Operationalize Web Application Security

Published on February 2017

White Paper

How to Operationalize Web
Application Security
Persistent Threat Management is an operational model
that eliminates the “man-in-the-middle” bottleneck
that prevents the scalability of web application security
solutions vital to preventing today’s pervasive attacks
from succeeding.
by Lori MacVittie
Sr. Technical Marketing Manager

Contents
The Threat from the Outside
The Threat from the Inside
The Persistent Threat Management Model
F5 and Persistent Threat Management
  Dynamic Application Security Testing Solutions
  F5 BIG-IP Application Security Manager (ASM)
  Persistent Threat Management Solutions
Conclusion

The Threat from the Outside
“2011 continued the shift towards external agents’ involvement in a high percentage
of data breaches. Though we have always seen an external majority, never before
has any year been so one-sided.”1
In 2011, attacks by external agents grew 6 percent over previous years, comprising
98 percent of all breaches documented by the Verizon Business 2011 Data Breach
Investigations Report (DBIR). While many attacks continue to focus on network and
systems security, DBIR data points to web application security as an area of increasing
concern, with nearly 40 percent of breaches being due to web application issues.
More than half of the most frequent attacks cited by organizations in a September
2011 Applied Research2 survey were against web applications. Half of those attacks
are on the well-known OWASP Top Ten list: cross-site scripting (XSS), SQL injection
(SQLi), and cross-site request forgery (CSRF). These attacks are well understood, as
are the proven methods of preventing them.
                            Likelihood of site      Frequency   Web transactions   Percentage chance of
                            to have vulnerability   seen        per day            a breach (daily)
Cross-site scripting (XSS)  64%                     43%         2873               27%
SQL injection               14%                     42%         2873               6%
Information leakage         64%                     41%         2873               26%

Sources: WhiteHat Website Security Statistics Report; Applied Research, September 2011;
Google Analytics Benchmarks 2011.

Possibility = (TX * V% * F%) / TX

Figure 1: If a vulnerability exists, there is a chance it will be exploited. The higher the volume
of a site, the higher the risk.

Such attacks are persistent and frequent, fueled by massive botnets and automation.
Organizations cannot prevent these attacks from being launched in the first place.
While advice abounds on preventing attacks by hacktivists motivated by something other
than profit or fame, nothing short of cutting the hardline to the Internet can definitively
stop external agents from launching attacks.
The responsibility of security operations is to prevent those attacks from succeeding.
This, too, unfortunately, is an increasingly difficult task. While the benefits of using
web application security solutions to detect and prevent the success of attacks are
now well understood and accepted, such solutions are still widely underutilized due to
the inability to operationalize the processes required to continually scan, discover,
and put into place the policies required to do so.

1 Verizon 2012 Data Breach Investigations Report (DBIR).
2 Study finds traditional security safeguards failing, Application Delivery Controllers viewed as an effective alternative.
November 8, 2011.

The Threat from the Inside
Conventional wisdom holds that employees are the greatest risk to the security of
an organization. This remains true—not necessarily because of intentional malice on
the part of employees, but rather due to the inability of operations to scale at a rate
equal to that of external threats.
While attackers are able to scale out thanks to scripting, automation, and a plethora
of services at their command, security operations continue to struggle with processes
involving manual codification and configuration. This impedes agility and degrades
the security posture of an organization such that its web application presence is, on
average, free from vulnerabilities for only 30 days during the year.3
Coupling an inability to scale with the tendency for IT to simply turn off or disable
security services that interfere with its ability to meet demanding business
requirements for application performance puts the entire organization at a much
higher risk of experiencing firsthand the direct and indirect consequences of an
attack succeeding.
The biggest disconnect for security operations lies between discovery of
vulnerabilities—particularly those most likely to lead to a breach—and remediation.
Vulnerability scanning services have proven that discovery can be easily automated.
Web application firewalls (WAFs) can mitigate across the entire application
deployment domain. But it is often the case that the policies required to mitigate
discovered vulnerabilities take as much time to create, test, and deploy as it would
for developers to address in application code.
Codifying the policies necessary to mitigate even the most common vulnerabilities
takes time. It is a manual process and the larger the attack surface of an application,
the more time it takes. The process scales no better than a bucket brigade does when
the job is putting out a serious fire. Even adding people to such processes often has
the inverse effect.

3 4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned?
White Hat Security video, 2012.

A better means of addressing this serious gap between discovery and deployment
of policies is required: an automated system that eliminates the man in the middle
that is slowing it down today and putting the entire organization at risk.

The Persistent Threat Management Model
Persistent Threat Management (PTM) is a new operational model that takes
advantage of integration and automation capabilities between vulnerability
scanning services and web application firewalls.
In the past, virtual patching has provided the ability to automatically deploy web
application firewall policies appropriate to specific vulnerabilities from within
vulnerability scanning services. This process has been largely manual, requiring
operations to deploy the policies necessary to protect web applications from attack.
The time investment in reviewing and deploying policies led to decisions on the
part of IT and business stakeholders to scan only periodically and deploy policies
to protect only those applications critical to the business.
But in recent years, the increasing persistence and rapid evolution of attacks and
attack methods have created an environment in which vulnerability scanning
services are an invaluable resource in managing web application security for all
applications, all the time. “Scan continuously, mitigate promptly” is an apt
mantra for those professionals now fully focused on web application security.
To meet this need, vulnerability scanning services can now scale to provide
continuous scanning of all organizational domains. A disconnect has remained
with the requirement to manually deploy policies to a web application firewall to
promptly mitigate those vulnerabilities discovered.
This disconnect is fueled in part by a lack of confidence in operators to properly
configure and deploy the appropriate policies based on discovered vulnerabilities.
Based on years of experience, WhiteHat Security has found that 80 percent of the
most common vulnerabilities in web applications can be mitigated promptly with
the same basic rule. Those variables specific to a web application and organization
can be automatically adjusted by the vulnerability scanning service, and thus enable
the emergence of a new operational model: PTM.

PTM automates the process of scanning and mitigating 80 percent of the most
commonly discovered vulnerabilities. These include those most likely to lead to a
breach: SQLi, XSS, and CSRF. PTM enables discovery of vulnerabilities, codification
of the appropriate policy (tailored to the application and organizational domain),
and automated deployment of that policy for prompt mitigation.
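To make the discover, codify, deploy loop concrete, here is an added Python sketch of the triage step; it is not F5, WhiteHat or Cenzic code. It orders constructed scanner findings by the Figure 1 breach chance, turns the classes the paper says a standard rule covers into application-tailored policy fragments, and escalates the rest to developers. The finding record, the rule names and the policy fragment shape are assumptions made for illustration, not BIG-IP ASM or scanner formats.

```python
"""Toy "scan continuously, mitigate promptly" triage loop (added example)."""
from dataclasses import dataclass

# Vulnerability classes the paper says one standard rule mitigates (its "80 percent").
AUTO_MITIGATED = {"xss", "sqli", "csrf"}

# Figure 1 inputs as (V%, F%): likelihood a site has the vulnerability and how often
# the attack is seen. Values copied from the paper's table; "csrf" has no row there.
FIGURE1 = {"xss": (0.64, 0.43), "sqli": (0.14, 0.42), "info_leak": (0.64, 0.41)}


def daily_breach_chance(vuln_class: str) -> float:
    """Possibility = (TX * V% * F%) / TX. TX cancels, so this is V% * F%; traffic
    volume multiplies the number of attack opportunities, not this ratio."""
    v, f = FIGURE1.get(vuln_class, (0.0, 0.0))  # unknown class: no prior, sorts last
    return v * f


@dataclass(frozen=True)
class Finding:
    url: str         # application URL the scanner flagged (constructed)
    parameter: str   # request parameter carrying the issue (constructed)
    vuln_class: str  # "xss", "sqli", "csrf", "info_leak", ...


def policy_fragment(finding: Finding) -> dict:
    """Tailor the generic rule to this application; hypothetical WAF policy shape."""
    return {"url": finding.url, "parameter": finding.parameter,
            "rule": f"block_{finding.vuln_class}", "enforce": True}


def triage(findings: list) -> dict:
    """Split findings into policies to deploy automatically and items that must go
    back to developers; both lists are ordered riskiest-first."""
    ordered = sorted(findings, key=lambda f: daily_breach_chance(f.vuln_class),
                     reverse=True)
    deploy = [policy_fragment(f) for f in ordered if f.vuln_class in AUTO_MITIGATED]
    escalate = [f for f in ordered if f.vuln_class not in AUTO_MITIGATED]
    return {"deploy": deploy, "escalate": escalate}


# Constructed scan output for one site: four findings, three of them auto-mitigable.
SAMPLE_FINDINGS = [
    Finding("/search", "q", "xss"),
    Finding("/account", "id", "info_leak"),
    Finding("/login", "user", "sqli"),
    Finding("/transfer", "token", "csrf"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS))
```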
[Figure 2 diagram: Users; BIG-IP Application Security Manager; Servers/Web Apps;
Persistent Threat Management; Vulnerability Scan (Cenzic, Qualys, IBM, WhiteHat)]

Figure 2: Persistent Threat Management enables continuous scan and discovery of
vulnerabilities followed by automatic codification and deployment of appropriate policies
to a web application firewall for prompt mitigation of threats.

[Figure: Persistent Threat Management cycle: Scan, Detect, Codify, Deploy, Protect]

PTM benefits organizations by:
• Improving operational efficiency by shifting burdens from people to technology.
• Decreasing risk by ensuring prompt mitigation of discovered vulnerabilities.
• Reducing impact on application lifecycle management by enabling organizations to
focus development resources only where absolutely necessary to redress a vulnerability.
• Improving security posture.
• Increasing the days in a year that applications are secure by eliminating threats
that might otherwise have emerged between scheduled scans through continuous scanning.

By automating protection against 80 percent of the most common vulnerabilities,
organizations can refocus security operations on mitigating the remaining 20
percent, confident in the ability of the web application firewall to detect and
protect against common persistent threats.

PTM is an evolutionary operational model building upon successful techniques like
automation and virtual patching to create a more consistent, efficient process for
protecting all web applications under an organization’s control.

F5 and Persistent Threat Management
F5 has partnered with WhiteHat Security and Cenzic to jointly execute on this
innovative security model by integrating Dynamic Application Security Testing
(DAST) solutions with F5® BIG-IP® Application Security Manager™ (ASM). This
integration enables the continuous, automated deployment of best practice security
solutions to combat the increasingly hostile environment to which web applications
are exposed.

Dynamic Application Security Testing Solutions
Dynamic Application Security Testing is a vulnerability assessment model focusing
on web applications currently deployed in production environments. Traditionally this
testing was performed by consultants using penetration testing tools, but the explosive
growth of attacks has rendered manual methods ineffective.
Web application attacks comprise the majority of attacks on an organization’s web
presence, and attacks are continuous around the clock. Compounding the risk
are agile development methodologies, which prescribe frequent web application
updates that must be tested for potential vulnerabilities. Organizations can no
longer afford to put off testing or rely on manual methods that take days or weeks,
leaving existing applications and new updates potentially vulnerable.
A model based on continuous testing and the automated deployment of defensive
policies to immediately mitigate the risk associated with discovered vulnerabilities
is vital to maintaining a healthy security posture for all web applications. DAST
solutions continuously scan for the most common vulnerabilities such as OWASP
Top 10 and WASC vulnerabilities. With potentially hundreds or thousands of web
application URLs to protect, however, manually addressing any vulnerability
discovered by the DAST solution would be a Sisyphean task.
Integrating DAST solutions with BIG-IP ASM can relieve operations of the burden
imposed by manually addressing vulnerabilities by automatically deploying standard
best practices that immediately protect applications from falling prey to persistent
attacks.

F5 BIG-IP Application Security Manager (ASM)
BIG-IP ASM is a web application firewall. As part of the BIG-IP product family, it is
based on F5’s integrated platform, TMOS®, and enabled with a standards-based
open API, iControl®. Through this interface, BIG-IP ASM can be managed,
configured, and updated dynamically.
Additionally, the BIG-IP platform is programmable. Through iRules®, F5’s event-driven
scripting language, any BIG-IP deployed solution can intercept, inspect, and
transform the payload of any traffic crossing its data plane. iRules enables immediate
mitigation of zero-day attacks in addition to implementing custom security and
processing of data to secure any IP-based application.

Persistent Threat Management Solutions
F5 and DAST solutions operationalize web application security by applying the same
agile principles associated with devops: lifecycle management with the goal of
continuous application delivery achieved through the discovery, refinement, and
optimization of repeatable processes. In this case, F5 and its partners are focusing
on those processes related to web application security.
WhiteHat Sentinel and Cenzic software can deploy BIG-IP ASM policies that
encapsulate best practice mitigations as well as vetted iRules-based mitigations
for 80 percent of discovered vulnerabilities. These mitigations are deployed
automatically, as part of the continuous “scan and resolve” process executed by
WhiteHat and Cenzic on a configurable basis against large numbers of web
applications and sites.

Conclusion
The widespread use of vulnerability scans to detect potential vulnerabilities in web
applications and the constant attacks directed at organizations have resulted in a
silver lining: a set of nearly standardized attack patterns. Combining knowledge
from this set of attack patterns with best practices from OWASP and WASC has
netted a set of best practice defensive policies that protect against 80 percent of
the most common web application attacks.
The Persistent Threat Management model leverages modern integration and
automation principles to ensure the broadest coverage against attacks. Automation
through integration of DAST and BIG-IP ASM provides organizations with a
compelling, effective method of protecting web applications against exploitation of
common, well-understood attacks. An integrated, process-driven solution ensures
immediate and transparent mitigation of vulnerabilities that relieves pressure on
security and operational staff to prioritize and address the risks manually and
significantly improves the security posture of all protected web applications.

©2012 F5 Networks, Inc. All rights reserved. CS01-00120 1012
