1
BIG-IP ASM Comprehensive Application Security
2
Attacks are Moving “Up the Stack”
Figure: network threats vs. application threats.
Network threats: 90% of security investment is focused here.
Application threats: 75% of attacks are focused here.
Source: Gartner
3
Almost every web application is vulnerable!
• “97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks” - Web Application Security Consortium
• “8 out of 10 websites vulnerable to attack” - WhiteHat “Security Report”
• “75 percent of hacks happen at the application.” - Gartner “Security at the Application Level”
• “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
4
Figures 2 and 5: 10th Website Security Statistics Report (Q3 2010)
5
How long to resolve a vulnerability?
Chart: time to resolve, from the Website Security Statistics Report
6
Developers are asked to do the impractical...
• Application Security?
• Application Scalability
• Application Performance
• Application Patching
• Application Development
7
Who is responsible for application security?
• Network Security?
• Web developers?
• DBA?
• Engineering services?
8
Traditional Security Devices vs. WAF
Threat coverage table with three columns: Network Firewall, IPS, and ASM (WAF). Rows:
• Known Web Worms
• Unknown Web Worms
• Known Web Vulnerabilities
• Unknown Web Vulnerabilities
• Illegal Access to Web-server files
• Forceful Browsing
• File/Directory Enumerations
• Buffer Overflow
• Cross-Site Scripting
• SQL/OS Injection
• Cookie Poisoning
• Hidden-Field Manipulation
• Parameter Tampering
• Layer 7 DoS Attacks
• Brute Force Login Attacks
• App. Security and Acceleration
Cell markings as they appear on the slide: the Network Firewall column carries “Limited” on five rows, the IPS column carries “Limited” or “Partial” on seven rows, and “X” (protected) marks fill the ASM column (the per-row placement of the firewall and IPS entries is not recoverable from the slide text).
9
Web Application Firewall - ASM
Diagram: Intelligent Client → Network Plumbing (Firewall, IPS, VPN, IDS-IDP, Anti-Virus) → Application Infrastructure (Application Firewall) → Application. HTTP/S traffic from the user passes the application firewall before it reaches the application.
Attacks listed at the application firewall: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Application DoS Attacks, DDoS, Brute Force.
Content listed at the application firewall: Error Messages, Non-compliant Content, Credit Card / SSN data, Server Fingerprints.
10
Leading web attack protection: BIG-IP Application Security Manager
Diagram: Users; Web Applications hosted on physical and virtual platforms, in multi-site data centers, and in private and public cloud.
Web Application Security
• Protect from latest web threats
• Out-of-the-box deployment
• Meeting PCI compliance
• Quickly resolve vulnerabilities
• Improve site performance
11
Automatic DoS Attack Detection and Protection
• Accurate detection technique, based on server latency rather than request volume alone
• 3 different mitigation techniques, escalated serially
• Focus on higher-value productivity while automatic controls intervene
Flow: Detect a DoS condition → Identify potential attackers → Drop only the attackers
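The three-step flow above, worked through in code as an added example (this is not ASM's implementation, and ASM's real thresholds and its serial escalation of three mitigations are not modelled): a per-URI latency baseline is learned from a quiet period, a DoS condition is declared when the latency of a window exceeds that baseline by an assumed margin, the source IPs driving the affected URIs are identified by request rate, and only their requests are dropped. The log records, the 50% latency margin, the 10-second window and the per-IP rate threshold are all constructed for the illustration.

```python
"""Latency-based layer 7 DoS detection over constructed access-log records.

Added illustration, not F5 ASM code. The thresholds and the log data below
are assumptions chosen for the example.
"""
from collections import defaultdict
from statistics import mean

# Constructed records: (timestamp_sec, client_ip, uri, server_latency_ms)
# Quiet period: five users, /login answers in 40-50 ms.
BASELINE_LOG = [
    (t, f"10.0.0.{1 + t % 5}", "/login", 40 + (t % 3) * 5) for t in range(0, 60)
]
# Attack window: one normal user plus a single source flooding /login,
# during which the server's latency climbs to ~300 ms.
ATTACK_LOG = [
    (60 + t, "10.0.0.1", "/login", 45) for t in range(0, 10)
] + [
    (60 + t // 20, "203.0.113.7", "/login", 300 + t % 7) for t in range(0, 200)
]

LATENCY_INCREASE = 0.5   # assumed: DoS condition when latency is 50% above baseline
WINDOW_SEC = 10          # assumed: length of the detection window in seconds
RATE_THRESHOLD = 5.0     # assumed: requests/sec per IP treated as an attacker


def baseline_latency(records):
    """Learn the mean server latency per URI (ms) from a quiet period."""
    per_uri = defaultdict(list)
    for _, _, uri, latency in records:
        per_uri[uri].append(latency)
    return {uri: mean(v) for uri, v in per_uri.items()}


def detect_dos(records, baseline):
    """Step 1: URIs whose mean latency in this window exceeds baseline * (1 + margin)."""
    per_uri = defaultdict(list)
    for _, _, uri, latency in records:
        per_uri[uri].append(latency)
    return sorted(
        uri for uri, v in per_uri.items()
        if uri in baseline and mean(v) > baseline[uri] * (1 + LATENCY_INCREASE)
    )


def identify_attackers(records, uris):
    """Step 2: client IPs whose request rate to the affected URIs is above threshold."""
    counts = defaultdict(int)
    for _, ip, uri, _ in records:
        if uri in uris:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n / WINDOW_SEC > RATE_THRESHOLD)


def mitigate(records, attackers):
    """Step 3: drop only the attackers' requests; every other request passes."""
    kept = [r for r in records if r[1] not in attackers]
    return kept, len(records) - len(kept)


def run(baseline_records, window_records):
    """Run the whole flow for one detection window and summarise the outcome."""
    base = baseline_latency(baseline_records)
    uris = detect_dos(window_records, base)
    attackers = identify_attackers(window_records, uris) if uris else []
    kept, dropped = mitigate(window_records, attackers)
    return {"affected_uris": uris, "attackers": attackers,
            "dropped": dropped, "kept": len(kept)}


if __name__ == "__main__":
    print(run(BASELINE_LOG, ATTACK_LOG))
    print(run(BASELINE_LOG, BASELINE_LOG[:10]))
```

Keying detection on latency is what keeps the legitimate user in the window from being touched: in the quiet window no URI crosses the latency margin, so no IP is ever rated, and in the attack window the flooding source is the only one whose rate exceeds the threshold.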
12
PCI Compliance Reporting
PCI DSS reporting:
• Details the security measures required
• Compliance state
• Steps to become compliant
13
Protection from all of the top vulnerabilities
• OWASP Top 10 Web Application Security Risks (2010 edition):
– A1: Injection
– A2: Cross-Site Scripting (XSS)
– A3: Broken Authentication and Session Management
– A4: Insecure Direct Object References
– A5: Cross-Site Request Forgery (CSRF)
– A6: Security Misconfiguration
– A7: Insecure Cryptographic Storage
– A8: Failure to Restrict URL Access
– A9: Insufficient Transport Layer Protection
– A10: Unvalidated Redirects and Forwards
14
Example: OWASP Top 10 A5 - CSRF Attack
1. Mobile user logs in to a trusted site.
2. Session is authenticated.
3. User opens a new tab, e.g., chat.
4. Hacker embeds a request in the chat.
5. The embedded link makes the browser send a request to the trusted site; the browser attaches the authenticated session cookie, so the trusted site performs the action as the logged-in user.
Diagram: Trusted Web Site; Trusted Action (Encrypted)
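The five steps above, played out against two versions of the same state-changing handler, as an added example (not code from the slides or from F5; the session store, the form field names and the origin are assumed for the illustration). The vulnerable handler trusts the session cookie alone, so the request the attacker's page makes the browser send succeeds. The protected handler additionally requires a per-session anti-CSRF token that only pages served by the trusted site can embed, and rejects cross-site `Origin` headers; the attacker's page can make the browser send the cookie but cannot read the token.

```python
"""CSRF: cookie-only authorisation versus a per-session anti-CSRF token.

Added illustration, not the slide deck's or F5's code. SESSIONS, the
/transfer handler shape and TRUSTED_ORIGIN are assumptions for the example.
"""
import secrets
from typing import Dict

SESSIONS: Dict[str, Dict[str, str]] = {}   # session id -> {"user": ..., "csrf": ...}
TRUSTED_ORIGIN = "https://trusted.example"  # assumed origin of the trusted site


def login(user: str) -> str:
    """Steps 1-2: issue a session cookie and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the trusted site embeds in its own forms (never readable cross-site)."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(cookies: Dict[str, str], form: Dict[str, str]) -> str:
    """Only the cookie is checked, so any request the browser sends with it succeeds."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    return f"200 transferred {form['amount']} to {form['to']} for {sess['user']}"


def transfer_protected(cookies: Dict[str, str], form: Dict[str, str],
                       headers: Dict[str, str]) -> str:
    """Same action, gated by an Origin check and a constant-time token comparison."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return "403 cross-site origin"
    if not secrets.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return "403 missing or bad CSRF token"
    return f"200 transferred {form['amount']} to {form['to']} for {sess['user']}"


def simulate(protected: bool) -> Dict[str, str]:
    """Steps 3-5: the user is logged in; a page in another tab (the chat) embeds a
    form that auto-submits to the trusted site. The browser attaches the session
    cookie to that request, but the attacker's page has no way to obtain the token."""
    sid = login("alice")
    cookies = {"sid": sid}
    forged_form = {"to": "attacker", "amount": "1000"}      # no token available
    forged_headers = {"Origin": "https://chat.example"}     # browser fills this in
    genuine_form = {"to": "bob", "amount": "10", "csrf": csrf_token_for(sid)}
    genuine_headers = {"Origin": TRUSTED_ORIGIN}
    if protected:
        return {"forged": transfer_protected(cookies, forged_form, forged_headers),
                "genuine": transfer_protected(cookies, genuine_form, genuine_headers)}
    return {"forged": transfer_vulnerable(cookies, forged_form),
            "genuine": transfer_vulnerable(cookies, genuine_form)}


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("protected: ", simulate(True))
```

The token check is the essential control; the `Origin` check is a cheap second layer that only helps when the browser sends the header, which is why the handler tolerates its absence rather than relying on it alone.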
15
Reporting
16
Application visibility and reporting
Monitor URIs for server latency
• Troubleshoot server code that causes latency