Where every interaction matters.

Transcription

1 Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper May 2013 By: Alert Logic

2 Contents Introduction 3 Vigilant web application firewall OWASP top ten defenses 3 Vigilant Web Application Firewall: Built upon Alert Logic s leading 6 security technology About Alert Logic 6 WHITE PAPER: VIGILANT WEB APPLICATION FIREWALL 2

3 White Paper Introduction The Open Web Application Security Project (OWASP) is a not-for-profit organization dedicated to improving application software security. OWASP promotes better web application security by providing information about vulnerabilities and threats, as well as secure software development practices. The OWASP Top Ten represents a broad consensus about the most critical web application security flaws that organizations must consider. This is a particularly important group of risks to understand because it informs security standards and product development for a variety of organizations and vendors. For organizations that are required to meet PCI DSS requirements, the OWASP Top Ten are critical; PCI requirements use the OWASP Top Ten as a basis for defining which practices and technologies are acceptable for meeting compliance requirements. Peer 1 Hosting s Vigilant Web Application Firewall, built upon Alert Logic Web Security Manager, is a fully managed web application firewall that provides defenses against all of the OWASP Top Ten risks. As such, implementation of Vigilant WAF provides immediate PCI DSS Requirement 6.6 compliance, as well as robust protection of web applications and sensitive data from attacks that exploit unpatched vulnerabilities and zero day attacks. For more information about OWASP, visit Vigilant Web Application Firewall OWASP Top Ten Defenses A1 - Injection Injection flaws, such as SQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. A2 - Cross site scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim s browser that can hijack user sessions, deface websites or redirect the user to malicious sites. Vigilant WAF attacks through validation of user input using either negative or positive security policies. Vigilant WAF detects and blocks Cross Site Scripting (XSS) attacks through validation of user input using either negative or positive security policies. WHITE PAPER: VIGILANT WEB APPLICATION FIREWALL 3

4 Vigilant Web Application Firewall OWASP Top Ten Defenses A3 - Broken authentication and session management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens or exploit other implementation flaws to assume other users identities. A4 - Insecure direct object reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. A5 - Cross site request forgery (CSRF) A CSRF attack forces a logged on victim s browser to send a forged HTTP request, including the victim s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. Session cookies are bound to client IPs by issuing a validation cookie containing a cryptographic token (a checksum), which validates that the client IP is the original issuant. In order for an attacker to perform session attacks, he must steal the IP address of the target or give his IP to the target in case of session fixation attacks. Vigilant WAF detects and blocks insecure direct object reference attacks through validation of user input using positive security policies. Additionally, negative policies can be defined blocking direct access to directories or files (for instance /admin/). Vigilant WAF protects against session hijacking and CSRF attacks by injecting cryptographic validation cookies and parameters to responses from the web system. Forms issued by an application in the web system are bound to the session through insertion of a form validation parameter containing a cryptographic token, which proves that the action formulator (the application issuing the page containing a form) is in fact part of the web system protected by Vigilant WAF. This provides very strong protection against CSRF attacks because the attacker, in order to forge a request, must to know the validation token for the form action for the current session. WHITE PAPER: VIGILANT WEB APPLICATION FIREWALL 4

5 Vigilant Web Application Firewall OWASP Top Ten Defenses A6 - Security misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. All these settings should be defined, implemented and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. A7 - Insecure cryptographic storage Many web applications do not properly protect sensitive data, such as credit cards, SSNs and authentication credentials with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud or other crimes. 8 - Failure to restrict URL access Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. A9 - Insufficient transport layer protection Applications frequently fail to authenticate, encrypt and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates or do not use them correctly. Web server cloaking and customizable HTTP error handling and interception completely shield web servers from direct Internet access and defeat fingerprinting attacks. URL blocking and support for strong authentication and authorization prevent or control access to critical resources. Data leak prevention filters outgoing traffic and blocks or masks sensitive information. Access to resources requiring a valid user session from unauthenticated users (users without a valid session) is detected and blocked by Vigilant WAF. Resource access authorization can be enabled for web applications as well as static files like XML and PDF. Vigilant WAF provides an HTTPS front end to web resources, transforming an HTTP website into an encrypted HTTPS site without having to change any code. Additionally HTTP (cleartext) requests can be redirected use HTTPS. WHITE PAPER: VIGILANT WEB APPLICATION FIREWALL 5

6 Vigilant Web Application Firewall OWASP Top Ten Defenses A10 - Unvalidated redirects and forwards Web applications frequently redirect and forward users to other pages and websites and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages. Vigilant WAF verifies redirects sent by its protected web applications. Redirects can be limited to the domain(s) of the protected web applications plus additional domains. Vigilant Web Application Firewall: Built upon Alert Logic s leading security technology With web application and data security becoming more pressing every year, Peer 1 Hosting has leveraged the security expertise and technologies of our strategic partner, Alert Logic. Powered by Alert Logic, our Vigilant Web Application Firewall is a managed web application firewall that protects against web application attacks identified by industry security standards (including the OWASP Top Ten), as well as data leakage and other commonly exploited vulnerabilities. It also assists with DoS and DDoS mitigation. Vigilant WAF profiles, analyzes and protects web applications using both positive and negative security technologies. Vigilant WAF assists with meeting requirements of PCI DSS 2.0 section 6.5 and provides section 6.6 compliance. The service is deployed as a physical or virtual appliance within the customer s environment, and managed via Alert Logic s self-service web interface. The ActiveWatch service for Vigilant WAF addresses the challenge of ongoing management and tuning of the web application firewall. Alert Logic s security analysts provide expert analysis of customer data, professional escalation of inappropriately blocked requests and regular tuning of Vigilant WAF policies and settings. The Alert Logic security team also acts as a resource for other questions about and analysis of web security data. About Alert Logic Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24 7x365 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an as-a-service delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight and flexible deployment options to address customer security needs in any computing environment. Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-asa-Service solutions for business application deployments for over 1,700 enterprises. Alert Logic is based in Houston, Texas, and was founded in For more information, please visit Call us to get started now / peer1.com WHITE PAPER: VIGILANT WEB APPLICATION FIREWALL 6