Cenzic/Barracuda/Ponemon Research Study

Web Application Security
Grant Murphy, CISSP
VP Enterprise Solutions
“The State of Web Application Security”
Cenzic/Barracuda/Ponemon Research Study – February 2011
Ponemon Research – Key Findings
• 74% of the respondents said Web Application Security is amongst their highest security priorities.
All's Good… Right?
• 69% said they use Network layer Firewalls to protect their web applications.
"We'll leave a light on…" – Tom Bodett
• When asked why they don't test their web apps, nearly 2/3rds said "No expertise or budget exists", yet the average prediction for loss due to a hacking event is $255,000.
Truer Words Cannot be Spoken
"We don't spend enough money on app security and we spend way too much on antivirus software, which is basically worthless"
– Josh Corman, The 451 Group
• Over half expect their Web Hosting provider to provide security for their Web Applications.
How Many Do?
Other Ponemon Stats
• 68% of WAF users recognize that a fully functional WAF is one that optimizes Performance as well as Security
• 60% said they protect Web apps KNOWN to be vulnerable to exploits with layer 4 technology (Network Firewall or IDS/IPS)
• 88% said their Web App Security budget is less than their coffee budget
• 62% cited data protection as their #1 concern about Web application security
Why do I need a Web Application Firewall?
Compliance, Security, Performance
What is PCI DSS?
• Insurance
• A consortium of Visa, MasterCard, DiscoverCard, American Express, and JCB
• PCI standards apply to ALL companies worldwide that process, store, or transmit credit card information
• 4 levels of Credit Card processors dependent upon volume, which also determines the level of audit scrutiny
  – Level 1: >6M transactions/year
  – Level 2: >1M and <6M transactions/year
  – Level 3: >20,000 ecommerce transactions and <1M transactions per year
  – Level 4: <20,000 ecommerce or >1M transactions/year
What word keeps 62% of the security bosses up at night?
Breach
The other 38% have sleep apnea!
Security Market Overview
Fact 1: 98% of all Breaches are the result of organized crime and/or unaffiliated parties [1]
Fact 2: Data Breaches cost organizations an average of $202 per stolen record [2]
Fact 3: 24% of the records stolen during breaches were from vulnerable Web applications exploitable by SQL injection [1]
Fact 4: SQL injection is 3x more efficient than the #1 method employed to extract records
[1] Source: Verizon and USSS Data Breach Investigation Report, 2010
[2] Source: Ponemon Institute Study, 2009
Interesting excerpts: 2010 Verizon and USSS Data Breach Investigation Report
• Records lost was down from 144M to 4M, but the number of breaches was up 5-6x
• 89% of breach victims subject to PCI DSS were not in compliance – if they had been there would have been no breach!
• ~1/2 of breaches were on systems managed by hosting providers – "It's more about giving up control of our assets… than any technology specific to The Cloud."
• "Just because web applications dropped as an overall percentage of attacks, don't believe for an instant that they are any less critical a vector than they were a year ago. … Please don't let the bad guys catch your development and application assessment teams napping."
SQL Injection – Illustrated (OWASP, 2010)
[Figure: the HTTP request passes through the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer, which spans Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Databases and the Custom Code for Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions; the application sends a SQL query to the DB Table and relays the SQL response in the HTTP response.]
1. Application presents a form to the attacker (an Account Summary form with Account and SKU fields)
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query:
   "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
4. Database runs query containing attack and sends encrypted results back to application (the DB Table holds rows such as Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293, Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192)
5. Application decrypts data as normal and sends results to the user
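The five steps above in runnable form, as an added example that is not part of the original slides or of any Barracuda product code. An in-memory SQLite table stands in for the accounts DB table (the rows are constructed here), lookup_vulnerable builds the query by string concatenation exactly as step 3 describes, and lookup_parameterized shows the fix a WAF is compensating for when the code cannot be changed quickly. The table columns and function names are this example's own assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the "accounts" DB table in the slide.
SAMPLE_ACCOUNTS = [
    ("5424-9383-2039-4029", "Alice Example", 120.50),
    ("4128-0004-1234-0293", "Bob Example", 980.00),
    ("5424-6066-2134-4334", "Carol Example", 15.25),
    ("4128-7574-3921-0192", "Dave Example", 42.00),
]

# The form value from step 2 of the slide, sent in the Account field.
INJECTED_ACCT = "' OR 1=1--"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct_value: str) -> list:
    """Step 3 as drawn: the form value is pasted into the SQL text.

    With INJECTED_ACCT the statement becomes
        SELECT * FROM accounts WHERE acct='' OR 1=1--'
    so the trailing quote is commented out and every row matches.
    """
    query = "SELECT * FROM accounts WHERE acct='" + acct_value + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, acct_value: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM accounts WHERE acct=?", (acct_value,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input :", len(lookup_vulnerable(db, "4128-0004-1234-0293")), "row(s)")
    print("vulnerable, injected     :", len(lookup_vulnerable(db, INJECTED_ACCT)), "row(s)")
    print("parameterized, injected  :", len(lookup_parameterized(db, INJECTED_ACCT)), "row(s)")
```

Run as a script it prints one row for the legitimate lookup, all four rows for the injected value through the concatenated query, and zero rows for the same value through the parameterized query, because the bound parameter is compared as a literal account string rather than interpreted as SQL.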
Who Gets Attacked?
Target of Opportunity or Target of Choice? Every industry is a target!
Source: Based on data provided by OSF DataLoss DB
Can't We Just Go Fix the Insecure Code?
• Every 1,000 lines of code averages 15 critical security defects. – U.S. Dept. of Defense
• The average security defect takes 75 min to diagnose and 6 hrs to fix. – 5 year Pentagon Study
• The average business application has 150,000-250,000 lines of code. – Software Magazine
• An average web application vulnerability persists between 30 – 90 days after discovery. – Forrester Research
The MATH…
It would take 70 to 562 weeks to fix the code, not to mention the newer defects that will get introduced.
Code reviews: Start at $2000 for a small application
75% of Attacks Focused Here (Gartner)
[Figure: layered stack – Network, Firewall, IDS, IPS; Web Servers, Application Servers and Database Servers, each on their Operating Systems; Customized Web Applications, Customized Packaged Apps, Internal and 3rd Party Code; and the data they hold: Customer Info, Business Data, Transaction Info, Confidential.]
Malvertising
• USAToday.com ad network compromised
• Visitors served malicious JavaScript bundled with an ad for Roxio Creator
• Automatically directed users to a Rogue AV site through a malicious traffic distribution system – users did not even have to click the link
Compromised Legitimate Sites
• PBS.org – and a subdomain for the Curious George site – compromised
• Yielded JavaScript that served exploits from a malicious domain
• Targeted a variety of software vulnerabilities, including Acrobat Reader, Apple QuickTime, etc.
A WAF must provide Security… As well as Performance Optimization
[Figure: Internet → WAF → Servers.]
• Load Balancing, Caching, Compression – only available via a Layer 7 Reverse Proxy!
• Application Health Monitoring ensures optimal Load Balancing
• TCP Pooling – multiple requests use the same connection: improved performance
• SSL Offloading/Acceleration, Backend Encryption
• High Availability minimizes downtime of critical business Apps
• User Access Control (LDAP etc.)
Hacktivism on the Rise – Again?
"…worked with the website hosting company, Boca Raton-based Verio, and initially they were able to fix it. But the images returned over the weekend. And Monday was a holiday, so nothing could be done.
But with just a cursory glance of the website, Heid claimed to have pinpointed its weaknesses -- decade-old web applications and a system that needs ``sanitizing.''"
– The Miami Herald, 1/18/11
"…hackers sidestepped ineffective firewalls"
Top 5 Myths of Web Application Security
1. "We use SSL"
   • SSL ensures that no "man-in-the-middle" can tap into communications
   • Hackers can still send application attacks through SSL
2. "We have a Network Firewall"
   • 75%-90% of attacks today are against applications, not networks
3. "Our Web Hosting provider is secure"
   • Web Hosters – at best – provide Network Firewalls
4. "Only large banks get hacked, not us"
   • Hacking is an equal opportunity business
5. "Too Expensive/Too Complicated"
   • Not anymore with Barracuda's Web Application Firewall
When it comes to protecting the valuable data on which Web Applications are dependent, the best use of a budgeted security $ € £ ¥ is spent on a Web Application Firewall Technology.
What Do I Need in a WAF?
Web application hosters provide reliable application access, not Compliance or Secure Web Applications.
[Figure: Internet → Barracuda Web Application Firewall → Servers. PCI and security drive inbound user content scanning; outbound inspection protects against customer data leakage.]
• PCI standards exist for a reason!
• "Assumed" Security doesn't exist!
• Protection against malicious users
Most Apps are Web Apps Today
• Microsoft
– Sharepoint
– Office
– Exchange
• Oracle
– Peoplesoft
– Financials
– Oracle Business
• SAP
• Custom Applications
– Partner/Sales Portals
– Order Entry Systems
– HR Systems
• Open Source
– PHP Bulletin Board
– Bugzilla
Secure Multiple Web Applications
Level of Security Customization:
• High – Profiled applications
• Medium – Utilizing template security
• Low – Default security policy
Reporting – Ensuring Compliance
One Arm Proxy
Easier, less secure, performance gains
[Figure: Internet → WAN (192.168.9.1, subnet 192.168.9.0/24) → WAF with VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 and management interface 172.10.10.5 → Servers 10.10.10.10, 10.10.10.20, 10.10.10.30 in subnet 10.10.10.0/24. Internal DNS changes to redirect traffic.]
Pros:
• Limited changes to networking scheme
• Virus scanning, Data Loss Prevention
• Full performance optimization features available (LB, SSL Acceleration, HA etc)
Cons:
• Backend servers are still exposed since they have native IPs
• In high-end web sites performance is limited since a single Ethernet NIC is used for inbound/outbound traffic
Reverse Proxy
Optimized Security, Optimized Performance
[Figure: WAN (192.168.9.1, subnet 192.168.9.0/24) → WAF with VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 and management interface 172.10.10.5 → LAN (10.10.10.1, subnet 10.10.10.0/24) → Servers 10.10.10.10, 10.10.10.20, 10.10.10.30. DNS resolves to the WAF; Server IPs reside in the LAN subnet.]
Pros:
• Most Secure Deployment Scheme since backend servers are completely isolated
• Headers can be rewritten
• Virus scanning, Data Loss Prevention
• Full performance optimization features available (LB, SSL Acceleration, HA etc)
Cons:
• Much more security and performance at the expense of deployment simplicity
• Applications requiring protection must be moved behind the reverse proxy during a maintenance window
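The "Headers can be rewritten" advantage above (and the "Cloaking" capability listed later) in concrete form, as an added example that is not part of the original slides or of any Barracuda product code. The function models what a reverse proxy does to a backend response before it reaches the client: it drops headers that fingerprint the backend software, rewrites absolute redirects that point at the internal server address (10.10.10.10 from the diagram) to the public origin, and fixes cookie Domain attributes that would otherwise bind the cookie to an address the client cannot reach. The header values, the public hostname www.example.com and the function name are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed backend response headers. Server and X-Powered-By values are
# made up; 10.10.10.10 is the backend server address from the slide.
SAMPLE_BACKEND_HEADERS = [
    ("Server", "ExampleHTTPD/1.0 (constructed)"),
    ("X-Powered-By", "ExampleFramework/2 (constructed)"),
    ("Location", "http://10.10.10.10/account/summary"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Domain=10.10.10.10"),
    ("Content-Type", "text/html"),
]

# Headers that reveal backend software; removed on the way out (cloaking).
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def rewrite_response_headers(headers, internal_origin, public_origin):
    """Return the header list a reverse proxy would emit to the client.

    - drops headers that fingerprint the backend
    - rewrites absolute redirects from the internal origin to the public one
    - rewrites cookie Domain attributes to the public host so the browser
      sends the cookie back through the proxy
    """
    public_host = urlsplit(public_origin).hostname
    rewritten = []
    for name, value in headers:
        lname = name.lower()
        if lname in CLOAKED_HEADERS:
            continue
        if lname == "location" and value.startswith(internal_origin):
            rest = value[len(internal_origin):]
            # Require a path boundary so "http://10.10.10.1" cannot match
            # "http://10.10.10.10/...".
            if rest == "" or rest.startswith("/"):
                value = public_origin + rest
        if lname == "set-cookie":
            value = re.sub(r";\s*domain=[^;]+", "; Domain=" + public_host,
                           value, flags=re.IGNORECASE)
        rewritten.append((name, value))
    # Emit a generic Server value rather than none at all, so the absence of
    # the header does not itself stand out.
    rewritten.append(("Server", "web"))
    return rewritten


if __name__ == "__main__":
    for name, value in rewrite_response_headers(
        SAMPLE_BACKEND_HEADERS, "http://10.10.10.10", "https://www.example.com"
    ):
        print(f"{name}: {value}")
```

The same rewriting is what makes the bridge-mode deployment weaker on this point: a layer-2 bridge forwards frames and does not terminate the HTTP exchange, so there is no place to apply these substitutions, which is why the bridge-mode slides list "No Header rewrite" as a con.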
Bridge Mode - Operates as Layer 2 Bridge
[Figure: Internet → WAN (10.182.12.1) → WAF (management interface 172.10.10.5; VIP1 10.182.12.20, VIP2 10.182.12.21, VIP3 10.182.12.22) → LAN → Servers 10.182.12.20, 10.182.12.21, 10.182.12.22. Virtual IPs are the same as the Server IP addresses. All incoming traffic is bridged; security policies are applied to defined services.]
Pros:
• No Back end/Front end networking changes
• Ease of installation
• Ethernet Hard Bypass Mode
Cons:
• No Header rewrite
• No Load Balancing
• No TCP Pooling
The Barracuda WAF
[Figure: Remote Users and Teleworkers → Barracuda Web Application Firewalls → Servers.]
Performance: Load Balancing, SSL Accelerators / SSL Acceleration, Pipelining, Caching, Compression
Security: Access Control, OWASP protection, Malware scanning, Data leakage, Cloaking, XML Firewall, IDP, IPS
Scalable Performance To Meet Application Needs
WAF 960, WAF 860, WAF 660, WAF 460, WAF 360
Evolution of the Web Application Environment
[Figure: Remote Users and Teleworkers → Barracuda Web Application Firewalls → Servers and Virtualized Web Applications Infrastructure.]
Barracuda Control Center
Centralized Multi-Appliance Administration
– Consistent Web interface
– Status Monitoring
– Distributed Configuration mgt.
– Information aggregation
– Role based Administration
– Delegated Administration
Cloud Service, Hardware and VM based Appliance
Barracuda Networks Confidential
Barracuda Web Application Firewall Overview
Secure Web Applications; Comprehensive Yet Affordable; Gain Visibility Via Logs and Reports; Scale and Speed Application Delivery; Achieve Compliance
About Barracuda Networks
Security Principles (CIA): Confidentiality, Integrity, Availability – with Centralized Management
[Figure: product portfolio – Barracuda Message Archiver, Barracuda SSL VPN, Barracuda Load Balancer, Barracuda Link Balancer, Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall, Barracuda IM Firewall, Barracuda Next-Generation Firewall, Yosemite (Server, Desktop/Laptop); grouped under Networking, Performance, Connectivity, Security, Protection, Servers, Storage, Data and Peace of Mind.]
Superior Technology
• Proven, Field Tested – 135,000+ Customers Worldwide
• Innovative Technology – Diverse IP Assets: Predictive Sender Profiling, Real-time Protection, Reputation Service, Data De-duplication, Multi-tenant Cloud, Centralized management
• Barracuda Labs – Global Research, Thought Leadership, Security Intelligence
• Recognition: Cool Vendor in Security SaaS; Top Emerging Vendor – Storage; Top 10 "Most Innovative"; Purewire Web Security Service – DEMOgod; Top 10 IT Security Companies to Watch; Top 10 Security Stories
Questions??
Grant Murphy
gmurphy@barracuda.com
Supplemental Slides
Who Needs Application Firewalls?
Hacked!
1. Compliance Audit (PCI, HIPAA, GLBA)
   • Anybody who works with confidential data
   • i.e. Credit Cards, SSN, Patient records, Client Records
2. Security Requirements
   • Internal and external threats. Business partners.
3. Secure "Load Balancer" for Web Applications
   • For the price of a competitor's Load Balancer, you can buy a WAF
Other Hacker Money Makers: Server Botnets
• Botnet-as-a-Service
• Distributed Denial of Service attacks (DDoS)
• Brute-force hacking of bank accounts
• Attackers rent bots for extortion or attacks against legitimate sites
• Rental starts at $8.94/hr and averages approximately $67.02/day [1]
• Affects All Industries
• Web application servers are especially viable bots due to high bandwidth and processor capabilities
• Your Web servers can be hijacked to be a zombie in a botnet
• Malware relay point
[1] VeriSign May, 2010 cybersecurity study
Barracuda Web Application Technology
Mature Solutions Trusted by Financial Institutions Worldwide
Why Do Hackers Hack?
[Figure: Amount is in USD Per Record on the Black Market]
Reverse Proxy WAF Advantages…
• Application Performance Optimization
• Cookie encryption / signing
• Client fingerprinting
• Response control
• Cross Site Request Forgery (CSRF) protection
• Cloaking
• Rate control
Capabilities fully implemented only in a reverse proxy WAF such as Barracuda's WAF
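The "Cookie encryption / signing" item above is what backs the session tampering and cookie hijacking rows of the IPS/IDS comparison later in the deck. As an added example (not from the slides or from any Barracuda code), the signing half of that capability: a reverse proxy appends an HMAC tag to each cookie value it sends out and refuses any cookie that comes back with a value the tag does not cover. The key, the cookie contents and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed signing key. A deployed proxy keeps this outside the
# application and rotates it; the value below is for the example only.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def sign_cookie(value: str, key: bytes = SIGNING_KEY) -> str:
    """Append an HMAC-SHA256 tag to a cookie value on its way to the client."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SIGNING_KEY):
    """Return the original value if the tag checks out, otherwise None.

    rpartition on '.' is safe because the tag is URL-safe base64 and so
    never contains a dot, while the value itself may.
    """
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie(value, key).rpartition(".")[2]
    # Constant-time comparison so the check does not leak how many tag
    # characters matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


if __name__ == "__main__":
    issued = sign_cookie("role=user;uid=42")
    print("issued  :", issued)
    print("intact  :", verify_cookie(issued))
    print("tampered:", verify_cookie(issued.replace("role=user", "role=admin")))
```

Signing catches edits made on the client side (the role change in the usage above comes back as None), but a signed cookie copied from one browser to another still verifies, so a hijacking defence needs something beyond this, such as the client fingerprinting item in the same list. Encryption, the other half of the bullet, would additionally hide the cookie contents from the client; it is a separate step from signing and is not shown here.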
A WAF Should Provide
• URL Decoding
• Code Injection
• SQL Injection
• Cross Site Scripting (XSS)
• HTML Form Validation
• XML Validation
Capabilities that a good WAF solution should provide
A Complete WAF Solution Requires
• Load Balancing
– Layer 4
– Layer 7
• Caching
• Compression
• Content Routing
• SSL Offloading
• FTP security
• Anti Virus
• Authentication & Authorization
– Two factor authentication
• Client certificates
• RSA SecurID
• Single sign on
• CA SiteMinder
Capabilities not present in other WAF Vendors
Malicious Activity Rankings by Country
Country      Overall   Attack Origin   Bots   Malicious Code   Spam Zombie
Brazil          3            6           3           5              1
Argentina      17           19          12          46             12
Mexico         18           15          25           7             17
• Increased Adoption of Broadband and Internet leads to growth in malicious activity
  – Latin America has an IP-traffic annual growth rate of 51% over the next 5 years
• Web Application Security is often an afterthought
Web Application Security will be increasingly important in Latin America!
Network Firewalls Only Secure Port/Protocol
[Figure: Users and a Hacker → Firewall → Web Application. Traffic is allowed to pass through port 80/443.]
Firewalls allow traffic to pass only through specific network ports. BUT NOW hackers are using valid traffic to exploit vulnerabilities found in the applications deployed on the Web servers.
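The point of the slide above, and of the earlier "A WAF Should Provide" list (URL Decoding, SQL Injection, Cross Site Scripting), shown on sample traffic: a port/protocol filter passes every one of the requests below because each is ordinary HTTP on port 80, while a layer-7 inspection that decodes the parameters first can tell them apart. This is an added example, not code from the slides or from Barracuda; the request lines are constructed, and the two signature sets are deliberately tiny stand-ins for a real rule base.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed HTTP request lines. A port/protocol filter passes all four
# because each is plain HTTP on an allowed port; only the content differs.
SAMPLE_REQUESTS = [
    "GET /account?acct=4128-0004-1234-0293 HTTP/1.1",
    "GET /account?acct=%27%20OR%201%3D1-- HTTP/1.1",
    "GET /search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1",
    "GET /item?sku=1234&note=see+page+2 HTTP/1.1",
]

# Deliberately small signature sets; a production WAF carries far more and
# pairs them with a positive (learned) model of what each parameter may hold.
SQLI_PATTERN = re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\s+table)")
XSS_PATTERN = re.compile(r"(?i)(<\s*script|javascript:|\bon[a-z]+\s*=)")


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing, with a bound.

    Double encoding (%253C -> %3C -> '<') is the classic way to slip past a
    filter that decodes only once; the bound keeps the loop finite.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request_line: str) -> list:
    """Return (parameter, category) findings for one request line.

    An empty list means no signature matched. parse_qsl already applies one
    round of decoding; normalize() handles any further layers.
    """
    _method, target, _version = request_line.split(" ", 2)
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalize(raw)
        if SQLI_PATTERN.search(value):
            findings.append((name, "sqli"))
        if XSS_PATTERN.search(value):
            findings.append((name, "xss"))
    return findings


def triage(request_lines) -> dict:
    """Map each request line to the verdict a layer-7 inspection would give."""
    return {
        line: ("block" if inspect_request(line) else "allow")
        for line in request_lines
    }


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS).items():
        print(f"{verdict:5} {line}  {inspect_request(line)}")
```

The second request carries the slide's SQL injection string once URL-decoded, the third carries a script tag hidden under two layers of encoding, and the first and fourth are benign. Signatures this small also show the cost of the negative model: the `--` rule would flag a legitimate value that happens to end in two hyphens, which is why the "High" customization level on the profiling slide (a learned, per-application positive model) matters in practice.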
Web Application Security Comparison
Capability                                    IPS/IDS   Barracuda WAF
Injection attack protection (XSS, SQLi etc)   No        Yes
Session tampering protection                  No        Yes
Cookie hijacking protection                   No        Yes
Data Theft protection                         No        Yes
Brute-force protection                        No        Yes
Web Services Protection                       No        Yes
Anti Virus and Malware upload protection      Yes       Yes
Authentication/Authorization                  No        Yes
XML Firewall                                  No        Yes
Denial of Service Attacks                     Yes       Yes
Standard Installation Methods
• Bridge Mode
– Initial installation for existing applications
• One Armed Proxy Mode
– Excellent for product evaluation
• Reverse Proxy Mode
– Highest inherent security
Infected IP Addresses
Source: The Economist, July, 2010
Existing Network/Application Data Flow
The Barracuda Web Application Firewall is inserted between the Network firewall and the switch to the backend.
[Figure: Clients → Internet → Switch / Router → N/w Firewall → Switch → Application 1 (223.216.5.9) and Application 2 (223.216.5.10).]
Bridge Mode - Operates as Layer 2 Bridge
[Figure: Internet → WAN (10.182.12.1) → WAF (management interface 172.10.10.5; VIP1 10.182.12.20, VIP2 10.182.12.21, VIP3 10.182.12.22) → LAN → Servers 10.182.12.20, 10.182.12.21, 10.182.12.22. Virtual IPs are the same as the Server IP addresses. All incoming traffic is bridged; security policies are applied to defined services.]
Pros:
• No Back end/Front end networking changes
• Ease of installation
• Ethernet Hard Bypass Mode
Cons:
• Some performance compromises
• No Load Balancing
• No TCP Pooling
One Arm Proxy
[Figure: Internet → WAN (192.168.9.1, subnet 192.168.9.0/24) → WAF with VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 and management interface 172.10.10.5 → Servers 10.10.10.10, 10.10.10.20, 10.10.10.30 in subnet 10.10.10.0/24. Only the WAN port is used.]
Pros:
• Easier Deployment compared to Reverse Proxy; network infrastructure and partitioning do not need to be changed
Cons:
• Requires DNS/IP changes as in Reverse Proxy
• Lower throughput since only one port (WAN) is used
One-Armed Configuration For Evaluation
[Figure: Clients → Internet → Switch / Router → Load Balancer (IP 223.216.5.9, the advertised IP for the Web Site) → Server 1 (10.10.10.101:80) and Server 2 (10.10.10.102:80); client traffic continues to flow this way. The Barracuda WAF (Testing VIP, IP 223.216.5.18, Cache) publishes VIP 10.10.10.202:80 and forwards test traffic to the same servers. No changes.]
Testers can use the internally published VIP to access the Application. Existing client traffic remains unaffected and traverses via the Load Balancer.
Once the evaluation of the Barracuda is complete, it can be moved inline into production, either coexisting with the Load Balancer or replacing it.
Reverse Proxy
VIPs belong in the WAN subnet; Server IPs reside in the LAN subnet
[Figure: WAN (192.168.9.1, subnet 192.168.9.0/24) → WAF with VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 and management interface 172.10.10.5 → LAN (10.10.10.1, subnet 10.10.10.0/24) → Servers 10.10.10.10, 10.10.10.20, 10.10.10.30.]
Pros:
• Full feature availability including Load Balancing and Instant SSL
• Most Secure Deployment Scheme since backend servers are completely isolated
• Fast HA Failover
Cons:
• Network changes required such as Server IP addresses and DNS mappings
• Backing out requires undo of all the changes
• Deployment requires cutover of live services
Barracuda Web Application Firewall
• Mature Solution with over 10 years of R&D
• WAF Customers in Latin America
  – Colombia – Efecty – Financial
  – Colombia – Alianza Fiduciaria – Financial
  – Mexico – Punto Clave – PCI Certified – ISP
  – Mexico – Metropolitana – Insurer
  – Mexico – Escuela de Trafico Aereo – Education
  – Mexico – Escuela Naval Militar – Education
  – Chile – Banco Central – Financial
  – Chile – Banco de Credito – Financial
  – Bolivia – Banco Mercantil – Financial
  – Paraguay – Bancard – Financial
Competition from ADCs
• Dedicated Security Device
  – Malware scanning for Uploaded content
  – Energize updates – near real-time updates for security issues via Barracuda Labs
  – Positive/Negative Security models
  – Rule set customization and iRules
• Capacity and performance
• Nickel and diming of Add-ons
• License simplification