] IBM X-Force 2011 Trend and Risk Report, March.
[6] Hochmuth, Phil, Worldwide Web Security Forecast and 2010 Vendor Shares: From Surfing Police to Strategic Security Platform, p. 1, IDC, October.

Additional information about configuring the DataPower WAF service and capabilities for web application security can be found in the following: index.jsp?topic=%2fcom.ibm.dp.xg.doc% 2Fwebapplicationfirewalldevelopersguide.xg45.htm wwhimpl/js/html/wwhelp.htm?href=2-6.htm wwhimpl/js/html/wwhelp.htm?href=4-6-3.htm

© Copyright IBM Corporation 2012. IBM Corporation, Software Group, Route 100, Somers, NY. Produced in the United States of America, August 2012.

IBM, the IBM logo, ibm.com, and DataPower are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. Other company, product or service names may be trademarks or service marks of others.

This document is current as of the initial date of publication and may be changed by IBM at any time. It is the user's responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

Please Recycle

WSW14196-USEN-00


More information

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0 Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Web Application Firewall on SonicWALL SRA

Web Application Firewall on SonicWALL SRA Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following

More information