
Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall

In today's complex cybersecurity landscape, it is increasingly challenging to protect against ever more prevalent and sophisticated attacks. Securing modern applications requires implementing multiple layers of protection, not just at the network edge but throughout every component of the system. This talk will explore how Zero Trust principles are playing a critical role in the design of secure modern systems in the cloud era and how they are driving the evolution of Web Application Firewall (WAF) technology. We'll also introduce Coraza, a cutting-edge WAF library that leverages OWASP CoreRuleSet, and demonstrate how it, combined with a Zero Trust Architecture, is safeguarding web applications from a wide range of cyber attacks.

José Carlos Chávez

September 20, 2023


Transcript

  1. SOFTWARE ENGINEER @ TETRATE
    José Carlos Chávez
    • Open source enthusiast
    • OWASP Coraza WAF Co-leader
    • Zipkin core member
    • Loving father
    @jcchavezs
  2. WEB APPLICATION FIREWALL
    Traditionally a WAF:
    • Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
    • Protects web applications from malicious traffic such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
    • It is a layer 7 (OSI application layer) defense, acting as a reverse proxy so that clients pass through the WAF before reaching the server.
  3. WEB APPLICATION FIREWALL FEATURES
    IP FENCING: Denies specific IPs through a denylist.
    GEO-FENCING AND GEO-BLOCKING: Creates a virtual perimeter around a specific geographical area using GeoIP databases.
    REQUEST/RESPONSE INSPECTION: Examines request/response elements, matching them against known malicious values to distinguish legitimate from malicious requests. Helps block zero-day attacks, client-side attacks, bot attacks, virus files, etc.
    SECURITY RULES:
    - SQL Injection
    - XSS Attacks
    - Local and Remote File Inclusion
    - Size Restrictions
    - Command Injection
    - Unknown Bad Inputs
  4. WEB APPLICATION FIREWALL FEATURES
    ANOMALY SCORING: If a rule matches, the WAF applies a score for each deviation:
    - A simple deviation like a misspelled URL might only receive a low score.
    - A more serious one, e.g. an attempt to inject SQL code, receives a higher score.
    DDoS RATE LIMITING: Restricts the number of requests that a particular IP address can send to a server within a given timeframe. The rate limit is typically set based on a predetermined threshold that is considered safe for normal traffic, and any requests that exceed this limit are blocked.
    BOT MITIGATION: Analyzes cookies sent by the browser and checks them against databases of known bot cookies. Some examples:
    - CAPTCHA challenges
    - Bot Pretender
    - Web Scraping Protection
    - Bot Intelligence
  5. OH: “There was a time when security was easy: ‘I need more security – I will just buy another firewall’.”
  6. PERIMETER SECURITY CHALLENGES
    • There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc.
    • In the times of microservices the majority of the traffic is East-West, whereas perimeter security focuses on North-South.
    • Gateways have to carry knowledge about the upstream components, which ends up adding more security policies on the perimeter firewall and leads to operational complexity, misconfigurations, change management overhead, timely policy updates, etc.
    • The guiding principle of perimeter security is "Trust but Verify".
  7. ZERO TRUST: enabling the right user under the right conditions to gain the right access to the right data.
  8. “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” (NIST 800-207, Zero Trust Architecture)
  9. ZERO TRUST DRIVER ASSUMPTIONS
    • Trust can no longer be based on a network perimeter, as perimeters can always be breached.
    • Policies have to be defined based on the assumption that the attacker is already inside the network.
    • All access decisions have to rely on least-privilege, per-request, and context-based principles and on identities associated with users, services, and devices.
    • Security and access state constantly change over time.
  10. ZERO TRUST TENETS
    1. All data sources and computing services are considered resources: networks today consist of a dynamic array of devices, from traditional items such as servers and endpoints to more dynamic cloud computing services such as FaaS, which may execute with specific permissions to other resources in your environment.
    2. Communications are secured regardless of location: the access policy should be default-to-deny. Explicit access must be granted to specific resources.
    3. Access to individual resources is granted on a per-session basis: trust should not extend beyond a single session; each session should involve the same rigor to resolve access and permissions.
  11. ZERO TRUST TENETS
    4. Access to resources is determined by dynamic policy and other behavioral and environmental attributes: several attributes come into play when evaluating access, and policies should be open to such decision input. The more context, the better, e.g. network, cluster, security group, tenant, etc.
    5. Monitor and measure the integrity and security posture of owned and associated assets: no device or asset is inherently trusted; every resource request should trigger a security posture evaluation. This includes continuously monitoring the state of system assets that have access to the environment.
  12. ZERO TRUST TENETS
    6. Dynamic resource authentication and authorization are strictly enforced before access is allowed: granting access and trust occurs in a dynamic and ongoing fashion. It is an iterative process with a myriad of factors coming into play with each policy enforcement decision on every request.
    7. Collect information on the current state of assets, network infrastructure, and communications to improve security posture: operators must run continuous monitoring capabilities to ensure they are aware of what is occurring in the system over time and take action when patterns are identified.
  13. Security is a combination of multiple protection mechanisms on multiple levels.
    [Figure: Logical Components of Zero Trust Architecture. Source: NIST 800-207, Zero Trust Architecture]
  14. WEB APPLICATION FIREWALL: AN OPPORTUNITY
    7. COLLECT INFO ON CURRENT STATE OF COMMUNICATIONS
    - Continuously monitor the audit logs from traffic and improve the security posture.
    5. INTEGRITY AND SECURITY POSTURE
    - Every resource request should trigger a security posture evaluation.
    - When an attack is identified, apply patches and vulnerability remediations.
  15. “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” (NIST 800-207, Zero Trust Architecture)
  16. ZERO TRUST WEB APPLICATION FIREWALL
    • Protects workloads by filtering and monitoring incoming traffic between workloads at the PEP (Policy Enforcement Point).
    • Protects workloads from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
    • Leverages network-wide patches for zero-day vulnerabilities (e.g. Log4Shell).
    • Allows legacy applications to be onboarded in a lift-and-shift fashion.
    • Provides audit logs for further analysis and improves the security posture through adaptive rulesets.
  17. CORAZA WEB APPLICATION FIREWALL
    • ModSecurity compatible: ModSecurity EOL is March 2024.
    • Focused on CoreRuleSet v4: the newest and shiniest ruleset from OWASP.
    • Multiplatform connectors:
      ◦ Native Go, Caddy
      ◦ Envoy, Istio, Kong using the proxy-wasm spec
    • Pluggable architecture: experimental plugins API for extending functionality.
    • High throughput: performance driven, aimed to be run in the critical path (e.g. at the PEP).
  18. CONCLUSIONS
    • Zero trust isn’t incompatible with network-based security approaches.
    • No single component or function will be sufficient to achieve a good level of security alone, but collectively they need to enforce security patterns across different layers in the system.
  19. For any further queries, feel free to contact me at [email protected]. Thank you everyone.
    jcchavezs · www.tetrate.io
  20. References
    - PCI Web Application Security Requirements: https://pcidssguide.com/pci-web-application-security-requirements/
    - NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments
    - NIST 800-207: Zero Trust Architecture
    - What You Need to Know About Cloud Lift & Shift Migrations: https://f.hubspotusercontent10.net/hubfs/423210/cloud-lift-and-shift-migrations-whitepaper.pdf
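The anomaly scoring described on slide 4, as an added Go example that is not Coraza's code and not part of the deck: three constructed rules with CRS-style severity scores (critical 5, warning 3, notice 2) and the CRS default inbound threshold of 5, both taken as assumptions here, score the decoded query-string arguments of a request. It goes one step beyond the slide by also showing that several low-severity deviations block once they add up to the threshold.

```go
package main

import (
	"net/url"
	"regexp"
)

// Per-severity scores and inbound threshold, taken from the OWASP CoreRuleSet
// defaults (assumed here; Coraza itself takes them from the loaded ruleset).
const (
	Critical, Warning, Notice = 5, 3, 2
	InboundThreshold          = 5
)

// Rule is a simplified stand-in for a CRS rule over request arguments.
// IDs are constructed for this example and are not real CRS rule IDs.
type Rule struct {
	ID, Score int
	Pattern   *regexp.Regexp
}
var rules = []Rule{
	// Critical: SQL tautology such as "OR 1=1", or UNION SELECT.
	{1001, Critical, regexp.MustCompile(`(?i)(\b(or|and)\b\s+\w+\s*=\s*\w+|union\s+select)`)},
	// Warning: control character inside an argument value.
	{1002, Warning, regexp.MustCompile(`[\x00-\x1f\x7f]`)},
	// Notice: SQL comment sequence, weak evidence on its own.
	{1003, Notice, regexp.MustCompile(`--|/\*`)},
}

// Evaluate decodes the query string and scores every argument value against
// every rule. As in CRS, each matching value adds that rule's score and the
// request is blocked once the total reaches the threshold.
func Evaluate(rawQuery string) (score int, matched []int, blocked bool, err error) {
	args, err := url.ParseQuery(rawQuery)
	if err != nil {
		return 0, nil, false, err
	}
	for _, r := range rules {
		for _, vals := range args {
			for _, val := range vals {
				if r.Pattern.MatchString(val) {
					score += r.Score
					matched = append(matched, r.ID)
				}
			}
		}
	}
	return score, matched, score >= InboundThreshold, nil
}
```

With these rules, `id=1%27+OR+1%3D1--` scores 7 (critical plus notice) and is blocked, `comment=see+note+--+below` scores only 2 and passes, and `x=%01+--` reaches 5 from two minor deviations and is blocked.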