Web Application Security



Similar documents
White Paper Secure Reverse Proxy Server and Web Application Firewall

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Technical Brief ActiveSync Configuration for WatchGuard SSL 100

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Guidelines for Web applications protection with dedicated Web Application Firewall

Sitefinity Security and Best Practices

What is Web Security? Motivation

Total Enterprise Mobility

HTTPS Inspection with Cisco CWS

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly

The Hillstone and Trend Micro Joint Solution

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

The Secure Web Access Solution Includes:

Vodafone Hosted Services. Getting your . User guide

Reverse Proxy for Trusted Web Environments > White Paper

End User Devices Security Guidance: Apple ios 8

Certified Secure Computer User

Introduction to the Mobile Access Gateway

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Where every interaction matters.

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Simple security is better security Or: How complexity became the biggest security threat

Web Application Report

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Inspection of Encrypted HTTPS Traffic

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Zscaler Internet Security Frequently Asked Questions

Information Systems. Connecting Smartphones to NTU s System

Network Security Topologies. Chapter 11

Certified Secure Computer User

Firewall Environments. Name

How To Use A Microsoft Mobile Security Software For A Corporate Account On A Mobile Device

全 球 資 安 剖 析, 您 做 確 實 了 嗎? Albert Yung Barracuda Networks

Using MobileIron Sentry for Control and Visibility into ActiveSync Devices

ONE Mail Direct for Mobile Devices

Setting Up Scan to SMB on TaskALFA series MFP s.

1 Outlook Web Access. 1.1 Outlook Web Access (OWA) Foundation IT Written approximately Dec 2010

Hosted Microsoft Exchange Client Setup & Guide Book

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Cloud Services MDM. ios User Guide

INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe

Extranet Access Management Web Access Control for New Business Services

Move over, TMG! Replacing TMG with Sophos UTM

Useful Tips for Reducing the Risk of Unauthorized Access for Network Cameras Important

FortiWeb 5.0, Web Application Firewall Course #251

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

Vladimir Yordanov Director of Technology F5 Networks, Asia Pacific Developments in Web Application and Cloud Security

Basic & Advanced Administration for Citrix NetScaler 9.2

How To Secure Your Store Data With Fortinet

Hosted Microsoft Exchange Client Setup & Guide Book

iphone in Business How-To Setup Guide for Users

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Sophos Mobile Control Technical guide

F5 Silverline Web Application Firewall Onboarding: Technical Note

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Secret Server Qualys Integration Guide

Ruby on Rails Secure Coding Recommendations

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Tableau Online Security in the Cloud

The Benefits of SSL Content Inspection ABSTRACT

The ForeScout Difference

Cisco Mobile Collaboration Management Service

Kaspersky Lab Mobile Device Management Deployment Guide

Security. Mobile Device FOR. by Rich Campagna, Subbu Iyer, and Ashwin Krishnan. John Wiley & Sons, Inc. Foreword by Mark Bauhaus.

Small Business Server Part 2

THE OPEN UNIVERSITY OF TANZANIA

Application Security Made in Switzerland

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Access Your Cisco Smart Storage Remotely Via WebDAV

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Jort Kollerie SonicWALL

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Grapevine Mail User Guide

Sophos Mobile Control Installation prerequisites form

Interact Intranet Version 7. Technical Requirements. August Interact

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

ELECTRONIC COMMERCE SYSTEMS

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Hosted SharePoint. OneDrive for Business. OneDrive for Business with Hosted SharePoint. Secure UK Cloud Document Management from Your Office Anywhere

The Internet, Intranets, and Extranets. What is the Internet. What is the Internet cont d.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

BYOD Guidance: BlackBerry Secure Work Space

Windows Phone 8 devices will be used remotely over 3G, 4G and non-captive Wi-Fi networks to enable a variety of remote working approaches such as

How To Protect A Web Application From Attack From A Trusted Environment

CTX-1259BI Citrix Presentation Server 4.5 and XenApp 5.0 for Windows Server 2003: Administration

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Version 1.0 January Xerox Phaser 3635MFP Extensible Interface Platform

Web App Security Audit Services

FRONT RUNNER DIPLOMA PROGRAM INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Transcription:

