QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Application Firewall

Will Bechtel, Director of Product Management - WAS
Steve McBride, Director of Product Management - WAF
Qualys Inc., April 2014

Transcript of QualysGuard InfoDay 2014 - QualysGuard Web Application Security a Web Application Firewall

Page 1

QualysGuard Web Application Security

Transforming IT Security & Compliance

Page 2

[Diagram: web app security lifecycle around Web Apps - Detection, Prevention, Remediation, Forensics; tools shown: Web App Scanning, Malware Detection, Web Application Firewall, Exploits, Burp Suite, Source Code, Log Analysis]

Qualys Strategy for Web App Security

• Detection – WAS, MDS

• Protection – WAF (GA 3/2014)

• Monitoring/Forensics – Log Analysis (Beta Q4/2014)

• Remediation – Interactive Testing Tools* – Remediation Workflow* – SCA Correlation*

*Services in development

Page 3

[Diagram: Detect, Analyze, Protect, Comply around Web Apps; components shown: Discovery/Catalog, Vuln App Scanning, Malware Detection, Web App Firewall, PCI, OWASP]

Benefits of QG WAS Approach – QualysGuard platform delivers integrated solutions

• Distributed Scanning – Cloud/Internal/Virtual

• Highly Automated – Integrated Browser

• Accurate – Low False-Positive Rate

• Integrated – Reuse QA Selenium Functional Testing Scripts

Page 4

Uses the Extensible QG Cloud Platform

Expanding to Real-Time Big Data and Correlation

Page 5

QG WAS Solution – QG WAS does for Web Apps what QG VM does for devices

Automated and continuous cycle

[Diagram: cycle around Web Applications and Risk - Discover and Catalog, Identify Vulnerabilities, Remediate and Audit, Mitigate]

Page 6

QG WAS Today – Best Practices Scanning Solution

• Collaboration – Involve all the Application Stakeholders

• Ease of Use – Dashboard/Wizards/Context sensitive

• Vulnerability Metrics – Tag based reporting – Configurable Formats

Page 7

QG WAS + MDS – Integrated Website Malware Monitoring – Completed!

• Malware Protection – Safeguard your website users and brand reputation

• 4 Detection Techniques – Antivirus (for documents) – Heuristic – Reputation – Behavioral

• Addresses – Zero Day Risk

Page 8

QG WAS – Attack Proxy Integration – Phase 1 – Completed!

• Store and manage – Burp scan data – Share safely

• Act on Burp scan findings – Associate with web app – Mark as risk accepted, etc. – Filter based on attributes

Page 9

QG WAS – Sitemap implementation – Completed!

• Visually Navigate Site – Drill in/Drill out – Issue counts at each level – Filter

• Actions – Create new web app – Black list – White list

Page 10

QG WAS Directions in 2014 – Full Web App Testing Solution

• Additional Interactive Tools Support (Burp/ZAP)
  – Store Manual Findings
  – Trend/Report with Automated findings
  – Complete Web App Testing Picture
  – Send WAS Attack Requests to attack proxies

• Remediation Workflow

• SCA Correlation

Page 11

WAS Roadmap

WAS 3.3 – Q2 2014

• Bulk Update
  – Update info across multiple web apps
  – Easy to make partitioned or global changes
  – Supports changing one or many attributes

• Ignore sensitive content findings

• Cancel scans in schedule status

• Check report quotas

WAS 3.4 – Q3 2014

• Multi Scan/Schedule
  – Manages large scale scan jobs
  – Scan jobs batched by tags
  – Groups scan data by job

WAS 3.5 – Q4 2014

• Scheduled Reporting
  – Send on scheduled basis
  – Users sent link to report

• Report Templates
  – Save report options as report template

Page 12

QualysGuard Platform Solutions – Seamless integration with other Qualys services

QG WAS Customers:

• Deploy virtual patches to WAF using the vulnerabilities identified in WAS
  – WAS already supports Imperva, F5, Citrix, Beeware

• Combine WAS and MDS scanning of sites

• WAF to provide WAS/MDS with site resource structure to ensure complete scanning coverage

[Diagram: QualysGuard platform services - WAS, VM, MDS, WAF, LM]

Page 13

How Organizations Leverage WAS

Microsoft

• BUSINESS CHALLENGE
  – Assess the security of thousands of web apps / short turnaround times
  – http://www.qualys.com/customers/success-stories/reigning-in-global-web-application-security-risk-at-microsoft/

• WHY THEY CHOSE QUALYSGUARD
  – Proven more accurate than other web application scanners
  – Comprehensive reports - actionable information
  – A highly accurate, extensive database of up to date security checks
  – Easiest to use

Page 14

[Slide image without text]

Page 15

Why do we win?

• Strengths
  – Scale (we can easily handle about 10000 apps in a subscription) – Most are seat licensed and installed in the enterprise (High TCO)
  – Data Correlation, single dashboard for DAST activities – Not one at a time events, correlation done by default
  – Cost, per app pricing beats out seat licenses for most competitors – No longer have to make the choice of what to scan
  – TAM, we don't sell and walk away! – Our people make a huge difference. We make the customer successful!

[Diagram: WAS Benefits - Integration with QualysGuard Platform, Reduced TCO, Scan Everything]

Page 16

Total Cost of Ownership (TCO)

• Understanding the components for AppSec
  – People – Keeping it simple, $140,000 salary + benefits – Able to complete ~40 Application Assessments per year
  – Tools – Attack Proxy – Legacy Application Scanner with maintenance and a server to run it on $10,000

• TCO = Total Cost / Total Productivity
  – 150,000 / 40 = $3750 Per Application

Page 17

Why do we lose?

• Improvement Opportunities
  – Head to Head comparisons against known vulnerable apps – We don't play that game. Don't let them.
  – Difficult to manage at scale – Bulk Edits and Scans are coming soon.
  – Technologies we don't support – Adobe Flash, Oracle Java, Silverlight etc … (appx 3% of sites on the Internet)
  – OTHERS???

Page 18

WAS ASV Growth - Aggregate

[Chart]

Page 19

WAS Subscriber Growth - Aggregate

[Chart]

Page 20

Summary

• Most scalable, automated and cost effective DAST solution on the market today.

• QualysGuard platform integrates web application security into the enterprise.

Page 21

Web Application Firewall – GA announced at RSA 2014 (3/2014)

Page 22

HTTP Powers Your Business

Web Applications: Are everywhere. Do everything.

HTTP

Page 23

Why worry about web applications?

"99% of all applications tested in 2012 have one or more serious security vulnerabilities. And with a median number of vulnerabilities per app of 13, it's no wonder that application-level attacks are a focus for hackers."

"Only 13% complied [with the OWASP Top 10] on first submission."

Page 24

We're vulnerable. Now what?

"WAF solutions must be tuned by a trained professional." (Suto, 4)

"Only 15% were very confident they have security-related skill sets…"

"Half of respondents believe the lack of qualified security talent..."

Suto, Larry, Analyzing the Effectiveness of Web Application Firewalls, Nov. 2011. http://www.slideshare.net/lbsuto/analyzing-the-effectivess-of-web-application-firewalls

TEKSystems Network Services. http://www.teksystems.com/resources/pressroom/2013/teksystems-cyber-security-month

Page 25

What if I had…

• Adaptive, responsive security that updates itself

• Near-immediate deployment

• Minimal administrative overhead

• No security expertise required

• Multiple architectures

Page 26

Qualys Approach

Always the best protection – The Qualys WAF expert security ruleset is built and maintained by dedicated security researchers based upon the latest intel and trends across the Qualys customer base. WAF sensors self-update with the latest software and rules.

Scalable – Deploy as many WAF sensors as you need, on multiple datacenter and Cloud platforms. Manage your protected sites, WAF clusters, and security events from a single UI.

Page 27

Integrated in QualysGuard

Automated setup from WAS – QualysGuard WAS and WAF share information about web sites and their weaknesses, speeding deployment of personalized security policies.

Correlated events – QualysGuard WAS and VM can continuously scan your sites to find vulnerabilities; WAF sensors bring visibility to live threats.

Page 28

Qualys' Distributed Solution

Single SaaS Administration Point

Enforcement Points As Needed

[Diagram: QualysGuard Cloud Platform as the single administration point, with multiple WAF enforcement points]

Page 29

Solution Architecture

[Diagram: WAF sensors and "clean" traffic]

Page 30

Reverse Proxy Operation

• Direct traffic to WAF – DNS – Load Balancer Configuration

• WAF sensor inspects all traffic and forwards to origin

• Server responses are inspected upon egress

Page 31

Security Ruleset

SQL Injection

Cross Site Scripting

Information leakage

Command Injection

Remote File Inclusion

LDAP Injection

SSI Injection

XPath Injection

Local File Inclusion
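A toy reverse-proxy WAF, added here as an illustration and not code from Qualys or from this deck, that models the operation described on page 30 with a few of the rule categories listed above: ingress inspection of the decoded path, query values and body; a policy threshold standing in for the sensitivity setting the user adjusts; forwarding to an origin handler; and egress inspection that masks leaked diagnostics (the "Information leakage" category) and strips fingerprinting headers. The rule patterns, the `Policy` threshold, the `demo_origin` backend and every sample request are constructed for this example and are not the Qualys ruleset.

```python
"""Minimal reverse-proxy WAF model (constructed example, not Qualys code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote, unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Policy:
    """Sensitivity knob: a total rule score at or above this blocks the request."""
    block_threshold: int = 5


# Ingress rules: (category, score, pattern). Deliberately small, constructed
# for illustration only; a production ruleset is far larger and tuned.
REQUEST_RULES: List[Tuple[str, int, re.Pattern]] = [
    ("SQL Injection", 5, re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+|--\s*$)")),
    ("Cross Site Scripting", 5, re.compile(r"(?i)(<\s*script\b|javascript:|\bon[a-z]+\s*=)")),
    ("Local File Inclusion", 5, re.compile(r"(\.\./|\.\.\\)")),
    ("Command Injection", 5, re.compile(r"(;|\|\||&&|\|)\s*(cat|ls|id|whoami|wget|curl|nc|sh|bash)\b")),
    # Low confidence: a URL in a parameter is often legitimate, so this rule
    # only blocks on its own when the policy is tuned to be strict.
    ("Remote File Inclusion", 3, re.compile(r"(?i)^(https?|ftp)://")),
]

# Egress rules: diagnostics that should never reach a client, and headers
# that fingerprint the origin stack.
RESPONSE_LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"(?i)you have an error in your sql syntax"),
    re.compile(r"\bORA-\d{5}\b"),
]
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def inspect_request(req: Request) -> List[Tuple[str, int]]:
    """Decode URL-encoding once, then run every ingress rule over path, query values and body."""
    fields = [unquote(req.path), unquote_plus(req.body)]
    fields += [unquote_plus(v) for v in req.query.values()]
    return [(name, score) for name, score, pat in REQUEST_RULES
            if any(pat.search(f) for f in fields)]


def inspect_response(resp: Response) -> Response:
    """Egress inspection: mask leaked diagnostics and strip fingerprinting headers."""
    headers = {k: v for k, v in resp.headers.items() if k.lower() not in IDENTIFYING_HEADERS}
    if any(p.search(resp.body) for p in RESPONSE_LEAK_PATTERNS):
        return Response(500, {**headers, "Content-Type": "text/plain"}, "Internal error")
    return Response(resp.status, headers, resp.body)


def waf_handle(req: Request, origin: Callable[[Request], Response], policy: Policy) -> Response:
    """Reverse-proxy path: inspect ingress, forward to origin, inspect egress."""
    hits = inspect_request(req)
    if sum(score for _, score in hits) >= policy.block_threshold:
        names = ", ".join(name for name, _ in hits)
        return Response(403, {"Content-Type": "text/plain"}, f"Request blocked ({names})")
    return inspect_response(origin(req))


def demo_origin(req: Request) -> Response:
    """Constructed stand-in for the protected application."""
    if req.path == "/search":
        return Response(200, {"Server": "demo/1.0", "Content-Type": "text/plain"},
                        f"results for {req.query.get('q', '')}")
    if req.path == "/debug":  # simulates an unhandled error leaking a stack trace
        return Response(500, {"Server": "demo/1.0", "X-Powered-By": "demo"},
                        "Traceback (most recent call last):\n  File 'app.py', line 1")
    return Response(404, {"Server": "demo/1.0"}, "not found")


if __name__ == "__main__":
    policy = Policy()
    for q in ["blue shoes", "' OR 1=1 --", "<script>alert(1)</script>", "http://example.com/feed"]:
        r = waf_handle(Request("GET", "/search", {"q": q}), demo_origin, policy)
        print(repr(q), "->", r.status, r.body)
    print(waf_handle(Request("GET", "/debug"), demo_origin, policy))
```

The scored rules make the page 33 trade-off concrete: with the default threshold a bare URL in a query parameter is logged as a low-confidence hit and passed through, while `Policy(block_threshold=3)` blocks it, at the cost of more false positives on legitimate traffic. Decoding each field exactly once before matching, and inspecting the response body and headers on the way out, are the two steps a reverse-proxy deployment adds over a simple pattern filter.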

Page 32

Three-Step Configuration

• Define your Site – Shared site profile with WAS

• Associate a WAF (cluster)

• Associate a Security Policy

Page 33

Building a Security Policy

• Built around expert rules for known threats

• User adjusts sensitivity according to their business context and tolerance

Page 34

Defining and Deploying a WAF Cluster

• Give it a name

• Copy your "personalization code"

• Paste the code when deploying your appliances

Page 35

Available for multiple platforms

• Amazon EC2 - GA

• VMware vCenter - Beta

• Exchange & Sharepoint Edition (TBD)

• Microsoft Hyper-V and Azure (H2 2014)

• New HW Appliance?

Page 36

Pricing

• Priced per Application protected – Includes 2 virtual appliances

• Express Lite – Starts at 1,995 EUR for one application

• Express – Starts at 2,995 EUR for one application

• Enterprise – Starts at 9,995 EUR for one application

Page 37

WAF Roadmap

WAF 1.1 (Portal 2.4) – Q2 2014

• VMware image provisioning

• Support for non-standard HTTP ports

• Workflow improvements (site and policy components)

WAF 1.2 (Portal 2.5) – Q3 2014

• UI improvements
  – Tab management on event pages
  – Improved dashboard functionality

• Improved SSL certificate support

• Improved appliance support and support for additional virtualization platforms

WAF 1.3 (Portal 2.6) – Q4 2014

• WAS Results influence WAF security engine

• Support for customized block pages

• Improved visibility into appliance networking and troubleshooting

Page 38

Thank You

[email protected]
[email protected]
[email protected]

Continuous Security