The Open Web Application Security Project (OWASP) is an open community dedicated to activities that improve software security, including projects that provide practical information about evaluating and implementing web application firewalls (WAFs). Here are three OWASP projects you can use and benefit from today.
When evaluating web application firewalls to determine which is best for your clients, you need to know the types of attacks the WAF needs to protect against. The OWASP Top 10 was initially intended to raise awareness about common cybersecurity risks, but it has become the industry standard for the risks that security solutions need to help prevent.
The most recent version of the OWASP Top 10 identifies the top 10 risks as:
- Broken access control
- Cryptographic failures
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery (SSRF)
As you evaluate a WAF, investigate how it protects against these attacks and software vulnerabilities.
OWASP also recognizes that many WAFs are available to you and your clients, and criteria that standardize their evaluation can be a valuable tool for managed services providers and other IT security professionals. The OWASP project Web Application Firewall Evaluation Criteria (WAFEC) Version 1.0 provides a testing methodology that “can be used by any reasonably skilled technician to assess the quality of a WAF solution independently.”
The project, which you can access or download here, covers WAF evaluation criteria based on:
- Deployment architecture—Evaluation criteria in this project section include modes of operation, SSL, delivery method, availability, inline operation, and support for non-HTTP traffic.
- HTTP support—This section deals with supported HTTP versions and encoding types, protocol validation, HTML restrictions, file transfers, authentication, and response filtering.
- Detection techniques—This section evaluates how the WAF detects evasion attempts, normalizes data and stops known threats.
- Protection techniques—Use this section to determine how the WAF protects from brute force attacks, cookie tampering, session attacks and exploiting hidden forms.
- Logging—These evaluation criteria include unique transaction IDs, access logs, event logs and notifications, full transaction logs, log access, log retention, and handling of sensitive data.
- Reporting—The WAFEC project suggests you investigate the contents of event reports, report formats, and how reports are presented and distributed.
- Management—The WAF should enable policy “enforcement, refinement, and verification.”
- Performance—This section has you consider performance at the HTTP level (for example, maximum new connections per second, latency, and performance under load).
- XML—Does the WAF support XML Web Services protection? Can it restrict access, and does it perform validation?
The OWASP Community is now working on WAFEC Version 2.0, which will expand the scope and coverage of WAF evaluation criteria.
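To make the “Detection techniques” criterion concrete, here is an added illustration (example code written for this article, not part of WAFEC or of any WAF product) of why an evaluator checks normalization: a rule applied to the raw request text misses URL-encoded and double-encoded variants of the same payload, while the same rule applied after bounded decoding catches them. The sample request paths and the `normalize` routine are constructed for the example.

```python
"""WAFEC 'detection techniques' check: signature matching on raw input versus
matching after normalization (bounded URL decoding). Sample data constructed."""
import re
from urllib.parse import unquote

# Constructed sample request paths: one benign, then the same directory-traversal
# probe in raw, URL-encoded, double-encoded and upper-case-hex forms.
SAMPLE_PATHS = [
    "/images/logo.png",
    "/download?file=../../etc/passwd",
    "/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/download?file=%252e%252e%252fetc%252fpasswd",
    "/download?file=%2E%2E/%2E%2E/etc/passwd",
]

# A deliberately simple traversal signature, as a stand-in for a WAF rule.
TRAVERSAL = re.compile(r"\.\./")


def normalize(path: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing.
    The round limit is deliberate: unbounded decoding of attacker-controlled
    input is itself a resource-exhaustion risk a WAF must avoid."""
    prev = path
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def naive_match(path: str) -> bool:
    """Rule applied to the raw request: evaded by any encoding."""
    return bool(TRAVERSAL.search(path))


def normalized_match(path: str) -> bool:
    """Rule applied after normalization: catches the encoded variants."""
    return bool(TRAVERSAL.search(normalize(path)))


def evaluate(paths=SAMPLE_PATHS) -> dict:
    """Count how many sample paths each strategy flags."""
    return {
        "naive": sum(naive_match(p) for p in paths),
        "normalized": sum(normalized_match(p) for p in paths),
    }
```

Running `evaluate()` shows the raw matcher flagging only the unencoded probe while the normalized matcher flags all four variants and leaves the benign path alone; a real evaluation extends the sample set with the other encodings WAFEC lists (for example HTML entities, overlong UTF-8 and mixed schemes).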
OWASP’s ModSecurity Core Rule Set (CRS) project gives you a pluggable set of generic attack detection rules that you can use with compatible web application firewalls. The CRS addresses various attacks, including the OWASP Top 10.
Don’t Stop There
In addition to resources related to WAFs, OWASP offers a variety of other resources on a wide range of security topics that you are free to use, such as cheat sheets, which help security professionals find problems and fix them, and testing tools that address a wide range of vulnerabilities.
You can learn more about OWASP and its resources by visiting the OWASP Wiki.