Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Modern Apps with Zero Trust and Next-G...

Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall

In today's complex cybersecurity landscape, it is increasingly challenging to protect against ever more prevalent and sophisticated attacks. Securing modern applications requires implementing multiple layers of protection, not just at the network edge but throughout every component of the system. This talk will explore how Zero Trust principles are playing a critical role in the design of secure modern systems in the cloud era and how they are driving the evolution of Web Application Firewall (WAF) technology. We'll also introduce Coraza, a cutting-edge WAF library that leverages OWASP CoreRuleSet, and demonstrate how it, combined with a Zero Trust Architecture, is safeguarding web applications from a wide range of cyber attacks.

José Carlos Chávez

September 20, 2023
Tweet

More Decks by José Carlos Chávez

Other Decks in Technology

Transcript

  1. SOFTWARE ENGINEER @ TETRATE José Carlos Chávez • Open source

    enthusiast • OWASP Coraza WAF Co-leader • Zipkin core member • Loving father @jcchavezs
  2. WEB APPLICATION FIREWALL Traditionally a WAF: • Helps protect web

    applications by filtering and monitoring HTTP traffic between a web application and the Internet. • Protects web applications from malicious traffic such as cross-site forgery (CSRF), cross-site-scripting (XSS), file inclusion, and SQL injection, among others. • It is a protocol layer 7 defense (in the OSI model) acting as a reverse-proxy having clients pass through the WAF before reaching the server. @jcchavezs
  3. IP FENCING Deny specific IP through a denylist. GEO-FENCING AND

    GEO-BLOCKING Creates a virtual perimeter around a specific geographical area using GeoIP databases. REQUEST/RESPONSE INSPECTION Examines request/response elements matching them with known malicious values to distinguish between legitimate and malicious requests. Avoids zero-day attacks, client-side attacks, bot attacks, virus files, etc. SECURITY RULES - SQL Injection - XSS Attacks - Local and Remote File Inclusion - Size Restrictions - Command Injection - Unknown Bad Inputs 6 @jcchavezs WEB APPLICATION FIREWALL FEATURES
  4. ANOMALY SCORING If a rule matches, WAF applies a score

    for each deviation: - A simple deviation like a misspelled URL might only receive a low score. - A more serious one, e.g. an attempt to inject SQL code, receives a higher score. DDoS RATE LIMITING Restricts the number of requests that a particular IP address can send to a server within a given timeframe. The rate limit is typically set based on a predetermined threshold that is considered safe for normal traffic, and any requests that exceed this limit are blocked. BOT MITIGATION Analyzes cookies sent by the browser and check them to the databases of known bot cookies. Some examples: - CAPTCHA challenges - Bot Pretender - Web Scraping Protection - Bot Intelligence 7 @jcchavezs WEB APPLICATION FIREWALL FEATURES
  5. “ There was a time when security was easy. “I

    need more security – I will just buy another firewall” @jcchavezs OH
  6. PERIMETER SECURITY CHALLENGES • There is no single, easily identifiable

    perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc. • In the times of microservices the majority of the traffic is East-West whereas perimeter security focus on North-South. • Gateways have to carry knowledge about the upstream components which ends up in adding more security policies on the perimeter firewall, leading to operational complexity, misconfigurations, change management, timely policy updates, etc. • The guiding principle of perimeter security is "Trust but Verify" @jcchavezs
  7. ZERO TRUST enabling the right user under the right conditions

    to gain the right access to the right data @jcchavezs
  8. “ Zero trust (ZT) is the term for an evolving

    set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources @jcchavezs NIST 800-207 Zero Trust Architecture
  9. ZERO TRUST DRIVER ASSUMPTIONS • Trust can no longer be

    based on a network perimeter as perimeters can always be breached. • Policies have to be defined based on the assumption that the attacker is already inside of the network. • All access decisions have to rely on least-privilege, per-request, and context-based principles and on identities associated with users, services, and devices. • Security and access state constantly change over time. @jcchavezs
  10. ZERO TRUST TENETS 1. All data sources and computing services

