Wallarm: from NGINX module to a growing company

NGINX User Summit. Wallarm lightning talk


Page 1: NGINX User Summit. Wallarm lightning talk

Wallarm: from NGINX module to a growing company

Page 2

Wallarm pre-history: 5 years in security consulting

• Security audits and research since 2009

• Penetration testing

• Blackbox analysis of web applications

• Whitebox analysis of source codes

• Specialization in e-commerce and financial web applications

Page 3

Lessons learned

• Vulnerabilities can be found and fixed, but new vulnerabilities do appear

• Clients are protected after an audit only until the next release

• Regular security audits for each minor update are expensive

• Security is a continuous process!

• So how can we protect web applications?

• Starting in 2009 we have been looking for a Web Application Firewall that would suit our clients' needs.

Page 4

Looking for the best web apps protection solution

• NAXSI (https://github.com/nbs-system/naxsi): an open-source, high-performance, low-rules-maintenance WAF for NGINX

• ModSecurity for NGINX (https://github.com/SpiderLabs/ModSecurity): an event-based programming language which provides protection from a range of attacks against web applications

• testcookie-nginx-module (https://github.com/kyprizel/testcookie-nginx-module): an application-level DDoS mitigation module using a cookie-based challenge/response technique

• A variety of commercial WAFs

Page 5

Looking for the best web apps protection solution

Most of them worked as promised but somehow didn’t feel right…

"phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
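The string above is the action list of a ModSecurity rule (CRS 2.2.9 rule 959073). As an added example that is not from the slides or from Wallarm, the following Python parses such an action list, handling commas inside quoted values, and reduces the rule to the facts an operator needs (phase, blocking or not, severity, transformations, tags, anomaly-score updates); the function names are my own.

```python
# Added example (not Wallarm's or the slides' code): parse a ModSecurity
# SecRule action list. The string is CRS 2.2.9 rule 959073 from the slide.
from typing import Dict, List

CRS_959073_ACTIONS = (
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,"
    "t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',"
    "id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',"
    "tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',"
    "logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',"
    "severity:'2',setvar:'tx.msg=%{rule.msg}',"
    "setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},"
    "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},"
    "setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
)

def split_actions(actions: str) -> List[str]:
    """Split on commas that are not inside single-quoted values."""
    parts, buf, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))  # last action has no trailing comma
    return parts

def parse_actions(actions: str) -> Dict[str, List[str]]:
    """Group actions by name; flags such as 'block' get the value ''."""
    parsed: Dict[str, List[str]] = {}
    for item in split_actions(actions):
        name, _, value = item.partition(":")
        parsed.setdefault(name.strip(), []).append(value.strip().strip("'"))
    return parsed

def summarize(actions: str) -> Dict[str, object]:
    """Reduce the action list to what an operator needs to know about it."""
    p = parse_actions(actions)
    return {
        "id": p["id"][0],
        "phase": int(p["phase"][0]),            # 2 = request body phase
        "blocking": "block" in p,               # disruptive action present
        "severity": int(p["severity"][0]),
        "transforms": p.get("t", []),           # applied before matching
        "tags": p.get("tag", []),
        "score_updates": [v for v in p.get("setvar", []) if "score" in v],
    }
```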

Page 6

We can do it by ourselves! Probably

Goals:

• Learn from the traffic to avoid a complex configuration process

• Efficiently block noise/spam from automated tools in the system interface

• Detect & patch vulnerabilities, including 0days

• Support AJAX and HTML5 applications that use single-page structure and modern standards (e.g. local storage)

• Handle high load (100K rps on a single node)

• Work in synchronous and asynchronous mode

Page 7

We can do it by ourselves! Probably

Milestones:

• In 2010 we implemented an attack detection tool with self-learning algorithms in pure PHP. It worked, but was damn slow

• In 2011-2012 we rewrote everything in Ruby and started to analyse traffic captured by tcpdump

• Finally, in 2013 we realised that NGINX is a great platform for implementing application-level traffic filtering.

Page 8

Wallarm architecture


[Architecture diagram; the labels that survive extraction are summarised below]

• Client's infrastructure: the Wallarm node (NGINX Wallarm module, local analytics module, buffer) sits in front of your application

• All requests to the application pass through the Wallarm node; only filtered requests reach your application

• Wallarm cloud: cloud analytics module, active vulnerability scanner, passive vulnerability scanner

• Node to cloud: statistics and attack information; cloud to node: training sets for the Wallarm node

• No sensitive data goes to the Wallarm cloud

Page 9

Summing up: a vulnerability detection solution & WAF based on statistical algorithms

• Wallarm analyses user requests and, based on them, learns how the application works (business logic, execution environment, programming language used, etc.).

• With this knowledge Wallarm profiles every user: what they do and when, what data is sent, and how the application reacts.

• Requests are analysed with a set of metrics. Wallarm inspects the semantics of requests and responses, looks for correlations and seeks ways to group them into potential attack vectors.

• This way Wallarm identifies and blocks anomalies: activity that is atypical for normal operation of the application.

Page 10

Bonus

• No spam/noise in the interface

• Metrics for the Dashboard are taken from real-life projects. Among them: reaction time, vulnerability fix time, and the time from discovery of a vulnerability until its exploitation.

• Google-style search bar to filter security events.

• NGINX inside

Page 11

Wallarm team

• Ivan, CEO

• Alex, CTO

• Stephan, COO/CMO

• Simon, Advisor

• Dmitry, Strategy

Now hiring and [email protected]

Page 12

Thank you! http://www.wallarm.com