Information Technology Policy



Similar documents
Information Technology Policy

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Guidelines for Web applications protection with dedicated Web Application Firewall

05.0 Application Development

Basic & Advanced Administration for Citrix NetScaler 9.2

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

How To Protect A Web Application From Attack From A Trusted Environment

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

What is Web Security? Motivation

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Penetration Testing Service. By Comsec Information Security Consulting

Where every interaction matters.

The New PCI Requirement: Application Firewall vs. Code Review

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

10 Things Every Web Application Firewall Should Provide Share this ebook

NSFOCUS Web Application Firewall

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Implementation of Web Application Firewall

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Information Technology Policy

ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Application Security Testing

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

White Paper Secure Reverse Proxy Server and Web Application Firewall

CNS-301-3I ~ Citrix NetScaler 11 Advanced Implementation

Check list for web developers

Web Applications The Hacker s New Target

SERENA SOFTWARE Serena Service Manager Security

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

The Application Delivery Controller Understanding Next-Generation Load Balancing Appliances

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

NSFOCUS Web Application Firewall White Paper

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Web Application Security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Columbia University Web Security Standards and Practices. Objective and Scope

2013 MONITORAPP Co., Ltd.

IJMIE Volume 2, Issue 9 ISSN:

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

FortiWeb 5.0, Web Application Firewall Course #251

Recommended Practice Case Study: Cross-Site Scripting. February 2007

OWASP Top Ten Tools and Tactics

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

QuickBooks Online: Security & Infrastructure

F5 ASM i DB Monitoring w ofercie NASK

Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.

Networking and High Availability

Web App Security Audit Services

Cloud Security:Threats & Mitgations

Information Technology Policy

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Networking and High Availability

Passing PCI Compliance How to Address the Application Security Mandates

8070.S000 Application Security

Application Security Policy

New IBM Security Scanning Software Protects Businesses From Hackers

Durée 4 jours. Pré-requis

Chapter 4 Application, Data and Host Security

Web Application Security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

INSTANT MESSAGING SECURITY

LINUX / INFORMATION SECURITY

Last update: February 23, 2004

elearning for Secure Application Development

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

IndusGuard Web Application Firewall Test Drive User Registration

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Web Application Vulnerabilities and Avoiding Application Exposure

Web Intrusion Detection with ModSecurity. Ivan Ristic

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Web Application Report

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Transcription:

Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review Annual This Information Technology Policy (ITP) establishes policy and enterprise-wide standards for Web Application Firewalls. 1. Purpose Web application firewalls address the needs of limiting Internet attacks and monitoring of Web applications located in the commonwealth. This Information Technology Policy (ITP) establishes the policy and enterprise-wide standards for web application firewalls. A web application firewall provides a number of key benefits to the commonwealth s Enterprise Server Farm (ESF) and the agencies that house web applications there. These benefits include: Protecting against web attacks. Minimizing the threat window for each exposure by blocking access to vulnerability until the vulnerability can be fixed in the source code. Meeting PCI compliance requirements. Monitoring end-user s transactions with a web application. Providing an additional layer of web application hardening. 2. Scope This Information Technology Policy (ITP) applies to all departments, boards, commissions and councils under the Governor s jurisdiction. Agencies not under the Governor s jurisdiction are strongly encouraged to follow this ITP. 3. Objective To establish policy and enterprise-wide standards for use of the web application firewalls. 4. Policy In order to ensure the highest levels of security and overall effectiveness of protecting Internet-facing web applications, compliance rule sets will be invoked by Office of Information Security to automatically block attacks coming from the Internet. Internet-facing web application located in commonwealth datacenters are encouraged to use the web application firewall standard for protecting sensitive information or information classified by the data owner that meets the criteria for an Internet attack.

