Application security matters more and more. Most security incidents on the Internet come down to basic application security, and above all to the security of web applications (browsing through WooYun makes this obvious). In recent years my work has touched both infrastructure security and application security, so I take this opportunity to summarize some views on the relationship between the two.
Common approaches to web application security
Security that depends on business logic, in particular protections tied to a specific business feature or business rule, is out of scope, and so is DDoS, which is mainly a network-layer problem: this article covers neither business-logic issues nor DDoS.
The classification below is rough and not rigorous.
Enhancing web application security with tools
Tools usually have very little impact on application development; typically they only need to be configured at deployment time to provide protection. The main tools are firewalls, WAFs and the various scanning products. Because these products are usually signature-based, it is hard for them to gain a deep understanding of the web application they protect, and they often run into the following challenges.
Since the protected web application is a black box to these traditional tools, effective protection is costly to achieve. In my view traditional products are better suited to broad, simple, uniform controls delivered as infrastructure with the same protection for everything; they also work well as emergency measures that shorten the response time to vulnerabilities such as Heartbleed or Struts2 remote code execution, buying enough of a time window for a complete fix.
False positives and false negatives: everyone knows this one. From antivirus software to IDS and IPS, from scanners to WAFs, anything signature-based walks the same balance beam: it is very hard to achieve both a low false positive rate and a low false negative rate.
0day: 0days in web applications are far too easy to find. The number of web applications is enormous, and those whose security was genuinely and fully considered are scarcer still. So when a 0day turns up, the best a signature-based product can do is respond quickly after the fact, which is painful, and simple rule-based matching is hard-pressed to detect the unknown.
Generic versus custom: the number of applications far exceeds the number of common components such as operating systems and databases, so no security scanning tool or application-layer protection can cover every application (for example, WordPress and an enterprise ERP are completely different applications).
Vulnerabilities are hard to eradicate: without modifying the code or applying a patch, the application stays vulnerable forever. Once there is a blind spot, an attacker reaches the protected web application directly and the security measures lose their meaning (business systems today are distributed systems, which are very prone to blind spots; the various cloud WAFs in particular are at greater risk of being bypassed).
Enhancing web application security through development process control
Three problems with new information security products are currently quite widespread: OEM production, where a foreign product is simply repackaged and its software interface localized; borrowing software modules from other products; and source code that has merely had a face-lift, without real mastery of the core technology.
SDLC here is shorthand for Secure Software Development Life Cycle, sometimes also written SDL or SSDLC. The idea is to embed security into every phase of the software development life cycle so that the security of the resulting software products improves substantially. The industry's best-known success is Microsoft, whose ten years of continuous SDL work greatly improved the security of Windows products.
Because SDLC requires security to be fully embedded in every software development activity, it depends heavily on people and tools (vulnerability scanning, code audit, ...) and faces challenges of its own.
In a sense, SDLC only suits certain companies: those with a stable development organization and processes, a business that does not change too quickly, and a business that depends heavily on IT or software development. Further reading: How to use SDL in your organization.
Time: business features evolve very quickly, and delivering them is usually the core output metric of the whole development team (especially at Internet companies). New security requirements slow product development, so development teams tend to defer fixes, and under continuous business pressure, repairing problems left over from the past rarely gets high priority. In essence this is a technical debt problem.
Expertise: security is not a development team's core competence. Even SDLC training only covers common, well-known attacks; facing new or complex attacks requires comprehensive and in-depth understanding of the security field. It is hard for developers to keep up with developments in their own field while also filling in security domain knowledge and following developments in security.
Resources: applications developed by large organizations often have a very large build and development process, and a full SDLC is either unaffordable for most organizations or beyond their technical level.
False positives: the many tools SDLC relies on often produce false positives, and those false positives easily become the reason developers resist SDLC.
Process: SDLC essentially asks developers to pay attention to security, and a company whose developers are more security-conscious builds more secure products. The downside is that in most cases it is hard to assess whether the security work is sufficient (or has gone too far). Especially under time pressure and with a lack of expertise, SDLC very easily becomes a mere formality.
Enhancing web application security by making the application self-aware and continuously monitored
The core idea is to introduce security-related SDKs or plugins during development. These SDKs or plugins give the application security capabilities by default and let security staff continuously monitor the application's behaviour (gaining more insight into the application at runtime).
The key technology behind this idea is what Gartner currently calls RASP, short for Runtime Application Self-Protection: by embedding into the application's code, the application itself gains a degree of threat awareness and protection. RASP can usually be integrated naturally with other security products. Gartner summarized this definition and, in its Hype Cycle for Application Security, 2014, placed it in the On the Rise stage (a new technology that is attracting attention but has not yet been validated and accepted at scale). Gartner had already introduced it in 2012 in Runtime Application Self-Protection: A Must-Have, Emerging Security Technology, and expects 25% of applications to have this capability by 2017. A number of vendors have already introduced products, and the open source community has corresponding implementations:
HP: HP Application Defender
Prevoty: Prevoty Runtime Application Security
Waratek: Application Security for Java
OWASP: AppSensor is an open source project.
Shadowd: Shadowd is an open source project.
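The following is an added example, not code from the original post or from any of the vendors or projects listed above. It ties together the false positive/false negative point made about signature-based tools and the RASP idea described here: a WAF-style rule sees only the raw parameter and has to guess from a pattern, whereas a hook placed inside the application at the point where the SQL statement is executed can ask whether a request parameter changed the structure of the query it ended up in. The names RaspConnection, begin_request, token_shape and changes_structure are invented for this illustration, the signature is deliberately tiny, and the sample requests are constructed.

```python
"""Added example: a minimal RASP-style SQL hook contrasted with a WAF-style signature.
Not the original post's code; the names and sample requests are this example's own."""
import re
import sqlite3
import threading

# One token per match: string literal, number, identifier/keyword, comment, or a single symbol.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|--[^\n]*|/\*.*?\*/|\S", re.S)

# A naive request-level signature of the kind a WAF rule might use (kept tiny on purpose).
_WAF_SIGNATURE = re.compile(r"\bUNION\b|\bOR\s+1\s*=\s*1\b|--", re.I)


def waf_signature_hit(value: str) -> bool:
    """WAF-style check: pattern match on the raw parameter, with no idea where it is used."""
    return bool(_WAF_SIGNATURE.search(value))


def token_shape(sql: str) -> list:
    """Token classes of a statement: literals collapse to LIT, comments to COMMENT,
    everything else (keywords, identifiers, operators) is kept upper-cased."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok[0] == "'" or tok[0].isdigit():
            shape.append("LIT")
        elif tok.startswith("--") or tok.startswith("/*"):
            shape.append("COMMENT")
        else:
            shape.append(tok.upper())
    return shape


def changes_structure(sql: str, user_input: str) -> bool:
    """True if swapping the parameter for a neutral literal changes the statement's token shape.
    A benign value contributes exactly one literal; an injected value adds operators or comments.
    Very short values are skipped (trade-off: they would match by accident inside other tokens)."""
    if len(user_input) < 3 or user_input not in sql:
        return False
    return token_shape(sql) != token_shape(sql.replace(user_input, "1"))


_ctx = threading.local()


def begin_request(params: dict) -> None:
    """Record the current request's string parameters so the hook can correlate them with SQL."""
    _ctx.params = [v for v in params.values() if isinstance(v, str)]


class RaspConnection(sqlite3.Connection):
    """sqlite3 connection whose execute() is instrumented, much as a RASP agent hooks a JDBC driver."""

    def execute(self, sql, *args, **kwargs):
        for value in getattr(_ctx, "params", []):
            if changes_structure(sql, value):
                raise PermissionError(f"RASP blocked: parameter {value!r} altered SQL structure")
        return super().execute(sql, *args, **kwargs)


def lookup_user(conn, name: str):
    """Deliberately vulnerable lookup: builds SQL by string formatting (the bug the hook catches)."""
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def demo() -> dict:
    """Run constructed requests through both checks; returns {label: (waf_hit, rasp_outcome)}."""
    conn = sqlite3.connect(":memory:", factory=RaspConnection)
    begin_request({})
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    requests = {                                   # constructed sample inputs
        "benign": "alice",
        "benign_prose": "true or 1=1 -- said bob",   # harmless text that looks suspicious
        "injection": "' OR '1'='1",                  # contains no keyword the signature expects
        "stacked": "alice'; DROP TABLE users;--",
    }
    results = {}
    for label, name in requests.items():
        begin_request({"name": name})
        try:
            outcome = lookup_user(conn, name)
        except PermissionError:
            outcome = "blocked"
        results[label] = (waf_signature_hit(name), outcome)
    return results


if __name__ == "__main__":
    for label, (waf, rasp) in demo().items():
        print(f"{label:13s} waf_signature={waf!s:5s} rasp={rasp}")
```

Running demo() shows the two failure modes side by side: the signature fires on the harmless "benign_prose" value (a false positive) and misses the quote-based injection (a false negative), while the in-application hook lets both benign values through and blocks both injections, because it judges the statement's structure rather than the text of the parameter. The short-value guard in changes_structure is the example's own blind spot and is there to show that even a structural check has a tuning trade-off.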
RASP-related technologies
RASP is still at an early stage of development and does not yet have the clear functional boundaries (scope) that firewalls and other common security products have; I personally think it is quite likely to be integrated with WAFs to some degree. So what follows mainly records my own understanding, and since the ideas behind AppSensor and Shadowd differ, they are recorded separately.
AppSensor has now reached its second edition. OWASP's goals for the project are, on the one hand, to provide a complete guide and, on the other, to provide a complete implementation. The core of AppSensor 2.0 is Application-Specific Real Time Attack Detection & Response. The following core AppSensor documents are worth reading.
OWASP AppSensor Getting Started
OWASP AppSensor Guide v2.0.1 EN
OWASP AppSensor Reference Implementation
AppSensor DetectionPoints catalogues the monitoring points that an application integrating AppSensor can implement; security staff use them to detect attacks against those points in real time.
AppSensor ResponseActions catalogues the responses that an application integrating AppSensor can implement; security staff use them to respond in real time to attacks detected at the monitoring points.
From the outset AppSensor's design principles have included being language-agnostic, plugin-based and designed as a service. Accordingly every component, the Analysis Engine included, can be replaced.
AppSensor Core: required component. This is the core of AppSensor and provides its various external interfaces.
Analysis Engine: required component. This is the core component that decides whether behaviour is an attack and how to respond; there is currently only one implementation.
Storage: the component that stores data.
Configuration: components used for client and server configuration.
Access Controller: required only when using SOAP or REST. These interfaces are mainly used for access control.
Reporting: optional component. It is very important for managing AppSensor; if other systems need to obtain AppSensor data, the Reporting component is required. It currently supports Simple Logging, WebSockets and a REST API for external data output.
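To make the detection point / response action model and the component split above concrete, here is an added example that is not the OWASP AppSensor reference implementation (which is Java) and not code from the original post: a minimal in-process AppSensor-style engine in Python. The application reports an event at a detection point (the IDs AE2 for multiple failed passwords and RE3 for a GET where a POST is expected follow the AppSensor guide's naming), the Analysis Engine counts events per user against a threshold within a time window, and once the threshold trips it picks a response action from an escalation ladder. The class names, the thresholds, the in-memory Storage stand-in, the report() method standing in for the Reporting component, and the event sequence in demo() are this example's own.

```python
"""Added example: a minimal AppSensor-style analysis engine (illustration only;
not the OWASP reference implementation's API)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    detection_point: str
    timestamp: float            # seconds; monotonic within one user's stream


@dataclass(frozen=True)
class Rule:
    detection_point: str
    count: int                  # events needed within `interval` to declare an attack
    interval: float             # seconds
    responses: tuple            # escalation ladder, e.g. ("log", "warn", "lockout")


class MemoryStore:
    """Storage component: the architecture lets this be swapped for a DB or a queue."""

    def __init__(self):
        self.events = []

    def add(self, event: Event) -> None:
        self.events.append(event)

    def recent(self, user: str, detection_point: str, since: float) -> list:
        return [e for e in self.events
                if e.user == user and e.detection_point == detection_point and e.timestamp >= since]


class AnalysisEngine:
    """Decides when a stream of events becomes an attack and which response applies."""

    def __init__(self, rules, store: MemoryStore):
        self.rules = {r.detection_point: r for r in rules}
        self.store = store
        self.attacks = defaultdict(list)     # (user, detection_point) -> attack timestamps

    def add_event(self, event: Event):
        """Store the event; return a response action name if a threshold trips, else None."""
        self.store.add(event)
        rule = self.rules.get(event.detection_point)
        if rule is None:
            return None                      # no rule for this point: kept for reporting only
        key = (event.user, event.detection_point)
        hits = self.store.recent(event.user, event.detection_point, event.timestamp - rule.interval)
        if self.attacks[key]:                # count only events after the last detected attack
            last = self.attacks[key][-1]
            hits = [h for h in hits if h.timestamp > last]
        if len(hits) < rule.count:
            return None
        self.attacks[key].append(event.timestamp)
        step = min(len(self.attacks[key]), len(rule.responses)) - 1   # escalate, capped at the top
        return rule.responses[step]

    def report(self) -> dict:
        """Reporting component stand-in: number of attacks detected per (user, detection point)."""
        return {key: len(times) for key, times in self.attacks.items() if times}


def demo() -> list:
    """Feed a constructed login-failure sequence to the engine; returns the response per event."""
    engine = AnalysisEngine(
        rules=[
            Rule("AE2", count=3, interval=300, responses=("log", "warn", "lockout")),
            Rule("RE3", count=1, interval=60, responses=("log",)),
        ],
        store=MemoryStore(),
    )
    stream = [Event("alice", "AE2", t) for t in (0, 10, 20, 30, 40, 50, 60, 70, 80)]
    stream += [Event("alice", "AE2", 5000), Event("alice", "AE2", 5010)]   # window has expired
    stream += [Event("bob", "RE3", 15)]                                      # single-event rule
    return [engine.add_event(e) for e in stream]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In demo(), alice's nine failed logins within the window trip the AE2 threshold three times and walk the ladder log, warn, lockout; the two failures at t=5000 and t=5010 fall in a fresh window and do not trip it, and bob's single RE3 event fires the one-step rule immediately. Resetting the count at each detected attack, rather than sliding the window alone, is what keeps a persistent attacker escalating instead of re-triggering the same first response.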