QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Application Firewall
2 likes•2,436 views
This document discusses Qualys' strategy and roadmap for its Web Application Scanning (WAS) product. It outlines Qualys' approach to web app security which includes detection, protection, monitoring/forensics, and remediation. It provides details on current and upcoming WAS features like integrated malware detection, attack proxy integration, and sitemap implementation. The document also discusses how organizations can leverage WAS and how it compares favorably to competitors in areas like scale, cost, and providing a complete picture of web app security risks.
![Why
worry
about
web
applicaJons?
“99%
of
all
applicaJons
tested
in
2012
have
one
or
more
serious
security
vulnerabiliJes.
And
with
a
median
number
of
vulnerabili@es
per
app
of
13,
it’s
no
wonder
that
applicaJon-‐level
a_acks
are
a
focus
for
hackers.”
“Only
13%
complied
[with
the
OWASP
Top
10]
on
first
submission.”](https://image.slidesharecdn.com/wasandwafroadmap20140506-140602085727-phpapp02/85/QualysGuard-InfoDay-2014-QualysGuard-Web-Application-Security-a-Web-Application-Firewall-23-320.jpg)
QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Application Firewall
- 1. Will Bechtel Director of Product Management -‐ WAS Steve McBride Director of Product Management – WAF Qualys Inc., April 2014 QualysGuard Web Applica@on Security Transforming IT Security & Compliance
- 2. DETECTION PREVENTION REMEDIATION FORENSICS WebAppScanning MalwareDetection WebApplicationFirewall Exploits BURPSuiteSourceCode Log Analysis WEB APPS Qualys Strategy for Web App Security • Detec@on – WAS, MDS • Protec@on – WAF (GA 3/2014) • Monitoring/Forensics – Log Analysis (Beta Q4/2014) • Remedia@on – Interac>ve Tes>ng Tools* – Remedia>on Workflow* – SCA Correla>on* 2 *Services in development
- 3. DETECT ANALYZE PROTECT COMPLY Discovery Catolog VulnAppScanningMalwareDetection WebAppFirewall PCI OWASP WEB APPS Benefits of QG WAS Approach QualysGuard plaHorm delivers integrated soluJons • Distributed Scanning – Cloud/Internal/Virtual • Highly Automated – Integrated Browser • Accurate – Low False-‐PosiJve Rate • Integrated – Reuse QA Selenium FuncJonal TesJng Scripts 3
- 4. Uses the Extensible QG Cloud PlaHorm 4 Expanding to Real-‐Time Big Data and CorrelaJon
- 5. QG WAS SoluJon QG WAS does for Web Apps what QG VM does for devices 5 Automated and conJnuous cycle Web Applica@ons MiJgate Discover and Catalog Remediate and Audit RI SK IdenJfy VulnerabiliJes
- 6. QG WAS Today Best PracJces Scanning SoluJon • Collabora@on – Involve all the ApplicaJon Stakeholders • Ease of Use – Dashboard/Wizards/Context sensiJve • Vulnerability Metrics – Tag based reporJng – Configurable Formats 6
- 7. QG WAS + MDS Integrated Website Malware Monitoring – Completed! • Malware Protec@on – Safeguard your website users and brand reputaJon • 4 Detec@on Techniques – AnJvirus – for documents – HeurisJc – ReputaJon – Behavioral • Addresses – Zero Day Risk 7
- 8. QG WAS A_ack Proxy IntegraJon – Phase 1 –Completed! • Store and manage – Burp scan data – Share safely • Act on Burp scan findings – Associate with web app – Mark as risk accepted, etc – Filter based on a_ributes 8
- 9. QG WAS Sitemap implementaJon – Completed! • Visually Navigate Site – Drill in/Drill Out – Issue counts at each level – Filter • Ac@ons – Create new web app – Black list – White list 9
- 10. QG WAS DirecJons in 2014 Full Web App TesJng SoluJon • Addi@onal Interac@ve Tools Support (Burp/ZAP) – Store Manual Findings – Trend/Report with Automated findings – Complete Web App TesJng Picture – Send WAS A_ack Requests to a_ack proxies • Remedia@on Workflow • SCA Correla@on 10
- 11. WAS Roadmap WAS 3.3 Q2 2014 • Bulk Update • Update info across multiple web apps • Easy to make partitioned or global changes • Supports changing one or many attributes • Ignore sensitive content findings • Cancel scans in schedule status • Check report quotas WAS 3.4 Q3 2014 • Multi Scan/Schedule • Manages large scale scan jobs • Scan jobs batched by tags • Groups scan data by job WAS 3.5 Q4 2014 • Scheduled Reporting • Send on scheduled basis • Users sent link to report • Report Templates • Save report options as report template.
