3/6/2015

Category: OWASP Best Practices: Use of Web Application Firewalls - OWASP
Abstract

Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself, and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.

One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS, Payment Card Industry Data Security Standard v. 1.1), for example, is either a regular source code review or the use of a WAF.

The document is aimed primarily at technical decision makers, especially those responsible for operations and security, as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid wherever possible to the display of work estimates, including in comparison to possible alternatives such as modifications to the source code.

In addition to the importance of the web application regarding turnover or image, the term "access to a web application" used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, the access to a web application measures the extent to which the required changes to the application source code are actually carried out in-house, on time, or can be carried out by third parties. As illustrated by the graph below, a web application to which there is no access can only be protected sensibly by a WAF (additional benefit of the WAF). Even with an application in full access, a WAF can be used as a central service point for various services such as secure session management, which can be implemented for all applications equally, and as a suitable means for proactive safety measures such as URL encryption.

[Figure: http://www.owasp.org/Image:Best_Practice_WAFchartEN.png]

https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls

Further key topics discussed in this paper include best practices for processes concerning the installation and operation of a WAF as well as, in particular for larger companies, a description of the role of the WAF application manager.

A1 Introduction and aim of this document

A1.1 Introduction

Whether the online branch of a bank, an online shop, a customer, partner or employee portal: all of these web applications are available to their customers as well as their attackers around the clock due to the always-on nature of the internet. Attacks such as SQL injection, cross-site scripting or session hijacking are aimed at vulnerabilities in the web applications themselves and not at those on the network level. For this reason, traditional IT security systems such as firewalls or IDS/IPS are either totally unable to guard against these attacks or are incapable of offering comprehensive protection.

From a technical point of view the fundamental issue is that the web, especially the HTTP protocol, was not designed for such complex applications as are currently state of the art. Many vulnerabilities have their origin here: for example, HTTP is not stateful, i.e. sessions or stateful applications must be defined separately and implemented securely. These vulnerabilities are increased even further by the high degree of complexity of the web scripts, frameworks and web technologies frequently used.

In addition to the recent introduction of industrial standards, e.g. the data security standard of the credit card industry (PCI DSS v1.1), security breaches in Germany which have only recently been revealed, such as the loss of approx. 70,000 items of customer data incl. credit card information for online ticket dealer kartenhaus.de, have ensured an increased level of interest in possible security measures against application-level attacks.

This document covers a category of security systems, the Web Application Firewalls (WAF), which are especially well suited for securing web applications which are already in production.

A1.2 Definition of the term WAF - Web Application Firewall

In this document, a WAF is defined as a security solution on the web application level which, from a technical point of view, does not depend on the application itself. This document focuses on the exposition and evaluation of the security methods and functions provided by a WAF. Aspects of the deployment within the existing IT infrastructure, whether as a hardware appliance, a software plugin for a web server or as an add-on for existing infrastructure components such as load balancers or network firewalls, are only covered in brief. Unlike the definition in WAFEC, it is not assumed that a WAF has to be available as a separate hardware appliance in front of the web servers; this certainly does not represent the best implementation option, especially in large, fast-growing infrastructures.

A1.3 Target readership and objective

The document is aimed primarily at technical decision makers, especially those responsible for operations and security, as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid wherever possible to the display of work estimates. Further key topics discussed in this paper include best practices for processes concerning the installation and operation of a WAF as well as, in particular for larger companies, a description of the role of the WAF application manager.

A2 Characteristics of web applications with regard to Web Application Security

A2.1 Higher-level aspects within the organization

Especially within larger organizations, many aspects need to be taken into account regarding the importance of the security of the web applications in operation.

One of the most important aspects is the number of productive web applications in the company. Large companies often operate, in-house or externally, web applications numbering in the hundreds. Even if a prioritisation of each individual web application in order of its relevance for the success of the organization is reasonable, it is nevertheless necessary to assume that all web applications operated in-house, depending on the architecture, could permit an attack on internal systems given the right attack methods. Even web applications which seem to be unimportant at first glance should at minimum be secured against known attacks.


The following aspects should be considered when prioritizing web applications in regard to their importance for the organization:

- Access to personal data of customers, partners and/or employees
- Access to confidential information
- Essential requirement for the completion of critical business processes
- Relevance for the attainment of critical (security) certifications.

Possible effects of the non-availability or data loss in the web applications include:

- Interruption of business processes (including those of customers or partners)
- Loss of reputation
- Damage compensation claims
- Revocation of licenses
- Loss of confidential information.

For other aspects such as risks and costs, see A4.3 and A6.4.

A2.2 Technical aspects of each of the company's individual web applications

The decision regarding suitable security measures for a web application essentially depends on the relevant phase in the application development process. This means that in the design phase suitable tools for the implementation as well as test and quality assurance tools can be selected; where appropriate the developers can also be trained in web application security and the relevant time frame until the deployment into productive operation can be extended.

For already completed or productive applications, very different aspects are relevant with regard to subsequent possible security measures, such as:

- Complete documentation of the architecture and the source code, or availability of the developers of the web application
- Maintenance contracts for all components of the application architecture
- Short error rectification times by the manufacturer of third-party products used

Only if these aspects have been met can the application be secured within the existing application infrastructure, irrespective of the amount of work involved.

A3 Overview of Web Application Firewall (WAF) features

A3.1 Where WAFs fit into the Web Application Security field as a whole

The basic principle is that every web application should be developed as securely as possible. This is because the later a vulnerability is detected in the life cycle of a web application, the greater the risk of a successful attack, and often also the amount of work involved in correcting the issue.

In addition to appropriate training measures, e.g. on the basis of the OWASP guidelines, the application development can be supported effectively by the use of various tools. Tools such as Stinger are normally based on a framework (J2EE in this example); they are part of the application (even if they can be added to completed applications conforming to J2EE) and, from an organisational point of view, are thus generally subject to the normal application release cycle. At their core, they effectively help developers in making their application more secure. Unlike WAFs, they will always be part of the application, however. These tools are mentioned in this document at various points, in particular in relation to the comparative amount of work for various security measures, but they themselves are not the focus of this document.
In the development phase, methods such as static source code analysis help to promptly detect and rectify vulnerabilities in the code. This additionally includes penetration tests, ideally carried out by experts, which cover the vulnerabilities in the external behaviour of the web application in productive operation as well.

In this context, it is the primary function of a WAF to secure web applications against detected vulnerabilities, with as little effort as possible, so that they cannot be exploited by attackers. This is already a very challenging task due to the high degree of complexity of the typical web application infrastructure: web servers, application servers, frameworks, as well as the typical components of a web application (session handling with cookies, input validation, etc.).

The main aim in using a WAF is therefore securing the existing, often productive web applications, where the required changes within the application can no longer be implemented or can only be implemented with a disproportionately large amount of work. This applies in particular to vulnerabilities which have been revealed via a penetration test or even via analysis of the source code, and especially to those which in the short term cannot be fixed within the application. Besides the basic protection via blacklisting (in other words the description of known attack patterns), the basic feature of the WAF is the option of whitelisting, which can be configured appropriately. With active whitelisting, the rule set of the WAF describes the exact behaviour of the application; the configuration of suitable whitelists is often supported via a learning mode.

In addition, several WAFs also offer functionalities which extend beyond a purely protective nature and which can therefore also be used in the design process in order to avoid unnecessary work. The WAF therefore becomes a central service point for completing tasks which would otherwise be on the application side, but which can and should be addressed in the same way for all applications. Examples of this include secure session management for all applications based on cookie stores, central authentication and authorisation, the collection of all relevant error messages and log files, or the option for proactive security mechanisms such as URL encryption.

The table below uses what are currently the most well-known vulnerabilities or methods of attack on web applications to indicate the protection offered by WAFs. The usual functionality of a WAF is assumed, although not all WAFs available on the market necessarily offer all the functionality described here.

A3.2 Typical security mechanisms of WAFs using specific vulnerabilities as example

The table below gives possible security measures (Countermeasure column) for typical threats, vulnerabilities and attacks (Problem column), and in the WAF column evaluates how well a WAF can protect the application. The symbols indicate:

+ : very well covered by a WAF
- : cannot be covered (or only to a small degree) by a WAF
! : dependent on the WAF/application/requirements
= : can partially be covered by a WAF

| Problem | WAF | Countermeasure |
|---|---|---|
| Cookie protection | + | Cookies can be signed. Cookies can be encrypted. Cookies can be completely hidden or replaced (Cookie Store). Cookies can be linked to the client IP. |
| Information leakage | + | Cloaking filter; outgoing pages can be cleaned (error messages, comments, undesirable information). |
| Session riding (CSRF) |  | URL encryption/token. |
| Session timeout |  | Timeout for active and inactive (idle) sessions can be specified (if the WAF can manage the sessions itself). Even if the sessions are managed by the application, the WAF can detect these and terminate them with the appropriate configuration. |
| Session fixation | ! | Can be prevented if the WAF manages the sessions itself. |
| Session hijacking | ! | Difficult to prevent, although the WAF can issue an alarm in the event of irregularities (e.g. changing IP) or terminate a session with changing IP. |
| File upload |  | Virus check (generally via external systems) via ICAP linked to the WAF. |
| Parameter tampering | + | In addition to/instead of data validation (see below), parameter manipulation can be prevented via URL encryption (GET) and parameter encryption (GET and POST). |
| Forced browsing | + | Site usage enforcement, meaning the possible sequence of URLs can be fixed or can be detected. |
| Path traversal (URL), link validation | + | Can be prevented via URL encryption. Site usage enforcement. |
| Path traversal (parameter), path manipulation | + | See parameter tampering and data validation. |
| Logging | + | All or only specific/permitted parts of the data of a request and of the connected tests can be logged. |
| Priv. escalation | - | Privilege escalation cannot be checked, or can only be checked to a limited degree, for example via cookie/parameter encryption. |
| Logical level | - | Application logic going beyond the validity of URLs and form fields cannot normally be checked by a WAF. |
| Anti-automation | = | Automatic attacks can be partially detected and blocked (e.g. number of requests/time interval, identical requests, etc.). |
| Application DoS (moderate) | = | Transactions, IPs, and/or users can be blocked. Connections and/or sessions can be ended. |
| SSL | + | WAF can force SSL with predefined encryption strength (depending on the infrastructure scenario). SSL termination on the WAF, forwarding of the SSL data (e.g. client certificate) to the application. SSL connection possible from WAF to application. |
| Data validation (relating to field/content/context/appl.) | + | Can be tested to a very detailed degree (length, constant value/range of values, e.g. for SELECT, character area); validation possible with whitelist and/or blacklist (signature). Rules can in part be generated automatically. High dependency on the application; specific fields (hidden form) or predefined parameters in the URL can be automatically verified by the WAF, however. Risk due to false positives, problematic with business-critical applications in particular. |
| Data validation (general/global) | + | HTTP (w3c) conformity; a WAF conducts a canonicalisation of the data so that it is available to the application in a standardised form. |
| Buffer overflow |  | See data validation [1] |
| Format string attack |  | Can be detected using data validation if the corresponding characters or strings are filtered (difficult in practice, as precise knowledge of the application is required to do this). For the majority of the hidden input fields, this can be carried out without knowledge of the application. |
| Cross-site scripting | ! | Using data validation, only reflected XSS can be detected and prevented; persistent XSS cannot be detected, DOM-based XSS only to a limited degree if part of the attack is sent in parameters of the request. |
| Cross-site tracing |  | Restriction of the HTTP method to, for example, GET or POST. |
| WebDAV |  | Restriction to only reading WebDAV methods possible. |
| Code injection (PHP, Perl, Java) |  | See data validation [1] |
| Command injection |  | See data validation [1] |
| SQL injection |  | See data validation [1] |
| LDAP injection |  | See data validation [1] |
| XML/XPath injection |  | See data validation [1] |
| HTTP response splitting (HTTP splitting) |  | Can only be detected using data validation in URL and/or parameters if %0d%0a is filtered; however this can be carried out on virtually any input field without impairing the functionality of the application. |
| HTTP request smuggling |  | Is prevented via strict testing of the conformity to standards of each request. |
| Just in time patching (hotfix patching) |  | Using data validation (see above), the WAF can protect against newly detected vulnerabilities and/or attacks (Zero Day Exploit). |

[1] Basic protection with blacklisting generally sufficient; other options by combining blacklisting and whitelisting.
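Several of the countermeasures in the table (cookie signing, restriction of the HTTP method, filtering of %0d%0a against response splitting, canonicalisation of the data before validation) can be shown together in a small request filter. The code below is an added example written for this page; it is not from the OWASP document or from any WAF product. The Request class, the inspect function, the rule names and the key are constructed for the illustration, and the sample requests in the test are constructed as well.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from urllib.parse import unquote

KEY = b"example-waf-key"  # constructed secret for the example; a real WAF uses a managed key


@dataclass
class Request:
    """Minimal view of an HTTP request as the filter sees it (example type, not a real API)."""
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _mac(name, value, key):
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name, value, key=KEY):
    """Cookie protection: append an HMAC so that a modified value is detectable."""
    return f"{value}.{_mac(name, value, key)}"


def verify_cookie(name, signed, key=KEY):
    """Return the original cookie value, or None when the signature is missing or wrong."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(name, value, key).encode())
    return value if ok else None


def canonicalise(text):
    """Data validation (general): URL-decode until the value is stable, so that a
    double-encoded CR/LF (%250d%250a) is treated the same as %0d%0a."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return text


ALLOWED_METHODS = {"GET", "POST"}  # cross-site tracing: TRACE and other methods are refused


def inspect(req):
    """Return the names of the rules that fired; an empty list means the request passes."""
    findings = []
    if req.method not in ALLOWED_METHODS:
        findings.append("method-not-allowed")
    # HTTP response splitting: CR or LF anywhere in the path or the parameters
    for raw in [req.path, *req.params.keys(), *req.params.values()]:
        if any(ch in canonicalise(raw) for ch in "\r\n"):
            findings.append("crlf-in-input")
            break
    # cookie protection: every cookie must carry a valid signature
    for name, signed in req.cookies.items():
        if verify_cookie(name, signed) is None:
            findings.append(f"cookie-signature:{name}")
    return findings


if __name__ == "__main__":
    session = sign_cookie("session", "42")
    print(inspect(Request("GET", "/account", cookies={"session": session})))
    print(inspect(Request("TRACE", "/", {"next": "%0d%0aSet-Cookie:x=1"})))
```

The decode loop in canonicalise is the point of the "general/global" data validation row: the checks run on the decoded form, so an encoding layer added by the client does not change what the filter sees. Signing only detects tampering; hiding the cookie entirely (the Cookie Store variant in the table) would additionally keep the value out of the client's hands.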

A4 Overview of benefits and risks of Web Application Firewalls

The specific potential benefits of a WAF described here are explained in detail in the in-depth overview in the next chapter. This chapter is used primarily as a summary for decision makers who only want to work through the next chapter as an overview.

A4.1 Main benefits of WAFs

The main benefit of a WAF is the subsequent protection of completed, productive web applications on the application level with a reasonable amount of effort and without having to change the application itself.

On the one hand, the WAF offers a basic protection against known attacks or vulnerabilities based on blacklists: the data security standard of the credit card industry (PCI DSS v. 1.1), for example, in its current version prescribes the use of a WAF as an alternative to regular code reviews by a specialist as an adequate measure to protect web applications. The WAF is therefore a suitable tool for attaining industrial standards as well as fulfilling legal requirements.

The use of a WAF becomes especially relevant in the case of concrete vulnerabilities, for example uncovered via penetration tests or source code reviews. Even if it were possible to fix the vulnerability in the application promptly and with a reasonable amount of effort, the modified version can generally only be deployed at the next maintenance interval, often 2-4 weeks later (patch dilemma). For a WAF with whitelisting, the vulnerability can be fixed promptly (hotfix), so that it cannot be exploited before the next scheduled maintenance. WAFs are especially fast in this aspect, meaning they can collaborate with source code analysis tools, so that detected external vulnerabilities can automatically result in a recommended rule set for the WAF.

A WAF is particularly important in securing productive web applications which themselves in turn consist of multiple components and which cannot be quickly changed by the operator, e.g. in the case of poorly documented applications or regarding third-party products without sufficient maintenance cycles. A WAF is the only option for promptly closing external vulnerabilities.

A4.2 Additional benefits of WAFs depending on the actual functionality of the product

There are other considerable potential benefits which are due to the central role of the WAF. The error location process is simplified considerably if the WAF supports central error messages, in contrast to individually generated error messages by several applications. Error messages can then be centrally evaluated at the WAF. The same applies to all aspects of monitoring and reporting. As a central service point, the WAF can implement tasks which can be solved in the same way for every application. A good example of this is secure session management for all applications based on cookie stores.

Many WAFs also provide proactive security mechanisms such as URL encryption or site usage enforcement, in order to minimise the area of attack with as little effort as possible. In addition, the use of a WAF increases the robustness of a web application to external attacks.

WAFs offer other additional benefits depending on the type of implementation. A hardware appliance in front of the web servers can often terminate SSL connections and also sometimes has load balancer capabilities. This can be desirable, but can also be provided by suitable web application security add-ons for products already in use. In high-security environments, however, the existing security guidelines frequently prohibit the termination of SSL connections in front of the web server. In this case, WAFs which are implemented as a plugin for the web server are especially well suited.

The WAF can also provide SSL termination if the application to be protected, or its web server or application server, does not have this capability.
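The page token / URL encryption mechanism named above (and used again in the tables for CSRF, forced browsing and restricting URL access) is what a WAF can add in front of an unmodified application: every link the application emits is stamped with a token bound to the session, and a request is only forwarded if it carries a valid token for that URL and session. The following is an added example written for this page, not code from the OWASP document or any product; TokenGate, the key and the sample HTML are constructed for the illustration.

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

KEY = b"example-gate-key"  # constructed for the example; a WAF keeps this in its own key store


class TokenGate:
    """Page tokens bound to (session, URL), applied by a WAF in front of the application."""

    def __init__(self, key=KEY):
        self.key = key

    def token(self, session_id, path):
        """HMAC over session and path: the token is valid only for this user and this URL."""
        msg = f"{session_id}|{path}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def rewrite_links(self, session_id, html):
        """Outbound direction: append tok=... to every root-relative link the application emitted."""
        def add_token(match):
            href = match.group(1)
            path = href.split("?", 1)[0]          # token covers the path, not the query
            sep = "&" if "?" in href else "?"
            return f'href="{href}{sep}tok={self.token(session_id, path)}"'
        return re.sub(r'href="(/[^"]*)"', add_token, html)

    def allow(self, session_id, url):
        """Inbound direction: forward only if the URL carries a valid token for this session and path.
        A URL the application never linked (forced browsing), a token copied from another
        session (CSRF with a stolen link) or a token for a different path all fail here."""
        parts = urlsplit(url)
        tok = parse_qs(parts.query).get("tok", [""])[0]
        expected = self.token(session_id, parts.path)
        return hmac.compare_digest(tok.encode(), expected.encode())


if __name__ == "__main__":
    gate = TokenGate()
    page = '<a href="/account">Account</a> <a href="/cart?item=7">Cart</a>'
    print(gate.rewrite_links("sess-1", page))
    print(gate.allow("sess-1", "/admin"))   # never linked: False
```

Because the token is derived from the session, a link copied out of one user's page does not work for another user, which is the CSRF property; because it is derived from the path, a token cannot be transplanted onto a URL the application did not hand out, which is the forced-browsing property. The application itself stays unchanged, which is exactly the situation (T3 in A5) where the document recommends this mechanism.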

A4.3 Risks in the use of WAFs

Note that changes in the existing IT, web and any application infrastructure are required when using a WAF. Depending on the WAF's implementation (e.g. hardware appliance vs. embedded WAF) there are also additional tasks and risks:

- "Yet another proxy" argument (increased complexity of the IT infrastructure)
- Organisational tasks (see A8.2 Role model when operating WAFs)
- Training the WAF
  - On each new release of the web application
  - Testing
- False positives (which may have a significant business impact)
- More complex troubleshooting
  - WAFs also have/generate errors
  - Responsibility for system-wide error situations
- Any potential effect on the web application if the WAF terminates the application session, for example
- Cost effectiveness

A5 Security versus OWASP TOP 10 - a comparison of WAFs and other methods

This chapter covers the various security options for what is known as the OWASP Top 10 vulnerabilities. Three different classes of web applications are used as examples:

- T1: a web application in the design phase, new application
- T2: an already productive application (with MVC architecture), which can be easily adapted
- T3: a productive application which cannot, or only with difficulty, be modified.

Security measures within the application or the application architecture itself are described in detail and are evaluated, based on these three classes, either with the use of a WAF or, alternatively, by definition of an appropriate security policy. The security measures are also assessed in regard to the amount of work required for their implementation. In some instances, there are notes on special functionalities of WAFs or assumptions on the application infrastructure used, as these do not apply globally.

As the table below clearly shows, especially in the case of applications which are in production, the use of WAFs very often requires the least amount of work. In the case of applications which cannot be modified or which are difficult to modify, in some instances the use of WAFs is actually the only feasible security measure.

In the table below, the Work volume column lists the estimated amount of work required for the application types (T1, T2, T3), a WAF or a security policy (P) in regard to the threat (Top 10 column). Comments and notes for each type regarding the implementation of security measures can be found in the Comment column. The categories for the work volume are:

1 : little work required
2 : moderate amount of work required
3 : considerable amount of work required
- : not normally implemented

| Top 10 | Type | Comment | Work volume |
|---|---|---|---|
| A1 Cross-site scripting (XSS) | T1 | E.g. by the consistent use of taglibs (Java), or controls (ASP.NET), or additional frameworks (PHPIDS). |  |
|  | T2 | Input encoding is difficult to integrate (e.g. using OWASP Stinger); using an upstream WAF is a better solution here. For .NET applications XSS filters can be activated. | 3 (.NET: 2) |
|  | T3 | For .NET applications, activate XSS filters. | - (.NET: 2) |
|  | WAF | WAF does not permit output validation in this case, as it does not recognise the context of the data. The validation must be carried out during the input phase, and may be correlated with the output. |  |
| A2 Injection flaws | T1 | Can be avoided by using an OR mapper (e.g. Hibernate) or consistent parameterisation of all inputs (e.g. stored procedures or, ideally, prepared statements). Other injection flaws (e.g. with XML) can only be avoided with dedicated output coding, where necessary. |  |
|  | T2 | Complicated, as program modifications are required. |  |
|  | WAF | WAF with blacklisting: in principle can only search for specific characters or character strings and prevent processing. Essentially there are problems with this approach in the degree of coverage as well as with possible filter evasion attacks (e.g. with multiple coding) if no input normalisation is carried out. This works very well with known attacks (e.g. SQL injection), but certainly less well with protocols not known to the WAF or with proprietary protocols. In addition, injection attacks on some types of input data can be effectively prevented using URL encryption and hidden form parameter protection. An example of this is the item number in an online shop, which traditionally would often be used for SQL injection attacks, but which it should never actually be possible for users to manipulate directly. WAF with whitelisting: for all other input fields there is a whitelist approach. Here the WAF can make suggestions for the individual fields following a learning phase. This means that not all, but the majority of the input fields can be protected against all types of injection attacks. |  |
|  | P | In the case of SQL injection: specifications for database access permissions, otherwise little or no options. |  |
| A3 Malicious File Execution | T1 | Integrating upload scanners or whitelisting of the permitted remote inclusions. |  |
|  | T2 | Whitelisting of the parameters for the permitted inclusion of URLs external to the system. |  |
|  | WAF | Inclusion of upload scanners via ICAP protocol; response analysis to prevent the display of critical data (partially also error messages). |  |
|  | P | Specifications for deployment platform, specifications for access permissions. | 2 |
| A4 Insecure Direct Object Reference | T1 | Implementation of an object virtualisation is very time-consuming, as database objects are frequently mapped to parameters by the frameworks in use (OR mapper). Protection requires intensive testing. |  |
|  | T2 | Prevention of ID manipulation generally necessitates code modifications. Protection requires intensive testing. | 3 |
|  | WAF | Protection against ID manipulation using ID virtualisation or hidden parameter protection. | 1 |
|  | P | Use of impersonation and delegation. |  |
| A5 Cross-site Request Forgery (CSRF) | T1 | Can be solved using specific application architecture. | 1 |
|  | T2 | Significant amount of work. Program changes generally required. | 3 |
|  | WAF | Can be prevented using page token or URL encryption. |  |
| A6.1 Information Leakage | T1 | Tool-supported testing with high test coverage and relevant focus. |  |
|  | T2 | Tool-supported testing with high test coverage and relevant focus. |  |
|  | WAF | Automatic filtering of comments possible. Site usage enforcement can prevent access to existing but unpublished (unlinked) documents. Traditional examples are backup files on the web server which contain database passwords in plaintext and whose URL can be guessed by the attacker. |  |
|  | P | Requirement for programmers and authors not to enter any comments. Specifications for the design of error messages. |  |
| A6.2 Improper Error Handling | T1 | Can be configured declaratively depending on the platform. |  |
|  | T2 | Can be configured declaratively depending on the platform. |  |
|  | T3 | Can be configured declaratively depending on the platform. |  |
|  | WAF | Difficult to detect. |  |
| A7.1 Broken Authentication | T1 | Link up to a central access management system with appropriate security standards. |  |
|  | T2 | Link up to a central access management system with appropriate security standards. Program modifications may be required. |  |
|  | WAF | Depends on the abilities of the WAF. A WAF can carry out authentication independent of the application and thus permit a link up to a central authentication infrastructure without changing the application. | 2 |
|  | P | Specifications with regard to password complexity. |  |
| A7.2 Session Management | T1 | On the design level, e.g. using the session manager design pattern, otherwise numerous options. Amount of implementation work partially dependent on the application server; see also A7.1, if the session management is carried out by the access management system. | 2 |
|  | T2 | Can be integrated centrally to a large extent (using filters, listeners or hardened server configuration); nevertheless, a large amount of work in some places. See also A7.1, if the session management is carried out by the access management system. | 3 |
|  | T3 | Depends on application server, partially configurable. |  |
|  | WAF | Hardening of insecure session management possible via various techniques (e.g. page tokens). |  |
| A8 Insecure Cryptographic Storage | T1 | Use of crypto APIs. | 1 |
|  | T2 | Use of crypto APIs. Subsequent implementation requires numerous program modifications. | 3 |
|  | P | Specifications for saving sensitive data. |  |
| A9 Insecure Communications | T1 | Can be configured declaratively in the application or web server. | 1 |
|  | T2 | Can be configured declaratively in the application or web server. Very high amount of work if the URL schema (HTTP) has been hardcoded. |  |
|  | T3 | Can be configured declaratively in the application or web server (if there is access). Not possible if the URL schema (HTTP) has been hardcoded. |  |
|  | WAF | Can secure HTTP applications using HTTPS. |  |
| A10 Failure to Restrict URL Access | T1 | Use of a front controller with gateway. Code must still check user assignment via the program at various points (e.g. in the service). Gaps possible. |  |
|  | T2 | Differs depending on the application. URL access permissions can be configured declaratively with J2EE and .NET. Prevention of ID manipulation generally necessitates code modifications. |  |
|  | T3 | Differs depending on the application. URL access permissions can be configured declaratively with J2EE and .NET. |  |
|  | WAF | Page tokens or URL encryption can be used to restrict users to pages received from the application as links. The application must not display protected links, however (limited access pattern). With site usage enforcement, the user can only access linked content. Specific URLs/sub-trees can also be excluded via whitelist/blacklist approaches (e.g. only allow access for *.html, *.php, *.gif, *.jpg but not for *.bak or other extensions). | 1 |
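Two of the WAF rows above lend themselves to a worked illustration: the whitelisting with a learning phase from the A2 row (the WAF derives a rule per input field from observed traffic and then enforces it) and the extension-based whitelist from the A10 row. The code below is an added example written for this page, not the rule format or learning algorithm of any product or of the OWASP document. WhitelistLearner, its rule shape (maximum length plus a character class), url_allowed and the training requests are all constructed for the illustration.

```python
import re

# character classes ordered from strict to loose; the learner keeps the loosest class it has seen
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 .,'_-]+$")),
]
ORDER = [name for name, _ in CLASSES] + ["any"]


def classify(value):
    """Strictest class that matches the value, or 'any' if none does."""
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "any"


class WhitelistLearner:
    """Learning-mode whitelist: one rule per (path, parameter), widened by each observed value."""

    def __init__(self):
        self.rules = {}  # (path, parameter) -> {"max_len": int, "class": str}

    def observe(self, path, params):
        """Learning phase: every benign request widens the rule just enough to cover it."""
        for name, value in params.items():
            rule = self.rules.setdefault((path, name), {"max_len": 0, "class": "digits"})
            rule["max_len"] = max(rule["max_len"], len(value))
            rule["class"] = max(rule["class"], classify(value), key=ORDER.index)

    def check(self, path, params):
        """Enforcement phase: list every way the request departs from the learned rules.
        A parameter never seen during learning is itself a violation (positive model)."""
        violations = []
        for name, value in params.items():
            rule = self.rules.get((path, name))
            if rule is None:
                violations.append(f"{name}: not in whitelist")
                continue
            if len(value) > rule["max_len"]:
                violations.append(f"{name}: length {len(value)} > {rule['max_len']}")
            seen = classify(value)
            if ORDER.index(seen) > ORDER.index(rule["class"]):
                violations.append(f"{name}: class {seen} looser than {rule['class']}")
        return violations


ALLOWED_EXT = {".html", ".php", ".gif", ".jpg"}  # the example list from the A10 row


def url_allowed(path):
    """Site usage enforcement by extension: only published file types are reachable, so a
    leftover such as *.bak is refused even if its URL is guessed. Paths without an extension
    are refused as well, which is the strict reading of an extension whitelist."""
    filename = path.rsplit("/", 1)[-1]
    if "." not in filename:
        return False
    return filename[filename.rfind("."):].lower() in ALLOWED_EXT


if __name__ == "__main__":
    learner = WhitelistLearner()
    for item in ("7", "123", "42"):               # constructed training traffic
        learner.observe("/item.php", {"id": item})
    print(learner.rules)
    print(learner.check("/item.php", {"id": "1' OR '1'='1"}))
    print(url_allowed("/config.bak"))
```

The rule for the item number ends up as "digits, at most 3 characters", which is why a quoted SQL fragment is reported on two counts; this is the sense in which the document says most fields, and in particular those users should never manipulate, can be protected without any change to the application. The false-positive risk the table mentions is visible in the same code: a legitimate value longer than anything seen during learning is also reported, so the learning traffic has to be representative before enforcement is switched on.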

A6 Criteria for deciding whether or not to use a WAF

A6.1 Organization-wide criteria

Core criteria in this area are:

- Importance of the web application(s) for the success of the organization (proportional turnover, reputation)
- Importance of the loss of data of the web application (customer data, confidential information, reputation)
- Number of web applications
- Basic legal conditions or industrial standards
- Complexity
- Operating costs
- Performance
- Scalability

A6.2 Criteria with regard to a web application

The term "access to the web application" is introduced and explained below. The checklist in appendix A8.1 is used to determine the degree of access individually for each web application, using a points system.

The access to a web application can be used as a measure of the extent to which the organization in possession of the application can promptly carry out, or initiate and implement, the necessary changes to the web application, in other words has access to the source code of the application.

A web application in the design phase (see T1 in A5) can be considered as a special case of a web application with optimum access.

The other extreme, a web application without access, is an application consisting of many undocumented components, for example, whose developer cannot be contacted, and which uses third-party software products which are no longer maintained by the manufacturer or, in the case of open source projects, by the community (see T3 in A5).

Important criteria for determining the degree of access to a web application are:

- Complete documentation of the architecture and the source code, or availability of the developers of the web application
- Maintenance contracts for all components of the application architecture
- Short error rectification times by the manufacturer for all third-party products used (portals, frameworks, SAP, etc.).

Other important criteria for each web application are given in the checklist which can be found in the appendix.

A6.3 Evaluation and summary

The degree of access can be determined for every web application using the checklist in appendix A8.1. This also allows a mean value of access to be determined for all the web applications of an organization; it is important to note that applications which are critical to the success or the image of the organization need to be rated accordingly.

The illustration given below may be useful as a guide in the decision making process regarding the benefits of using a WAF:

http://www.owasp.org/Image:Best_Practice_WAFchartEN.png
If an organization has full access to their web applications, the use of a WAF primarily provides a reduction of the cost of operation, especially due to the additional benefits of a WAF given in A3 as a central service point, as well as some comparatively easy to implement security mechanisms, see A4.

If there is virtually no access to the web applications, the use of a WAF is definitely appropriate, as this is the only way that the relevant security measures can be implemented.

With decreasing access to the web application, and depending on its importance and complexity, the benefits stemming from the use of a WAF grow rapidly: from a second line of defence to true full protection of the web application from outside influence, attained by the use of whitelisting. Using a WAF often results in the least additional work for the required security level.

A6.4 A consideration of the financial aspects

The cost effectiveness of the procurement and the operation of a WAF can be considered from multiple points of view:
Avoidance of financial damage resulting from successful attacks on the web application
Lower costs for reaching the necessary protection level for the web application in comparison to other options
Savings via the use of central services which are made available by a WAF for multiple web applications, and therefore no longer have to be implemented or configured in every application.

When protecting applications with insufficient access (see A6.2), but which still need to be protected, the costs of a WAF can either be viewed as a strategic investment or, where realistic, set against the costs of replacing the application in question.

The costs of using a WAF normally consist of the following components:
Licence costs
Licence updates / software support
Project costs for evaluating and introducing a WAF
(Partial) costs for operating the necessary platform
Personnel costs for the WAF application manager(s)
Time required in projects for coordination with the WAF application manager.

A7 Best practices for introducing and operating a WAF

A7.1 Aspects of the existing web infrastructure

A7.1.1 Central or decentral infrastructure, predictable changes

It is essential to note that it is the WAF that needs to be integrated into the existing web infrastructure and its planned or foreseeable changes, and not the infrastructure which needs to be fundamentally changed due to the implementation of a WAF.

Accordingly, a WAF can be installed in a central infrastructure which is not predicted to change as a central infrastructure component, e.g. as a hardware appliance, whereas with an infrastructure which is still decentral but which may be growing quickly, for example a large online shop, a distributed WAF approach, e.g. as a plugin into the existing web servers, is more appropriate. With regard to the infrastructure aspects, those WAF products are particularly flexible which combine an essentially distributed implementation approach with a central administration point and therefore offer the benefits of both scenarios.

What is worth mentioning, and becoming increasingly important with regard to probable future developments, is the option of hardened infrastructures using virtualisation. When selecting the WAF, it is particularly important that the WAF can also be integrated seamlessly into a virtualised approach.

A7.1.2 Performance criteria

With regard to technical performance, it is necessary to ensure that the required WAF infrastructure supports the main key performance indicators of the existing web infrastructure. Statements which purely refer to the GB throughput of hardware should not be taken at face value, as the given numbers are often not achievable in practice. What is more important are the typical key performance indicators of a web application, such as the number of simultaneous users of the application and, on that basis, the number of HTTP requests per time unit on average and at peak load times. It should be noted that many applications have high load phases which occur only rarely, e.g. during the Christmas season for an online shop.

A7.2 Organisational aspects

A7.2.1 Conforming to existing security policies

As far as possible, existing security policies should not have to be changed due to the implementation of a WAF.

A typical example is SSL termination in front of the web servers. This is often denied, in particular in high security infrastructures, by the existing security guidelines. This policy can be maintained by the use of a suitable WAF as a plugin on the web server, with the SSL termination still subsequently being carried out in the web server.

A7.2.2 New role model: WAF application manager

After the one-off task of commissioning, the subsequent successful use of a WAF essentially depends on the seamless interaction of the WAF with all other components of the application infrastructure. These include both obvious issues, such as understanding of and appropriate response to error and alarm messages originating from the WAF, as well as aspects such as the modification of the WAF rule set in conjunction with changes to the applications being protected. To fully exploit the opportunity presented by a WAF as a central service point, for instance for secure session management, positive collaboration with application development is required.

In other words: in order to fully exploit the potential of a WAF, it is not sufficient to view the WAF solely as an infrastructure component.

For this reason, we propose the new role of a WAF application manager in addition to the role of a WAF platform manager, who, in a similar way to a network firewall platform manager, is responsible for the infrastructure related aspects of the WAF. The WAF application manager exists for each application and, metaphorically speaking, represents the bridge between the WAF and the specialist application. This person must have excellent knowledge of the WAF in order to be able to configure and monitor it for each individual application. He or she must know the application well to be able to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications. An example would be managing the WAF for all web based SAP systems, whilst the shop system is managed by another WAF application manager.

A detailed description of the proposed role model can be found in appendix A8.3.

A7.3 Iterative procedure for implementation from basic security to full protection

An iterative procedure has been tried and trusted as best practice in the implementation and operation of WAFs.

A7.3.1 Step 1: Specification of role distribution / inclusion of application development


First the responsibilities need to be defined, ideally on the basis of the role concept presented above. If the web application development is being carried out in-house, this needs to be integrated into the process as early on as possible. This means that all applications not yet in production use the central functions of the WAF as soon as possible, which increases security and saves time and money. In addition, possible obstacles on the personal level can also be overcome at an early stage.

A7.3.2 Step 2: Basic protection for all web applications

Regardless of the characteristics of the web application in question, basic protection, normally implemented as blacklisting, is activated first. Initial evaluations normally show the first successful protection measures, or show false positives, i.e. rules are set too strictly. At the same time this phase serves as training for the organisational processes.

A7.3.3 Step 3: Creating a priority list of all existing web applications

The principle for this list of priorities can be the measure of the access to the web application according to the checklist in appendix A8.1, in addition to the higher level criteria such as a loss of reputation, etc.

A7.3.4 Further steps: Full protection of the web applications according to priority

Web applications are fully protected from outside attack with whitelist rule sets in a step by step process according to the priority list. This is normally supported by a learning mode in the WAF or a source code review / penetration test. The WAF application manager, in collaboration with the specialist application manager, ensures the full availability of the application at all times, including during a conversion of the rule set.
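The iterative procedure above, as an added Python example that is not code from the OWASP document or from any WAF product: a generic blacklist stage (step 2) runs on every field, a per-field whitelist is then derived from observed benign traffic in a learning mode (further steps), and a whitelist learned from too little traffic is shown to produce the false positives step 2 warns about. The signatures, character class ladder, field names and sample requests are constructed for illustration.

```python
import re

# Step 2, basic protection: generic blacklist signatures checked on every field of every
# application. Constructed and deliberately minimal; not taken from any WAF product.
BLACKLIST = {"script_tag": re.compile(r"<\s*script", re.I), "path_traversal": re.compile(r"\.\./")}

# Character classes the learning mode tries, narrowest first; the last one admits anything.
CLASS_LADDER = ["0-9", "A-Za-z", "A-Za-z0-9", "A-Za-z0-9 ", r"A-Za-z0-9 .@_\-", r"\s\S"]


def blacklist_hits(request: dict) -> list:
    """Names of the blacklist signatures matched by any field value of the request."""
    return sorted(n for n, rx in BLACKLIST.items() if any(rx.search(v) for v in request.values()))


def learn_whitelist(benign_requests: list) -> dict:
    """Learning mode (further steps): per field, the narrowest character class and the longest
    length seen in benign traffic. Too little traffic yields rules that are too strict."""
    seen = {}
    for req in benign_requests:
        for name, value in req.items():
            seen.setdefault(name, []).append(value)
    rules = {}
    for name, values in seen.items():
        cls = next(c for c in CLASS_LADDER if all(re.fullmatch(f"[{c}]*", v) for v in values))
        rules[name] = (cls, max(len(v) for v in values))   # whitelist rule for this field
    return rules


def whitelist_violations(request: dict, rules: dict) -> list:
    """Full protection: every field must be known and must satisfy its own rule."""
    out = []
    for name, value in request.items():
        if name not in rules:
            out.append(f"{name}: unknown field")
            continue
        allowed, max_len = rules[name]
        if len(value) > max_len or not re.fullmatch(f"[{allowed}]*", value):
            out.append(f"{name}: value outside whitelist")
    return out


def decide(request: dict, rules: dict) -> str:
    """WAF verdict: blacklist first (basic protection), then the per-field whitelist."""
    if blacklist_hits(request):
        return "blocked:blacklist"
    if whitelist_violations(request, rules):
        return "blocked:whitelist"
    return "allowed"


# Constructed benign traffic of a shop search form, used as learning input.
BENIGN = [{"q": "kitchen knife", "page": "1"}, {"q": "coffee maker", "page": "12"},
          {"q": "teapot 2l", "page": "3"}]
RULES = learn_whitelist(BENIGN)
```

A benign but longer search term than any seen during learning is blocked by the learned rule, which is exactly the false positive that the WAF application manager has to recognise and resolve with the application manager before the rule set is switched over.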

A8 Appendices

A8.1 Checklist: Access to a web application from a security standpoint

The following checklist can be used to evaluate the access that a company has to the web application. Access to a web application gets better as more points are accumulated.

Criterion / Points / Comment

Documentation complete
The documentation for the application is complete in such detail that potential vulnerabilities relating to security can be detected and rectified. This especially pertains to the documentation of the architecture and the source code.
Comment: Especially important is a detailed documentation of the architecture, as well as a description of the interfaces between the individual components and a description of the validations taking place on these interfaces. Documentation on this level of detail is normally not available.

Developers available
The developers who originally designed and implemented the application are still available for modifications.

Maintenance contracts for all components
There are contracts covering the rectification of errors or, with open source components, there is an active community continuing the development, for all components of the application (web server, application server, database, etc.) and the application itself.
Comment: No maintenance contract, no possibility for bug fixes.

Error rectification times by the manufacturer are short
The response times from the manufacturer from the reporting of an error to delivery of a patch are less than a week for critical errors. These can either be error rectification times based on contracts or empirical error rectification times, e.g. for open source products.
Comment: Important, but only helps to a limited extent.

Automated tests exist
There are automated tests for quality assurance of the application representing a high degree of test coverage, and they are used with new releases.
Comment: Tests tend to check whether the required functionality is available. Security in this context means that the undesirable functionality is not present, so such tests do not normally accomplish much.

Source code analysis has been completed
In past development and ongoing development of the application, an automated source code analysis (white box test) is carried out with the focus on application security.
Comment: The analysis must be carried out by a specialist, regardless of whether it is automated or carried out by external experts.

Low complexity
Fewer than 1000 hours have been spent purely on implementing the application (not including project management) in the development phase.
Comment: Based on experience, complexity is best measured using the time spent on implementing the application. Lines of code or function points provide very different results, depending on who is doing the counting. Ideally, it would be better to consider the complexity of the architecture, not the time spent on implementation.

Central controller present
The architecture of the application includes a central controller which processes all the inputs and outputs of the application (MVC).

Security framework is used
The application uses a security framework that, among other things, provides validators/filters for input and output.
Points: 3
Comment: This means mainly that the developers have considered security aspects as important. Certainly a very positive and important issue, see last point.

Security audit has been carried out
A security audit / penetration test has been carried out against the application and all vulnerabilities detected in the audit have been rectified.

Developers have been trained in secure programming and are experienced.
Comment: Always the most important thing are trained developers!

A8.2 Role model when operating a WAF

The role model described here should be implemented primarily when the WAF carries out tasks in the context of whitelisting described in this document, in order to protect the web applications, in addition to functioning as a second line of defence and basic security. It should therefore be configured as closely as possible to the functionality of the web application.

The introduction of a WAF is normally carried out as part of a project. The decisive factor for a long-term, successful operation of a WAF, however, is a role model in which the responsibilities of all parties involved are defined in the overall software development cycle. A WAF has both characteristics of an infrastructure component, and its behaviour is also highly specific to the application. Its configuration and behaviour can even vary considerably between different releases of the same application. The configuration of a WAF is much more complex than that of a traditional firewall. To put it simply, it no longer suffices to configure a single IP for an application; instead each input field of that application has to be configured.

In larger IT organisations, operation of the network, to which the firewall belongs, and of the applications is carried out by different organizational units, sometimes even by different companies. Most operating concepts follow this organizational separation with a role concept which makes a clear distinction between tasks on the infrastructure level (network and operating system) and on the application level.

As with a firewall, the role of a WAF platform manager is required, who is responsible for the operational aspects of the WAF. We are proposing the new role of a WAF application manager whose responsibilities lie between the WAF and the individual application. An application manager is still required; this manager is not, however, required to have a deeper understanding of the WAF. The WAF application manager is the bridge between the WAF and the specialist application. This person must have excellent knowledge of the WAF to be able to configure it and monitor it for the individual application. He or she must know the application well to be able to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications. An example would be maintaining the WAF for all web based SAP systems, whilst the shop system is maintained by another WAF application manager.

This means that, on the one hand, the specific requirements for the secure and efficient operation of a WAF are taken into account, and on the other hand, the traditional roles of infrastructure or platform manager and application manager remain unchanged within highly structured organisations.

A8.3 The individual roles

8.3.1 WAF platform manager

Tasks:
Planning of the operational architecture of the WAF
Responsibility for operation and support of the WAF, including capacity planning
Allocation of URLs to individual applications
Patch and version management of the WAF
Management and administration of the WAF application managers

Knowledge:
Knowledge of the WAF, its operation, administration and the authorisation concept

8.3.2 WAF application manager (per application)

Tasks:
Implementation and maintenance of the WAF configuration specific to the application
Monitoring and analysis of the log files (at least on the second level)
Contact for error messages, in particular false positives analysis in collaboration with the application manager
Close cooperation with the WAF application managers and platform managers
Test of WAF functionalities for the application, especially when deploying new versions of the application

Knowledge:
In-depth knowledge of the WAF configuration in relation to application specific security mechanisms
Very good knowledge of the behaviour of the application, in particular input, output, uploads, downloads, character sets, etc.

8.3.3 Application manager

Operation or development of the application to be protected
Knowledge of the application architecture and the input fields; provides these to the WAF application manager.

Retrieved from "https://www.owasp.org/index.php?title=Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls&oldid=195425"
Categories: OWASP Project, OWASP Best Practices, OWASP Document, OWASP Download, OWASP WAF, OWASP Builders, OWASP Defenders, SAMMEH3, Germany, OWASP Alpha Quality Document, HowTo
This page was last modified on 28 May 2015, at 09:34.
Content is available under a Creative Commons 3.0 License unless otherwise noted.
