Securing Your Web Application in Azure with a WAF

Presentation on theme: "Securing Your Web Application in Azure with a WAF"— Presentation transcript:

1 Securing Your Web Application in Azure with a WAF
Christian Folini, Jason Haley
September 2017
Do you have a web application hosted in Azure, using either IaaS or PaaS? In this talk we'll start with a look at what a web application firewall (WAF) is and why you would want to use one. Once you understand what a WAF can do for you, we'll look at some options you have in Azure for adding a WAF in front of your application. For demos, we'll take a look at adding a WAF in front of an App Service Web App and then in front of a web application hosted on a VM in Azure. If we have time, we can see how the site handles some malicious requests with and without a WAF.

2 Jason Haley
Jason Haley Consulting LLC
Salem, MA
Azure & Angular consultant, Microsoft Azure
Organizes the North Boston Azure and DevBoston user groups

3 Securing Your Web Application

4 OWASP
OWASP (Open Web Application Security Project) Foundation is a not-for-profit international organization dedicated to "enabling organizations to conceive, acquire, operate, and maintain applications that can be trusted".
OWASP Top 10 Project - the most critical web application security risks
OWASP Application Security Verification Standard (ASVS) Project - provides developers with a list of requirements for secure development
OWASP ModSecurity Core Rule Set (CRS) - a pluggable set of generic attack detection rules that provide a base level of protection for any web application

5 OWASP Top Ten Project (2013)
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards

6 Penetration Test (Pen Test)
A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. – Wikipedia

7 Penetration Test - Outcomes
Prioritized list of known vulnerabilities
Steps to reproduce each finding
Steps to fix each finding
Retest to verify the fixes

8 What else can you do?
Build security into the code from the start (OWASP ASVS can help)
Security reviews of the code
Add security layers to the application

9 What is a WAF?
Intrusion detection system - monitors a network for malicious activity or policy violations
Firewall - monitors and controls inbound/outbound traffic based on rules
Web application firewall - monitors inbound/outbound HTTP traffic of a web application based on rules
A WAF is a type of reverse proxy: it inspects the traffic while it retrieves resources on behalf of a client from one or more servers

10 What are the options if you are in Azure?
External to Azure (Akamai, CloudFlare, others)
In the Azure Marketplace (Barracuda, F5, others)
Azure networking product - Application Gateway

11 What is Application Gateway?
HTTP (layer 7) load balancer
Cookie affinity for session state
SSL offload
Private or public (can also be used with Web Apps)
WAF using ModSecurity: ModSecurity is the engine, the OWASP Core Rule Set (CRS) is the rules
By contrast, Azure Load Balancer works at layer 4 (transport): TCP/UDP

12 Web Applications in Azure
How can you add it to a Web App (PaaS)? Currently you have to use a custom ARM template or PowerShell/CLI, setting:
backendHttpSettingsCollection.pickHostNameFromBackendAddress=true
Probe.pickHostNameFromBackendHttpSettings=true
How can you add it to a web application on a VM (IaaS)?
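As an added example (not from the slides), one way to script the slide-11/12 setup with the 2017-era AzureRM PowerShell module: a WAF-tier Application Gateway in Prevention mode with the OWASP CRS 3.0 rule set, whose backend is an App Service reached by FQDN, with the two pick-host-name settings the slide names. The resource group, location, VNet, subnet and Web App hostname are placeholder assumptions.

```powershell
# Assumed placeholders: replace with your own resource group, network and Web App.
$rg      = "my-rg"
$loc     = "eastus"
$appFqdn = "myapp.azurewebsites.net"   # default App Service hostname (placeholder)

# The gateway needs its own dedicated subnet in the VNet.
$vnet   = Get-AzureRmVirtualNetwork -Name "my-vnet" -ResourceGroupName $rg
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "appgw-subnet" -VirtualNetwork $vnet
$gipcfg = New-AzureRmApplicationGatewayIPConfiguration -Name "gwipconfig" -Subnet $subnet

# Public frontend on port 80 (use 443 with a certificate for production).
$pip   = New-AzureRmPublicIpAddress -ResourceGroupName $rg -Name "appgw-pip" -Location $loc -AllocationMethod Dynamic
$fip   = New-AzureRmApplicationGatewayFrontendIPConfig -Name "frontendIp" -PublicIPAddress $pip
$fport = New-AzureRmApplicationGatewayFrontendPort -Name "frontendPort" -Port 80

# PaaS backend: addressed by FQDN, not by IP.
$pool = New-AzureRmApplicationGatewayBackendAddressPool -Name "appServicePool" -BackendFqdns $appFqdn

# Probe.pickHostNameFromBackendHttpSettings=true: the health probe sends the backend's
# host name, otherwise App Service cannot route the probe to the right site.
$probe = New-AzureRmApplicationGatewayProbeConfig -Name "appServiceProbe" -Protocol Https -Path "/" `
    -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings

# backendHttpSettingsCollection.pickHostNameFromBackendAddress=true: the Host header
# sent to the backend is rewritten to the pool FQDN.
$settings = New-AzureRmApplicationGatewayBackendHttpSettings -Name "appServiceSettings" -Port 443 -Protocol Https `
    -CookieBasedAffinity Disabled -RequestTimeout 30 -Probe $probe -PickHostNameFromBackendAddress

$listener = New-AzureRmApplicationGatewayHttpListener -Name "listener" -Protocol Http `
    -FrontendIPConfiguration $fip -FrontendPort $fport
$rule = New-AzureRmApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType Basic `
    -HttpListener $listener -BackendHttpSettings $settings -BackendAddressPool $pool

# WAF tier SKU plus the ModSecurity / OWASP CRS configuration. Prevention blocks matches;
# Detection only logs them.
$sku = New-AzureRmApplicationGatewaySku -Name WAF_Medium -Tier WAF -Capacity 2
$waf = New-AzureRmApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true `
    -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion 3.0

New-AzureRmApplicationGateway -Name "appgw-waf" -ResourceGroupName $rg -Location $loc `
    -GatewayIpConfigurations $gipcfg -FrontendIpConfigurations $fip -FrontendPorts $fport `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $settings -Probes $probe `
    -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku -WebApplicationFirewallConfiguration $waf
```

Running first with -FirewallMode Detection and reviewing the gateway's firewall diagnostic logs shows which CRS rules your legitimate traffic trips before you switch to Prevention.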

