Presentation is loading. Please wait.

Presentation is loading. Please wait.

“New security software vendors are coming into the marketplace offering solutions that provide support to the development environment. Example vendors.

Published byPaul Chandler Modified over 6 years ago

Similar presentations

Presentation on theme: "“New security software vendors are coming into the marketplace offering solutions that provide support to the development environment. Example vendors."— Presentation transcript:

1 “New security software vendors are coming into the marketplace offering solutions that provide support to the development environment. Example vendors include CodeSealer,,,, “ Gartner Group

2 Architecture Attack Examples Protection Operating System
Browser Client - HTML - JavaScript - DOM - Plugins SSL Termination Network SSL Encrypted DMZ / Firewall HTTPS Gateway WSF Server Application Servers SSL Encryption WSF Protection Attack Examples - Virus - Trojan - Phishing - Root/Boot kit - Man-in-the-Browser - Injects - Phishing - Overlay - Form - Man-in-the-Middle after decryption - Manipulation of data - Session hijacking - Session injects DoS/DDoS DoS/DDoS DoS/DDoS DoS/DDoS Protection - Antivirus identifying and cleaning for known viruses - Firewall - Firewall - WSF monitoring & Integrity check identifying for any kind of manipulation - WAF protecting against known attacks - SSL Encryption - WAF protecting against known attacks and virus - WSF Client / Server Integrity check - Antivirus identifying and cleaning for known viruses WSF Bootloader - Dynamic obfuscation, additional encryption and session keys Hidden application code and URL’s WSF Client – WSF Server Integrity Check

3 Technical Specification – WSF 4 Server
An advanced, secure HTTP Proxy Built In Bootloader Secure JavaScript payload delivery system, hiding and protecting the application Dynamic obfuscation, with scripts replaced with new, uniquely obfuscated variants every 5 minutes Dynamic Keys Proprietary encryption protocols Diffie-Hellman key negotiation 128-bit key strength Rabbit as stream cipher, Badger as message authentication code No useful attacks known Decrypted in JavaScript, one step further than SSL/TLS (HTTPS) Bootloader Establishment of a Secure Session WSF Client WSF Server Front Page Request WSF Front Page referring to Boot Script Boot Script Request Dynamic Obfuscated Bootloader, incl. Unique Key Generator Key Exchange Request WSF Kernel Code Request Negotiate Encryption & Authentication Keys Encrypt and Authenticate WSF Kernel Code Verify, Decrypt and Execute WSF Kernel Code

4 Technical Specification – WSF 4 Client
JavaScript Secure and proprietary communication protocol Web page running protected in Sandbox Cookies protected in Sandbox DOM tree validation for detection of unauthorized page manipulation Checks 4 times per second Forensic Report generation Transmitted instantly or on next server communication event WSF Client HTML Request WSF Client WSF Server Setup of Sandbox Setup of DOM tree validation Encrypted Page Request Verify & Decrypt Page Request Obtain Page from Application Web Server Encrypted Page Response Verify & Decrypt Page Response Execute Page in Sandbox

5 Technical Specification – WSF 4 Supported
Operating systems Linux, kernel version 2.6+ Solaris 10/11+ Windows Server 2008+ Hardware At least 8GB of unused RAM At least 4 cores Supported web standards HTML 5 CSS 3 ECMAScript 5 Performance Initial request: < 1 second Later requests: < 0.5 seconds Max load: > Requests per second WSF Potential Attack Handling WSF Client WSF Server Detection of Illegal Action (DOM Manipulation) Create Forensic Report Encrypted Forensic Report Verify Defined Attack Action Disconnect Established Session Re-direct to a new Unsecured Session

6 Technical Specification – WSF 4 Devices
Supported browsers* Desktop Google Chrome Mozilla Firefox Safari 5+ Internet Explorer 9+ Opera Mobile (iOS, Android, WP, Blackberry) Safari IE for Windows Phone 7+ Dolphin Any device with a supported browser, regardless of form factor, will work. * All other browsers can operate unsecured if configured by the customer

7 WSF 4 – Technical Setup WSF Server installed behind Firewall and Load Balancer, in front of Web Server Installation on same or separate hardware, based on customer infrastructure WSF encrypt data on internal and external network Recommended that SSL/HTTPS is installed on external network Sticky Sessions recommended

