White Paper
How to Operationalize Web Application Security
Contents
The Threat from the Outside
Conclusion
Vulnerability          Frequency seen (F%)   V%    Web transactions per day (TX)   Percentage chance of a breach (daily)
(not in source)        (not in source)       43%   2873                            27%
SQL injection          14%                   42%   2873                            6%
Information leakage    64%                   41%   2873                            26%

Sources cited in the figure: WhiteHat Website Security Statistics Report, Applied Research, September 2011; Google Analytics Benchmarks 2011.

Possibility = (TX * V% * F%) / TX

Figure 1: If a vulnerability exists, there is a chance it will be exploited. The higher the volume
of a site, the higher the risk. Note that TX cancels out of the formula as written, so the daily
percentage depends only on V% and F% (for the SQL injection row, 0.14 x 0.42 is about 6%); the
volume dependence the caption describes is in the numerator TX x V% x F%, which for that row is
about 169 per day and grows with the site's traffic.
Such attacks are persistent and frequent, fueled by massive botnets and automation.
Organizations cannot prevent these attacks from being launched in the first place.
While advice abounds on deterring attackers whose motive is something other than profit or
fame, such as hacktivists, nothing short of disconnecting from the Internet can definitively
stop external agents from launching attacks.
The responsibility of security operations is to prevent those attacks from succeeding.
This, too, is an increasingly difficult task. While the benefits of using web application
security solutions to detect and block attacks are now well understood and accepted, such
solutions are still widely underutilized because organizations are unable to operationalize
the processes required to continually scan, discover vulnerabilities, and put the policies
that mitigate them into place.
3. 4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned? WhiteHat Security video, 2012.
A better means of closing this serious gap between discovery of a vulnerability and deployment
of the policy that mitigates it is required: an automated system that removes the manual
hand-off between scanner and enforcement point, the step that slows remediation today and
leaves the entire organization exposed in the meantime.
Persistent Threat Management (PTM) automates the process of scanning for and mitigating
80 percent of the most commonly discovered vulnerabilities, including those most likely to
lead to a breach: SQLi, XSS, and CSRF. PTM covers discovery of vulnerabilities, codification
of the appropriate policy (tailored to the application and the organizational domain), and
automated deployment of that policy for prompt mitigation.
[Figure: Persistent Threat Management. Vulnerability scanners (Cenzic, Qualys, IBM, WhiteHat)
feed BIG-IP Application Security Manager, which sits between users and the application; the
cycle labels DEPLOY and PROTECT are recoverable from the diagram. Callouts: improving
operational efficiency by shifting burdens from people to technology; decreasing risk by
ensuring mitigation of discovered vulnerabilities.]
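The discover-codify-deploy loop described above, reduced to an added example in plain Python. This is not F5 code and does not use the BIG-IP ASM API: the finding schema, the shop.example site and its trusted origin, the SQLi and XSS signatures, and the rule format are all assumptions made for illustration. The point it shows is that a virtual patch derived from a scanner finding is deliberately narrow (one path, one parameter), that the CSRF rule compares Origin/Referer by exact scheme and host rather than by prefix, and that a request with neither header is treated as cross-site.

```python
"""Added example (not F5 code, not BIG-IP ASM's API): the "codify and deploy"
step of a scanner-to-WAF pipeline, reduced to plain Python.

A DAST export (constructed here; the field names are a hypothetical schema)
is turned into narrow, per-endpoint rules, and requests are checked against them.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed scanner findings; the schema is an assumption, not a real export format.
FINDINGS = [
    {"class": "SQLi", "url": "https://shop.example/search?q=", "param": "q"},
    {"class": "XSS",  "url": "https://shop.example/profile?nick=", "param": "nick"},
    {"class": "CSRF", "url": "https://shop.example/account/email", "param": None},
]

TRUSTED_ORIGIN = "https://shop.example"  # assumed site origin for the CSRF check

# Illustrative signatures only; production patterns need tuning against real traffic
# (a lone apostrophe is deliberately not flagged, so "O'Brien" passes).
SQLI_RE = re.compile(r"(?i)(\bunion\b\s+(?:all\s+)?select\b|\bor\b\s+\S+\s*=\s*\S+|--|;|/\*)")
XSS_RE = re.compile(r"(?i)(<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*iframe)")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Rule:
    path: str             # only this path is protected: a virtual patch is deliberately narrow
    kind: str             # "SQLi", "XSS" or "CSRF"
    param: Optional[str]  # parameter the scanner flagged; None for CSRF


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    def params(self) -> Dict[str, str]:
        """Merge query-string and body parameters (body value wins on a name clash)."""
        query = parse_qs(urlsplit(self.url).query, keep_blank_values=True)
        merged = {k: v[0] for k, v in query.items()}
        merged.update(self.body)
        return merged


def codify(findings: List[dict]) -> List[Rule]:
    """Turn each finding into one rule scoped to the flagged path and parameter."""
    return [Rule(urlsplit(f["url"]).path, f["class"], f["param"]) for f in findings]


def same_origin(header_value: str, trusted: str) -> bool:
    """Compare scheme and host:port exactly; a prefix check would let
    https://shop.example.evil.com through."""
    got, want = urlsplit(header_value), urlsplit(trusted)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def evaluate(rules: List[Rule], req: Request) -> List[str]:
    """Return the rules the request violates; an empty list means allow."""
    hits = []
    params = req.params()
    for r in rules:
        if r.path != req.path:
            continue
        if r.kind in ("SQLi", "XSS"):
            pattern = SQLI_RE if r.kind == "SQLi" else XSS_RE
            if pattern.search(params.get(r.param, "")):
                hits.append(f"{r.kind} on {r.path} param {r.param}")
        elif r.kind == "CSRF" and req.method in STATE_CHANGING:
            # Missing Origin and Referer is treated as cross-site (fail closed).
            origin = req.headers.get("Origin") or req.headers.get("Referer", "")
            if not same_origin(origin, TRUSTED_ORIGIN):
                hits.append(f"CSRF on {r.path}: origin {origin!r} not trusted")
    return hits


RULES = codify(FINDINGS)  # the "deploy" step: rules are live as soon as they are codified

if __name__ == "__main__":
    samples = [
        Request("GET", "https://shop.example/search?q=laptop+bag"),
        Request("GET", "https://shop.example/search?q='+OR+1=1--"),
        Request("GET", "https://shop.example/profile?nick=%3Cscript%3Ealert(1)%3C/script%3E"),
        Request("POST", "https://shop.example/account/email",
                {"Origin": "https://evil.example"}, {"email": "x@evil.example"}),
        Request("POST", "https://shop.example/account/email",
                {"Origin": "https://shop.example"}, {"email": "me@shop.example"}),
    ]
    for s in samples:
        print(s.method, s.url, "->", evaluate(RULES, s) or "allow")
```

The narrowness cuts both ways: the same SQL injection payload sent to /profile is not blocked, because the scanner only flagged /search, which is exactly why the paper pairs scanner-driven rules with the broader best-practice policy set rather than relying on either alone.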
best practices that immediately protect applications from falling prey to persistent
attacks.
Conclusion
The widespread use of vulnerability scans to detect potential vulnerabilities in web
applications and the constant attacks directed at organizations have resulted in a
silver lining: a set of nearly standardized attack patterns. Combining knowledge
from this set of attack patterns with best practices from OWASP and WASC has
netted a set of best practice defensive policies that protect against 80 percent of
the most common web application attacks.
The Persistent Threat Management model leverages modern integration and automation principles
to ensure the broadest coverage against attacks. Automating the loop by integrating DAST with
BIG-IP ASM gives organizations a compelling, effective method of protecting web applications
against exploitation of common, well-understood attacks. An integrated, process-driven solution
provides immediate and transparent mitigation of discovered vulnerabilities, relieves security
and operational staff of prioritizing and addressing those risks manually, and significantly
improves the security posture of all protected web applications.
2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified
at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS01-00120 1012