Vulnerability assessment integration with web application firewalls
Jeremiah Grossman, WhiteHat
Even for the most proactive organizations, finding and fixing flaws in website code is complex, time and resource intensive, and not immune to the accidental introduction of new risks. IT security often has difficulty convincing software development groups that feature enhancements or operational bug fixes should be disrupted to address security issues which may have yet to cause an incident. Additionally, for organizations that have outsourced part or all of their custom development efforts, this might result in the rehiring or attempt to rehire consultants that have long since moved on.
In another common scenario, the website code is supported by an unresponsive third-party vendor. Or, perhaps the website will be decommissioned “soon” and additional resource investment is unjustifiable. Irrespective, the code remains vulnerable, and the company's risk exposure increases daily. The IT security department can find itself in a difficult spot: all the responsibility for securing the website with limited authority to do so. Fortunately, there is a better way; Gartner calls it a “no brainer” – automatically converting vulnerability assessment results into actionable rules for web application firewalls (WAF).
Imagine a technology integration that closes the loop between vulnerability identification and mitigation without disrupting software development. Instead of the online business operations exposed for weeks, months, or more while waiting for code updates, vulnerabilities are “virtually patched” by WAF and/or Intrusion prevention systems (IPS) as they are identified.
Many organizations today are already finding that virtual patch deployments are measured in minutes or hours. The success has more vendors entering this rapidly expanding market because increased web security threats have customers demanding this new functionality. Unfortunately some vendors are literally years behind in their technology development, but this doesn't stop misleading and confusing marketing claims. The following must-have checklist is designed to arm organizations with the knowledge required to separate vendor fact from fiction and choose a solution that's right for them.
The must-have checklist
A successful VA+WAF integration assumes assessing production websites for vulnerabilities, which must be performed without causing business disruption. The challenge for many dynamic analysis scanners is that their testing methodology is invasive and resource intensive. Many desktop-based scanners are designed to run hard-and-fast to produce results quickly during the software development lifecycle. While risk of disruption may be acceptable in staging and QA environments, it is certainly not for production websites. Production-safe must be assured by an expert driven process, which is more than just manually disabling dangerous checks and slowing down scan speed; Web applications are mission-critical, they must be treated as such.
Accuracy, accuracy, accuracy
To effectively alert or block incoming attacks, vulnerability assessment reports must be extremely accurate. While in the past tolerant human operators allowed scanners to get away with less than ideal false-positive rates, WAFs (and IPS) are not so forgiving of a flood of bogus policy rules. Importing unverified and duplicate-ridden vulnerability data into a WAF could easily block legitimate traffic, flag a thousand false-positive alerts, and that's if the system even functions at all. With extremely accurate findings, attacks on known vulnerable locations can be isolated and mitigated.
Precise reporting format
Many dynamic analysis scanners are capable of exporting results into machine-readable formats, such as XML, which can be utilized by other systems. For WAFs & IPSs to convert this data into actionable rules, the reporting format must be acutely specific and of course supported by the WAF/IPS of choice. Not everything is interoperable. At the very least, the format must be able to be parsed at a specific enough level to isolate flaws down to the specific vulnerable URL, exact parameter name, and attack type. Anything generic or non-specific risks generating equally vague rules that will be prone to blocking legitimate traffic or raising false-positives.
A routine assessment schedule is essential to keep pace with website code updates and new attack technique discoveries. New vulnerabilities will be introduced, virtually patched, and later remediated in the code. This requires more repeatability than just an annual assessment or haphazard scans. This is especially true if virtual patches are expected to be removed when no longer necessary.
WAF/IDS SSL support
SSL is the most common form of encryption in use today. Most websites use SSL when there is a desire to prevent passive traffic monitoring. To be able effectively analyze incoming web traffic, WAFs and IPSs must be either positioned after SSL termination occurs or capable of analyzing the SSL traffic inline. The later means the device needs to support the loading of SSL certificates on the device directly. In practice, having certificates loaded directly onto the WAF or IPS is generally the most desirable solution.
Flexible and actionable rules
Some WAFs and IPSs only support global blocking or alerting policy functionality. Meaning, security is either “on” or “off.” Since security isn't binary, these solutions are simply too immature to be scalable in most situations. Additionally, with virtual patching, an all or nothing strategy simply does not provide enough flexibility. Devices must be able to independently configure each virtual patch rule to block, warn, log, etc.
WAFs and IPSs need to display clear security alerts containing all relevant information, including the entire request, server response code, the specific part of the request that instigated the alert, and a description of the type of violation with severity information.
In a perfect world developing 100 percent secure code would be possible and commonplace. In the rare case that a vulnerability is discovered, everything is dropped and it is fixed posthaste. While we strive for this long-term ideal, often immediate risk management is necessary. The integration of website vulnerability assessment and Web application firewalls allows IT Security professionals to gain control over website security. The right solution can measurably improve an organization's security posture, mitigate risk, drastically reduce the “time-to-fix”, help achieve PCI-DSS 6.6 compliance, ease WAF configuration and management, and demonstrate due care. While thousands of websites are still being compromised, security savvy organizations are taking advantage of these new technology advancements to protect their business.
Jeremiah Grossman (left), founder and CTO, WhiteHat Security, is a world-renowned web security expert. A co-founder of the Web Application Security Consortium (WASC), he has authored dozens of articles and whitepapers. Grossman is also an influential blogger who offers insight and encourages open dialogue regarding research and vulnerability trends.
Brian Contos (right), chief security strategist, Imperva, has more than 14 years of real-world security engineering and management expertise. He has written two security books, Enemy at the Water Cooler – Real Life Stories of Insider Threats and Physical and Logical Security Convergence, which was co-authored with the former deputy director of the NSA – Bill Crowell. He is an active security blogger, host of the Imperva Security Podcast, and has delivered countless speeches around the globe at shows like RSA, Interop, OWASP, CSI, and others.