F5 - BigIP ASM introduction

Posted on 21-Oct-2014


Transcript

Slide 1: BIG-IP ASM Comprehensive Application Security

Presenter

Slide 2: Attacks are Moving “Up the Stack”

Network Threats: 90% of security investment focused here

Application Threats: 75% of attacks focused here

Source: Gartner

Slide 3: Almost every web application is vulnerable!

• “97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks” - Web Application Security Consortium

• “8 out of 10 websites vulnerable to attack” - WhiteHat “security report”

• “75 percent of hacks happen at the application.” - Gartner “Security at the Application Level”

• “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research

Slide 4: (charts) Figure 2 and 5: 10th Website Security Statistics Report (Q3 2010)

Slide 5: How long to resolve a vulnerability?

(chart) Website Security Statistics Report

Slide 6: Developers are asked to do the impractical...

Application Security?

Application Scalability

Application Performance

Application Patching

Application Development

Slide 7: Who is responsible for application security?

Network Security?

Web developers?

DBA?

Engineering services?

Slide 8: Traditional Security Devices vs. WAF

Comparison table. Columns: ASM (App. Security and Acceleration), Network Firewall, IPS. Each cell on the slide is marked X (covered), Limited, or Partial; the per-cell marks did not survive with their row alignment, only the row labels did. Rows:

• Known Web Worms
• Unknown Web Worms
• Known Web Vulnerabilities
• Unknown Web Vulnerabilities
• Illegal Access to Web-server files
• Forceful Browsing
• File/Directory Enumerations
• Buffer Overflow
• Cross-Site Scripting
• SQL/OS Injection
• Cookie Poisoning
• Hidden-Field Manipulation
• Parameter Tampering
• Layer 7 DoS Attacks
• Brute Force Login Attacks

Slide 9: Web Application Firewall - ASM

Diagram tiers, from the user to the application: User, Intelligent Client, Network Plumbing, Application Infrastructure, Application.

Network-layer controls shown: Firewall, VPN, IPS, IDS-IDP, Anti-Virus.

Application-layer threats in HTTP/S traffic shown against ASM:

• Buffer Overflow
• Cross-Site Scripting
• SQL/OS Injection
• Cookie Poisoning
• Hidden-Field Manipulation
• Application DoS Attacks
• Error Messages
• Non-compliant Content
• Credit Card / SSN data
• Server Fingerprints
• DDOS
• Brute Force

Slide 10: Leading web attack protection - BIG-IP Application Security Manager

Diagram labels: Users; Web Applications (Physical, Virtual, Multi-Site DCs; Private and Public Cloud).

Web Application Security:

o Protect from latest web threats
o Out-of-the box deployment
o Meeting PCI compliance
o Quickly resolve vulnerabilities
o Improve site performance

Slide 11: Automatic DOS Attack Detection and Protection

o Accurate detection technique – based on latency
o 3 different mitigation techniques escalated serially
o Focus on higher value productivity while automatic controls intervene

Steps:

1. Detect a DOS condition
2. Identify potential attackers
3. Drop only the attackers
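The three steps above (detect a DoS condition from latency, identify the likely attackers, drop only those) worked through on constructed access-log lines. This is an added illustration, not F5's or ASM's code; the log format, the latency multiplier and the request-share threshold are assumptions chosen for the example, and the per-URI median is the kind of latency view the reporting slide later describes.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample access-log lines in a hypothetical format:
#   <client_ip> <method> <uri> <status> <latency_ms>
# A quiet baseline window ...
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200 120
10.0.0.6 GET /login 200 140
10.0.0.7 POST /search 200 160
10.0.0.5 GET /search 200 130
"""

# ... and a later window in which two clients hammer /search and latency climbs.
ATTACK_LOG = """\
198.51.100.9 POST /search 200 900
198.51.100.9 POST /search 200 1100
198.51.100.9 POST /search 200 1300
198.51.100.9 POST /search 503 1500
198.51.100.9 POST /search 503 1600
203.0.113.4 POST /search 200 1200
203.0.113.4 POST /search 503 1400
203.0.113.4 POST /search 503 1700
10.0.0.6 GET /index.html 200 150
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<latency>\d+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["latency"] = int(rec["latency"])
            records.append(rec)
    return records


def latency_per_uri(records):
    """Median server latency per URI, the per-URI view an operator would report on."""
    by_uri = defaultdict(list)
    for rec in records:
        by_uri[rec["uri"]].append(rec["latency"])
    return {uri: median(vals) for uri, vals in by_uri.items()}


def dos_condition(baseline, current, factor=3.0):
    """Step 1: a DoS condition exists when the current window's median latency is
    at least `factor` times the baseline median (the factor is an assumption)."""
    if not baseline or not current:
        return False
    base = median(r["latency"] for r in baseline)
    now = median(r["latency"] for r in current)
    return now >= factor * base


def suspect_clients(current, share=0.3):
    """Step 2: clients responsible for at least `share` of the requests in the
    slow window (the threshold is an assumption)."""
    counts = Counter(r["ip"] for r in current)
    total = sum(counts.values())
    return sorted(ip for ip, n in counts.items() if n / total >= share)


def clients_to_drop(baseline_text, current_text):
    """Step 3: return only the suspected attackers, and nothing at all when no
    DoS condition exists, so ordinary clients are never dropped."""
    baseline = parse(baseline_text)
    current = parse(current_text)
    if not dos_condition(baseline, current):
        return []
    return suspect_clients(current)


if __name__ == "__main__":
    print("per-URI median latency:", latency_per_uri(parse(ATTACK_LOG)))
    print("drop:", clients_to_drop(BASELINE_LOG, ATTACK_LOG))
```

Latency is used as the trigger rather than raw request volume because a flood that the server absorbs without slowing down does the application no harm, while a small number of expensive requests that do slow it down should be caught; once the condition fires, only the clients dominating the slow window are acted on.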

Slide 12: PCI Compliance Reporting

PCI DSS reporting:

• Details security measures required
• Compliance state
• Steps to become compliant

Slide 13: Protection from all of the top vulnerabilities

• OWASP Top 10 Web Application Security Risks:
  – A1: Injection
  – A2: Cross-Site Scripting (XSS)
  – A3: Broken Authentication and Session Management
  – A4: Insecure Direct Object References
  – A5: Cross-Site Request Forgery (CSRF)
  – A6: Security Misconfiguration
  – A7: Insecure Cryptographic Storage
  – A8: Failure to Restrict URL Access
  – A9: Insufficient Transport Layer Protection
  – A10: Unvalidated Redirects and Forwards

Slide 14: Example: OWASP Top 5 - CSRF Attack

CSRF Attack example:

1. Mobile user logs in to a trusted site
2. Session is authenticated
3. User opens a new tab, e.g., chat
4. Hacker embeds a request in the chat
5. The trusted link asks the browser to send a request to the hacked site

Diagram labels: Trusted Web Site; Trusted Action; Encrypted
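The flow on this slide works because the browser attaches the session cookie to any request, whichever page triggered it. The standard defence is a synchronizer token: a secret the trusted site places in its own forms, which a page on another origin cannot read. The following is an added example, not F5's or ASM's code; the session store, the form and the `/transfer` handler are hypothetical stand-ins for the trusted site.

```python
import hmac
import secrets


class SessionStore:
    """Hypothetical server-side session store for the trusted site."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        # Steps 1-2: the user logs in and gets an authenticated session whose id
        # lives in a cookie; a per-session CSRF token is generated alongside it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_transfer_form(store, sid):
    """The trusted site embeds the session's token in its own form; a page on
    another origin (the chat tab in steps 3-4) cannot read it."""
    session = store.get(sid)
    return {"action": "/transfer", "csrf_token": session["csrf_token"]}


def handle_transfer(store, request):
    """State-changing handler: the cookie proves the session, the token proves
    the request was submitted from the trusted site's own page."""
    session = store.get(request.get("cookie_sid"))
    if session is None:
        return 401, "no authenticated session"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transfer accepted for {session['user']}"


def demo():
    """Returns (status of the cross-site request, status of the legitimate one)."""
    store = SessionStore()
    sid = store.login("alice")
    # Step 5: the browser attaches the session cookie to a request the chat page
    # triggered, but that page could not obtain the token, so the form lacks it.
    cross_site = {"cookie_sid": sid, "form": {"amount": "1000", "to": "mallory"}}
    # A submission of the trusted site's own form carries the matching token.
    token = render_transfer_form(store, sid)["csrf_token"]
    legit = {"cookie_sid": sid, "form": {"amount": "10", "to": "bob", "csrf_token": token}}
    return handle_transfer(store, cross_site)[0], handle_transfer(store, legit)[0]


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

The token must be tied to the session and checked on every state-changing request, not only on those the developer remembers; a WAF that injects and verifies such tokens in front of the application is doing this same check without touching application code. Marking the session cookie `SameSite` is a complementary browser-side control, not a replacement for the token.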

Slide 15: Reporting

Slide 16: Application visibility and reporting

Monitor URIs for server latency

• Troubleshoot server code that causes latency
