F5 Application Security
Radovan Gibala
Field Systems Engineer
[email protected]
+420 731 137 223
2007
Agenda
Challenge Websecurity – What are the problems?
Building blocks of Web Applications
Vulnerabilities and protection strategies
Websecurity with a Web Application Firewall (WAF)
Security Policy Setups
Deployment Methods
Attacking the Application
How to mitigate the risk in Web Applications with ASM
Market Trends
Webalization of Critical Applications
– Mission-Critical Applications: ERP, CRM, SCM, with access from the Internet
– Business-Critical Applications: advantages of voice, data and video integration
– Profitability Increase
– Data Centre Consolidation: centralization of applications and access from the Internet
– XML-based Web Services: B2B business processes over Web Services / XML (private?)
– Mobile Applications: access and usage of applications from mobile devices
Security's Gaping Hole
"64% of the 10 million security incidents tracked targeted port 80." (Information Week)
Web Application Security
Attacks now look to exploit application vulnerabilities:
• Buffer Overflow
• Cross-Site Scripting
• SQL/OS Injection
• Cookie Poisoning
• Hidden-Field Manipulation
• Parameter Tampering
• Forced access to infrastructural information
Perimeter security is strong, but it is open to web traffic: port 80 and port 443 pass through, and with them non-compliant information and infrastructural intelligence information.
High information density = high value attack.
Why Are Web Applications Vulnerable?
– New code written to best-practice methodology, but not tested properly
– New type of attack not protected by current methodology
– New code written in a hurry due to business pressures
– Code written by third parties; badly documented, poorly tested, and the third party is no longer available
– Flaws in third-party infrastructure elements
– Session-less web applications written with a client-server mentality
Solution Statements for Application Security
Make Bug-free applications
Network Firewalls + Marketing
Tools in the Web Servers
Infrastructure Solutions
Traditional Alternative: Rely Exclusively on the Developer
Everything is expected from the developer:
– Application Logic
– Application Patching
– Application Optimization
– Application Security
– Application Scalability
– Application Integration
– Application Availability
– Application Performance
Web Application Protection Strategy
Best Practice Design Methods
– Only protects against known vulnerabilities
– Difficult to enforce, especially with sub-contracted code
– Only periodically updated; large exposure window
Automated & Targeted Testing
– Done periodically; web apps are only as good as the last test
– Only checks for known vulnerabilities
– Does it find everything?
Web Application Firewall
– Real-time 24 x 7 protection
– Enforces best-practice methodology
– Allows immediate protection against new vulnerabilities
Web Applications Increasingly Under Attack
– High information density in the core
– Flaws in applications & 3rd party software
– Traditional security does not protect web apps
– Gaping hole in perimeter security for web traffic
SANS (November 2006) - Top Vulnerabilities in Cross-Platform Applications
C1. Backup Software
C2. Anti-virus Software
C3. PHP-based Applications (50% of all Apache installations worldwide use php!)
C4. Database Software
...
C6. DNS Software
...
C9. Mozilla and Firefox Browsers
...
Application Security Litmus Test
...or: "The Point of Truth"
Simple version:
– Does your WAF discover that the price of an item in an online shop was changed?
Technical version:
– OWASP Top Ten, 2004 list (http://www.owasp.org/index.php/OWASP_Top_Ten_Project)
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting
5. Buffer Overflow
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Application Denial of Service
10. Insecure Configuration Management
OWASP Top 10 / January 2007
A1 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
A2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 – Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
A6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.
A7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 – Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 – Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
n-tier Web Application Layer
Where does Application Security make Sense?
Tiers from the Internet inwards: Router (packet filtering, network layer security) -> Firewall (stateful inspection, session layer security) -> BIG-IP LTM + Application Security Manager (application layer security, acceleration & availability) -> Web App. Server -> Database Server

Option 1: Application Core Functionality (security built into each application)
Pros:
• Very specific to each application type and vendor
• Stronger support for L7 protocol validation
Cons:
• Complex to manage
• Costly to implement inside each application
• Error-prone
• Inefficient and reactive

Option 2: Routing, ACL (Router)
Pros:
• First point of entry
• High performance
Cons:
• Zero application fluency
• Wrong location
• No support for SSL
• Too little and expensive processing power

Option 3: Network Security (Firewall)
Pros:
• Experienced in network security
• Has some session & application protocol awareness
Cons:
• No application fluency
• Out in the DMZ / wrong location
• Not optimized for L7 processing
• Cannot filter encrypted content
• Less focus on SSL

Option 4: Application Security, Optimization & Delivery (BIG-IP LTM + ASM)
Pros:
• Application fluent
• Already used as SSL proxy for applications
• Layer 7 processing
• Perfect location directly in front of applications and servers
Cons:
• Less focus on Layer 2/3 security

"A combined application delivery controller and Web application firewall, rather than stand-alone products, provides a single-vendor relationship and performance improvements." (Gartner Research)
Traditional Security Doesn't Protect Web Applications
Looking at the wrong thing in the wrong place
Columns as on the slide: Application Firewall, Network Firewall, IPS
Known Web Worms Present Present
Unknown Web Worms Present Present
Known Web Vulnerabilities Present Present
Unknown Web Vulnerabilities Present Present
Illegal Access to Web-server files Present Present
Forceful Browsing Present Present
File/Directory Enumerations Present Present
Buffer Overflow Present Present
Cross-Site Scripting Present Present
SQL/OS Injection Present Present
Cookie Poisoning X X
Hidden-Field Manipulation X X
Parameter Tampering X X
Application Security with a WAF
The WAF sits between the browser and the application: it allows legitimate requests and stops bad requests (unauthorised access, non-compliant information, unauthorised access to infrastructural intelligence).
Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
Application content & context aware
High performance, low latency, high availability, high security
Policy-based full proxy with deep inspection & Java support
Positive security augmenting negative security
Central point of application security enforcement
Application Security with a WAF
Intelligent decisions: allow only good application behaviour (positive security), based on a definition of good and bad behaviour between browser and application.
Negative vs. Positive Security Model
Negative Security Model
– Block known attacks (signatures)
– Everything else is allowed
– Adding a new signature is quick and easy, but protection against a zero-day attack only starts once a signature for it exists
Positive Security Model
– (Automatic) analysis of the web application
– Allow wanted transactions
– Everything else is denied
– Implicit security against new, yet unknown attacks (zero-day attacks)
Flexible Policy Granularity
Search for: 'command injection'
The single quote is a command delimiter (it terminates string literals in SQL and shell commands):
• Best practice is to disallow it in parameters wherever possible
• Easiest to achieve with a generic policy applied to the whole site
BUT . . .
User Name: O'Connor
The single quote is needed in some parameters:
• Need to be able to selectively relax the policy, e.g. single quote allowed in this parameter
• Need to limit its use within the relaxed policy, e.g. only one single quote allowed in this parameter
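The interplay of the two models and the per-parameter relaxation described above, as an added Python example (not F5 or ASM code): the signature list, the site-wide character class, the /search and /register parameter policies and the sample requests are all constructed for this illustration.

```python
"""Negative (signature) and positive (allow-list) security models for HTTP
parameters, with per-parameter relaxation. Added example, not F5/ASM code;
signatures, policies and requests are constructed for the illustration."""
import re
from urllib.parse import parse_qsl

# Negative model: block what matches a known-attack signature (a real engine has thousands).
ATTACK_SIGNATURES = [
    ("sql-tautology", re.compile(r"'\s*or\s+.+=", re.I)),
    ("sql-comment",   re.compile(r"(--|/\*|#)\s*$")),
    ("xss-script",    re.compile(r"<\s*script", re.I)),
    ("os-command",    re.compile(r"[;|`]\s*(cat|ls|id|wget|nc)\b", re.I)),
]

def negative_check(value):
    """Names of the signatures a value triggers; [] means no known attack."""
    return [name for name, rx in ATTACK_SIGNATURES if rx.search(value)]

# Positive model: what each parameter of each object may contain; anything else is denied.
# Site-wide default: word characters, space and a little punctuation, no single quote at all.
SITE_DEFAULT = {"regex": re.compile(r"^[\w .,@-]*$"), "max_len": 64, "max_quotes": 0}
PARAMETER_POLICY = {
    "/search": {"q": {**SITE_DEFAULT, "max_len": 128}},
    "/register": {
        # Relaxed for this one parameter: a single quote is allowed, but only one (O'Connor).
        "username": {"regex": re.compile(r"^[A-Za-z' -]*$"), "max_len": 32, "max_quotes": 1},
        "email": {**SITE_DEFAULT, "regex": re.compile(r"^[\w.+-]+@[\w.-]+$")},
    },
}

def positive_check(path, query):
    """Violations of the positive policy; unknown objects and parameters are violations too."""
    policy = PARAMETER_POLICY.get(path)
    if policy is None:
        return [f"unknown object {path}"]
    violations = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = policy.get(name)
        if rule is None:
            violations.append(f"unknown parameter {name}")
            continue
        quotes = value.count("'")
        if len(value) > rule["max_len"]:
            violations.append(f"{name}: length {len(value)} exceeds {rule['max_len']}")
        if quotes > rule["max_quotes"]:
            violations.append(f"{name}: {quotes} single quotes, {rule['max_quotes']} allowed")
        elif not rule["regex"].match(value):
            violations.append(f"{name}: illegal characters")
    return violations

def decide(path, query):
    """Negative signatures first (cheap, names the known attack), then the positive
    policy, which also stops what no signature describes. Returns (verdict, reasons)."""
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        reasons += [f"{name}: signature {sig}" for sig in negative_check(value)]
    reasons += positive_check(path, query)
    return ("BLOCK" if reasons else "ALLOW"), reasons

if __name__ == "__main__":
    for path, query in [
        ("/search", "q=command injection"),                  # allowed
        ("/search", "q='command injection'"),                # generic policy: no quotes in q
        ("/register", "username=O'Connor&email=oc@example.org"),     # relaxed: one quote is fine
        ("/register", "username=O'Con'nor&email=oc@example.org"),    # two quotes: still blocked
        ("/register", "username=admin' or 1=1--&email=oc@example.org"),  # known attack: signature
        ("/search", "q=<img src=x onerror=alert(1)>"),       # no signature; positive model catches it
    ]:
        print(path, query, "->", decide(path, query))
```

The last request is the point of the positive model: nothing in the signature list knows about an `onerror` handler, yet the request is still blocked because `q` may not contain `<`, `=` or parentheses.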
Support of dynamic values
Example: SAP Application
Protect the session information in the URI
– https://saptest.xyz.de/sap(bD1kZSZjPTAxMA==)/...
Protect dynamic parameter names and values
– &Tdokfilter_subdok_dokstrukturK2_Y123456789103459185=F
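How a WAF protects dynamic values such as the sap(...) URI segment and parameters whose names and values are generated per session, and how the price-tampering litmus test from the earlier slide is caught: an added Python example, not F5/ASM code. The response HTML, the /cart/add form, the session identifiers and the simplified regex-based HTML scanning are assumptions made for the illustration; only the sap(...) segment and the Tdokfilter parameter name come from the slide.

```python
"""Dynamic-value protection: remember what the application handed to the browser
and accept only that back. Added example, not F5/ASM code; the response, the form
and the session ids are constructed for the illustration."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed application response (not a real SAP page): a link carrying the sap(...)
# session segment, two hidden fields and an SAP-style dynamic parameter name.
SAMPLE_RESPONSE = """
<a href="/sap(bD1kZSZjPTAxMA==)/bc/gui/sap/its/webgui">Start</a>
<form action="/cart/add" method="post">
  <input type="hidden" name="sku" value="A-100">
  <input type="hidden" name="price" value="199.00">
  <input type="hidden" name="Tdokfilter_subdok_dokstrukturK2_Y123456789103459185" value="F">
  <input type="text" name="qty" value="1">
</form>
"""

# Simplified HTML scanning (a real WAF uses a proper HTML parser).
FORM_TAG = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
INPUT_TAG = re.compile(r"<input\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)="([^"]*)"')
SAP_SEGMENT = re.compile(r"/sap\(([A-Za-z0-9+/=]+)\)/")   # the sap(...) URI segment

def attrs(tag_body):
    return {k.lower(): v for k, v in ATTR.findall(tag_body)}

class DynamicValueTracker:
    """Per-session memory of what the application issued to the browser."""
    def __init__(self):
        self.hidden = {}   # session -> {(action, name): value issued in a hidden field}
        self.names = {}    # session -> {action: set of parameter names present in the form}
        self.sap = {}      # session -> sap(...) segment issued in links

    def learn_response(self, session, body):
        """Scan an outbound response: hidden fields, form parameter names, sap(...) segment."""
        hidden = self.hidden.setdefault(session, {})
        names = self.names.setdefault(session, {})
        for form_attrs, inner in FORM_TAG.findall(body):
            action = attrs(form_attrs).get("action", "")
            for tag in INPUT_TAG.findall(inner):
                a = attrs(tag)
                name = a.get("name")
                if not name:
                    continue
                names.setdefault(action, set()).add(name)   # dynamic parameter *names* are learned here
                if a.get("type", "text").lower() == "hidden":
                    hidden[(action, name)] = a.get("value", "")   # and their issued *values*
        m = SAP_SEGMENT.search(body)
        if m:
            self.sap[session] = m.group(1)

    def check_request(self, session, url, body=""):
        """Return violations for an inbound request; [] means every dynamic value came back as issued."""
        violations = []
        path = urlsplit(url).path
        m = SAP_SEGMENT.search(path)
        if m and m.group(1) != self.sap.get(session):
            violations.append("sap(...) session segment was not issued to this session")
        hidden = self.hidden.get(session, {})
        names = self.names.get(session, {}).get(path, set())
        for name, value in parse_qsl(body, keep_blank_values=True):
            if (path, name) in hidden:
                if value != hidden[(path, name)]:
                    violations.append(f"{name}: {value!r} differs from issued {hidden[(path, name)]!r}")
            elif name not in names:
                violations.append(f"{name}: parameter not issued to this session")
        return violations

if __name__ == "__main__":
    t = DynamicValueTracker()
    t.learn_response("s1", SAMPLE_RESPONSE)
    form = "sku=A-100&price=199.00&Tdokfilter_subdok_dokstrukturK2_Y123456789103459185=F&qty=2"
    print("legitimate:", t.check_request("s1", "/cart/add", form))
    print("price changed:", t.check_request("s1", "/cart/add", form.replace("price=199.00", "price=1.00")))
    print("session segment changed:", t.check_request("s1", "/sap(bD1kZSZjPTAxMQ==)/bc/gui/sap/its/webgui"))
    print("replayed by another session:", t.check_request("s2", "/cart/add", form))
```

Because the expected value is learned from the application's own response rather than written into the policy, a parameter name like `Tdokfilter_subdok_dokstrukturK2_Y123456789103459185` needs no static rule, and a session that never received the form cannot submit it.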
Selective Application Flow Enforcement
Login page (Username, Password) -> Transfer page (From Acc., To Acc., $ Amount, Transfer)
Reaching the transfer page through the login is ALLOWED; requesting it directly is a VIOLATION.
• Should every direct request be a violation? The user may have bookmarked the page!
• Unnecessarily enforcing flow and parameter validation can lead to false positives.
• This part of the site is a financial transaction that requires authentication; here we should enforce strict flow.
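Selective flow enforcement as sketched in the figure, as an added Python example (not F5/ASM code): the /login, /account and /account/transfer objects, the entry-point rule, the way login success is detected and the per-session bookkeeping are all assumptions made for the illustration.

```python
"""Selective application-flow enforcement (added example, not F5/ASM code).
Objects, entry points and the session bookkeeping are constructed for the illustration."""

LOGIN_OBJECT = "/login"

# Only the objects listed here have their flow enforced. Everything else (product pages,
# help pages, a bookmarked account overview) may be requested directly without a violation.
FLOW_POLICY = {
    "/account/transfer": {"entry_points": {"/login", "/account"}, "requires_auth": True},
}

class FlowEnforcer:
    def __init__(self, policy=FLOW_POLICY):
        self.policy = policy
        self.sessions = {}   # session id -> {"last": previous object, "authenticated": bool}

    def _state(self, session):
        return self.sessions.setdefault(session, {"last": None, "authenticated": False})

    def on_response(self, session, path, status):
        """Watch the application's answer to the login; a 200/302 marks the session authenticated.
        Simplification: a real deployment keys this on the login success page or session cookie."""
        if path == LOGIN_OBJECT and status in (200, 302):
            self._state(session)["authenticated"] = True

    def on_request(self, session, path):
        """Return ("ALLOW" | "VIOLATION", reasons) for one request in its session context."""
        st = self._state(session)
        reasons = []
        rule = self.policy.get(path)
        if rule is not None:
            if rule["requires_auth"] and not st["authenticated"]:
                reasons.append("not authenticated")
            # Re-submitting the same object (e.g. a form error round-trip) is part of its own flow.
            if st["last"] not in rule["entry_points"] and st["last"] != path:
                reasons.append(f"reached from {st['last']!r}; allowed entry points: "
                               f"{sorted(rule['entry_points'])}")
        st["last"] = path
        return ("VIOLATION" if reasons else "ALLOW"), reasons

if __name__ == "__main__":
    f = FlowEnforcer()
    print("bookmarked product page:", f.on_request("s1", "/products"))
    print("transfer requested directly:", f.on_request("s1", "/account/transfer"))
    f.on_request("s2", "/login")
    f.on_response("s2", "/login", 302)
    print("transfer after login:", f.on_request("s2", "/account/transfer"))
    print("transfer re-submitted:", f.on_request("s2", "/account/transfer"))
```

The bookmark question from the slide is answered by scope: the product page is outside the policy, so the direct request is allowed, while the transfer object still demands both a prior login and an approved entry point.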
XML Firewall
Well-formedness validation
Schema/WSDL validation
Method (operation) selection
Attack signatures for XML platforms
Back-end parser protection
XML islands application protection
Full request logging
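The checks in this list, except full XSD/WSDL validation (which the Python standard library does not provide; an allow-list of operations stands in for it), as an added Python example that is not F5/ASM code. The size, depth and element limits, the operation names, the sample SOAP messages and the single injection signature are all constructed for the illustration.

```python
"""XML firewall checks in front of a SOAP back end (added example, not F5/ASM code).
Limits, operation names, messages and the signature are constructed for illustration."""
import re
import xml.parsers.expat

MAX_BYTES = 64 * 1024        # back-end parser protection: size ...
MAX_DEPTH = 32               # ... nesting ...
MAX_ELEMENTS = 1000          # ... and element-count limits
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ALLOWED_OPERATIONS = {"GetQuote", "PlaceOrder"}   # hypothetical; a real policy takes them from the WSDL
ATTACK_SIGNATURE = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)   # one SQL-injection signature for text nodes

class Reject(Exception):
    """Raised inside a parser callback to stop parsing as soon as a limit is exceeded."""

def inspect_xml(document: bytes) -> list:
    """Return the list of violations for one request body; [] means forward it."""
    if len(document) > MAX_BYTES:
        return [f"document too large: {len(document)} bytes"]
    # Any DTD is refused outright, so internal entities (billion laughs) and external
    # entities (XXE) never reach the back-end parser. Simplification: a literal
    # "<!DOCTYPE" inside a CDATA section would be refused as well.
    if b"<!doctype" in document.lower() or b"<!entity" in document.lower():
        return ["DTD or entity declaration present"]
    state = {"depth": 0, "elements": 0, "in_body": False, "operation": None, "hits": []}
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.buffer_text = True   # deliver each text node in one piece so a signature cannot be split

    def start(name, attributes):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise Reject(f"nesting deeper than {MAX_DEPTH}")
        if state["elements"] > MAX_ELEMENTS:
            raise Reject(f"more than {MAX_ELEMENTS} elements")
        ns, _, local = name.rpartition(" ")          # "uri local" or just "local"
        if state["depth"] == 2 and (ns, local) == (SOAP_ENV, "Body"):
            state["in_body"] = True
        elif state["depth"] == 3 and state["in_body"] and state["operation"] is None:
            state["operation"] = local                # first child of Body names the operation

    def end(name):
        state["depth"] -= 1

    def text(data):
        if ATTACK_SIGNATURE.search(data):
            state["hits"].append(data.strip())

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    try:
        parser.Parse(document, True)                 # well-formedness check; raises on the first error
    except xml.parsers.expat.ExpatError as e:
        return [f"not well-formed: {e}"]
    except Reject as e:
        return [str(e)]
    violations = [f"attack signature in text node: {hit!r}" for hit in state["hits"]]
    if state["operation"] is None:
        violations.append("no operation element found under soap:Body")
    elif state["operation"] not in ALLOWED_OPERATIONS:
        violations.append(f"operation {state['operation']} is not allowed")
    return violations

# Constructed sample messages
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote xmlns="urn:example:quotes"><symbol>FFIV</symbol></GetQuote></soap:Body>
</soap:Envelope>"""
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, doc in [("good", GOOD_REQUEST), ("entity bomb", BILLION_LAUGHS),
                       ("deep nesting", DEEP_NESTING), ("truncated", GOOD_REQUEST[:-10]),
                       ("wrong operation", GOOD_REQUEST.replace(b"GetQuote", b"DeleteAll")),
                       ("injection", GOOD_REQUEST.replace(b"FFIV", b"X' OR 1=1"))]:
        print(label, "->", inspect_xml(doc) or "forward")
```

The order matters: size and DTD checks run before any parser touches the bytes, the depth and element counters abort the parse early, and only a well-formed message with a permitted operation and clean text nodes is forwarded.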
Flexible Deployment Options
Policy tightening ladder (tighter security posture from bottom to top):
– Policy tightening suggestions
– Object flows
– Parameter values
– Parameter names
– Object names
– Object types (typical 'standard' starting point)
Policy-Building Tools
• "Trusted IP" Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template
Flexible Policy Granularity
Generic Policies – policy per object type
– Low number of policies
– Quick to implement
– Requires little change management
– Can't take application flow into account
Specific Policies – policy per object
– High number of policies
– More time to implement
– Requires a change management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values
The optimum policy is often a hybrid.
WAF deployment with the BIG-IP LTM & ASM
Internet -> Firewall -> BIG-IP with ASM -> Web Servers; management access via browser
ASM = Application Security Manager
Link Collection www.f5.com
Overall www.f5.com
Technical ask.f5.com
devcentral.f5.com
F5 University www.f5university.com/
» Login: your email
» Password: adv5tech
Partner Information
www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html
Gartner Report http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at http://www.f5.com/solutions/deployment/
Data Center Virtualization http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs http://www.f5.com/solutions/applications/
Solution Briefs http://www.f5.com/solutions/sb/
F5 Compression and Cache Test http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
F5 is the Global Leader in Application Delivery Networking
Users (at home, in the office, on the road) -> Application Delivery Network -> Data Centre (SAP, Microsoft, Oracle)
Business goal: achieve these objectives in the most operationally efficient manner.