Post on 24-May-2015
Web Application & Web Services Security
integrated in Global Application Offering
- Problems? No, no problems at all.
- Yes. We're using WAF too.
3.11.2011
Thomas Malmberg
11.9.2014 (C) Thomas Malmberg [FOR INTENDED AUDIENCES ONLY] 2
Agenda
• Security and its many faces
• Drivers and issues for choosing an application firewall
• Minutes to learn, a lifetime to master
”Questions may be asked at any given time”
Web Application & Web Services Security integrated in Global Application Offering
Security and its many faces
• Security has to be applied on many levels in an organization
– Processes
– User management
– Firewalls
– Keycards
– Doors
– SSL
– Penetration testing
– Training
– ...
• Can security be enforced by applying Magnum Force?
Security and its many faces
• Carrot-and-stick approach
– Give some and get some
– Design and enforce policies, not "magnum force"
– Involve the right people – You need to "sell your agenda"
– Make sure you "enable business" (but what does that really mean?)
– In certain cases, deploying a new technology is the right solution
Drivers and issues for choosing an application firewall
...but wait – let's recap what REALLY happened (or what should have happened)
The Stick
PCI-DSS
The Carrot
Cut costs on expensive application re-testing and re-coding and re-inventing and re-everything
Drivers and issues for choosing an application firewall
• PCI-DSS was "the drop that spilled the cup"
• Before PCI-DSS we had at least this:
– National Legislation
– Financial Supervisory Authority Directives
– EU Legislation & Directives
– Finanssivalvonta, Finansinspektionen
– Common Sense
• Then we woke up and realized that...
– Security had many faces
– Security cannot be bought (but neat firewalls can!)
– Security is a mindset
– Security is a way of life
Financial Supervisory Authority:
• Finanssivalvonta (FI)
• Finansinspektionen (SE)
Drivers and issues for choosing an application firewall
• Today we understand that
– Credit-card numbers are not everything
– Many different inputs feed into real compliance
– It is not wise to pursue the different directives and pieces of legislation separately
– Everything we do in this field increases the overall security
Drivers and issues for choosing an application firewall
Case HBGary
• HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors.
• HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
• Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things.
• Source: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/
Case HBGary
1. The CMS had an SQL-injection vulnerability
2. Usernames were stolen from the user database
3. Passwords were hashed using plain MD5 without salting
4. Passwords were weak
5. The same passwords were used for public SSH access
6. The SSH server was not patched, so root access could be gained
7. The same passwords were used for email accounts, Google Apps and the Gmail administrator accounts
8. Using admin rights, many email accounts were scavenged for information
9. Email was used for social engineering to gain even more access to other sites
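Steps 3 and 4 are what turned a leaked user table into working credentials: with unsalted MD5, every user who picked the same weak password got the same hash, and a single dictionary lookup recovered all of them at once. The Python below is an added illustration, not part of the deck and not HBGary's code: it shows a simple audit check that exposes this property of an unsalted store, and a salted, iterated alternative (PBKDF2-HMAC-SHA256 from the standard library) in which the same check finds nothing. The account names, passwords, record format and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not from the case): alice and bob share a weak password.
SAMPLE_USERS = {
    "alice": "summer2011",
    "bob": "summer2011",
    "carol": "correct-horse-battery-staple-9",
}


def unsalted_md5(password: str) -> str:
    """The storage scheme from step 3 of the case: one MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Audit check: in an unsalted store, users with the same password have the same
    hash, so identical hashes reveal shared passwords (and one cracked hash unlocks
    the whole group). Returns the groups of users whose stored hashes are identical."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


# Assumed work factor; tune it to your hardware (it slows an attacker's guessing equally).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt per user means
    equal passwords give different records and no precomputed table applies.
    Assumed record format: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time.
    Malformed or foreign records are rejected instead of raising."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    try:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    weak_store = {u: unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    print("shared passwords visible in unsalted store:", shared_password_groups(weak_store))
    salted_store = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("shared passwords visible in salted store:", shared_password_groups(salted_store))
    print("alice login ok:", verify_password("summer2011", salted_store["alice"]))
```

Running the script shows the audit check reporting alice and bob as a group in the unsalted store and an empty list for the salted one, which is also why an audit of a real user table should start by checking whether the stored values are bare 32-hex-character digests.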
Drivers and issues for choosing an application firewall
Drivers and issues for choosing an application firewall
• An application firewall (WAF) would not make us PCI-DSS compliant
• It would only partially answer one of the requirements set by the PCI-council
• BUT - depending on the product we choose we could
– increase the overall security level of all of our public internet services
– accelerate our websites
– apply quick fixes to 0-day vulnerabilities when we most need it
– safely deploy applications with known issues to the public while investigating the root cause
– possibly protect our web-services
”0-day vulnerabilities must be fixed IMMEDIATELY.”
Minutes to learn, a lifetime to master
• A few do's and don'ts along the way
– Don't expect the application firewall to be a generic solution to issues in your software development
– Don't ditch external security audits
– Don't expect everything to be up and running smoothly day 1
– Don't expect that the application firewall never requires attention
– Make sure you have a process to monitor discrepancies and (major) changes in your traffic profile
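The last point, a process for spotting discrepancies and changes in the traffic profile, is the one most often left to intuition. The Python below is an added example, not from the deck or from any WAF product: it parses constructed WAF-style access-log lines (the line format, client addresses, paths and rule names are all assumptions) into an hourly profile and flags hours whose blocked-request ratio departs from the norm, naming the client behind most of the blocks so the on-call person knows where to look.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed WAF-style access log (not the output of any real product), one request
# per line: timestamp client method path status action rule
SAMPLE_LOG = """\
2014-09-11T10:00:01 198.51.100.7 GET /login 200 PASS -
2014-09-11T10:05:12 198.51.100.8 POST /login 302 PASS -
2014-09-11T10:10:44 198.51.100.9 GET /account 200 PASS -
2014-09-11T10:20:03 203.0.113.4 GET /search?q=shoes 200 PASS -
2014-09-11T10:35:30 203.0.113.5 GET /search?q=%27 403 BLOCK R-SQLI
2014-09-11T10:50:18 198.51.100.7 GET /account 200 PASS -
2014-09-11T11:02:07 198.51.100.10 GET /login 200 PASS -
2014-09-11T11:15:27 198.51.100.11 POST /login 302 PASS -
2014-09-11T11:22:40 198.51.100.12 GET /account 200 PASS -
2014-09-11T11:31:09 203.0.113.6 GET /search?q=boots 200 PASS -
2014-09-11T11:44:51 203.0.113.7 GET /search?q=%3Cb%3E 403 BLOCK R-XSS
2014-09-11T11:58:33 198.51.100.10 GET /account 200 PASS -
2014-09-11T12:01:02 203.0.113.20 GET /admin 403 BLOCK R-SCAN
2014-09-11T12:01:03 203.0.113.20 GET /wp-login.php 403 BLOCK R-SCAN
2014-09-11T12:01:04 203.0.113.20 GET /search?q=%27 403 BLOCK R-SQLI
2014-09-11T12:01:05 203.0.113.20 GET /search?q=%22 403 BLOCK R-SQLI
2014-09-11T12:01:06 203.0.113.20 GET /account 403 BLOCK R-SCAN
2014-09-11T12:30:00 198.51.100.7 GET /login 200 PASS -
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record; the hour bucket is the timestamp up to the hour."""
    ts, client, method, path, status, action, rule = line.split()
    return {"hour": ts[:13], "client": client, "method": method, "path": path,
            "status": int(status), "blocked": action == "BLOCK", "rule": rule}


def hourly_profile(log_text: str) -> Dict[str, dict]:
    """Aggregate per hour: total requests, blocked requests and blocks per client."""
    profile: Dict[str, dict] = defaultdict(
        lambda: {"total": 0, "blocked": 0, "blocks_by_client": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        bucket = profile[rec["hour"]]
        bucket["total"] += 1
        if rec["blocked"]:
            bucket["blocked"] += 1
            bucket["blocks_by_client"][rec["client"]] += 1
    return profile


def flag_hours(log_text: str, max_block_ratio: float = 0.5, min_requests: int = 5) -> List[dict]:
    """Return the hours whose blocked-request ratio exceeds max_block_ratio, skipping
    hours with too few requests to be meaningful, together with the client that
    produced most of the blocks in that hour. Thresholds are assumed starting values;
    derive them from your own baseline weeks before relying on them."""
    flagged = []
    for hour, bucket in sorted(hourly_profile(log_text).items()):
        if bucket["total"] < min_requests:
            continue
        ratio = bucket["blocked"] / bucket["total"]
        if ratio > max_block_ratio:
            top_client = max(bucket["blocks_by_client"], key=bucket["blocks_by_client"].get)
            flagged.append({"hour": hour, "block_ratio": round(ratio, 2), "top_client": top_client})
    return flagged


if __name__ == "__main__":
    for item in flag_hours(SAMPLE_LOG):
        print("traffic profile deviation:", item)
```

On the sample data the first two hours sit at a one-in-six block ratio, which is the normal background of a public site, while the third hour jumps to five blocks out of six from a single client and is the one reported. The same shape works for other profile signals the deck hints at (new paths, request volume, error ratios); only the aggregation in hourly_profile changes.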
Minutes to learn, a lifetime to master
• A few do's and don'ts along the way
– It does add security where you need it the most
– It does fix issues with your applications programmers can't (at least not fast enough)
– It gives you a good idea of what is going on with your applications
Minutes to learn, a lifetime to master
• Plan the implementation beforehand
• Inform your stakeholders about possible issues when rolling out
• Treat the application firewall rollout as any major software update in your system
• Don't try to solve everything at once – Think big, start small
”A WAF project is like any other IT project – it fails if not conducted properly”
Thank You!
Kiitos!
Tack!
Questions?
Kysymyksiä?
Frågor?
Hopefully at least a few...
Contact:
thomas.malmberg@aktia.fi
http://fi.linkedin.com/in/thomasmalmberg