Web Application Firewalls

Book description

Firewalls have traditionally focused on network traffic, but with the advent of cloud computing and DevOps, security and operations professionals need a more sophisticated solution to track session state and application layer activity. In this ebook, cyber security consultant Chad Russell covers the current application threat landscape for modern deployment architectures, and explains the evolution of web application firewall (WAF) technologies for countering these attacks.

Developers today increasingly rely on third-party libraries for application development, but many of these libraries include vulnerabilities that attackers actively exploit. With this ebook, you’ll explore the specifics of WAF functionality for filtering, monitoring, and blocking HTTP traffic to and from a web application, and learn how to incorporate WAFs into existing and planned infrastructure, whether it’s a cloud, on-premise, or hybrid deployment.

You’ll examine:

  • The Top 10 application layer attacks compiled by the Open Web Application Security Project (OWASP)
  • Security vulnerabilities, including business logic attacks, distributed denial of service, online fraud, social engineering, and malware
  • WAF core and emergent capabilities, such as XSS and sessions attack protection, SIEM integration, and malware inspection and sandboxing
  • Security solutions and technologies that work with WAF, including API gateways, and data loss prevention solutions

Table of contents

  1. Introduction
  2. 1. Current Application Threats and Challenges
    1. Code Complexity, Microservices, and Third-Party Libraries
    2. Microservices and Container Security
    3. Industrialization of Attacks Using Botnets
    4. Gaining Access to Data Through Code Manipulation or Sensitive Credential Compromise
      1. End-User Accounts
      2. Sensitive and Privileged Accounts
  3. 2. Types of Attacks
    1. The OWASP Top 10
      1. A1: Injection
      2. A2: Broken Authentication
      3. A3: Sensitive Data Exposure
      4. A4: XML External Entities (XXE) (New)
      5. A5: Broken Access Control
      6. A6: Security Misconfiguration
      7. A7: Cross-Site Scripting (XSS)
      8. A8: Insecure Deserialization (New)
      9. A9: Using Components with Known Vulnerabilities
      10. A10: Insufficient Logging and Monitoring
    2. Business Logic Attacks
      1. Example
    3. Predictable User Names
    4. Avoid Weak Passwords
      1. Address Security in the Design Phase
    5. Model Threats During the Design Phase
    6. Distributed Denial of Service Attacks
      1. Queue the Internet of Things
    7. Online Fraud
    8. Social Engineering
    9. Malware
  4. 3. Evolution of Firewall and Web Application Firewall Technology
    1. Traditional Intrusion Detection System and Intrusion Prevention System Technology
      1. IDS/IPS Evasion Techniques
    2. Next Generation Firewalls
    3. WAF Technology
      1. WAFs and Virtual Patching
    4. Detecting and Addressing Application Layer Attacks (SQL Injection, Cross-Site Scripting, Session Tampering)
      1. Detecting SQL Injection Attacks
      2. Encoding and Whitespace Diversity
    5. Core WAF Capabilities
      1. WAF Rulesets and Heuristics to the Rescue
      2. XSS Attacks and WAF Protection
    6. Anatomy of an XSS Attack
    7. WAF XSS Filters and Rules
    8. How WAFs Can Protect Against Session Attacks
    9. Minimizing WAF Performance Impact
      1. WAF Performance Optimization
    10. WAF High-Availability Architecture
    11. WAF Management Plane
    12. Emergent WAF Capabilities
      1. Security Information and Event Management Integration
      2. DevOps Security Testing
      3. Security Operation Center Automation
      4. Cybersecurity Skills Shortage
    13. WAFs and Their Part in SOC Modernization
      1. WAF Threat Intelligence and Feed Correlation
    14. WAFs Authentication Capabilities
    15. Malware Inspection and Sandboxing
    16. Detecting and Addressing WAF/IDS Evasion Techniques
      1. Virtual Patching
    17. Adjacent Solutions and Technologies
      1. API Gateways
      2. Bot Management and Mitigation
      3. Runtime Application Self-Protection
      4. Content Delivery Networks and DDoS Attacks
      5. Data Loss Prevention
      6. Data Masking and Redaction
    18. WAF Deployment Models
      1. On-Premises
      2. Native Cloud
      3. Cloud-Virtual
      4. In-Line Reverse-Proxy
      5. Transparent Proxy/Network Bridge
      6. Out of Band
      7. Multitenancy
      8. Single Tenancy
      9. Software Appliance Based
      10. Hybrid
  5. 4. Designing a Comprehensive Network Security Solution
    1. XYZ Corp
      1. A Note About Native Cloud Security Services versus Specialized Services
  6. Afterword

Product information

  • Title: Web Application Firewalls
  • Author(s): Chad Russell
  • Release date: April 2018
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492032304