Is your WAF effective? Independent research study

There has been a lot of discussion, articles and analyst reports about WAFs over the years (some listed below). The truth is that WAFs aren’t perfect, but I believe they are an essential part of a comprehensive application security defense strategy. WAF technology has been maturing and improving over the last few years. There is even more good news in a just-released in-depth study by security consultant Larry Suto, who tested six WAFs and two IPSs for their effectiveness at blocking attacks against known application vulnerabilities.

Two of the most interesting findings in the report are:

  • A properly tuned IPS can be as effective as, or more effective than, WAF solutions at blocking attacks against application vulnerabilities. After seeing the results of this study, the IPS vendors have agreed that their devices, in concert with NTOSpider/NTODefend, can be counted as a WAF for PCI compliance purposes. (Whether an IPS satisfies the WAF option of PCI DSS Requirement 6.6 in a given environment is ultimately a call for the organization’s assessor, not the vendor.)
  • Automatically generated filters from dynamic application security testing (DAST) tools can improve blocking effectiveness by as much as 39% for a WAF and as much as 66% for an IPS.
Why are WAFs Essential?
For me, the bottom line is that we can’t ignore the fact that there are known vulnerabilities in production applications. Ideally, these would all be fixed in the source code, but the reality is that they can’t always be fixed immediately; they might take months to fix, or they might not be fixable at all in the foreseeable future. In these instances, a WAF is a very practical way to apply a temporary (virtual) patch for the vulnerability. I mean, if someone’s sitting out there in public with no pants, someone please hand them a towel!
The other painful truth about WAFs is that they take time to train and configure. Most security teams are short on time and short on resources. The people on the front lines whom I speak with tell me they would love to be able to train their WAFs more quickly. Here’s the good news:
  • With about 3.5 hours of expert tuning, most WAFs can perform fairly well.
  • When you add DAST-generated custom filters, both WAFs and IPSs are excellent at blocking attacks against the discovered vulnerabilities.
  • One of the things that makes NTODefend unique is the ability to confirm that the filters are blocking unwanted traffic and allowing desired traffic. During his study, Larry was able to play with this false-positive detection functionality in NTODefend. He was pleased to see that it does in fact show whether the WAF/IPS is blocking good traffic – pardon the promotion :-)
As you would expect, a handful of other vendors (including NT OBJECTives) provided tools for Larry to use to complete the report. Anyone who has ever tried to do a study knows that it takes a lot of work, and Larry does not receive any payment from any vendor to complete these studies. No study is perfect, but given the finite amount of time and resources available to him, I believe Larry tried to implement the fairest study he could.
For more information about the study:
Good articles that discuss the use of WAFs & IPSs

Surviving the Week – 11/11/2011

Web application security news from the last couple weeks.
[I guess I didn't figure out how to keep going with this weekly post when I'm traveling, but now I'm done traveling for a couple months, so I should be able to keep up with the news]

SEC tells public companies they must disclose cyberattacks – time for CEOs & boards to really care about security

Interesting news out of an agency we in the security industry don’t think about very much, the SEC (Securities and Exchange Commission). Reuters reports that the SEC has issued disclosure guidance telling public companies to disclose in their SEC filings any material cyberattacks that may have affected them, and the potential losses as a result of these attacks.
This guidance should have a very interesting side-effect for those of us in the security community. For years, we have tried to quantify the cost of attacks when justifying security purchases. But to date, since companies have been so wary of sharing any information about such attacks, data has been somewhat limited.
The Ponemon Institute’s report, 2010 Annual Study: Global Cost of a Data Breach, stated that the average organizational cost of a breach across the globe was $4 million, up 18% from 2009. Globally, data breaches cost an average of $156 per record, while in the United States the cost was significantly higher at $214 per compromised record. The study examined the actual breach data from 154 global companies across 17 industry sectors. The report states that organizations appear to be taking their “stewardship of sensitive personal data seriously” and are increasing measures to protect against breaches “by implementing data protection best practices and technologies.” The costs of a breach considered in the report include everything from PR response, software remediation, consulting costs, forensics and customer communications to more.
I’m willing to bet that the new numbers we see out of these companies about the cost of an attack are going to far exceed what even we have been speculating for the past few years. As criminals become more sophisticated, and as systems and applications become more intertwined and accessible, those systems continue to be ripe for the picking.
Public companies now face not only the cost of the breach and the cost of repairing customer trust, but also the cost of shareholder nervousness or disenchantment over their security practices and breaches.
Security is now becoming the domain of not just the CSO or the CIO. With the new SEC rules, the CEO and the board of every public company will have a vested stake in ensuring the security of their systems, if they want to keep their job, and keep their shareholders happy. And that’s a good thing for us as consumers.

“Perfect-Fit” Virtual Patching for WAF/IPS with NTODefend

Recently NT OBJECTives announced NTODefend and its ability to generate “perfect-fit” custom patches for WAF & IPS. This marketing term “perfect-fit” has prompted some questions. People are wondering how our “perfect-fit” rules differ from what other DAST vendors are doing, as well as from solutions like ThreadFix (aka Vulnerability Manager) from Denim Group. Those who know me know that I don’t like it when vendors overstate their capabilities, and I make sure NTO does not do this either, so I think this term deserves some explanation.

The other solutions that are able to generate virtual patches work from pre-defined templates based on categories of attacks, such as SQL injection, cross-site scripting and OS command injection. So if a given input is vulnerable to SQL injection, the SQL injection template will be used to generate a virtual patch for the vulnerable input, regardless of what that input is meant to accept.

NT OBJECTives’ approach differs in that NTODefend is able to generate rules based on deeper intelligence about the input. This extra information comes from two key features in NTOSpider:

  1. NTOSpider’s input population technology works to determine the intended legitimate data. For example, the input population technology will determine if the input only accepts numbers, or is intended for a phone number, email address, street address, etc.
  2. NTOSpider’s attack engines record specifics about the attacks that worked, such as the usable characters and escape sequences.

By leveraging details about the attacks, NTODefend can generate more specific and aggressive rules to function as countermeasures to the attacks the input was vulnerable to. This can include making rules that only allow numerical values, or blocking single quotes but not double quotes, or allowing parentheses but not dashes. NTODefend can also decide which canned filters to include to make sure the input is well protected.

The key point is that each rule is generated custom to the input AND custom to the ways it can be exploited.

After installing the virtual patches into the WAF or IPS, NTODefend provides the ability to re-test all the inputs with both attack traffic and good traffic (a modifiable database of sample values is included for each data type NTOSpider can detect). It then generates a report showing which of the good requests and bad requests were blocked. This lets users quickly understand how effective the virtual patches were and, just as importantly, alerts them to any virtual patch that is blocking good traffic.
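To make the two ideas above concrete (rules shaped by the input’s intended data type and by the characters the attack actually needed, then a good/bad traffic re-test), here is an added example. It is illustrative code written for this post, not NTODefend or NTOSpider code: the Finding record, the data-type patterns, the ModSecurity-style SecRule output and the sample traffic are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical scanner finding for one input (assumption: this is NOT the
# NTOSpider result format). It carries the inferred legitimate data type and
# the characters the successful attack payload depended on.
@dataclass(frozen=True)
class Finding:
    parameter: str
    expected_type: str        # "integer", "phone", "email" or "free_text"
    vuln_class: str           # "sqli", "xss", ... (informational here)
    attack_chars: frozenset   # characters the working attack relied on

# Allow-list patterns for the data types we assume the crawler can infer.
TYPE_PATTERNS: Dict[str, str] = {
    "integer": r"^[0-9]+$",
    "phone": r"^\+?[0-9][0-9 ().-]{6,20}$",
    "email": r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$",
}

@dataclass(frozen=True)
class VirtualPatch:
    parameter: str
    allow_pattern: Optional[str]   # positive allow-list when the type is known
    deny_chars: frozenset          # otherwise block only what the attack needed

    def blocks(self, value: str) -> bool:
        """Decision the WAF/IPS would make for one value of this parameter."""
        if self.allow_pattern is not None:
            return re.match(self.allow_pattern, value) is None
        return any(ch in value for ch in self.deny_chars)

    def to_modsecurity(self, rule_id: int) -> str:
        """Emit ModSecurity-style SecRule text (patterns here contain no double quotes)."""
        if self.allow_pattern is not None:
            operator = f"!@rx {self.allow_pattern}"
        else:
            cls = "".join(re.escape(c) for c in sorted(self.deny_chars))
            operator = f"@rx [{cls}]"
        action = (f"id:{rule_id},phase:2,t:none,deny,status:403,"
                  f"msg:'virtual patch for {self.parameter}'")
        return f'SecRule ARGS:{self.parameter} "{operator}" "{action}"'

def generate_patch(finding: Finding) -> VirtualPatch:
    pattern = TYPE_PATTERNS.get(finding.expected_type)
    if pattern is not None:
        # Known data type: a positive allow-list is stricter than any blacklist
        # and also blocks attack characters the scanner never tried.
        return VirtualPatch(finding.parameter, pattern, frozenset())
    # Free text: deny only the characters the attack proved it needs, e.g. the
    # single quote but not the double quote, so most legitimate text still flows.
    return VirtualPatch(finding.parameter, None, frozenset(finding.attack_chars))

def retest(patch: VirtualPatch, good: List[str], bad: List[str]) -> Dict[str, List[str]]:
    """Replay good and bad traffic through the patch and report both error types."""
    return {
        "blocked_good": [v for v in good if patch.blocks(v)],    # false positives
        "passed_bad": [v for v in bad if not patch.blocks(v)],   # false negatives
    }

# Constructed sample traffic (not captured from any real application).
SAMPLE_TRAFFIC = {
    "phone": {
        "finding": Finding("phone", "phone", "sqli", frozenset("'-")),
        "good": ["555-0100", "+1 (555) 010-0100"],
        "bad": ["555' OR '1'='1", "555-0100' UNION SELECT 1--"],
    },
    "comment": {
        "finding": Finding("comment", "free_text", "sqli", frozenset("'")),
        "good": ['Nice "feature"', "It's great"],     # an apostrophe is legitimate here
        "bad": ["x' OR 1=1--", "'; DROP TABLE users--"],
    },
}

def run_retest(name: str) -> Dict[str, List[str]]:
    case = SAMPLE_TRAFFIC[name]
    return retest(generate_patch(case["finding"]), case["good"], case["bad"])

if __name__ == "__main__":
    for rule_id, (name, case) in enumerate(SAMPLE_TRAFFIC.items(), start=10001):
        print(generate_patch(case["finding"]).to_modsecurity(rule_id))
        print(name, run_retest(name))
```

The phone parameter gets a tight allow-list and passes the re-test cleanly. The free-text comment field shows the other side of the trade-off: blocking the single quote stops both injection payloads, but the re-test flags "It's great" as blocked good traffic, which is exactly the kind of rule a human needs to loosen before it ships.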

We do not claim that these generated virtual patches will always be 100% accurate in all situations, but we are confident that they will be useful, and that we give users a way to quickly deal with discovered vulnerabilities while the code fix is pending.

I welcome discussion and questions on this topic.

Introducing Jim Broome

We caught a big one!
I’m proud to announce that my buddy Jim Broome has joined the NT OBJECTives team and will be contributing to the blog and podcast.

Jim Broome, CISSP
Jim, an information security veteran with two decades of experience in the security industry, is joining as VP of Security Services. Jim’s role is to provide world-class SaaS-based web security services through NTOSpider On-Demand while also providing leadership to the NTOLabs research and consulting teams.

Experience
Practice Manager – Accuvant LABS – Accuvant, Inc.
As one of Accuvant’s most seasoned security assessors, Mr. Broome performed innumerable consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments, penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients came from a variety of markets, including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Principal Security Consultant – ISS X-Force

Prior to joining Accuvant, Jim was a principal security consultant for Internet Security Systems (ISS) and a member of the X-Force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western region consulting practice while performing his day-to-day duties of network assessments and penetration testing.

Director of Network and Security Operations – Cavion.com

Before X-Force, he was the director of network operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

HouSecCon 2011 and B-Sides ATL Review

Last week was a travel week.
On Wednesday I was in Austin for some meetings, then headed to Houston for the second annual HouSecCon on Thursday. I have to say that I was blown away by how much bigger and better it was than last year (with the exception of the badges ;) ). My buddy Michael Farnum puts this thing on with a team of friends, and they are doing an amazing job growing the event. It was fun having a booth for NT OBJECTives, and everyone loved the new shirts we were giving out.

This year MJ Keith (now with The Denim Group) was the keynote speaker. I was first introduced to MJ Keith at last year’s HouSecCon, where he blew me away with his Bump hack in his “Pwn on the go!” talk, and I was glad to see him given the headlining spot this year.

The talks were all great, with highlights from Michael Gough, Josh Sokol and Zac Hinkel. I did my “Not your granddad’s webapp” talk which seemed to go over well, if you missed it, you can watch the video.

On Friday I was in Atlanta for B-Sides Atlanta, which was a fun event. I didn’t have as much time to sit in the talks, but the lockpick room was great, and I tried to hang in the podcasters’ room, even though it was a little hard to engage in useful conversation. I wonder what it was like for those listening to the live stream. I didn’t do a talk at this one, so I just spent my time meeting people and eating great southern food.

Comparing the two would be hard, because they were entirely different, so I will just say that I had a fun week at both cons and look forward to both next year.

Vegas 2011 Review: Pentultimate Hack

Conference: B-Side
Title: Pentultimate Hack – Manipulating Layers 8 & 9 of the OSI Model (Management & Budget)
Speaker: Rafal Los (aka Wh1t3Rabbit)

This talk was well prepared but not as dynamic and entertaining as the Schuyler Towne talk (fortunately I attended the Towne talk, and they had coffee by now). It had a lot of buzzwordology and business clichés in it, but I mean that in a good way. Knowing business-speak is unfortunately a cost of doing business, so it was grating but valuable to attend this talk. He spoke of how security is typically a bolt-on or an afterthought and really needs to be thought of as part of the core business plan. What often happens is that some application that is going to generate $20 million in revenue gets audited and found to be full of security holes, and that justifies $750,000 to harden it up. It usually takes those big-money projects to drive the security side of things. He also spoke of the plight of the CSO or pen tester, specifically that they are implicitly to blame if any compromise happens, but it is actually under pressure from the project manager that products ship despite the warnings of pen testers or the CSO. So he recommends requiring the project manager to sign a document absolving the CSO or pen tester(s) of responsibility if he/she intends to ship a product against recommendations to the contrary. He also recommends schmoozing the legal counsel, as that gives political leverage in these situations.

Summary:  this guy is giving very good advice to CSOs and pen testers which, if they heed it, will create a climate in which vulnerability scanners should become more popular.

NT OBJECTives announces NTODefend, automatic WAF & IPS rule generation

Do your WAF and IPS rules fit like a custom suit or an off-the-rack one?

Announcing NTODefend

NT OBJECTives is excited to announce the general availability of NTODefend, a software solution that enables enterprise security teams to quickly, easily and automatically create “perfect-fit” custom rules to patch Web Application Firewalls (WAF) or Intrusion Prevention System (IPS) against web application vulnerabilities discovered in automated NTOSpider scans.

Read the full NTODefend press release.
Visit NTODefend’s web page for additional details.

NTODefend goes beyond standard, one-size-fits-all WAF rule generation to create stronger customized rules, while also allowing for rule modification. It combines NTOSpider’s knowledge of the application functionality with an understanding of specific vulnerabilities to be the first tool to create “perfect-fit” custom rules that effectively block bad traffic while letting the good traffic flow through. With these rules, NTODefend also tunes an IPS to behave like a WAF.

A comprehensive application security approach addresses the entire software development lifecycle, from development through production. Security teams use two primary kinds of tools to help them identify, patch and resolve application security issues in production applications: dynamic application testing products and web application firewalls (WAF). The ideal production solution includes a dynamic application testing tool that understands your WAF, so the two can share information to automatically patch vulnerabilities that haven’t yet been fixed in the source code.

NTODefend Product Features

  • Automated Custom Rule Generation for WAF/IPS – Quickly and easily generate custom rules, and if needed modify these rules, to patch vulnerabilities on WAF/IPS, using the results from NTOSpider scans.
  • Vulnerability Report Selection – Quickly select which vulnerabilities to patch and automatically generate the highly targeted filters for the user’s particular WAF/IPS solution.
  • Re-scan Ability to Confirm Effectiveness – NTODefend enables security teams to quickly re-scan applications to confirm the trained WAF/IPS’s effectiveness. Teams can quickly confirm that target vulnerabilities are patched and that good traffic continues to flow through as expected, sharply reducing the risk of false positives and false negatives and dramatically reducing QA time.
Visit NTODefend’s web page for additional details.

Vegas 2011 Review: Transparent Botnet Command and Control for Smartphones over SMS

Conference: B-Sides
Title: Transparent Botnet Command and Control for Smartphones over SMS
Speaker: Georgia Weidman

The title actually says most of it. SMS is used because it makes the botnet easy to conceal: malware on phones often announces its presence by draining the battery, and piggybacking on SMS avoids that. SMS is also fault tolerant; the protocol itself resends a message if there is no acknowledgement, so it extends to the attacker the courtesy of persistently delivering the command to its destination. The balance of the talk covered the technical details of what an SMS message looks like on the wire and how you craft the attack.

Summary:  this talk provided good general security knowledge.  I’m not sure if we (NTO) will ever scan smartphones.  That is an interesting business prospect though… I have never heard of a smartphone app scanner… one targeted specifically to phone apps.

Vegas 2011 Review: How to Hide Your Pr0n

Conference: B-Sides
Title: How to Hide Your Pr0n
Speaker: Orlando Barrera II and Josh Sokol

Pr0n being a fanciful distortion of “porn”… itself a fanciful name for any data you value and might want to hide. The speakers started by noting several stupid ways to hide data (hidden files, deep directories, etc.) and then got down to the good ways, encryption being step one. In the current political climate (terrorism, etc.), the speakers argued, the mere presence of encryption can itself be treated as grounds for suspicion, i.e. one can be prosecuted for refusing to supply credentials to an investigator under certain circumstances. So in addition to encryption, one must establish “plausible deniability”: hide the data and leave no traces that suggest its presence anywhere on any computer you are afraid might be searched. Steganography is the proffered solution. Steganography is concealing data in some differently-purposed file. For example, take a losslessly encoded image such as a PNG and use the least significant bit of each pixel’s colour values to hold the data. In any photographic data those bits are quite plausibly noise, so they can carry the data without visible change (a lossy re-encode, such as saving to JPEG, would destroy them, which is why the cover must stay lossless). At a previous Defcon, someone spoke of using whitespace in HTML source to store attack data. That speaker did not call it steganography and the purpose was attack, not solely concealment, but conceptually it is basically the same thing. So, encrypt the files, stego them into image files or whatever, then store the stegoed files in the cloud. Obviously this is the ultra-paranoid extreme, but of course that’s what security is about. The speakers mentioned that Al Qaeda were communicating data to their operatives by stegoing it into pornographic images posted on Usenet.
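To make the LSB technique concrete, here is an added example written for this review; it is not the speakers’ code. It embeds a length-prefixed payload into the least significant bit of each colour channel of a constructed RGB pixel array (standing in for a decoded PNG; no real image is loaded), extracts it, confirms no channel moved by more than one step, and shows why the cover must stay lossless by running the stego image through a crude stand-in for lossy re-encoding. One caveat the talk summary glosses over: plain LSB replacement is detectable by statistical steganalysis, so encrypt first and do not mistake it for deniability against a determined examiner.

```python
import struct
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]   # 8-bit RGB, as decoded from a lossless format such as PNG

def make_cover(n_pixels: int) -> List[Pixel]:
    """Constructed, deterministic 'noisy photo' stand-in for a real cover image."""
    return [((i * 37) % 256, (i * 59 + 11) % 256, (i * 83 + 7) % 256) for i in range(n_pixels)]

def capacity_bytes(pixels: List[Pixel]) -> int:
    """One payload bit per colour channel, minus the 4-byte length header."""
    return (len(pixels) * 3) // 8 - 4

def _bits(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):      # most significant bit first
            yield (byte >> shift) & 1

def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Overwrite channel LSBs with a length-prefixed payload; no channel moves by more than 1."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload too large for this cover image")
    stream = _bits(struct.pack(">I", len(payload)) + payload)
    out: List[Pixel] = []
    for px in pixels:
        channels = list(px)
        for i in range(3):
            bit = next(stream, None)
            if bit is None:
                break                       # payload exhausted; rest of image untouched
            channels[i] = (channels[i] & ~1) | bit
        out.append((channels[0], channels[1], channels[2]))
    return out

def extract(pixels: List[Pixel]) -> bytes:
    """Read the LSB stream back; refuse implausible lengths from carrier-only images."""
    lsbs = (c & 1 for px in pixels for c in px)

    def take(n_bytes: int) -> bytes:
        buf = bytearray()
        for _ in range(n_bytes):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | next(lsbs)
            buf.append(byte)
        return bytes(buf)

    (length,) = struct.unpack(">I", take(4))
    if length > capacity_bytes(pixels):
        raise ValueError("no valid payload in LSB stream")
    return take(length)

def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel change between two images (1 means invisible LSB edits only)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))

def requantize(pixels: List[Pixel], dropped_bits: int) -> List[Pixel]:
    """Crude stand-in for lossy re-encoding (e.g. JPEG): zero the low bits of every channel."""
    mask = ~((1 << dropped_bits) - 1)
    return [(px[0] & mask, px[1] & mask, px[2] & mask) for px in pixels]

if __name__ == "__main__":
    cover = make_cover(400)
    secret = b"meet at dawn"                 # constructed payload; encrypt before embedding in practice
    stego = embed(cover, secret)
    print(extract(stego))                    # b'meet at dawn'
    print(max_channel_delta(cover, stego))   # 1
    print(extract(requantize(stego, 2)))     # b'' : lossy re-encoding wiped the hidden channel
```

The length header is what lets the extractor stop at the right place; it is also the first thing a lossy save destroys, which is why the requantized copy yields nothing rather than garbage.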

My reactions:  this talk inflamed my anti-establishment and paranoid sentiments.  Specifically, I wonder what happens when someone with something like encrypted bank info, encrypted personal info, any info that a private citizen might want to encrypt for quite valid reasons (identity theft etc.) could be acquired by legal machinations claiming to be concerned about terrorism, child porn, etc.  Terrorism and child porn are such high fear provokers that any hint of either is so provocative that they can and have had their definitions stretched to rather dubious extremes.  So I’m not rushing to stego all my data, but I am concerned that authorities are being granted purview over information beyond their ability to wield such power responsibly.  But that Al Qaeda stuff is rather unsettling as well.  So I fear both the terrorists who are called terrorists and the terrorists that work for the government.  I also think this talk may prove to have some direct relevance to our product.  We might want to write a stego detector module… more for the concealing-attacks-in-webpages variety than the stashing-data-in-images variety, although the latter could have assessment relevance as well.