Web Application Firewall - Web Application & Web Services Security integrated in Global Application Offering
1. Web Application & Web Services Security integrated in Global Application Offering
- Problems? No, no problems at all. - Yes. We're using WAF too.
3.11.2011 Thomas Malmberg
2. 11.9.2014
(C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY]
2
Agenda
•Security and its many faces
•Drivers and issues for choosing an application firewall
•Minutes to learn, a lifetime to master
”Questions may be asked at any given time”
Web Application & Web Services Security integrated in Global Application Offering
3. 11.9.2014
Security and its many faces
•Security has to be applied on many levels in an organization
–Processes
–User management
–Firewalls
–Keycards
–Doors
–SSL
–Penetration testing
–Training
–...
•Can security be enforced by applying Magnum Force?
4. 11.9.2014
Security and its many faces
•Carrot-and-stick approach
–Give some and get some
–Design and enforce policies, not "magnum force"
–Involve the right people – You need to "sell your agenda"
–Make sure you "enable business" (but what does that really mean?)
–In certain cases, deploying a new technology is the right solution
5. 11.9.2014
Drivers and issues for choosing an application firewall
...but wait - let's recap what REALLY happened
(or what should have happened)
The Stick
PCI-DSS
The Carrot
Cut costs on expensive application re-testing and re-coding and re-inventing and re-everything
6. 11.9.2014
Drivers and issues for choosing an application firewall
•PCI-DSS was "the drop that spilled the cup"
•Before PCI-DSS we had at least this:
–National Legislation
–Financial Supervisory Authority Directives
–EU Legislation & Directives
–Finanssivalvonta, Finansinspektionen
–Common Sense
•Then we woke up and realized that...
–Security had many faces
–Security cannot be bought (but neat firewalls can!)
–Security is a mindset
–Security is a way of life
Financial Supervisory Authority:
• Finanssivalvonta (FI)
• Finansinspektionen (SE)
7. 11.9.2014
Drivers and issues for choosing an application firewall
•Today we understand that
–Credit-card numbers are not everything
–Many different inputs feed into definitive compliance
–It is not wise to pursue different directives or pieces of legislation separately
–Everything we do in this field increases the overall security
8. 11.9.2014
Drivers and issues for choosing an application firewall
9. 11.9.2014
Case HBGary
•HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors.
•HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
•Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things.
•Source: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/
10. 11.9.2014
Case HBGary
1. The CMS system had an SQL injection vulnerability
2. Usernames were stolen from the user database
3. Passwords were hashed using simple MD5 without salting
4. Passwords were weak
5. The same passwords were used for public SSH access
6. The SSH server was not patched, so root access could be gained
7. The same passwords were used for email accounts, Google Apps and for Gmail administrators
8. Using admin rights, many email accounts were scavenged for information
9. Email was used for social engineering to gain even more access to other sites
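Step 3 of the chain is the one a developer can fix in an afternoon, so here is an added example (not from the slides) contrasting the unsalted MD5 storage described above with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library. The credential store and the user names are constructed for the example; the iteration count is kept modest so the demo runs quickly, and a real deployment should follow current guidance for the chosen algorithm. The point it shows: with unsalted MD5, two users who chose the same password have identical hashes (so one crack exposes both), while salted storage hides that relationship and still verifies correctly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credential store: two users who chose the same weak password.
USERS: Dict[str, str] = {"alice": "Password1", "bob": "Password1"}


def md5_unsalted(password: str) -> str:
    """The scheme the slide describes: plain MD5, no salt. Shown only as the weak form."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record
    so the salt and iteration count travel with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme in record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(store: Dict[str, str]) -> int:
    """Number of users whose stored hash is shared with at least one other user.
    Unsalted MD5 leaks equal passwords as equal hashes; salted storage does not."""
    counts: Dict[str, int] = {}
    for h in store.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("users sharing an MD5 hash:", duplicate_hash_count(unsalted))
    print("users sharing a PBKDF2 record:", duplicate_hash_count(salted))
    print("alice verifies:", verify_pbkdf2("Password1", salted["alice"]))
```

Weak passwords (step 4) are not solved by hashing alone; the salted scheme only makes each guess cost the attacker a full PBKDF2 computation per user instead of one MD5 per password for the whole table.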
11. 11.9.2014
Drivers and issues for choosing an application firewall
12. 11.9.2014
Drivers and issues for choosing an application firewall
•An application firewall (WAF) would not make us PCI-DSS compliant
•It would only partially answer one of the requirements set by the PCI Council
•BUT - depending on the product we choose we could
–increase the overall security level of all of our public internet services
–accelerate our websites
–apply quick fixes to 0-day vulnerabilities when we most need it
–safely deploy applications with known issues to the public while investigating the root cause
–possibly protect our web-services
”0-day vulnerabilities must be fixed IMMEDIATELY.”
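The "quick fix" and "deploy with known issues while investigating" points above are what WAF vendors call virtual patching: an interim rule in front of the application that admits only the input the endpoint legitimately needs. The following is an added illustration, not code from the slides or from any WAF product, of that positive-security idea in plain Python. The endpoint `/tickets/view`, its `id` parameter and the rule id `VP-0001` are constructed for the example. It also handles one edge case that naive rules miss: a parameter sent twice (parameter pollution), where the rule would otherwise check one copy while the application reads the other.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Rule:
    rule_id: str
    path: str            # endpoint the interim rule protects
    param: str           # parameter the application is known to mishandle
    allowed: re.Pattern  # allow-list: what a legitimate value looks like
    max_len: int         # hard upper bound, checked before the pattern


@dataclass
class Decision:
    allowed: bool
    rule_id: str = ""
    reason: str = ""


# Constructed scenario: the /tickets/view handler is known to pass "id" through
# unsanitised. Until the code fix ships, only a short numeric id is admitted.
VIRTUAL_PATCHES: List[Rule] = [
    Rule("VP-0001", "/tickets/view", "id", re.compile(r"[0-9]{1,10}"), 10),
]


def evaluate(method: str, target: str, rules: List[Rule] = VIRTUAL_PATCHES) -> Decision:
    """Apply every rule whose path matches the request; first failure wins."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    occurrences = Counter(name for name, _ in pairs)
    params: Dict[str, str] = dict(pairs)
    for rule in rules:
        if parts.path != rule.path or rule.param not in params:
            continue
        if occurrences[rule.param] > 1:
            # Duplicate parameters: the app and the WAF may disagree on which copy counts.
            return Decision(False, rule.rule_id, "duplicate")
        value = params[rule.param]
        if len(value) > rule.max_len:
            return Decision(False, rule.rule_id, "length")
        if not rule.allowed.fullmatch(value):
            return Decision(False, rule.rule_id, "format")
    return Decision(True)


def audit_line(client: str, method: str, target: str, decision: Decision) -> str:
    """One log line per decision, so blocks can be reviewed and the rule retired later."""
    if decision.allowed:
        action = "allow"
    else:
        action = f"block rule={decision.rule_id} reason={decision.reason}"
    return f'{client} "{method} {target}" waf={action}'


if __name__ == "__main__":
    for target in ("/tickets/view?id=42", "/tickets/view?id=42%27", "/tickets/view?id=1&id=2"):
        print(audit_line("203.0.113.10", "GET", target, evaluate("GET", target)))
```

A rule like this is a stopgap: it buys time for the root-cause fix and must be tied to a ticket so it is removed (or kept deliberately) once the application is corrected, otherwise the "quick fix" silently becomes the only fix.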
13. 11.9.2014
Minutes to learn, a lifetime to master
•A few do's and don'ts along the way
–Don't expect the application firewall to be a generic solution to issues in your software development
–Don't ditch external security audits
–Don't expect everything to be up and running smoothly day 1
–Don't expect that the application firewall never requires attention
–Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
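The last point, monitoring discrepancies and changes in the traffic profile, is the one most often left to "we'll look at the dashboard". Here is an added example (not from the slides) of the minimum such a process needs: parse WAF access lines, reduce a window of them to a few metrics, and compare those against a baseline with a tolerance factor in both directions, since a sudden drop in traffic is as much a discrepancy as a spike. The log layout (combined format with a trailing `waf=allow|block` field), the sample lines, the IP addresses and the baseline values are all constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Combined log format with a trailing WAF action field (constructed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) waf=(?P<action>allow|block)$'
)

# Constructed sample window: ten requests, three blocked, one server error, one garbage line.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Sep/2014:10:00:01 +0300] "GET /index.html HTTP/1.1" 200 5123 waf=allow
203.0.113.10 - - [11/Sep/2014:10:00:04 +0300] "GET /login HTTP/1.1" 200 2210 waf=allow
198.51.100.7 - - [11/Sep/2014:10:00:09 +0300] "POST /login HTTP/1.1" 302 0 waf=allow
198.51.100.7 - - [11/Sep/2014:10:00:11 +0300] "GET /account HTTP/1.1" 200 8844 waf=allow
203.0.113.44 - - [11/Sep/2014:10:00:15 +0300] "GET /search?q=laptop HTTP/1.1" 200 6120 waf=allow
203.0.113.44 - - [11/Sep/2014:10:00:16 +0300] "GET /search?q=%27 HTTP/1.1" 403 - waf=block
203.0.113.44 - - [11/Sep/2014:10:00:17 +0300] "GET /search?q=%22 HTTP/1.1" 403 - waf=block
203.0.113.44 - - [11/Sep/2014:10:00:19 +0300] "GET /admin HTTP/1.1" 403 - waf=block
192.0.2.8 - - [11/Sep/2014:10:00:22 +0300] "GET /index.html HTTP/1.1" 200 5123 waf=allow
192.0.2.8 - - [11/Sep/2014:10:00:25 +0300] "GET /api/balance HTTP/1.1" 500 312 waf=allow
this line is not a log entry and must be skipped
""".splitlines()

# Constructed baseline for a window of this size: what "normal" looked like last month.
BASELINE: Dict[str, float] = {"requests": 10.0, "block_rate": 0.02, "error_rate": 0.01}


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # group by path, not by query string
    return rec


def profile(lines: List[str]) -> Dict[str, object]:
    """Reduce a window of log lines to the metrics the baseline is expressed in."""
    requests = blocks = errors = 0
    paths: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are dropped here; a surge of them deserves its own alert
        requests += 1
        paths[rec["path"]] += 1
        if rec["action"] == "block":
            blocks += 1
        elif rec["status"] >= 500:
            errors += 1  # server errors among the requests the WAF let through
    return {
        "requests": float(requests),
        "block_rate": blocks / requests if requests else 0.0,
        "error_rate": errors / requests if requests else 0.0,
        "top_path": paths.most_common(1)[0][0] if paths else "",
    }


def deviations(current: Dict[str, object], baseline: Dict[str, float], factor: float = 3.0) -> List[str]:
    """Flag any baseline metric that moved by more than `factor` in either direction."""
    alerts: List[str] = []
    for metric, base in baseline.items():
        value = float(current[metric])
        if value > base * factor:
            alerts.append(f"{metric}: {value:.2f} exceeds {factor:g}x baseline ({base:.2f})")
        elif base > 0 and value < base / factor:
            alerts.append(f"{metric}: {value:.2f} below baseline/{factor:g} ({base:.2f})")
    return alerts


if __name__ == "__main__":
    current = profile(SAMPLE_LOG)
    print("profile:", current)
    for alert in deviations(current, BASELINE):
        print("ALERT", alert)
```

The baseline should be rebuilt from the WAF's own logs on a schedule, not typed in once: a WAF in learning mode generates its own "normal", and the process on the slide is what keeps that normal honest after go-live.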
14. 11.9.2014
Minutes to learn, a lifetime to master
•A few do's and don'ts along the way
–It does add security where you need it the most
–It does fix issues with your applications programmers can't (at least not fast enough)
–It gives you a good idea of what is going on with your applications
15. 11.9.2014
Minutes to learn, a lifetime to master
•Plan the implementation beforehand
•Inform your stakeholders about possible issues when rolling out
•Treat the application firewall rollout as any major software update in your system
•Don't try to solve everything at once – Think big, start small
”A WAF project is like any other IT project – it fails if not conducted properly”
16. Thank You! Kiitos! Tack!
Questions?
Kysymyksiä?
Frågor?
Hopefully at least a few...
Contact:
thomas.malmberg@aktia.fi
http://fi.linkedin.com/in/thomasmalmberg