Securing Campus Web Applications with Vulnerability Assessments (VA) and Web Application Firewalls (WAFs)
Neil Matatall | November 5, 2009
University of California, Irvine
OWASP Orange County Chapter Lead
Educause Effective Practices WG Member

Slide titles (bullet text from the slides did not survive extraction; only the titles and the captions below them remain):

Glossary
Agenda
Let's Make It Clear
About UCI
Security Is All About The Layers
    This is commonly known as the "Defense in Depth" strategy.
Commonly Overheard Misconceptions of Application Security
Agenda
Visual Representation of WAFs
What a WAF is
The OSI Stack
    The application set of layers is handled by web application firewalls; the transport set is handled by traditional network firewalls.
What a WAF is (Cont'd)
What a WAF is not
XKCD - Missing the Point (http://xkcd.com/538)
Why You Need A WAF
    Sources: 1. White Hat - statistic for initial examination; 2. Gartner Research
The Most Widespread Vulnerabilities in Web Applications
    Source: WASC - Web Application Security Statistics
Why WAFs Are Attractive in Higher Ed
Example Attack: What the WAF Sees
    OWASP Top 10: #3 Malicious File Execution (RFI)
Agenda
Step One: ModSecurity
Before ModSecurity
After ModSecurity
Step Two: Taking the Dive... Vendors
Downside of Negative Security Model
    Source: 1. Methods to Bypass a Web Application Firewall
Step 1.5
Common Features of Commercial Products
Positive Security Model Examples
Tips & Tricks
WAF Lifecycle
WAF Options
Deployment Options Matrix
    Web Application Firewall Deployment Mode Considerations: Inline vs. Out-of-Line
Deployment Options
    (Deployment diagram; labels: Switch, SecureSphere, Data Center, SecureSphere, INTERNET, SecureSphere)
Which WAF is Right for You?
Bonus: Database Monitoring
Agenda
Vulnerability Assessments
Vulnerability Assessment Strategies
Scan When
Scan What
Agenda
Synergy Bliss
Synergy Bliss Continued
Agenda
New Form of Social Engineering?
WAF Weakening Flavors
Bypassing WAFs
    Source: Methods to Bypass a Web Application Firewall
Agenda
Lessons Learned
WAF Issues Encountered
Because the WAF Says So
WAF Wins
Side Benefits
Leaving Thoughts...
References
References Cont'd
References Cont'd

Contenu connexe

Tendances

Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall introRich Helton
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaGubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaPeter Gubarevich
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsjasonhaddix
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
Web Application Security Testing Tools
Web Application Security Testing ToolsWeb Application Security Testing Tools
Web Application Security Testing ToolsEric Lai
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Analyzing the Effectivess of Web Application Firewalls
Analyzing the Effectivess of Web Application FirewallsAnalyzing the Effectivess of Web Application Firewalls
Analyzing the Effectivess of Web Application FirewallsLarry Suto
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
WAF Deployment proposal
WAF Deployment proposalWAF Deployment proposal
WAF Deployment proposalJeremy Quadri
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 

Tendances (20)

Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaGubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Web Access Firewall
Web Access FirewallWeb Access Firewall
Web Access Firewall
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Owasp
Owasp Owasp
Owasp
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
Web Application Security Testing Tools
Web Application Security Testing ToolsWeb Application Security Testing Tools
Web Application Security Testing Tools
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
 
Analyzing the Effectivess of Web Application Firewalls
Analyzing the Effectivess of Web Application FirewallsAnalyzing the Effectivess of Web Application Firewalls
Analyzing the Effectivess of Web Application Firewalls
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
t r
t rt r
t r
 
WAF Deployment proposal
WAF Deployment proposalWAF Deployment proposal
WAF Deployment proposal
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 

En vedette

Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls  Detection, Bypassing And ExploitationWeb Application Firewalls  Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)Ming-Hung Hseih
 
Modbus Data Communication Systems
Modbus Data Communication SystemsModbus Data Communication Systems
Modbus Data Communication SystemsLiving Online
 
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)Mirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 

En vedette (10)

Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls  Detection, Bypassing And ExploitationWeb Application Firewalls  Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
 
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
 
Modbus
ModbusModbus
Modbus
 
Modbus Data Communication Systems
Modbus Data Communication SystemsModbus Data Communication Systems
Modbus Data Communication Systems
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud Computing
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 

Similaire à Securing Campus Web Apps with VAs and WAFs

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 
Security Operations
Security OperationsSecurity Operations
Security Operationsankitmehta21
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
OWASP: Building Secure Web Apps
OWASP: Building Secure Web AppsOWASP: Building Secure Web Apps
OWASP: Building Secure Web Appsmlogvinov
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresSBWebinars
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 

