2. Wallarm pre-history: 5 years in security consulting
• Security audits and research since 2009
• Penetration testing
• Blackbox analysis of web applications
• Whitebox analysis of source codes
• Specialization in e-commerce and financial web applications
3. Lessons learned
• Vulnerabilities can be found and fixed, but new vulnerabilities keep appearing
• Clients are protected after an audit only until the next release
• Regular security audits for each minor update are expensive
• Security is a continuous process!
• So how can we protect web applications?
• Since 2009 we have been looking for a Web Application Firewall that would suit our clients' needs.
4. Looking for the best web apps protection solution
• NAXSI
https://github.com/nbs-system/naxsi
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
• ModSecurity for NGINX
https://github.com/SpiderLabs/ModSecurity
An event-based rule language which provides protection from a range of attacks against web applications
• testcookie-nginx-module
https://github.com/kyprizel/testcookie-nginx-module
An application-level DDoS mitigation module using a cookie-based challenge/response technique
• A variety of commercial WAFs
5. Looking for the best web apps protection solution
Most of them worked as promised but somehow didn't feel right…
Excerpt: the action list of OWASP CRS 2.2.9 rule 959073, one of the ModSecurity rules that has to be maintained:
phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}
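To make the rule above readable, here is an added example (not code from the slides, from Wallarm or from the CRS project) that models in Python what its setvar and logdata actions do: each matching rule adds a severity weight to tx.anomaly_score (and, for SQLi-tagged rules, to tx.sql_injection_score), records a per-rule TX variable and renders the logdata string, and the request is blocked once the accumulated score reaches the inbound threshold. The weights and threshold are assumptions mirroring typical CRS 2.2.x setup defaults; the rule's operator is not shown on the slide, so the UNION...SELECT pattern and the second rule (EXAMPLE-1) are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field

# Assumed default weights and threshold, mirroring what a CRS 2.2.x setup file
# puts in tx.critical_anomaly_score, tx.warning_anomaly_score and
# tx.inbound_anomaly_score_level; adjust to your own configuration.
SEVERITY_WEIGHTS = {"critical": 5, "error": 4, "warning": 3, "notice": 2}
INBOUND_THRESHOLD = 5


@dataclass
class Rule:
    rule_id: str
    msg: str
    tag: str
    severity: str
    pattern: re.Pattern


@dataclass
class Transaction:
    """Stand-in for the ModSecurity TX collection that setvar writes into."""
    anomaly_score: int = 0
    sql_injection_score: int = 0
    matches: list = field(default_factory=list)   # setvar:tx.%{rule.id}-<tag>-<var>=<data>
    logdata: list = field(default_factory=list)   # rendered logdata strings


# Rule 959073 is the one on the slide; its operator is not shown there, so the
# UNION...SELECT pattern below is a constructed stand-in. The second rule is
# entirely constructed, to show how scores from several rules add up.
RULES = [
    Rule("959073", "SQL Injection Attack", "OWASP_CRS/WEB_ATTACK/SQL_INJECTION",
         "critical", re.compile(r"(?i)\bunion\b.{1,100}?\bselect\b")),
    Rule("EXAMPLE-1", "SQL comment sequence", "EXAMPLE/SQL_COMMENT",
         "warning", re.compile(r"--\s*$|/\*")),
]


def apply_rules(tx, args):
    """Run every rule over every ARGS value, updating TX the way setvar does."""
    for name, value in args.items():
        for rule in RULES:
            m = rule.pattern.search(value)
            if not m:
                continue
            weight = SEVERITY_WEIGHTS[rule.severity]
            tx.anomaly_score += weight                 # setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}
            if "SQL_INJECTION" in rule.tag:
                tx.sql_injection_score += weight       # setvar:tx.sql_injection_score=+...
            var = f"ARGS:{name}"                       # %{MATCHED_VAR_NAME}
            tx.matches.append(f"{rule.rule_id}-{rule.tag}-{var}={m.group(0)}")
            tx.logdata.append(f"Matched Data: {m.group(0)} found within {var}: {value}")
    return tx


def inspect_request(args):
    """Return ('block' | 'allow', tx): the inbound blocking-evaluation step."""
    tx = apply_rules(Transaction(), args)
    decision = "block" if tx.anomaly_score >= INBOUND_THRESHOLD else "allow"
    return decision, tx


if __name__ == "__main__":
    # Constructed sample requests: a benign near-miss, a single low-severity
    # match below the threshold, and a request that trips both rules.
    for args in ({"q": "select a station near union square"},
                 {"note": "see /* the spec */"},
                 {"id": "1 UNION SELECT 1,2 --"}):
        decision, tx = inspect_request(args)
        print(decision, tx.anomaly_score, tx.logdata)
```

The point of the model is that none of the bookkeeping is specific to the rule: every CRS rule repeats the same five-or-so setvar actions, which is exactly the per-rule maintenance burden the slide is illustrating.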
6. We can do it by ourselves!
Probably
Goals:
• Learn from the traffic to avoid a complex configuration process
• Efficiently block noise/spam from automated tools in the system interface
• Detect and patch vulnerabilities, including 0-days
• Support AJAX and HTML5 applications that use a single-page structure and modern standards (e.g. local storage)
• Handle high load (100K rps on a single node)
• Work in synchronous and asynchronous mode
7. We can do it by ourselves!
Probably
Milestones:
• In 2010 we implemented an attack detection tool with self-learning algorithms in pure PHP. It worked, but was damn slow
• In 2011-2012 we rewrote everything in Ruby and started to analyse traffic captured by tcpdump
• Finally, in 2013 we realised that NGINX is a great platform to implement application-level traffic filtration.
9. Summing up: vulnerability detection solution and WAF based on statistical algorithms
• Wallarm analyses user requests and, based on them, learns how the application works (business logic, execution environment, programming language used, etc.).
• With this knowledge Wallarm profiles every user: what they do and when, what data is sent, and how the application reacts.
• Requests are analysed with a set of metrics. Wallarm inspects the semantics of requests and responses, looks for correlations and seeks ways to group them into potential attack vectors.
• This way Wallarm identifies and blocks anomalies — activity atypical for normal operation of the application.
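As an added illustration of the learning-based approach described above (example code written for this page, not Wallarm's implementation or algorithms), the Python below builds a per-endpoint, per-parameter profile from constructed training traffic: which coarse character classes each parameter has used and how long its values are. A later request is then scored against that profile, and anything the application was never seen to do (an unknown endpoint, an unknown parameter, a value of an unexpected character class, or a value far longer than the learned bound) is reported as an anomaly rather than matched against a signature. The request lines, endpoints and parameter names are all constructed.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed learning-phase traffic (method + path + query), standing in for the
# live requests a WAF would observe while it builds an application profile.
TRAINING = [
    "GET /catalog?category=books&page=1",
    "GET /catalog?category=music&page=2",
    "GET /catalog?category=games&page=10",
    "GET /catalog?category=books&page=3",
    "GET /item?id=1042",
    "GET /item?id=7",
    "GET /item?id=31337",
    "GET /item?id=52",
    "POST /login?user=alice&remember=1",
    "POST /login?user=bob_smith&remember=0",
    "POST /login?user=carol99&remember=1",
]

# Coarse character classes: the profile remembers which of these each
# parameter has ever used instead of storing a hand-written pattern per parameter.
CLASSES = (
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_]+$")),
)


def charclass(value):
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "other"


class ParamProfile:
    """What normal values of one parameter looked like during learning."""

    def __init__(self):
        self.classes = set()
        self.lengths = []

    def learn(self, value):
        self.classes.add(charclass(value))
        self.lengths.append(len(value))

    def max_length(self):
        # Bound: mean + 3 standard deviations, never below the longest value
        # actually observed, so a handful of short samples does not over-fit.
        mean = statistics.mean(self.lengths)
        sd = statistics.pstdev(self.lengths) if len(self.lengths) > 1 else 0
        return max(max(self.lengths), mean + 3 * sd)

    def deviations(self, value):
        reasons = []
        cls = charclass(value)
        if cls not in self.classes:
            reasons.append(f"unexpected character class '{cls}'")
        if len(value) > self.max_length():
            reasons.append(f"length {len(value)} exceeds learned bound {self.max_length():.1f}")
        return reasons


def parse(line):
    method, target = line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def learn(lines):
    model = defaultdict(lambda: defaultdict(ParamProfile))
    for line in lines:
        method, path, args = parse(line)
        for name, value in args.items():
            model[(method, path)][name].learn(value)
    return model


def score(model, line):
    """Return the list of anomaly reasons; an empty list means 'looks normal'."""
    method, path, args = parse(line)
    endpoint = model.get((method, path))
    if endpoint is None:
        return [f"unknown endpoint {method} {path}"]
    reasons = []
    for name, value in args.items():
        if name not in endpoint:
            reasons.append(f"unknown parameter '{name}'")
            continue
        reasons.extend(f"{name}: {r}" for r in endpoint[name].deviations(value))
    return reasons


if __name__ == "__main__":
    model = learn(TRAINING)
    for req in ("GET /item?id=99",
                "GET /item?id=1%27%20OR%201%3D1",
                "GET /catalog?category=books&debug=1",
                "DELETE /item?id=1"):
        print(req, "->", score(model, req) or "normal")
```

Note that the debug=1 request is flagged although its value is perfectly ordinary: the profile is about what the application normally receives, not about what a payload looks like, which is the difference between this approach and a signature rule set. A real deployment needs a much larger learning window and a way to re-learn after each release, since a legitimate new parameter looks identical to an anomaly until the profile catches up.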
10. Bonus
• No spam/noise in the interface
• Metrics for the Dashboard are taken from real-life projects. Among them: reaction time, vulnerability fix time, and the time from discovery of a vulnerability until its exploitation.
• Google-style search bar to filter security events.
• NGINX inside
11. Wallarm team
Ivan: CEO
Alex: CTO
Stephan: COO/CMO
Simon: Advisor
Dmitry: Strategy
Now hiring and partnering
input@wallarm.com