Upload
lenhan
View
228
Download
0
Embed Size (px)
Citation preview
Web Application Security Made Easy Brian A. McHenry Security Solutions Architect [email protected]
Web Application Security Made Easy Easier
© F5 Networks, Inc 2
• Remediation rates are low, especially for legacy or 3rd-party applications
• Building WAF policy is one tactic, but can also be challenging
• Applications are like snowflakes; no two alike
• WAF ownership varies, and AppSec expertise varies with it
• A WAF is only as effective as the integration with the SDLC process
• Management resources for WAF are often limited
Practical Web Application Security Facts
© F5 Networks, Inc 3
Policy Deployment Options
Security policy checked
Security policy applied
DYNAMIC POLICY BUILDER INTEGRATION WITH APP SCANNERS PRE-BUILT POLICIES
Automatic • No knowledge of
the app required • Adjusts policies if
app changes
Manual • Advanced
configuration for custom policies
• Virtual patching with continuous application scanning
• Out-of-the-box • Pre-configure and validated • For mission-critical apps
including: Microsoft, Oracle, PeopleSoft
© F5 Networks, Inc 4
Identify, virtually patch, mitigate vulnerabilities
Configure vulnerability policy in BIG-IP ASM
Mitigate web app attacks Scan application with:
Hacker
Clients
Tim
ely
thre
at m
itiga
tion
Assurance
Manual
WAF
Scan
© F5 Networks, Inc 5
Configuration
© F5 Networks, Inc 6
Configuration
© F5 Networks, Inc 7
Importing Vulnerabilities
© F5 Networks, Inc 8
Importing Vulnerabilities
© F5 Networks, Inc 9
A Deeper Look
© F5 Networks, Inc 10
A Deeper Look
© F5 Networks, Inc 11
Resolve, Resolve and Stage
© F5 Networks, Inc 12
Resolve, Resolve and Stage
© F5 Networks, Inc 13
Resolve, Resolve and Stage
© F5 Networks, Inc 14
Ignore, Unignore
© F5 Networks, Inc 15
Retest
• The same attack vectors will be re-sent during a retest.
• Asynchronous
• ... after a couple of minutes ...
© F5 Networks, Inc 16
Retest
• ASM polls the status of the 'Retest Requested' vulnerabilities each 2 minutes.
• Vulnerabilities are to be retested are queued in the Sentinel. Generally they process in some minutes.
• Can end up with:
– Opened (vulnerability was not mitigated)
– Closed (vulnerability was solved)
– Mitigated (vulnerability was mitigated by ASM)
“ © F5 Networks, Inc 17
We couldn’t have provided safe remote access to SharePoint without the security F5 offers through BIG-IP ASM. And we don’t have to spend hours
reviewing thousands of vulnerability log entries in order to configure ASM effectively.
- IT Director, Large US Community College
“ © F5 Networks, Inc 18
By deploying F5’s comprehensive Application Security Manager (ASM) solution, Aura is now
enabling customers to fix its security issues within a reasonable timeframe, and subsequently shield
and prevent reoccurrences.