Mitigating Attacks on your Applications & Data With AppWall, Igor Kontsevoy, November 2012

DSS ITSEC Conference 2012 - Radware WAF

Jul 16, 2015


Andris Soroka
Transcript
Page 1: DSS ITSEC Conference 2012 - Radware WAF

Mitigating Attacks on your Applications & Data With AppWall

Igor Kontsevoy, November 2012

Page 2

The Need: Better Secured Web Applications

Page 3

Web Applications are Easy to Exploit

• Whole system open to attack
• Thousands of Web security vulnerabilities
• Can target different layers
• Minimal attention to security during development, especially when outsourced
• Traditional defences inadequate

All they need is a browser.

Page 4

Web Site Defacements (before)

Page 5

Web Site Defacement (after)

City of Detroit Defacement – Jan 2010

Page 6

Data Security Breaches

Jan 31, 2011: “Online dating Web site PlentyOfFish.com has been hacked, exposing the personal information and passwords associated with almost 30 million accounts”

Page 7

Top Web Attack Impacts

• Source: webappsec.org

Page 8

Lost Record Cost Rises

The average total cost of a data breach rose to $6.75 million in 2009.

Page 9

Millions of Records Breached

Records of sensitive information (CCN, SSN, etc.) breached through hacking attempts, counting the USA only.

Page 10

Source of Breach

• Source: 7safe.com

Page 11

PCI

Page 12

Payment Card Industry (PCI) – Definition

• The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by the major credit card companies as a guideline for organizations that process card payments, to prevent credit card fraud, hacking and other security issues.

Page 13

PCI v2.0: Requirement 6.6

• 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  – Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  – Installing a web-application firewall in front of public-facing web applications

Page 14

45% of orgs experience Data Breach !!!

• 670 US and multinational IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed in April 2011.

Page 15

The Solution: AppWall

Page 16

Introducing AppWall

• AppWall™ is a WAF that secures Web applications and enables PCI compliance by:
  – Blocking attacks on Web applications
  – Preventing data theft and manipulation of sensitive data
• Available either as a Physical or Virtual Appliance.

Page 17

Complete Web Application Protection

• Signature & Rule Protection: Cross site scripting (XSS); SQL injection, LDAP injection, OS commanding
• Terminate TCP, Normalize, HTTP RFC: Evasions; HTTP response splitting (HRS)
• Data Leak Prevention: Credit card number (CCN) / Social Security (SSN); Regular Expression

Page 18

Complete Web Application Protection

• Parameters Inspection: Buffer overflow (BO); Zero-day attacks
• User Behavior: Cross site request forgery; Cookie poisoning, session hijacking
• Layer 7 ACL: Folder / file level access control; White listing or black listing
• XML & Web Services: XML validity and schema enforcement
• Role Based Policy: Authentication; User tracking

Page 19

AppWall’s Adaptive Auto Policy Generation

Page 20

Adaptive Auto Policy Generation (1 of 4): App Mapping

Mapped application paths of the example site Reservations.com: /config/, /hotels/, /register/, /info/, /reserve/, /admin/

Page 21

Adaptive Auto Policy Generation (2 of 4): Threat Analysis

Risk analysis per “application-path” for the mapped site Reservations.com (/config/, /hotels/, /register/, /info/, /reserve/, /admin/).

Threats identified: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal.

Potential impacts: information leakage; gain root access control; unexpected application behavior, system crash, full system compromise; spoof identity, steal user information, data tampering.

Page 22

Adaptive Auto Policy Generation (3 of 4): Policy Generation

For the mapped paths of Reservations.com and the threats found (SQL Injection, CCN breach, Buffer Overflow, Directory Traversal), the generated policy includes:

• Prevent access to sensitive app sections
• Mask CCN, SSN, etc. in responses (shown on the slide as ***********9459)
• Parameters inspection
• Traffic normalization & HTTP RFC validation

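The response masking of slide 22 and the CCN/SSN data-leak prevention of slide 17, as an added Python example (not Radware's code and not taken from the deck): a filter run over an outbound response body that masks card numbers to their last four digits and SSNs to their last four. The regular expressions, the Luhn pre-check that keeps plain digit runs such as order numbers from being masked, and the sample body are my own assumptions.

```python
import re

# Candidate card numbers (PANs): 13 to 19 digits, optionally separated by
# single spaces or dashes; the word boundaries stop longer digit runs matching.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security numbers in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: a regex alone also flags order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_ccn(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number: leave the text unchanged
    # Keep only the last four digits, as in the slide's ***********9459.
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_ssn(match):
    return "***-**-" + match.group(0)[-4:]


def mask_response_body(body):
    """Rewrite an outbound response body so card numbers and SSNs leave masked."""
    body = CCN_RE.sub(_mask_ccn, body)
    return SSN_RE.sub(_mask_ssn, body)


# Constructed sample response body (not real data): one Luhn-valid test card
# number, one 13-digit order id that must survive, and one SSN-shaped value.
SAMPLE_BODY = (
    "<p>Card on file: 4111 1111 1111 1111</p>\n"
    "<p>Order 1234567890123 shipped</p>\n"
    "<p>Tax id: 123-45-6789</p>\n"
)

if __name__ == "__main__":
    print(mask_response_body(SAMPLE_BODY))
```

A WAF doing this on every response must also handle compressed and chunked bodies before the regexes see them, which this stand-alone filter leaves to the caller.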

Page 23

Adaptive Auto Policy Generation (4 of 4): Policy Activation

App Mapping, Threat Analysis and Policy Generation (for the mapped Reservations.com paths and the SQL Injection, CCN breach, Buffer Overflow and Directory Traversal threats) feed Policy Activation: add tailored application rules, then optimize rules for best accuracy.

Time to protect: virtually zero false positives, best security coverage.

Page 24

Security & Compliance Reporting

Page 25

Best Security & Compliance Reports

• Network and application security correlation reports
• Dozens of predefined security reports
• Learning reports detailing learned app resources
• Audit and access reports
• PCI Compliance reports

Page 26

The Reporting Dashboard

Page 27

Top Attacks by Source

Page 28

PCI Compliance Summary Report

Report columns: PCI Requirement | Analysis Info | Action Plan | Compliance Status

Page 29

Summary

Page 30

The Cost of Insecurity

Page 31

The End