Security Evaluations @ WAF

Security Controls Assessment (SCA) WAF is the ultimate security solution for detecting and mitigating attacks against web applications. With proper configuration and a solid process, most web application attacks can be prevented. How good is your security? Security Production Life Cycle (SPLC) WAF Security Testing Visibility – Feedback loop Plan 1 Visibility – triggering test, sending…

Evaluations – Web Application

Evaluations – Web Application Use cases: TMA – Threat model assessment; SDLC – software development life cycle; SPLC – software production life cycle. Web Application Security Testing: testing a web application's security ability to detect and prevent common attack vectors. Web application security testing use cases include: before deploying a WAF – web app without…

Terminology

Brute force – Application brute force. DDoS – Application layer DDoS, distributed floods. Vul hunting – anything vulnerability related: XSS, SQLi. Full CAV bundle – includes all the main families above.

Application Common Attack Vectors (A-CAV)

Server Side Attacks – Request: HTTP Response Splitting, Information Leakage, Error messages display, Session and cookies, Credential/Session Prediction, Non-HttpOnly Session Cookie, Unsecured Session Cookie, Insufficient Session Expiration, Session Fixation, Persistent Session Cookie. Server Side Attacks – Response: HTTP Response Splitting, Information Leakage, Error messages display, Session and cookies, Credential/Session Prediction, Non-HttpOnly Session Cookie, Unsecured Session Cookie, Insufficient Session Expiration, Session Fixation, Persistent Session Cookie. Web Exploit – Request: Directory Traversal, Path Traversal, Buffer Overflow, SQL Injection, Improper Input Handling, Server Misconfiguration, OS Command…

PE’s

• PE = traps to catch the attack. Traffic footprint – elements of the rule – S/A/R/CI
• Rule = combination of PEs to find and prevent a known footprint of an attack
• Policy = set of rules – rule sets

Web Security evaluation

Evaluations: Evaluation provides a way to measure the hard work you invest in securing your web application assets by reflecting the security level that indicates your ability to overcome security incidents.

Part 0 intro – Web economy

Web applications are the ultimate free market to sell any goods; they are also open 24/7/365 for hacking. The web application ecosystem: Web applications change the world and create the web application economy revolution, where anyone with a good idea can build a web application to provide products or services and monetize with end…

WAF types

WAF type        Location          Management              Architecture
Screening WAF   on prem / cloud   fully managed service
Perimeter WAF   on prem / cloud   self managed            monolith / microservices
Mesh WAF        on prem / cloud   self managed            microservices

WAF Workshop FAQ

A WAF has many considerations throughout its life cycle. Getting your WAF to good-enough security requires a solid review of Assets, Implementations and Response (AIR model). Workshops are small chunks of process that should be done when managing a security device. A workshop is not a training. It is a hands-on workshop that is done with the customer. The…

WAF Vendor List

• According to Gartner, it is predicted that 80% of enterprises will have migrated away from traditional data centers and into the cloud within the next five years. With the ever-increasing adoption rate of web-based applications and APIs come more security risks. The challenge with traditional Web Application Firewall (WAF) protection is that it cannot scale with…