To wit, to WAF? Part 2.

on


Prologue

In Part 1 I promised that Part 2 would be a good, wholesome write-up of how to get genuine value out of your WAF investment. And indeed, with a fresh coffee poured and a page of scribbled notes ready, I was set to launch into the various pros and cons of a WAF and how to overcome them and realise value... And then, the coffee kicked in and an epiphany was formed - Value is a product of many factors, therefore value will always be different to different organisations and most importantly - their use cases. 

Assumptions

In that spirit, let's make some assumptions from which we can build our use cases:

  • Our organisation - WolfCorp - is a medium sized business.
  • WolfCorp has a healthy amount of developers who work on several ecommerce sites. Fairly standard architecture: Web servers > App Servers > SQL databases.
  • WolfCorp's developers are skilled, but don't have any specific security training. 
  • WolfCorp have two Information Security analysts and an interim CISO, and they operate a SIEM.
  • WolfCorp's Application Security programme is in its infancy. Pentests are performed regularly and before major releases and will almost always have at least one severe finding per application, and a few high/medium risk items.
  • WolfCorp's applications are developed on modern platforms, they don't have legacy or out of support platforms.
  • WolfCorp host their applications on leased servers, in a co-located data centre. 
  • WolfCorp are pursing their PCI accreditation this year...
  • ...and last of all, they have purchased and installed a commercial WAF consisting of load-balanced appliances in their co-lo. It's installed and running in bypass mode, awaiting configuration.
Ok, given what we now know, what should WolfCorp's Business* and Use Cases look like for their WAF service?

*I'm going to skip over the Business Case part of this problem for now. Why? They've already purchased the WAF, so we can assume that a satisfactory Business Case exists - probably with a basic value statement along the lines of "Protect WolfCorp's information assets from malicious disclosure, tampering, estimated at a cost of (n) per event" and requiring the WAF capability for PCI compliance. This sets us up with a fairly broad objective which fits with the aims of this blog - how to achieve value from our WAF investment.

So faced with our valid, but very high level Business Case - "Stop costly bad stuff happening and help get us PCI compliant" how do we demonstrate value? We'll accomplish this by creating Use Cases. The Use Cases will set forth a roadmap on how we deliver against the Business Case within the context of WolfCorp's landscape.

Use Cases!

  1. Protect WolfCorp's Web Applications from known attack types. Detect and block known web application attacks directed at WolfCorp's web applications:

    1. Block attacks against known vulnerabilities present in the WC's applications prior to their resolution within the application itself, so that application teams are afforded more time to resolve vulnerabilities discovered during pre-release pen testing whilst maintaining the secure public-facing posture of the application.

    2. Block attacks against known vulnerabilities that cannot be resolved, and/or unknown vulnerabilities that may be present in the applications.

    3. Create a blocking strategy that balances usability/UX with security. 

  2. Supply data to inform Application Security strategy. Provide insight to Information Security, and the Developers/Application Owners into the types of attacks faced by WC's applications, and how the application reacts in order to inform better decisions on Application Security strategy.

  3. Meet the requirements of PCI. (Copied directly from PCI-DSS 3.2):

    "6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

    • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

    • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) in front of public-facing web applications, to continually check all traffic."

Epilogue

In part 3, we'll dig into each of these use cases, and I'll discuss and share some insight on how to go about configuring our WAF investment to deliver against each of our Use Cases. Or at least, that's the plan... ;-)





Comments

Post a Comment