8 WSF 4 – Dashboard Server Monitoring & Heartbeat Forensic Reports
Attack Types Dashboard

9 WSF 4 – Technical Pre-requisites
Unsupported client-side VBScript or JScript Limited support for ActiveX Unsupported position-dependent document.write (such operations may be performed out of order) Unsupported array-style indexing of native object attributes (such as innerHTML or appendChild) on objects other than window or document Unsupported showModalDialog and showModelessDialog Limited support for custom document.domain values (some combinations of IE and custom document.domain might cause the browser to enter Quirks mode which is not a valid execution environment for the WSF 4.1 Client) Full support for direct eval calls (such as ‘eval(“2 + 2”)’) but limited support for indirect eval calls (such as ‘window.eval(“2+2”)’ or ‘eval.call(window, “2+2”)’)

10 WSF 4.1 Installed behind Firewall & Load Balancer (Standard Preferred Setup) HTTP(S) traffic to/from WSF 4.1 Server Load Balancer WSF 4.1* / Web Server SSL/HTTPS Encryption/Decryption WSF 3.0 Encryption/Decryption * It is recommended to have one WSF 4.1 Server per Web Server

11 WSF 4. 1 Installed behind Firewall & Load Balancer. WSF 4
WSF 4.1 Installed behind Firewall & Load Balancer. WSF 4.1 on dedicated HW Server, SSL Encrypted Monitoring / Analytics HW Server HW Server Load Balancer HW Server HW Server Web Server WSF 4.1* WAF WEB SERVER SSL/HTTPS Encryption/Decryption WSF 4.1 / SSL/HTTPS Encryption/Decryption * One or more WSF 4.1 Servers. 1:1 relation between WSF 4.1 and Web Server

12 WSF 4. 1 Installed behind Firewall & Load Balancer. WSF 4
WSF 4.1 Installed behind Firewall & Load Balancer. WSF 4.1 on shared HW Server, SSL Encrypted Monitoring / Analytics HW Server 1 SSL & WSF Encrypted WSF 1 WEB 1 SSL Encrypted Load Balancer & Network Switch WSF 2 WEB 2 WAF HW Server 2 WSF 3 WEB 3 Monitoring / Analytics WSF 4 WEB 4 Traffic from Network Switch to WSF 4.1 SSL/HTTPS & WSF Encryption WSF 1 connected to WEB 3 WSF 2 connected to WEB 4 WSF 3 connected to WEB 1 WSF 4 connected to WEB 2 Traffic sent from HW 1 to HW 2 vv., using IP and Network Switch Traffic between HW Servers protected by SSL/HTTPS WAF and Monitoring sniffing on SSL/HTTPS between HW Servers WSF 4.1 / SSL/HTTPS Encryption/Decryption * One or more WSF 4.1 Servers. 1:1 relation between WSF 4.1 and Web Server

13 Contacts: Tonny Rabjerg

Download ppt "“New security software vendors are coming into the marketplace offering solutions that provide support to the development environment. Example vendors."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Facts about Welcome to this video from Ozeki. In this video I will present what makes Ozeki Phone System XE the Worlds best on-site software PBX for Windows.

Facts about Welcome to this video from Ozeki. In this video I will present what makes Ozeki Phone System XE the Worlds best on-site software PBX for Windows.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
It’s World Wide! I NTRODUCTION TO T HE WEB 1 Photo courtesy:

It’s World Wide! I NTRODUCTION TO T HE WEB 1 Photo courtesy:
WEB DESIGN SOME FOUNDATIONS. SO WHAT IS THIS INTERNET.

WEB DESIGN SOME FOUNDATIONS. SO WHAT IS THIS INTERNET.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
Internet Business Foundations © 2004 ProsoftTraining All rights reserved.

Internet Business Foundations © 2004 ProsoftTraining All rights reserved.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Mobile App Support Jacob Poirier Geri Hengesbach Andrea Menke Erin Rossell.

Mobile App Support Jacob Poirier Geri Hengesbach Andrea Menke Erin Rossell.
Access Gateway Operation

Access Gateway Operation
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Similar presentations

Ads by Google