    are considered resources: Networks today consist of a dynamic array of devices from traditional items such as servers and endpoints to more dynamic cloud computing services such as FaaS, which may execute with specific permissions to other resources in your environment. 2. Communications are secured regardless of location: The access policy should be a default-to-deny. Explicit access must be granted to specific resources. 3. Access to individual resources is granted on a per-session basis: Trust should not extend beyond a single session, each session should involve the same rigor to resolve access and permissions. @jcchavezs
  11. ZERO TRUST TENETS 4. Access to resources is determined by

    dynamic policy and other behavioral and environmental attributes: several attributes come into play when evaluating access and policies should be open to such decision input. The more context, the better e.g. network, cluster, security group, tenant, etc. 5. Monitor and measure integrity and security posture of owned and associated assets: no device or asset is inherently trusted, every resource request should trigger a security posture evaluation. This includes continuously monitoring the state of system assets that have access to the environment. @jcchavezs
  12. ZERO TRUST TENETS 6. Dynamic resource authentication and authorization strictly

    enforced before access allowed: granting access and trust is occurring in a dynamic and ongoing fashion. It is an iterative process with a myriad of factors coming into play with each policy enforcement decision on every request. 7. Collect info on current state of asset, network infrastructure, and communications to improve security posture: operators must run continuous monitoring capabilities to ensure they are aware of what is occurring in the system over the time and take actions when identify patterns. @jcchavezs
  13. Security is a combination of multiple protection mechanism on multiple

    levels Logical Components of Zero Trust Architecture @jcchavezs Source: NIST 800-207, Zero Trust Architecture
  14. WEB APPLICATION FIREWALL: AN OPPORTUNITY 7. COLLECT INFO ON CURRENT

    STATE OF COMMUNICATIONS - Continuous monitoring the audit logs from traffic and improve the security posture. 5. INTEGRITY AND SECURITY POSTURE - Every resource request should trigger a security posture evaluation. - When identify an attack, apply patches and vulnerability remediations. @jcchavezs
  15. “ Zero trust (ZT) is the term for an evolving

    set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources @jcchavezs NIST 800-207 Zero Trust Architecture
  16. ZERO TRUST WEB APPLICATION FIREWALL • Protects workloads by filtering

    and monitoring incoming traffic between workloads at PEP. • Protects workloads from attacks such as cross-site forgery (CSRF), cross-site-scripting (XSS), file inclusion, and SQL injection, among others.. • Leverages wide network patches for zero day vulnerabilities (e.g. log4shell). • Allows to on-board legacy applications in a lifted and shifted fashion. • Provides audit logs for further analysis and improve security posture through adaptive rulesets. @jcchavezs
  17. CORAZA WEB APPLICATION FIREWALL • Modsecurity compatible: modsec EOL is

    March 2024 • Focused on Coreruleset v4: Newest and shiniest ruleset from OWASP. • Multiplatform connectors: ◦ Native Go, Caddy, ◦ Envoy, Istio, Kong using proxy-wasm spec • Pluggable Architecture: Experimental plugins API for extending functionality. • High throughput: Performance driven, aimed to be run in critical path (e.g. PEP). @jcchavezs
  18. CONCLUSIONS • Zero trust isn’t incompatible with network based security

    approaches. • No single component or function will be sufficient to achieve a good level of security alone, but collectively they need to enforce security patterns across different layers in the system. @jcchavezs
  19. For any further queries, feel free to contact me at

    [email protected] Thank you everyone. jcchavezs jcchavezs www.tetrate.io
  20. References PCI Web Application Security Requirements https://pcidssguide.com/pci-web-application-security-requirements/ NIST SP 800-207A:

    A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments @jcchavezs NIST 800-207: Zero Trust Architecture WHAT YOU NEED TO KNOW ABOUT CLOUD LIFT & SHIFT MIGRATIONS https://f.hubspotusercontent10.net/hubfs/423210/cloud-lift-and-shift-migrations-whitepape r.pdf