Similaire à Securing Campus Web Apps with VAs and WAFs (20)

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
Security Operations
Security OperationsSecurity Operations
Security Operations
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
OWASP: Building Secure Web Apps
OWASP: Building Secure Web AppsOWASP: Building Secure Web Apps
OWASP: Building Secure Web Apps
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 

Plus de Neil Matatall

Twubhubbook - it's like appsec, but for startups
Twubhubbook - it's like appsec, but for startupsTwubhubbook - it's like appsec, but for startups
Twubhubbook - it's like appsec, but for startupsNeil Matatall
 
Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1Neil Matatall
 
2013: OC Rails Jan - SecureHeaders library and content security policy
2013: OC Rails Jan - SecureHeaders library and content security policy2013: OC Rails Jan - SecureHeaders library and content security policy
2013: OC Rails Jan - SecureHeaders library and content security policyNeil Matatall
 
2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at TwitterNeil Matatall
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
Educause Annual 2007
Educause Annual 2007Educause Annual 2007
Educause Annual 2007Neil Matatall
 

Plus de Neil Matatall (8)

Twubhubbook - it's like appsec, but for startups
Twubhubbook - it's like appsec, but for startupsTwubhubbook - it's like appsec, but for startups
Twubhubbook - it's like appsec, but for startups
 
Owasp austin
Owasp austinOwasp austin
Owasp austin
 
Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1
 
2013: OC Rails Jan - SecureHeaders library and content security policy
2013: OC Rails Jan - SecureHeaders library and content security policy2013: OC Rails Jan - SecureHeaders library and content security policy
2013: OC Rails Jan - SecureHeaders library and content security policy
 
2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter
 
2012: Passw3rd
2012: Passw3rd2012: Passw3rd
2012: Passw3rd
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
Educause Annual 2007
Educause Annual 2007Educause Annual 2007
Educause Annual 2007
 

Dernier

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 

Dernier (20)

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...

Securing Campus Web Apps with VAs and WAFs

  • 1. Securing Campus Web Applications with Vulnerability Assessments (VA) and Web Application Firewalls (WAFs) Neil Matatall | November 5, 2009 University of California, Irvine OWASP Orange County Chapter Lead Educause Effective Practices WG Member
  • 11. The OSI Stack: the application set is handled by Web Application Firewalls; the transport set is handled by traditional network firewalls
  • 14. XKCD – Missing the Point http://xkcd.com/538
  • 16. The Most Widespread Vulnerabilities in Web Applications WASC - Web Application Security Statistics
  • 32. Deployment Options Matrix WEB APPLICATION FIREWALL DEPLOYMENT MODE CONSIDERATIONS: INLINE VS. OUT-OF-LINE

Editor's notes

  1. 11/04/09 Mention that this talk will be focused mostly on WAFs; ask if anyone is thoroughly disappointed.
  5. 11/04/09 (Figures from 2009)
  9. 11/04/09 The smoking guy was the “boss” from lovelycharts.com. Notice that the intranet does not bypass the WAF.
  12. 11/04/09 Scope Creep!
  13. 11/04/09 WAFs take a LOT of time. Too often I hear, “If we have a WAF, why do we need to write secure code?” One of the biggest surprises to us was how much time and effort is involved.
  15. 11/04/09 Same goes for open source…
  16. 11/04/09 WAFs handle 4 out of 5 of these gracefully, RFI
  17. 11/04/09 AppScan/static analysis is difficult with a large number of small-purpose apps.
  21. 11/04/09 Mention IDS/IPS can’t inspect SSL traffic
  25. 11/04/09 This left us open when our device failed.
  30. 11/04/09 It’s no good if you can’t spend the time tuning after every alert. Mention the “strict profile” versus the normal profile. Mention profiling reports!
  33. 11/04/09 SecureSphere Web Application Firewall Presentation, May 21, 2007, Imperva. Mention the hidden slide matrix.
  40. 11/04/09 Outside scans may get blocked for other reasons.
  42. 11/04/09 Much more accurate for XSS protection. Correlation rules are sad; virtual patches are accurate.
  45. 11/04/09 Inattentive? That just sounds weird
  46. 11/04/09 Note the single and double quote at the end of the name. If a signature is detected, then the WAF doesn’t request
  50. 11/04/09 Connection resets instead of error pages for certain classes
  52. 11/04/09 Fixed DWH, Library problem, caught
  53. 11/04/09 Having the DB on the same host as the web server forces us to install an agent. Messed-up parameters caused unknown-parameter alerts: &variable
  54. 11/04/09 -1.02 is not considered “numeric”
  55. 11/04/09 Fortify will do static analysis on your code if it is open source