Prologue
In Part 1 I promised that Part 2 would be a good, wholesome write-up of how to get genuine value out of your WAF investment. And indeed, with a fresh coffee poured and a page of scribbled notes ready, I was set to launch into the various pros and cons of a WAF and how to overcome them and realise value... And then, the coffee kicked in and an epiphany was formed - Value is a product of many factors, therefore value will always be different to different organisations and most importantly - their use cases.
Assumptions
In that spirit, let's make some assumptions from which we can build our use cases:
- Our organisation - WolfCorp - is a medium sized business.
- WolfCorp has a healthy amount of developers who work on several ecommerce sites. Fairly standard architecture: Web servers > App Servers > SQL databases.
- WolfCorp's developers are skilled, but don't have any specific security training.
- WolfCorp have two Information Security analysts and an interim CISO, and they operate a SIEM.
- WolfCorp's Application Security programme is in its infancy. Pentests are performed regularly and before major releases and will almost always have at least one severe finding per application, and a few high/medium risk items.
- WolfCorp's applications are developed on modern platforms, they don't have legacy or out of support platforms.
- WolfCorp host their applications on leased servers, in a co-located data centre.
- WolfCorp are pursing their PCI accreditation this year...
- ...and last of all, they have purchased and installed a commercial WAF consisting of load-balanced appliances in their co-lo. It's installed and running in bypass mode, awaiting configuration.
Use Cases!
Protect WolfCorp's Web Applications from known attack types. Detect and block known web application attacks directed at WolfCorp's web applications:
Block attacks against known vulnerabilities present in the WC's applications prior to their resolution within the application itself, so that application teams are afforded more time to resolve vulnerabilities discovered during pre-release pen testing whilst maintaining the secure public-facing posture of the application.
Block attacks against known vulnerabilities that cannot be resolved, and/or unknown vulnerabilities that may be present in the applications.
Create a blocking strategy that balances usability/UX with security.
Supply data to inform Application Security strategy. Provide insight to Information Security, and the Developers/Application Owners into the types of attacks faced by WC's applications, and how the application reacts in order to inform better decisions on Application Security strategy.
Meet the requirements of PCI. (Copied directly from PCI-DSS 3.2):
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) in front of public-facing web applications, to continually check all traffic."
"6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
Epilogue
In part 3, we'll dig into each of these use cases, and I'll discuss and share some insight on how to go about configuring our WAF investment to deliver against each of our Use Cases. Or at least, that's the plan... ;-)
Comments
Post a Comment