Web Application Security Erwin Huber Head of Research & Development Web Application Security Web Application Security Unit Strong Focus on Web Application Security since 1996 Protection of Web Applications against attacks and manipulation Access Control, Identity Management and Single Sign On for Web environments 17 Employees Top Class Customer References Over 200 customers with more than 500 installations in 8 countries 9 out of 10 banks in Switzerland protect their e-banking with Airlock Indirect Sales Model / direct touch GLOBAL SECURITY ALLIANCE 1

Mega Trend: Web Applications e-banking (starts by end of the nineties) e-shops e-government Intranet Portals (emloyees) Extranet Portals (Partner) Web 2.0 Applications / Social Network Collaboration (MS Sharepoint etc) Massive savings, growing customer satisfaction, more visibility So far so good but what is with security Motivation Today s Application Level Attacks are targeted and motivated by Data theft (criminally, commercially) Espionage Reputation damage Malware Deployment (Spam, Botnets) Identity Theft Denial of Service Web Applications & Web Services are the most attractive target as they represent an electronic interface to data Many people say «We never had such a problem» well... how do you know? Application level data theft is not recognized in most cases! 2

Effectivity =Security 9/8/2010 How to make web applications more secure? There is no Silver Bullet Web application security is always a combination of instruments Goal: Achieve maximum security with reasonable effort ($) Code Analysis Web Application Firewall Penetration Tests Security Training for developers IPS / Deep Inspection Vulnerability Scanning Efficiency = Value/Cost /time to market Key Criteria for Application Security WHOM are we dealing with? Access Control WHAT are we dealing with? Filtering 3

Strategic Web Entry Solution PCI-DSS Compliance Multi-Level Filtering Application Acceleration Access Control, Identity Mgt., Single Sign On ICAP Content Filtering Monitoring & Reporting Multi-Level Filtering 4

Dynamic Whitelisting Technologies URL Encryption Effective protection against forceful browsing URLs and parameters 100% protected Topology and technology hiding Dynamic, no static configuration Smart Form Protection Cryptographic protection of HTML forms Only valid inputs allowed Automatic protection of hidden fields, selections, etc Dynamic, no static configuration Cookie Protection Cryptographic protection of application cookies Only valid cookies accepted Privacy & Integrity Dynamic, no static configuration Local cookie store Application dynamically defines valid URLs, parameters and values. Airlock enforces valid usage! Cookie Protection Pass-through (not protected) conventional, cookie may be read and manipulated in browser Same as without airlock Encrypt airlock encrypts cookie before sending it to the browser Cookie not forgeable because a valid encryption is required Store Cookies are not sent to browser but held in the user session on airlock airlock needs its own session tracking (cookie or SSL session) 1) 2) 3) Web Application 5

URL Encryption Example User requests start page: https://www.myapp.com Application sends plain URL in HTML: http://192.168.1.123/news.php?include=news.txt User browser receives encrypted URL: Secured Area https://www.myapp.com/$xp1/gmnguyqptcsymqqb DMZ Manipulated requests are blocked: https://www.myapp.com/news.php? include=../../../../../etc/passwd Error! Key Web Application Security Topics 6

Access Control User Airlock Authentication Service User Directory Web Application Authentication enforcement & Single Sign On Authentication may depend on user type, role and origin 7

Airlock Secure Active Sync Authentication via SSL client certificate before the access onto Exchange servers Active-Sync specific whitelist-rules Device-independent: Windows Mobile Nokia N-Series Apple iphone Supported Push Email Calendar & contacts synchronisation Enforcement of data erasing if client is lost or subject to brute force Policy enforcement for e.g. device password Airlock SharePoint Integration 8

Your Choice: Airlock benefits! Leading Web application firewall in central Europe Competent and trusted product development in Switzerland Unique and unmatched combination of authentication enforcement, filtering and high security platform Only WAF solution with real dynamic whitelisting (much easier to manage, less operational costs, less application dependencies) Rapid Web-Security Compliance (e.g. PCI-DSS, Certified Secure Web) Thank you! https://techzone.ergon.ch/url-encryption erwin.huber@ergon.ch 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information