Re: Web Security - what do you do?

[Jason Testart <jatestart () UWATERLOO CA>]

Defense in-depth aside, I agree with Karen that a web application 
firewall is not good enough as a compensating control for PCI DSS 
compliance.

jt

--
Jason A. Testart, BMath               | Voice: +1-519-888-4567 x38393
Manager, IT Security                  | Fax: +1-519-884-4398
Information Systems and Technology    | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario  N2L 3G1 CANADA

Pace, Guy wrote:
> While, in principle, I agree that if applications were designed and 
> developed properly you would not need a web application firewall. 
> However, having lived with the reality for some time now, a web 
> application firewall in place as one part of a defense in depth approach 
> is a necessity. It doesn’t just look at the client, but at the traffic 
> that passes both directions between the client and the web application. 
> It provides protections against attacks or exploits that you cannot 
> program against (session hijacking, cookie tampering). It is also a 
> requirement in situations where a COTS or ERP is in place. What is your 
> confidence level of the COTS or ERP vendor with regard to secure 
> software development? What if they are a sole source and you’re stuck 
> with them? Or, you have other mandates that require the application, 
> even though you know it is riddled with XSS, SQL injection and other 
> issues? There are plenty of those out there.
>
> Yes, in a perfect world where Secure SDL is universally practiced and 
> programmers actually know how to build secure programs and commercial 
> vendors are responsible and produce only secure and solid packages, it 
> would not be needed.
>
>  
>
> Guy L. Pace, CISSP
> Security Administrator
>
> Information Technology Division
> WA State Board for Community and Technical Colleges (SBCTC)
> 3101 Northup Way, Suite 100
> Bellevue, WA 98004
> 425-803-9724
>
> gpace () cis ctc edu
>
>  
>
> *From:* The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Karen Stopford
> *Sent:* Thursday, May 07, 2009 10:00 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Web Security - what do you do?
>
>  
>
> I don’t think installing a Web Application Firewall is an adequate 
> compensating control for vulnerable code.  Appropriate bounds setting, 
> input validation, use of stored procedures, etc. should be a requirement 
> for any in-house or COTS application.  I understand using the firewall 
> until the existing portfolio can be addressed and developers are 
> trained; however, I would be concerned about a false sense of security.  
> Building security in to the application’s functionality has a much 
> better chance of withstanding new attack vectors than a firewall that is 
> looking at the client, rather than the application, behavior.  Just my 
> two cents worth.
>
> Karen 
>
> /Faith is taking the first step even when you don't see the whole 
> staircase.// –Martin Luther King, Jr./
>
> /C. Karen Stopford, CISSP/
>
> /Associate Executive Officer for I.T. Security/
>
> /CT State University System/
>
> /39 Woodland Street/
>
> /Hartford, CT  06105/
>
> /(860) 493-0116/
>
>  
>
> *From:* The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Hugh Burley
> *Sent:* Thursday, May 07, 2009 11:59 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Web Security - what do you do?
>
>  
>
> At TRU we had an external Web Penetration test completed in 2006.  This 
> allowed us to show that there were many vulnerabilities across our 
> various web portals and services which would allow privilege escalation 
> through XSS and SQL Injection attacks, among others. This drove the 
> implementation of a Web Application Firewall, which meets the PCI DSS 
> requirement for a compensating control for secure web coding.
>
>  
>
> A key issue with this implementation is ensuring that your institution 
> has adequate staffing to support implementation and management of this 
> new device. A rough estimate; two weeks for implementation/training, and 
> an hour per day for management.
>
>  
>
> Regards,
>
>  
>
>  
>
> Hugh Burley
>
> Thompson Rivers University
> ITS - Senior Technology Coordinator
>
> Information Security
> BCCOL - 222D
> 250-852-6351
>
>  
>
> > >> Greg Vickers <g.vickers () QUT EDU AU> 06/05/2009 6:25 pm >>>
> Hi all,
>
> The QUT IT Security Program is undertaking the Web Security project,
> which will review the security of the QUT web presence.  This project
> encompasses our current tools, procedures and practices (including
> development and training approaches).  We will investigate tools that
> could be leveraged to improve the security of the web presence at QUT,
> such as:
>
> * Web server scanning tools,
> * Tools to better manage web infrastructure, e.g., cPanel and other web
> host managers.
> * Web application development training and certification,
> * Other technologies to find web servers with vulnerabilities.
>
> This project is not looking directly at the security of the web servers
> themselves, (i.e. operating system level) but at the security of the web
> server applications and the actual web site code.  We would like to know
> what tools, training, standards and developmental activities, etc, that
> your University or higher education institution use in this space.
>
> If further clarification is required, please contact the project manager
> at QUT, Greg Vickers (+61 7 3138 6902), email: g.vickers () qut edu au
>
> Thanks,
> --
> Greg Vickers
> Phone: +61 7 3138 6902
> IT Security Engineer & Project Manager
> Queensland University of Technology, CRICOS No. 00213J