Web Application Security Roadmap – OWASP AppSec NYC 2008

Sep.24, 2008 in OWASP AppSec NYC 2008

For the first session of the day, I decided to check out the Web Application Security Roadmap presentation by Joe White, President of Cyberlocksmith Corporation. Web application security is still very much in it’s infancy. Traditional “operations” teams do not understand web application security risk and are ill-equipped to defend against web application threats. Many companies are wrestling with who takes ownership of web application security. Still trying to figure out where they fit in the organization. Security “turf battles” are inevitable in these situations. No clear separation between where web app sec stops and traditional operation security begins.

Begin by building a foundation. Find your web application vulnerabilities. Address your web application vulnerabilities. Monitor/detect web application compromise attempts. Decide upon threat classification framework and scoring model. Develop web application incident response plan.

Next, look at your internal projects. Scope/prioritize internal web application specific projects. Proactively increase security awareness. Threat modeling and data flow diagrams. Manual code review (outside expert). Other possible roadmap items to consider.

To find web application vulnerabilities, there is an automated component and a manual component. For the automated component, choose the automated assessment tool that works best with your web application technology. Make sure you are addressing all internet facing web application exposure. Deploy a static source code analysis tool to scan for security vulnerabilities within the source code. The manual component is required to compliment the automated assessment. You work to better educate manual assessment teams of the way your web application functions so they can better detect logic flaws and other pieces likely to be missed by the automated scans. Integrate both peer code review and manual review of the static source code analysis results into your SDLC.

Web Application Security Assessment CapEx and Deployment Times

30 days to evaluate each vendor if conducting a bake-off
0-4 weeks to deploy chosen tool after the evaluation phase
CapEx for web application security assessment tools will vary between vendors. Budget for 25-50k

Static Source Code Analysis CapEx and Implementation Times

30 days to evaluate each vendor if conducting a bake-off
3-6 weeks to deploy chosen tool after the evaluation phase
CapEx will vary between vendors and will likely depend on the chosen deployment scenario as well as how many developers are using hte tool. Budget for 50-105k (1-3k per developer)

Mitigate immediate internet facing risk. Block your exposure from web application vulnerabilities as close as possible to when they are discovered. THIS IS CRITICAL! Buys you time to fix vulnerabilities in the underlying code. WAF will minimize threat window for each exposure by blocking access to vulnerability until it can be fixed in the code.

Address the vulnerabilities in the code. Web app sec assessment tool should assist in locating specific code level changes that need to be made. Static Source Code analysis will point directly to specific code level changes that need to be made.

WAF Vendors: Breach, ModSecurity, Imperva, F5, Citrix, Barracuda, Deny All, BeeWare, BinarySEC, Cisco, and Fortify Real-Time Analysis.

WAF Firewall CapEx and Deployment Times

30 days to evaluate each vendor if conducting a bake-off
4-8 weeks to deploy chosen tool after the evaluation phase
Ongoing management and fine-tuning can be expected after deployment
CapEx varies between vendors. Expect approximately 25-40k per appliance and need at least two for redundancy
Budget for 75-100k (more for presence at multiple datacenters)

Check out wafreviews.com! It’s a webappsec community supported site for information and resources related to WAF Reviews and Evaluations. If you have participated in a recent bake-off of WAF technology and are able to share your results, feel free to forward your evaluation results to submit@wafreviews.com. Mission is to be fair, objective, and comprehensive.

Detecting web application compromise attempts. Use a WAF! Looks at Web Application (Layer 7) data and acts upon it. Similar to traditional network (Layer 4) firewall. But more like a gateway than a firewall. Likes to call it a “Web Application Risk Management (WARM)” device. Device sits between your normal firewall and your web application server.

WAF Use Cases

Web intrusion detection and prevention
Continuous security assessment
Virtual (or just-in-time) patching
HTTP traffic logging and monitoring
Network building blocks
Web application hardening

Detect web application compromise attempts. You cannot protect what you cannot see. You will need greater visibility into application layer traffic. This is usually the place that traditional operations security folks do not understand. WAF should monitor and detect application anomalies and compromise attempts from users. WAF offers greater visibility into application security events. As WAF market matures, you can expect the WAF to be fed real-time vulnerabilities by your web application security assessment tool in order to proactively block newly discovered attacks. The tricky part here is that you will likely need the help of the traditional operations security guys to help you implement and succeed.

Decide upon threat classification framework.

Develop a web application incident response plan. This is the piece overlooked by most organizations. You do not want to be blind-sided by a web application security event while you are earning the trust of both your management and peers.

webappir.com Seeking presentations and other educational material to assist web application security professionals.

