<h1>Web Application Security Roadmap – OWASP AppSec NYC 2008</h1>
<p>Published 2008-09-24 at <a href="https://www.webadminblog.com/index.php/2008/09/24/web-application-security-roadmap-owasp-appsec-nyc-2008/">webadminblog.com</a>. Category: OWASP AppSec NYC 2008. Tags: application security, appsec, OWASP, roadmap, web.</p>
<p>For the first session of the day, I decided to check out the Web Application Security Roadmap presentation by Joe White, President of Cyberlocksmith Corporation. Web application security is still very much in its infancy. Traditional “operations” teams do not understand web application security risk and are ill-equipped to defend against web application threats. Many companies are wrestling with who takes ownership of web application security and are still trying to figure out where it fits in the organization. Security “turf battles” are inevitable in these situations, because there is no clear separation between where web app sec stops and traditional operations security begins.</p>
<p>Begin by building a foundation:</p>
<ul>
<li>Find your web application vulnerabilities</li>
<li>Address your web application vulnerabilities</li>
<li>Monitor/detect web application compromise attempts</li>
<li>Decide upon a threat classification framework and scoring model</li>
<li>Develop a web application incident response plan</li>
</ul>
<p>Next, look at your internal projects:</p>
<ul>
<li>Scope/prioritize internal web-application-specific projects</li>
<li>Proactively increase security awareness</li>
<li>Threat modeling and data flow diagrams</li>
<li>Manual code review (outside expert)</li>
<li>Other possible roadmap items to consider</li>
</ul>
<p>To find web application vulnerabilities, there is an automated component and a manual component. For the automated component, choose the automated assessment tool that works best with your web application technology. Make sure you are addressing all internet-facing web application exposure. Deploy a static source code analysis tool to scan for security vulnerabilities within the source code. The manual component is required to complement the automated assessment. Work to better educate the manual assessment teams on the way your web application functions so they can better detect logic flaws and other issues likely to be missed by automated scans. Integrate both peer code review and manual review of the static source code analysis results into your SDLC.</p>
<p><span style="text-decoration: underline;"><strong>Web Application Security Assessment CapEx and Deployment Times</strong></span></p>
<ul>
<li>30 days to evaluate each vendor if conducting a bake-off</li>
<li>0-4 weeks to deploy the chosen tool after the evaluation phase</li>
<li>CapEx for web application security assessment tools will vary between vendors. Budget for 25-50k</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Static Source Code Analysis CapEx and Implementation Times</strong></span></p>
<ul>
<li>30 days to evaluate each vendor if conducting a bake-off</li>
<li>3-6 weeks to deploy the chosen tool after the evaluation phase</li>
<li>CapEx will vary between vendors and will likely depend on the chosen deployment scenario as well as how many developers are using the tool. Budget for 50-105k (1-3k per developer)</li>
</ul>
<p>Mitigate immediate internet-facing risk. Block your exposure from web application vulnerabilities as close as possible to when they are discovered. THIS IS CRITICAL! It buys you time to fix the vulnerabilities in the underlying code. A WAF will minimize the threat window for each exposure by blocking access to the vulnerability until it can be fixed in the code.</p>
<p>Address the vulnerabilities in the code. The web app sec assessment tool should assist in locating the specific code-level changes that need to be made. Static source code analysis will point directly to the specific code-level changes that need to be made.</p>
<p>WAF vendors: Breach, ModSecurity, Imperva, F5, Citrix, Barracuda, Deny All, BeeWare, BinarySEC, Cisco, and Fortify Real-Time Analysis.</p>
<p><span style="text-decoration: underline;"><strong>WAF CapEx and Deployment Times</strong></span></p>
<ul>
<li>30 days to evaluate each vendor if conducting a bake-off</li>
<li>4-8 weeks to deploy the chosen tool after the evaluation phase</li>
<li>Ongoing management and fine-tuning can be expected after deployment</li>
<li>CapEx varies between vendors. Expect approximately 25-40k per appliance, and you need at least two for redundancy</li>
<li>Budget for 75-100k (more for presence at multiple datacenters)</li>
</ul>
<p>Check out wafreviews.com! It’s a webappsec community-supported site for information and resources related to WAF reviews and evaluations. If you have participated in a recent bake-off of WAF technology and are able to share your results, feel free to forward your evaluation results to submit@wafreviews.com. The mission is to be fair, objective, and comprehensive.</p>
<p>Detecting web application compromise attempts: use a WAF! It looks at web application (Layer 7) data and acts upon it. It is similar to a traditional network (Layer 4) firewall, but more like a gateway than a firewall. He likes to call it a “Web Application Risk Management (WARM)” device. The device sits between your normal firewall and your web application server.</p>
<p><span style="text-decoration: underline;"><strong>WAF Use Cases</strong></span></p>
<ul>
<li>Web intrusion detection and prevention</li>
<li>Continuous security assessment</li>
<li>Virtual (or just-in-time) patching</li>
<li>HTTP traffic logging and monitoring</li>
<li>Network building blocks</li>
<li>Web application hardening</li>
</ul>
<p>Detect web application compromise attempts. You cannot protect what you cannot see. You will need greater visibility into application-layer traffic. This is usually the place that traditional operations security folks do not understand. The WAF should monitor and detect application anomalies and compromise attempts from users. A WAF offers greater visibility into application security events. As the WAF market matures, you can expect the WAF to be fed real-time vulnerabilities by your web application security assessment tool in order to proactively block newly discovered attacks. The tricky part here is that you will likely need the help of the traditional operations security guys to implement this and succeed.</p>
<p>Decide upon a threat classification framework.</p>
<p>Develop a web application incident response plan. This is the piece overlooked by most organizations. You do not want to be blind-sided by a web application security event while you are earning the trust of both your management and peers.</p>
<p>webappir.com is seeking presentations and other educational material to assist web application security professionals.</p>
<p>Don’t let internal projects distract you from building the foundation! Integrate security into the SDLC (a secured development lifecycle).</p>
<p>Increase security awareness: executive web application security risk awareness and developer training.</p>
<p>Threat modeling and data flow diagrams. Understand all entry and exit points into the web application. Understand the threat scenarios.</p>
<p>Manual code review (outside expert). Include all tiers in the application architecture. Address internet-facing code first, then move on to the application tier and then the database tier.</p>
<p>Other roadmap items to consider: DDoS attacks; anti-phishing; a Security Center, meaning the reporting features of the WAF should be available to users to increase security awareness and proactively address security weaknesses; and web application security metrics.</p>
<p>Information security risks and threats change over time. You must adapt to these changes. Web application security is the current threat that you need to understand and be adapting to. If you are new, it is OK because there is still time to change and adapt. Don’t be an information security dinosaur. The latest version of the presentation is available at http://www.webappsecroadmap.com</p>