{"id":108,"date":"2008-09-25T07:51:16","date_gmt":"2008-09-25T12:51:16","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=108"},"modified":"2008-09-29T19:15:40","modified_gmt":"2008-09-30T00:15:40","slug":"best-practices-guide-web-application-firewalls-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/25\/best-practices-guide-web-application-firewalls-owasp-appsec-nyc-2008\/","title":{"rendered":"Best Practices Guide: Web Application Firewalls &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This presentation was by Alexander Meisel and is from a paper that was put together by the German OWASP chapter. He began by introducing the problem: online businesses have HTTP as their &#8220;weak spot&#8221;. He then talked about the definition of the term &#8220;Web Application Firewall&#8221;: it is not a network firewall, and it is not only hardware. The target audience of the paper is technical decision makers, people responsible for operations and security, and application owners. Next he talked about some of the characteristics of web applications with regard to security. Prioritize web applications according to their importance (access to personal customer data, access to confidential company information, certifications). Some technical aspects include test and quality assurance, documentation, and vendor contracts.<\/p>\n<p>Where do WAFs fit into the web application security field? WAFs are part of a solution. The approach is to create a table of the wanted functionality (CSRF, session fixation, *-injection) and rate each item: &#8220;+&#8221; means it can be implemented very well using a WAF, &#8220;-&#8221; means it cannot be implemented, &#8220;!&#8221; means it depends on the WAF, the application and the requirement, and &#8220;=&#8221; means it can partly be implemented with a WAF.<\/p>\n<p>He then looked at the benefits and risks of WAFs. The benefits are good baseline security, compliance, and just-in-time patching of problems. Additional benefits (depending on functionality) could be central reporting and error logging, SSL termination, URL encryption, etc.<\/p>\n
<p>Some risks involved in using WAFs are false positives, increased complexity, having yet another proxy, and potential side effects if the WAF terminates the application.<\/p>\n<p>Protection against the OWASP Top 10: application vs. WAF vs. policy. Three types of applications are distinguished: a web application in the design phase, an already productive application which can easily be changed, and a productive application which cannot be modified, or only with difficulty. A table covers the OWASP Top 10 with regard to the work required, for each of the three types of applications, to fix the problem in the application itself, using a WAF, and using a policy.<\/p>\n<p>Criteria for deciding whether or not to use WAFs: company-wide criteria include the importance of the application for the success of the company, the number of web applications, complexity, operational costs, and performance and scalability. Criteria with regard to the web application include the changeability of the application, documentation, maintenance contracts, and the time required to fix bugs in third-party products. Consideration of financial aspects includes avoidance of financial damage via successful attacks and the costs of using a WAF (license, updates, project costs for evaluation and WAF introduction, volume of work required\/personnel costs).<\/p>\n<p>He started going pretty fast here since he was already running over on time. The gist was a bunch of best practices for the introduction and operation of web application firewalls. He talked about technical requirements, job requirements, and an iterative procedure for implementation.<\/p>\n<p>This presentation was mostly just an overview of what is in the paper and he didn&#8217;t get into too many specifics. Go check out the paper at
https:\/\/www.owasp.org\/index.php\/Best_Practices:_Web_Application_Firewalls to get the details!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Alexander Meisel and is from a paper that was put together by the German OWASP chapter. He began by introducing the problem: online businesses have HTTP as their &#8220;weak spot&#8221;. He then talked about the definition of the term &#8220;Web Application Firewall&#8221;: it is not a network firewall, and it is not only hardware. [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[76,128,162,74,164,12,163,622,160,102],"class_list":["post-108","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-application","tag-appsec","tag-best","tag-firewall","tag-guide","tag-owasp","tag-practices","tag-security","tag-waf","tag-web"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1K","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.
com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=108"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/108\/revisions"}],"predecessor-version":[{"id":140,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/108\/revisions\/140"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}