A business-determined mission critical Internet-facing web application infrastructure can be secured by either a hardware or software form factor. The web application firewall may not disallow an authorized request from an Internet user and may not affect legitimate business traffic in the IT infrastructure while protecting web applications. The web application firewall default configuration must be able to monitor and prevent specific web application attacks until emergency patches and or source-code changes can be made to the vulnerable web application. The default web application rule configuration must be able to monitor and immediately block types of Web attacks targeting the web application. A SSL certificate is required by the web application firewall to inspect data passed between the Web servers. The web application firewall must be able to track, log, and inspect the following information relating to the web applications access by the end-user: o Application layer network traffic; o External and internal user sessions; o External and internal user-encrypted sessions; o Simulated attacks; o Blocked attacks; and o HTTP, HTTPS, Proxy error logging. Real-time automated failover architecture is required when web application firewall is integrated inline and could impact the flow of business-critical network traffic. Monitoring In accordance with the Commonwealth of Pennsylvania Information Technology Acceptable Use Policy, Management Directive 205.34, CoPA Information Technology Acceptable Use Policy, communication with a commonwealth authorized user may be audited by the Office for Information Security on a random basis to ensure compliance with set Web application firewall protection rules. 5. Product Standards for Web Application Firewalls CURRENT STANDARDS (These technologies or products meet the requirements of the current architecture and are recommended for use.) Technology or Product imperva (SecureSpere) Fortify (360 Application Defense Module) Product or Hardware based (Appliance) Software based (Agent) CONTAIN Technology Classification Current Current (These technologies or products no longer meet the requirements of the current architecture and are not recommended for use. They are to be phased out over time. No date has been set for their discontinuance.) Technology or Product Product or Technology Classification Page 2 of 5

-- -- Contain RETIRE (These technologies or products are being phased out. Plans are to be developed for their replacement, especially if there is risk involved, such as lack of vendor support. A date for retirement has been set.) Technology or Product Product or Technology Classification -- -- Retire mm/dd/yy EMERGING / RESEARCH (Emerging technologies have the potential to become current standards. At the present time, they are to be used only in pilot or test environments where they can be evaluated. Use of these technologies is restricted to a limited production mode, and requires approval of a waiver request. Research technologies are less widely accepted and time will determine if they will become a standard.) Technology or Product Product or Technology Classification -- -- Emerging / Research 6. Web Application Firewall Compliance Standards This minimum compliance standard is intended to provide a default set of Web application firewall protection rules to protect commonwealth confidential data from Internet web attacks. The minimum Web application compliance standard consists of protection categories with the following settings: Web Application Firewall Standard Protection (A shaded category indicates blocking is enabled for the protection rule) Category type for a protection rule Application Buffer Overflow Cross-site scripting (XSS) Counter measures Sending too much data in a request to the application. Inserting scripting language into text fields to be displayed to other users. Page 3 of 5

Cookie Poisoning Forceful Browsing Modifying the cookie file causing the return of unauthorized information of enabling performance of activity on behalf of another user. Gaining access to the constrained areas in a Web server directory. Hidden Field Manipulation Modifying form fields allowing damaging data to pass to the Web application. Parameter Tampering Modify the parameters being passed as part of the URL. Stealth Commanding (e.g., SQL/OS Injections) A code injection technique that exploits a security vulnerability occurring in the database layer of an application. URL & Unicode encoding Encoding certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server. No protection rules may appear before this enterprise protection rules without approval from Office for Information Security. Agencies may request additional protection rules for their agencies business requirements by contacting the Office for Information Security. 7. Responsibilities The commonwealth's Chief Information Security Officer (CISO) will regularly audit for compliance with this policy and its associated standards. Agency Information Security Officers (ISO s) or designates are to ensure are to ensure agency internet traffic is in accordance with this policy. Page 4 of 5

8. Related ITPs/Other References ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data MD 205.34 - CoPA Information Technology Acceptable Use Policy 9. Authority Executive Order 2011-05, Enterprise Information Technology Governance 10. Publication Version Control It is the user s responsibility to ensure they have the latest version of this publication. Questions regarding this publication are to be directed to RA-itcentral@pa.gov. This chart contains a history of this publication s revisions: Version Date Purpose of Revision Original 1/15/2010 Base Document 4/2/2014 ITP Reformat; Merged OPD-SEC004B, STD- SEC004A into ITP Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information