Web Application Firewalls Research Articles

Protecting Web Based Applications: A Best Practices Guide

Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance [1] has passed and well documented breaches have heightened the public and regulatory agencies' concerns about how well companies are securing consumer-specific information. Despite some initial advances, sensitive information is still frequently stolen. Internal threat an issue, magnified by extended partnerships which ultimately lead to more tasks will be performed outside company facilities. Web Application Firewalls (WAF) are the most effective mechanisms to immediately address security issues since the security rule set can be adjusted to stop new attack types without the time required to change the application code. Time is a critical factor in selecting solutions to prevent breaches. WAF will give a quick solution for PCI 6.6. WAF can protect custom applications, 3rd party applications, and legacy applications - even in cases where the organization does not control the source code (as for SAP, Oracle, PeopleSoft web applications and portals) and where the people who understand the application are no longer accessible. It is also important to minimize the number of bugs in applications. No matter what tool used, this should be accompanied with code reviews, appropriate testing including such as fuzzy testing, code standards that are followed, and proper education. No matter what tool configuration selected, manual code reviews, education, coding standards and proper testing must also be applied.

Enterprise Application Security - How to Balance the Use of Code Reviews and Web Application Firewalls for PCI Compliance

Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance [1] has passed and well documented breaches have heightened the public and regulatory agencies' concerns about how well companies are securing consumer-specific information. Despite some initial advances, sensitive information is still frequently stolen. Internal threat an issue, magnified by extended partnerships which ultimately lead to more tasks will be performed outside company facilities. In increasingly complex technical and business environments, no one security approach can deal with all the new and innovative intrusions. But the lack of a security silver bullet doesn't mean data security is impossible. It simply means that businesses have to take a multi-pronged approach to data security. This article is based on a project case study in protecting an enterprise application environment, including web-oriented applications. The article is PCI 6.6-oriented and compares the use of Web Application Firewalls (WAF) or code reviews for web-facing applications. It also addresses code scanning that is not web related. Extending the code reviews into the non-web applications, we also briefly discuss other types of protections. Other articles already discussed how to protect from SQL Injection into the database, or internal threats, including a DBA that impersonates a user. The section Protecting the Data Flow includes a few pointers to resources discussing protection of the enterprise data flow. The code review section is longer since this is an evolving area from a PCI perspective focusing on WAF and complementary code scanning. This article will compare WAF and web-based code reviews, and point to resources [15] discussing the whole data flow, which then involves much more than C/C code scanning. The part concerning code analysis isn't web-oriented, but it's about C/C /Java source code scanning, though it has some general parts. The case study from company ABC recommended using both WAF and coding reviews.

Payment Card Data - Know Your Defense Options

With the advent of the Payment Card Industry Data Security Standard (PCI DSS), protecting stored credit card numbers is no longer optional. Any company that stores, processes, or transmits credit card information - regardless of size or volume of transactions - must secure stored credit card data or face serious consequences for non-compliance, including fines, higher transaction fees, the loss of brand integrity, and erosion of market value. But while the PCI standard offers broad guidance - featuring rules on the proper use of firewalls, web application firewalls, computer access controls, antivirus software, and more - encryption requirements are proving to be among the most difficult for organizations to address. And to complicate the situation even further the compensating controls defined in PCI DSS 1.1 are not fully addressing the growing threat from data level attacks. This article will review different approaches to protect credit card data that can be combined to significantly strengthen an organization's security posture, while minimizing the cost and effort of PCI compliance.

Protecting Your Internal Resources with Intranet Application Firewalls

Web application firewalls (WAFs) are rapidly becoming a key component of end-to-end network security. Although the market is still struggling to move beyond the early adopter stages, WAF placement in the network is now well known and generally accepted as a necessary requirement. When looking at total security architecture, securing public Web applications over ports 80 and 443 is the next logical step to perimeter security: the concept of restricting access from the outside to the resources on the inside. Coupled with network firewalls, HTTP application firewalls can close perimeter security holes opened by allowing unrestricted access to public Web servers. Bui focusing solely on external, public application security is only half of the solution. Internal Web-based applications, such as corporate intranets, HR systems, CRM systems, HTTP-based databases, and report management applications, can also be al risk for the same open-access reasons, but from trusted internal attackers.