Don’t let internal projects distract you from building the foundation! Integrate security into the SDLC. Secured development lifecycle.

Increase security awareness. Executive web application security risk awareness. Developer training.

Threat modeling and data flow diagrams. Understand all entry and exit points into the web application. Understand threat scenarios.

Manual code review (outside expert). Include all tiers in the application architecture. Address internet facing code first and then move on to application tier and then database tier.

Other roadmap items to consider. DDoS attacks. Anti-phishing. Seecurity Center – reporting features of WAF should be available for users to increase security awareness and proactively address security weaknesses. Web application security metrics.

Information security risks and threats change over time. You must adapt to these changes. Web application security is the current threat that you need to understand and be adapting to. If you are new, it is OK because there is still time to change and adapt. Don’t be an information security dinosaur. Latest version of the presentation available at http://www.webappsecroadmap.com

Tags: application security, appsec, owasp, roadmap, web

Welcome to WebAdminBlog!

This blog site is run by Josh Sokol, the Founder and CEO of SimpleRisk, a free tool for Governance, Risk Management, and Compliance. Josh is a former Web Admin and Information Security Program Owner of National Instruments.

Categories
Recent Posts
Recent Comments
devops
Links
Security
Tags
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi
Categories
- Advertising (2)
- Application Performance Management (14)
- Automation (4)
- Browsers (4)
- Cloud Computing (9)
  - Elastic Compute Cloud (3)
- Conferences (64)
  - BSides Austin 2013 (1)
  - BSides Austin 2016 (1)
  - OWASP AppSec DC 2009 (16)
  - OWASP AppSec NYC 2008 (18)
  - OWASP LASCON 2017 (1)
  - OWASP LASCON 2018 (1)
  - TRISC 2009 (8)
  - Velocity 2008 (8)
  - Velocity 2009 (8)
- Content Management (2)
- Featured (3)
- Green Computing (1)
- High Availability (1)
- Log Management (2)
- Management (4)
- Monitoring (4)
- Networking (12)
  - Firewalls (4)
  - NetFlow (4)
- Operating Systems (2)
  - Linux (2)
  - Mac OSX (1)
  - Unix (2)
- Operations (11)
- Popular (2)
- SaaS (2)
- Sarcasm (1)
- Search (1)
  - Enterprise Search (1)
- Security (75)
  - Access Management (1)
  - Capture the Flag (4)
  - Cloud Computing (4)
  - Compliance (1)
  - Disaster Recovery (1)
  - Malware (4)
  - Metrics (2)
  - OWASP (2)
  - PCI (2)
  - Phishing (2)
  - Physical (1)
  - Risk Management (2)
  - Virtualization (3)
  - Web Application Security (32)
    - Dynamic Analysis (1)
    - Static Analysis (1)
  - Wireless Networks (5)
- Service-Oriented Architecture (1)
- Software and Tools (15)
  - Crashplan (1)
  - Drobo (1)
  - GRC (1)
- Training (2)
- Uncategorized (1)
- Virtualization (4)

Blogroll
- Agile Operations Blog
- Agile Testing
- Agile Web Operations
- Amazon Web Services Blog
- dev2ops – Web Ops at Scale
- Gilligan on Data Web Analytics pro tips
- ISSA Home The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners.
- Kitchen Soap, A WebOps Blog
- Michael Howard's Blog Software security guy at Microsoft.
- National Instruments Home The majority of the contributers here are current or past NI employees.
- OWASP Home The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
- RSnake's Blog ha.ckers.org web application security lab
- Server Fault
- Steve Souders’ Blog Google High Performance Guru
- The Madstop
- The Open Minded Enterprise
- The Simple Logic
- Transparent Uptime blog
Archives
- March 2019
- October 2017
- April 2016
- January 2016
- December 2015
- May 2015
- November 2014
- August 2014
- June 2014
- May 2014
- October 2013
- September 2013
- August 2013
- May 2013
- March 2013
- February 2013
- October 2012
- May 2011
- April 2011
- December 2010
- July 2010
- June 2010
- April 2010
- March 2010
- February 2010
- January 2010
- November 2009
- September 2009
- July 2009
- June 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
Tag Cloud
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi

Web Admin Blog

Real Web Admins. Real World Experience.

Web Application Security Roadmap – OWASP AppSec NYC 2008

Leave a Reply

Welcome to WebAdminBlog!

Categories

Recent Posts

Recent Comments

devops

Links

Security

Categories

Blogroll

Archives

Tag Cloud