- 12. QG WAS Customers: • Deploy virtual patches to WAF using the vulnerabiliJes idenJfied in WAS – WAS already supports Imperva, F5, Citrix, Beeware • Combine WAS and MDS scanning of sites • WAF to provide WAS/MDS with site resource structure to ensure complete scanning coverage WAS VM QualysGuard PlaHorm SoluJons Seamless integraJon with other Qualys services 12 MDS WAF LM
- 13. How OrganizaJons Leverage WAS MicrosoY • BUSINESS CHALLENGE – Assess the security of thousands of web apps/ short turn around @mes – h_p://www.qualys.com/customers/success-‐stories/reigning-‐in-‐global-‐ web-‐applicaJon-‐security-‐risk-‐at-‐microsoi/ • WHY THEY CHOSE QUALYSGUARD – Proven more accurate than other web applica@on scanners – Comprehensive reports -‐ acJonable informaJon – A highly accurate, extensive database of up to date security checks – Easiest to use 13
- 14. 14
- 15. Why do we win? • Strengths – Scale (We can easily handle about 10000 apps in a subscrip@on) – Most are seat licensed and installed in the enterprise (High TCO) – Data Correla@on, single dashboard for DAST ac@vi@es – Not one at a Jme events, correlaJon done by default – Cost, per app pricing beats out seat licenses for most compe@tors – No longer have to make the choice of what to scan – TAM, we don’t sell and walk away! – Our people make a huge difference. We make the customer successful! 15 WAS Benefits Integration with QualysGuard Platform Reduced TCO Scan Everything
- 16. Total Cost of Ownership (TCO) • Understanding the components for AppSec – People – Keeping it simple, $140,000 salary + benefits – Able to complete ~40 ApplicaJon Assessments per year – Tools – A_ack Proxy – Legacy ApplicaJon Scanner with maintenance and a server to run it on $10,000 • TCO = Total Cost/Total Produc@vity – 150,000/40= $3750 Per ApplicaJon 16
- 17. Why do we lose? • Improvement Opportuni@es – Head to Head comparisons against known vulnerable apps – We don’t play that game. Don’t let them. – Difficult to manage at scale – Bulk Edits and Scans are coming soon. – Technologies we don’t support – Adobe Flash, Oracle Java, Silverlight etc … (appx 3% of sites on the Internet) – OTHERS??? 17
- 18. WAS ASV Growth -‐ Aggregate 18
- 19. WAS Subscriber Growth -‐ Aggregate 19
- 20. Summary • Most scalable, automated and cost effecJve DAST soluJon on the market today. • QualysGuard plaHorm integrates web applicaJon security into the enterprise. 20
- 21. 21 Web Applica@on Firewall GA announced at RSA 2014 3/2014
- 22. Are everywhere. Web ApplicaJons HTTP Powers Your Business Do everything. HTTP
- 23. Why worry about web applicaJons? “99% of all applicaJons tested in 2012 have one or more serious security vulnerabiliJes. And with a median number of vulnerabili@es per app of 13, it’s no wonder that applicaJon-‐level a_acks are a focus for hackers.” “Only 13% complied [with the OWASP Top 10] on first submission.”
- 24. We’re vulnerable. Now what? Suto, Larry, Analyzing the EffecJveness of Web ApplicaJon Firewalls, Nov. 2011. h_p://www.slideshare.net/lbsuto/analyzing-‐ the-‐effecJvess-‐of-‐web-‐applicaJon-‐firewalls TEKSystems Network Services. h_p://www.teksystems.com/resources/pressroom/2013/teksystems-‐cyber-‐security-‐month. “WAF solu@ons must be tuned by a trained professional.” (Suto, 4) “Only 15% were very confident they have security-‐related skill sets…” “Half of respondents believe the lack of qualified security talent...”
- 25. what if I had… • Adap@ve, responsive security that updates itself • Near-‐immediate deployment • Minimal administra@ve overhead • No security exper@se required • Mul@ple architectures
- 26. Qualys Approach Always the best protec@on Qualys WAF expert security ruleset is built and maintained by dedicated security researchers based upon the latest intel and trends across the Qualys customer base. WAF sensors self-‐ update with latest soiware and rules. Scalable Deploy as many WAF sensors as you need, on mulJple datacenter and Cloud plaHorms Manage your protected sites, WAF clusters, and security events from a single UI 26
- 27. Integrated in QualysGuard Automated setup from WAS QualysGuard WAS and WAF share informaJon about web sites and their weaknesses, speeding deployment of personalized security policies. Correlated events QualysGuard WAS and VM can conJnuously scan your sites to find vulnerabiliJes WAF sensors bring visibility to live threats 27
- 28. Single SaaS Administra@on Point Enforcement Points As Needed Qualys’ Distributed SoluJon 28 WAF WAF WAF WAF QualysGuard Cloud PlaHorm WAF WAF
- 29. SoluJon Architecture 29 WAF WAF WAF WAF “clean” traffic
- 30. Reverse Proxy OperaJon • Direct traffic to WAF – DNS – Load Balancer ConfiguraJon • WAF sensor inspects all traffic and forwards to origin • Server responses are inspected upon egress
- 31. Security Ruleset 31 SQL Injection Cross Site Scripting Information leakage Command Injection Remote File Inclusion LDAP Injection SSI Injection Xpath Injection Local File Inclusion
- 32. Three-‐Step ConfiguraJon Define your Site Shared site profile with WAS Associate a WAF (cluster) Associate a Security Policy 32
- 33. Building a Security Policy Built around expert rules for known threats User adjusts sensi@vity according to their business context and tolerance 33
- 34. Defining and Deploying a WAF Cluster Give it a name Copy your “personaliza@on code” Paste the code when deploying your appliances 34
- 35. Available for mulJple plaHorms 35 Amazon EC2 -‐ GA VMware vCenter -‐ Beta Exchange & Sharepoint Edi>on (TBD) MicrosoD Hyper-‐V and Azure (H2 2014) New HW Appliance ?
- 36. Pricing • Priced per Applica@on protected – Includes 2 virtual appliances • Express Lite – Starts at 1,995 EUR for one applicaJon • Express – Starts at 2,995 EUR for one applicaJon • Enterprise – Starts at 9,995 EUR for one applicaJon
- 37. WAF Roadmap WAF 1.1 (Portal 2.4) Q2 2014 • VMware image provisioning • Support for non-standard HTTP ports • Workflow improvements (site and policy components) WAF 1.2 (Portal 2.5) Q3 2014 • UI improvements • Tab management on event pages • Improved dashboard functionality • Improved SSL certificate support • Improved appliance support and support for additional virtualization platforms WAF 1.3 (Portal 2.6) Q4 2014 • WAS Results influence WAF security engine • Support for customized block pages • Improved visibility into appliance networking and troubleshooting