
Where every interaction matters.

Peer 1 Vigilant Web Application Firewall
Powered by Alert Logic

The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures

White Paper
May 2013
By: Alert Logic
www.peer1.com

Contents

Introduction
Vigilant Web Application Firewall OWASP Top Ten Defenses
Vigilant Web Application Firewall: Built upon Alert Logic's leading security technology
About Alert Logic

WHITE PAPER: VIGILANT WEB APPLICATION FIREWALL

Introduction

The Open Web Application Security Project (OWASP) is a not-for-profit organization dedicated to improving application software security. OWASP promotes better web application security by providing information about vulnerabilities and threats, as well as secure software development practices. The OWASP Top Ten represents a broad consensus about the most critical web application security flaws that organizations must consider. This group of risks is particularly important to understand because it informs security standards and product development for a variety of organizations and vendors. For organizations that are required to meet PCI DSS requirements, the OWASP Top Ten is critical: PCI DSS uses the OWASP Top Ten as a basis for defining which practices and technologies are acceptable for meeting compliance requirements. The categories and numbering used throughout this paper (A1 to A10) are those of the 2010 edition of the OWASP Top Ten, which was the current edition when this paper was written.

Peer 1 Hosting's Vigilant Web Application Firewall, built upon Alert Logic Web Security Manager, is a fully managed web application firewall that provides defenses against all of the OWASP Top Ten risks. PCI DSS Requirement 6.6 accepts a properly configured and maintained application-layer firewall in front of public-facing web applications as one of its two options (the other being regular application vulnerability assessment or code review), so deploying Vigilant WAF addresses Requirement 6.6 directly, while also protecting web applications and sensitive data from attacks that exploit unpatched vulnerabilities and from zero-day attacks. For more information about OWASP, visit www.owasp.org.

Vigilant Web Application Firewall OWASP Top Ten Defenses

A1 - Injection
Injection flaws, such as SQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Vigilant WAF detects and blocks injection attacks through validation of user input using either negative or positive security policies. A negative policy blocks requests that match known attack signatures; a positive policy allows only input that matches a learned or declared profile of the application's parameters (expected names, character sets and lengths) and rejects everything else.

A2 - Cross site scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser that can hijack user sessions, deface websites or redirect the user to malicious sites.

Vigilant WAF detects and blocks Cross Site Scripting (XSS) attacks through validation of user input using either negative or positive security policies.
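The following is an added example, not code from the paper or from the Vigilant WAF product, showing the difference between the two kinds of input validation policy referred to above for A1 and A2: a negative (signature) policy and a positive (per-parameter profile) policy. The signature list, the parameter profile and the sample requests are constructed for the demo. The last sample is chosen so that the small signature set misses it while the positive profile still rejects it, which is the practical reason WAF deployments combine both.

```python
"""Added example: negative vs positive security policies on request
parameters. Illustrative only; the signatures, the parameter profile and
the sample requests are assumptions made for this demo."""
import re

# Negative policy: patterns that look like SQL or script injection.
# Deliberately small; production signature sets are far larger.
NEGATIVE_SIGNATURES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),
    re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),   # ' OR '1'='1
    re.compile(r"(?i)(--|;)\s*$"),                      # trailing comment/terminator
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\bon\w+\s*="),                     # onerror=, onload=
]

# Positive policy: per-parameter profile declared (or learned) for this app.
# Each entry: (regex the whole value must match, maximum length).
POSITIVE_PROFILE = {
    "id":   (re.compile(r"^[0-9]{1,10}$"), 10),
    "q":    (re.compile(r"^[A-Za-z0-9 ._-]*$"), 64),
    "lang": (re.compile(r"^(en|de|fr)$"), 2),
}

def negative_check(params):
    """Return [(param, signature)] hits; an empty list means no signature fired."""
    hits = []
    for name, value in params.items():
        for sig in NEGATIVE_SIGNATURES:
            if sig.search(value):
                hits.append((name, sig.pattern))
                break
    return hits

def positive_check(params, profile=POSITIVE_PROFILE):
    """Return [(param, reason)] hits; parameters not in the profile are rejected too."""
    hits = []
    for name, value in params.items():
        if name not in profile:
            hits.append((name, "unknown parameter"))
            continue
        pattern, max_len = profile[name]
        if len(value) > max_len:
            hits.append((name, "too long"))
        elif not pattern.match(value):
            hits.append((name, "charset/format violation"))
    return hits

def evaluate(params):
    """Block if either policy fires; report which one did."""
    neg, pos = negative_check(params), positive_check(params)
    return {"blocked": bool(neg or pos), "negative": neg, "positive": pos}

# Constructed sample requests (query parameters already URL-decoded).
SAMPLES = {
    "benign":       {"id": "42", "q": "owasp top ten", "lang": "en"},
    "classic_sqli": {"id": "1' OR '1'='1", "lang": "en"},
    "xss":          {"q": "<script>alert(1)</script>", "lang": "en"},
    # Slips past the small signature set but violates the 'id' profile.
    "evasive":      {"id": "1/**/AND/**/1=1", "lang": "en"},
}

if __name__ == "__main__":
    for label, params in SAMPLES.items():
        print(label, evaluate(params))
```

The positive profile is the stronger control but needs an accurate model of the application (every legitimate parameter and its shape); the negative policy works with no prior knowledge but only catches what it has a pattern for.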

A3 - Broken authentication and session management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities.

Session cookies are bound to client IPs by issuing a validation cookie containing a cryptographic token (a checksum) that validates that the client IP is the one the session was originally issued to. In order to perform session attacks, an attacker must therefore steal the target's IP address or, in the case of session fixation, get the target to use the attacker's IP. This binding is only as strong as the IP address is as an identifier: clients behind the same NAT gateway or proxy share one address, and a client whose address changes mid-session (for example on a mobile network) will fail the binding check. The form validation tokens described under A5 do not depend on the address.

A4 - Insecure direct object reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Vigilant WAF detects and blocks insecure direct object reference attacks through validation of user input using positive security policies. Additionally, negative policies can be defined that block direct access to directories or files (for instance /admin/).

A5 - Cross site request forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.

Vigilant WAF protects against session hijacking and CSRF attacks by injecting cryptographic validation cookies and parameters into responses from the web system. Forms issued by an application in the web system are bound to the session through insertion of a form validation parameter containing a cryptographic token, which proves that the action formulator (the application issuing the page containing the form) is in fact part of the web system protected by Vigilant WAF. This provides strong protection against CSRF attacks because an attacker, in order to forge a request, must know the validation token for the form action for the current session; unlike a cookie, that token is not attached automatically by the browser to requests originating from the attacker's page.
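The following is an added example, not the product's implementation, of the two token mechanisms described for A3 and A5: a validation cookie that binds the application session to the client IP, and a per-form validation parameter bound to the session. It uses HMAC-SHA256 under a per-deployment key (the paper says only "cryptographic token"; HMAC is the assumption made here), and the request format, the session identifier and the IP addresses are constructed for the demo. The scenario shows a forged cross-site POST failing on the form token even though the binding cookie is valid, and a replay from another address failing on the IP binding.

```python
"""Added example: HMAC-bound session validation cookie and per-form token.
Illustrative only; key handling, token layout and request format are
assumptions for this demo, not the product's own design."""
import hashlib
import hmac
import secrets

# Per-deployment signing key. Generated at import for the demo; a real
# deployment keeps it in protected configuration and rotates it.
WAF_KEY = secrets.token_bytes(32)

def _mac(*parts: str) -> str:
    """HMAC-SHA256 over labelled parts, joined by a separator that cannot
    occur in any part, so ("ab","c") and ("a","bc") never collide."""
    return hmac.new(WAF_KEY, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()

def issue_session_binding(session_id: str, client_ip: str) -> str:
    """Value of the WAF validation cookie: binds the app session to the IP."""
    return _mac("session", session_id, client_ip)

def verify_session_binding(session_id: str, client_ip: str, cookie: str) -> bool:
    return hmac.compare_digest(issue_session_binding(session_id, client_ip), cookie)

def issue_form_token(session_id: str, form_action: str) -> str:
    """Hidden parameter injected into each form the protected app serves."""
    return _mac("form", session_id, form_action)

def verify_form_token(session_id: str, form_action: str, token) -> bool:
    if not token:
        return False
    return hmac.compare_digest(issue_form_token(session_id, form_action), token)

def check_request(req: dict):
    """Apply both checks to an inbound request.
    req keys: method, action, session_id, client_ip, binding_cookie, form_token."""
    if not verify_session_binding(req["session_id"], req["client_ip"], req.get("binding_cookie", "")):
        return False, "session not bound to this client IP"
    if req["method"] == "POST" and not verify_form_token(req["session_id"], req["action"], req.get("form_token")):
        return False, "missing or invalid form validation token"
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: victim at 203.0.113.7 holds session 's1'."""
    victim_ip, attacker_ip, sid = "203.0.113.7", "198.51.100.9", "s1"
    cookie = issue_session_binding(sid, victim_ip)   # set on the login response
    token = issue_form_token(sid, "/transfer")        # injected into the form
    base = {"session_id": sid, "client_ip": victim_ip, "binding_cookie": cookie}
    return {
        # Legitimate submission of the WAF-issued form.
        "legit_post": check_request({**base, "method": "POST", "action": "/transfer", "form_token": token}),
        # CSRF: the attacker's page makes the victim's browser POST. Cookies are
        # attached automatically (same IP, same session) but the token is not.
        "csrf_post": check_request({**base, "method": "POST", "action": "/transfer"}),
        # A token issued for one form action does not validate another.
        "wrong_action": check_request({**base, "method": "POST", "action": "/delete", "form_token": token}),
        # Stolen session and binding cookies replayed from the attacker's address.
        "hijack": check_request({**base, "client_ip": attacker_ip, "method": "GET", "action": "/account"}),
        # Ordinary navigation by the victim needs no form token.
        "legit_get": check_request({**base, "method": "GET", "action": "/account"}),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:13s} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```

Note that an attacker behind the same NAT as the victim presents the same address, so in that case only the form token stands between the attacker and a successful CSRF or replay; this is why the two mechanisms are layered rather than relying on IP binding alone.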

A6 - Security misconfiguration
Good security requires a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. All of these settings should be defined, implemented and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 - Insecure cryptographic storage
Many web applications do not properly protect sensitive data, such as credit card numbers, SSNs and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud or other crimes.

A8 - Failure to restrict URL access
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform the same access control checks each time these pages are requested, or attackers will be able to forge URLs to reach these hidden pages anyway.

A9 - Insufficient transport layer protection
Applications frequently fail to authenticate, encrypt and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates or do not use them correctly.

Vigilant WAF defenses for A6 through A9:

Web server cloaking and customizable HTTP error handling and interception shield web servers from direct Internet access and defeat fingerprinting attacks. URL blocking and support for strong authentication and authorization prevent or control access to critical resources. Data leak prevention filters outgoing traffic and blocks or masks sensitive information. Access to resources requiring a valid user session by unauthenticated users (users without a valid session) is detected and blocked by Vigilant WAF. Resource access authorization can be enabled for web applications as well as for static files such as XML and PDF.

Vigilant WAF provides an HTTPS front end to web resources, transforming an HTTP website into an encrypted HTTPS site without any code changes; additionally, HTTP (cleartext) requests can be redirected to HTTPS. Terminating TLS at the WAF encrypts only the client-to-WAF leg: traffic between the WAF and the origin server remains cleartext unless the origin is also served over HTTPS, so that link must stay on a trusted network segment. Likewise, data leak prevention limits what sensitive data leaves the site, but it does not replace proper encryption or hashing of that data at rest in the application (A7).

A10 - Unvalidated redirects and forwards
Web applications frequently redirect and forward users to other pages and websites, using untrusted data to determine the destination. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Vigilant WAF verifies redirects sent by its protected web applications. Redirects can be limited to the domain(s) of the protected web applications plus additional, explicitly allowed domains. Server-side forwards never cross the network, so a WAF cannot see or check them; those must be fixed in the application itself.

Vigilant Web Application Firewall: Built upon Alert Logic's leading security technology

With web application and data security becoming more pressing every year, Peer 1 Hosting has leveraged the security expertise and technologies of our strategic partner, Alert Logic. Powered by Alert Logic, our Vigilant Web Application Firewall is a managed web application firewall that protects against web application attacks identified by industry security standards (including the OWASP Top Ten), as well as data leakage and other commonly exploited vulnerabilities. It also assists with DoS and DDoS mitigation. Vigilant WAF profiles, analyzes and protects web applications using both positive and negative security technologies. Vigilant WAF assists with meeting the requirements of PCI DSS 2.0 section 6.5 and satisfies the application firewall option of section 6.6. The service is deployed as a physical or virtual appliance within the customer's environment and managed via Alert Logic's self-service web interface.

The ActiveWatch service for Vigilant WAF addresses the challenge of ongoing management and tuning of the web application firewall. Alert Logic's security analysts provide expert analysis of customer data, professional escalation of inappropriately blocked requests and regular tuning of Vigilant WAF policies and settings. The Alert Logic security team also acts as a resource for other questions about, and analysis of, web security data.
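The following is an added example, not the product's code, of the redirect check described under A10: a Location header is allowed only if it stays on the protected application's domains or an explicit extra list. The domains and the sample Location values are constructed for the demo. It goes beyond the paper's one-sentence description by handling the inputs that commonly slip past naive host checks (protocol-relative URLs, userinfo before an "@", lookalike suffixes, backslashes that browsers treat as slashes, and non-HTTP schemes).

```python
"""Added example: allowlist check on a redirect Location header as a WAF
could apply it to responses from the protected application. Domains and
sample values are assumptions for this demo."""
from urllib.parse import urlsplit

# Assumed: the protected application's own domains plus administrator-
# approved extra domains (e.g. a payment provider).
PROTECTED_DOMAINS = frozenset({"shop.example.com", "example.com"})
EXTRA_ALLOWED = frozenset({"pay.example-payments.net"})

def _host_allowed(host: str, allowed) -> bool:
    """Exact match or subdomain on a dot boundary, so that
    'example.com.evil.net' is not accepted for 'example.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def redirect_allowed(location: str, allowed=PROTECTED_DOMAINS | EXTRA_ALLOWED) -> bool:
    """Return True if this Location value may be passed on to the client."""
    # Browsers treat backslash as slash in URLs, so '/\evil' means '//evil'.
    loc = location.strip().replace("\\", "/")
    try:
        parts = urlsplit(loc)
        hostname = parts.hostname     # lower-cased; userinfo and port stripped
    except ValueError:
        return False                  # malformed, e.g. a bad IPv6 literal
    if parts.scheme:
        # Absolute URL: only http(s) and only to an allowed host. This also
        # rejects javascript:/data: and scheme-only forms like 'https:evil.net'.
        if parts.scheme.lower() not in ("http", "https") or not hostname:
            return False
        return _host_allowed(hostname, allowed)
    if parts.netloc:
        # Protocol-relative '//host/...' leaves the site just like an absolute URL.
        return bool(hostname) and _host_allowed(hostname, allowed)
    return True                       # path-only redirect stays on the site

# Constructed Location values with the decision a correct check must reach.
CASES = {
    "/account": True,
    "https://shop.example.com/orders": True,
    "https://SHOP.example.com:8443/orders": True,
    "https://pay.example-payments.net/checkout": True,
    "https://evil.example.net/": False,
    "//evil.example.net/": False,
    "/\\evil.example.net/": False,
    "https://shop.example.com@evil.example.net/": False,
    "https://shop.example.com.evil.net/": False,
    "javascript:alert(1)": False,
    "https:evil.example.net": False,
}

def check_all(cases=CASES) -> dict:
    """Evaluate every sample and return {location: decision}."""
    return {loc: redirect_allowed(loc) for loc in cases}

if __name__ == "__main__":
    for loc, decision in check_all().items():
        print("ALLOW" if decision else "BLOCK", loc)
```

In a WAF this check runs on 3xx responses from the origin before they are released to the client; a blocked redirect would typically be replaced by an error page or a redirect to the site root rather than passed through.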
About Alert Logic

Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24x7x365 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an as-a-service delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight, and flexible deployment options to address customer security needs in any computing environment. Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 1,700 enterprises. Alert Logic is based in Houston, Texas, and was founded in 2002. For more information, please visit http://www.alertlogic.com.

Call us to get started now. 1.866.579.9690 / peer1.com