Wednesday 11 January 2012

Re: [Pak Youth] share the solution file of CS 507

1. injection application

2. cross-site scripting (XSS)

3. broken authentication and session management

4. insecure direct object references

5. cross-site request forgery (CSRF)

6. security misconfiguration

7. insecure cryptographic storage

8. failure to restrict URL access

9. insufficient transport layer protection

10. unvalidated redirects and forwards

................

Why is this of interest to the WAF community? The naive answer would be that scanners and WAFs are alternatives. While they do not perform the same function, they compete for the same budget and are offered as alternatives by PCI DSS. If scanners are not as good as expected, WAF might be the right solution after all. This is especially important as WAFs are usually under more fire than scanners as it is much simpler to find a fault in a WAF - just find the right evasion vector. For a scanner a full analysis as done by Suto is required.

However the paper has other more far reaching conclusions on the state of security products in general and therefore WAFs:

No single security solution is sufficient. Only combining multiple defense mechanisms would provide adequate security, which still does not imply 100%.

Security products do differ in the security functionality they provide. Many times customers select security products according to every other feature but security, assuming that the security aspects of the product are performed adequately by all. However, Suto's paper shows that this may not be the case.

The lack of scrutiny of the security features drives security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provided for testing by the vendor itself.

All this is true for the WAF market as much as it is true of the scanner market. The WAF market is eagerly expecting its Larry Suto. Some vendors may bleed, but finally gold and iron would be differentiable.

.................

Obstacles for WAFs:

Web application firewalls (WAFs) take a different approach. WAFs inspect inbound and outbound traffic to an application and enforce a security policy meant to prevent attackers from compromising the site. Security techniques implemented by WAFs vary, but most WAFs will include positive security (allow only that which is known to be good usage) and negative security (block usage that is known to be malicious).

Advanced WAFs combine these two types of security rules as well as correlate multiple user behaviors to increase accuracy. Proponents of WAFs (and I am one of them) will argue that WAFs provide the most effective mechanism to immediately address security issues, as the security rule set can be adjusted to prevent new attack types without the time required to change application code. The common objections to WAF technology are:

• Some issues can only be corrected in code. The most commonly cited example is logical flaws in the application, meaning that if the application was intentionally built to do something insecure, only rewriting the application can fix this issue. This is true to some extent, but a good WAF will provide ongoing monitoring information that helps to identify when logical flaws are being exploited.

• WAFs can't understand enough about the application to be effective and accurate. The answer to this is that some WAFs indeed can't. As with any technology product, it's important to pick a good one.

What to Do?

Given these differences, how is someone faced with PCI's dilemma, false or not, to choose?

For those only concerned with compliance, the answer is simple: WAF. Because a WAF can be deployed without affecting the application and without engaging outside consultants to review application code, WAF is a faster and more cost-effective approach to meeting the letter of the law.

For those concerned with actually doing the right thing and asking "which first?" rather than "which?" the answer is actually the same: WAF. That's because a WAF can be deployed to provide immediate protection, and a WAF can be quickly configured to adjust as applications and application attacks change. WAFs not only provide the most cost-effective first step, but a sound building block for the second step. Once a WAF is in place, code review projects can proceed at a controlled pace, reducing the risk of errors. WAFs also provide critical information on usage patterns and changes in usage patterns that can guide code review teams and point out obvious problems.

An instructive analogy can be found in application performance tuning. Re-coding slow parts of an application is a great way to improve system performance. However, finding those slow parts requires a performance measurement tool and sometimes a little extra help -- in the form of content acceleration techniques like caching and compression -- is warranted. WAFs serve a similar function for application vulnerability assessment by providing a roadmap that code reviewers can follow to find and fix underlying logical issues.

...............

WAFs concept (understanding) of:

Hacker's attackers / HTTP (port 80) and HTTPS (port 443) through channel attacks Web server, which was never designed for safety. Thus we often see Web server requests delivery strange SQL, authorization or cookie injection attack. Many cross the attack site. As a result, the security industry is a new field. Name of Web Application Firewalls (WAF), which means actually the Web. Demand, as more traditional network firewalls, which just looking at HTTP Or HTTPS (excellent), but it really does not understand the purpose and content.

WAF, on the other hand, web applications and learning HTTP / HTTPS understand

Traffic in strength and, as some web application will respond well to understand Question. WAFs are not easy to implement and the implementation plan for thought. And third-party developers, engineers, security, network engineers, includes all Managers and business owners.

Here are some web applications Firewalls problems:

1. Providing comprehensive network security.

2. Inform / improve security flaws.

3. The right speed, reliability, integrity, delivery and redundancy.

4. Management capacity of the ports.

5. The best investment in data and seal deals.

6. The search for protected area (IDS) system should work.

7. For the data theft, hacking, preventing holiday setting.

8. To effectively a high balance of cash and spirit.

9. Effectively protects the network from CSS, CSRF, SQL injection, buffer overflow Safe.

10. Continuously monitor network download the attached files 

On Wed, Jan 11, 2012 at 4:42 AM, chriya <chriyachonchon@gmail.com> wrote:
kindly share the solution file of CS 507

--
You received this message because you are subscribed to the Google Groups "Pak Youth" group.
To post to this group, send email to pak-youth@googlegroups.com.
To unsubscribe from this group, send email to pak-youth+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pak-youth?hl=en.
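The positive/negative split described in the WAF paragraph above (allow only known-good usage; block known-bad usage), as an added example that is not from the original post or from any product it mentions. The rules, endpoints and requests are constructed for illustration; the point is that the third request carries nothing a signature would recognise, yet the positive policy refuses it.

```python
import re
from dataclasses import dataclass, field

# Negative security: a deliberately tiny, constructed set of "known bad" patterns.
NEGATIVE_RULES = {
    "sqli-tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "sqli-trailing-comment": re.compile(r"(--|/\*|#)\s*$"),
    "xss-script-tag": re.compile(r"<\s*script", re.I),
}

# Positive security: per-endpoint allow-list of parameters and the shape each may take.
# Anything not described here is "not known good" and is refused.
POSITIVE_POLICY = {
    "/account": {"id": re.compile(r"\d{1,9}")},
    "/search": {"q": re.compile(r"[\w\s\-]{1,64}")},
}

@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)  # one entry per rule that fired

def inspect_request(path: str, params: dict) -> Verdict:
    """Apply negative rules, then the positive policy; block if anything fires."""
    reasons = []
    for name, value in params.items():
        for rule, pattern in NEGATIVE_RULES.items():
            if pattern.search(value):
                reasons.append(f"negative:{rule}:{name}")
    policy = POSITIVE_POLICY.get(path)
    if policy is None:
        reasons.append("positive:unknown-path")
    else:
        for name, value in params.items():
            shape = policy.get(name)
            if shape is None:
                reasons.append(f"positive:unexpected-param:{name}")
            elif not shape.fullmatch(value):
                reasons.append(f"positive:bad-shape:{name}")
    # The reasons list doubles as the monitoring record the post says a good WAF provides.
    return Verdict(allowed=not reasons, reasons=reasons)

if __name__ == "__main__":
    # Constructed requests: a normal one, a textbook tautology, and a parameter the
    # application never defined (invisible to signatures, blocked by policy).
    for path, params in [("/account", {"id": "42"}),
                         ("/search", {"q": "x' or 1=1 --"}),
                         ("/account", {"id": "42", "debug": "1"})]:
        v = inspect_request(path, params)
        print(path, params, "ALLOW" if v.allowed else "BLOCK", v.reasons)
```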
