2. 2
Attacks are Moving “Up the Stack”
Network Threats Application Threats
90% of security 75% of attacks focused
investment focused here here
Source: Gartner
3. 3
Almost every web application is vulnerable!
• “97% of websites at immediate risk of being hacked due to
vulnerabilites!
69% of vulnerabilities are client side-attacks”
- Web Application Security Consortium
• “8 out of 10 websites vulnerable to attack”
- WhiteHat “security report ”
• “75 percent of hacks happen at the application.”
- Gartner “Security at the Application Level”
• “64 percent of developers are not confident in their ability to
write secure applications.”
- Microsoft Developer Research
5. 5
How long to resolve a vulnerability?
Website Security Statistics Report
6. 6
Developers are asked to do the impractical...
Application
Security? Application
Patching
Application Application
Development Scalability
Application
Performance
7. 7
Who is responsible for application
security?
Web developers?
Network Security?
Engineering services?
DBA?
8. 8
Traditional Security Devices vs. WAF
Network IPS ASM
Firewall
Known Web Worms Limited
Unknown Web Worms X Limited
Known Web Vulnerabilities Limited Partial
Unknown Web Vulnerabilities X Limited
Illegal Access to Web-server files Limited X
Forceful Browsing X X
File/Directory Enumerations X Limited
Buffer Overflow Limited Limited
Cross-Site Scripting Limited Limited
SQL/OS Injection X Limited
Cookie Poisoning X X
Hidden-Field Manipulation X X
Parameter Tampering X X
Layer 7 DoS Attacks X X
Brute Force Login Attacks X X
App. Security and Acceleration X X
9. 9
Web Application Firewall - ASM
Intelligent Client Network Plumbing Application Infrastructure Application
Buffer Overflow DDOS Brute Force
Cross-Site Scripting
SQL/OS Injection Error Messages
Cookie Poisoning HTTP/S Traffic Non-compliant Content
Hidden-Field Manipulation Credit Card / SSN data
Application DoS Attacks Server Fingerprints
IPS App
User Firewall
App
VPN
Firewall
IDS-IDP
Anti-Virus
10. 10
Leading web attack protection
BIG-IP Application Security Manager
Users
o Protect from latest web threats
o Out-of-the box deployment
Web Application o Meeting PCI compliance
Security o Quickly resolve vulnerabilities
o Improve site performance
Web Applications
Private Public
Physical Virtual Multi-Site DCs Cloud
11. 11
Automatic DOS Attack Detection and
Protection
o Accurate detection technique – based on latency
o 3 different mitigation techniques escalated serially
o Focus on higher value productivity while automatic controls intervene
Detect a DOS
condition
Identify potential
attackers
Drop only the
attackers
12. 12
PCI Compliance Reporting
PCI DSS reporting:
• Details security measures required
• Compliancy state
• Steps to become compliant
13. 13
Protection from all of the top vulnerabilities
• OWASP Top 10 Web Application Security Risks:
– A1: Injection
– A2: Cross-Site Scripting (XSS)
– A3: Broken Authentication and Session Management
– A4: Insecure Direct Object References
– A5: Cross-Site Request Forgery (CSRF)
– A6: Security Misconfiguration
– A7: Insecure Cryptographic Storage
– A8: Failure to Restrict URL Access
– A9: Insufficient Transport Layer Protection
– A10: Unvalidated Redirects and Forwards
14. 14
Example: OWASP Top 5 - CSRF Attack
CSRF Attack example
1. Mobile user logs in to a
trusted site
Trusted Web
2. Session is authenticated
Encrypted Site
Trusted Action
3. User opens a new tab e.g.,
chat
4. Hacker embeds a request in
the chat
5. The trusted link asks the
browser to send a request to
the hacked site
16. 16
Application visibility and reporting
Monitor URIs for server latency
• Troubleshoot server code that causes latency
Editor's Notes
A1 –Injection•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.A2 –Cross-Site Scripting (XSS)•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.A3 –Broken Authentication and Session Management•Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.A4 –Insecure Direct Object References•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.A5 –Cross-Site Request Forgery (CSRF)•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.A6 –Security Misconfiguration•Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.A7 –Insecure Cryptographic Storage•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.A8 -Failure to Restrict URL Access•Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.A9 -Insufficient Transport Layer Protection•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 –Unvalidated Redirects and Forwards•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Spring 2009 Website Security Statistics Report from WhiteHat Security82% of websites have had a HIGH, CRITICAL, or URGENT issue 63% of websites currently have a HIGH, CRITICAL, or URGENT issue 60% vulnerability resolution rate among sample with 7,157 (out of 17,888 historical vulnerabilities) unresolved issues remaining as of 3/31/09 Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution. Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17 Average number of serious unresolved vulnerabilities per website: 7 Average number of inputs (attack surface) per website: 227 Average ratio of vulnerability count / number of inputs: 2.58%
Out of the box securityLog and report all application trafficProvides L2->L7 protectionPCI ComplianceComprehensive protection for all web app vulnerabilitiesSecurity policy enforcement inbound (Request) as well as outbound (Response) traffic protecting the application from attacks including OWASP top 10
Dos Configuration:Integratesapp latency measurement with client TPS measurement to gain visibility of the application sessionsThe integration and visibility then enable us to put the session into context, “what should or should not happen,” and apply policy.If conditions don’t conform to policy, take action by rate-limiting offending client. Layer 7 DoSProctection– Block application DoS attacks and increase end-user application performance with accurate triggers and automatic controls. This is based on a detection element and three different prevention methods which are applied one after another for in-depth prevention measures and techniques.Brute Force Protection – Detect and mitigate high volume failed login requests. ASM monitors server responses and when it detects multiple login failures related to a Brute Force Attack, ASM slows the requesting browser down.
Now we have consolidated PCI reports. With new PCI reporting, BIG-IP ASM details security measures required by PCI DSS 1.2, if you are in compliance and if not, steps required to become compliant.
A1 –Injection•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.A2 –Cross-Site Scripting (XSS)•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.A3 –Broken Authentication and Session Management•Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.A4 –Insecure Direct Object References•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.A5 –Cross-Site Request Forgery (CSRF)•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.A6 –Security Misconfiguration•Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.A7 –Insecure Cryptographic Storage•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.A8 -Failure to Restrict URL Access•Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.A9 -Insufficient Transport Layer Protection•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 –Unvalidated Redirects and Forwards•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
What is a Cross Site Request Forgery (CSRF) attack?In a CSRF attack a hacker is forcing the browser to send a stealth valid request which the attacker created to a website in which the victim has a sessionWhat are the dangers?Attackers can execute full transactions that can be used for finance fraud, DOS – anything)Hard for victims to prove that they didn’t commit the transactionsHard to trace the origin
ASM can display the attacks based on country category. It’s easier for administrator to monitor where attacks are from and using policy to control that more efficiently
Monitors URIs for Server Latency - ASM monitors and reports the most requested URIs and every URI for server latency. BIG-IP ASM obtains visibility to slow server scripts and troubleshoots server code that causes latency. We basically monitor top accessed pages for a web application, for last hour, last day and last week. For these pages we provide average TPS and average latency. In addition for every web application, we also provide a list of top accessing source IP address, with TPS and throughput for every IP address. These monitoring capabilities allow the admin visibility on how the application is being accessed and how it is behaving.
