Open Source Web Application Security Project
Software automated security analysis and testing tools
Secure testing guidance of OWASP
OWASP devtools and best practice to support development, project and OA testers to secure web application
To be compliant either regular source code or using web application firewall
Specifically the access to web application, measures the extent to which the required changes to the app. Source code are actually carried out, in-house, on-time, or can be carried out by third party
Attacks such as SQL injection, cross-site scripting or sessions hijacking are aimed at vulnerabilities
*WebApp → not a network layer, so sometimes IT security systems such as firewalls or IDS/IPS
Http is stateful, stateful applications must be defined separately and implemented securely
Web Application which seems to be unimportant at first glance should have minimum secured against known attacks
Priority of Web Apps
Access to personal data of customer partners and/or employee
Access to confidential information
Essential requirements for the completion of critical business process
Relevance for the attainment of critical security certifications
Possibility effect of non-availability or data loss
Interruption of business
Loss of Reputation
Damage compensation claims
Revocation of licenses
Loss of confidential information
Technical Aspects
Design phase tools are needed for implementation as will test and quality assurance tools
Complete documentation of architecture and the source code or availability of the developers
Maintenance contracts for the application architecture
Short error rectification times by the manufacturers of third party products
Development Phase:
Methods such as static source code analysis help to promptly detect and rectify vulnerabilities
Penetration tests cover vulnerabilities of external behaviour
Primary Goal is to secure web applications against detected vulnerabilities
Secure Web applications that are in production using WAF learning mode
Learning mode
Learning policy has been active sufficiently long enough to collect some useful information reports built from the analysed logs.
Learning report will allow administrator make informed decisions
Discover which policies are being used for unintended purposes and to verify what policies are being used for intended purpose.
Traffic may have changed so set aside some time for re learning traffic
WAF Benefits
WAF for PCI DSS is alternative to regular code subsequent protection of completed, productive, web applications on app layer level
**Suitable for attaining industrial standards
When a vulnerability is uncovered using pen test or a source code review
WAF can promptly fix a vulnerability using a hotfix
WAS are easily collaborated with source code analysis tools
Easy Protection (simple to implement)
Basic protection against known attacks vulnerabilities based on blacklists
Attain industry standards without source code reviews
With a WAF who has whitelisting the vulnerabilities can be fixed promptly (hotfix)
Secure productions web apps
Additional Benefits WAF
Error messages can be evaluated at the WAF same applies to all aspects of monitoring and reporting
Secure Sessions management for all applications based on cookie stores
Proactive security mechanisms such as URL encryption for site usage enforcement
In front of WebServers can often terminate SSL connections and also sometimes Load Balancers