The Open Web Application Security Project (OWASP) is an open community dedicated to activities that improve software security, including projects that provide practical information about evaluating and implementing web application firewalls (WAFs). Here are three OWASP projects that you can start using and benefiting from today.
When you’re evaluating web application firewalls to determine which is best for your clients, you need to know the types of attacks the WAF needs to provide protection from. The OWASP Top 10 was originally intended to raise awareness about common cybersecurity risks, but it’s become the industry standard for the risks that security solutions need to help prevent.
The most recent version of the OWASP Top 10, from 2017, identifies the top 10 risks as:
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
As you evaluate a WAF, investigate how it provides protection against these attack classes and software vulnerabilities. To see how the products in our web application firewall comparison address these risks, click here.
OWASP also recognizes that there are a multitude of WAFs available to you and your clients, and criteria that standardize their evaluation can be a useful tool for managed services providers and other IT security professionals. The OWASP project Web Application Firewall Evaluation Criteria (WAFEC) Version 1.0 provides a testing methodology that “can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.”
The project, which you can access or download here, covers WAF evaluation criteria based on:
- Deployment architecture—Evaluation criteria in this section of the project includes modes of operation, SSL, method of delivery, availability, inline operation, and support for non-HTTP traffic.
- HTTP support—This section deals with supported HTTP versions and encoding types, protocol validation, HTML restrictions, file transfers, authentication, and response filtering.
- Detection techniques—Use this section to evaluate how the WAF detects evasion attempts, normalizes data and stops known threats.
- Protection techniques—Use this section to determine how the WAF protects against brute-force attacks, cookie tampering, session attacks and exploitation of hidden form fields.
- Logging—These evaluation criteria include unique transaction IDs, access logs, event logs and notification, full transaction logs, log access, log retention, and handling of sensitive data.
- Reporting—The WAFEC project suggests you investigate the contents of event reports, report formats, how reports are presented and how they’re distributed.
- Management—The WAF should enable policy “enforcement, refinement, and verification.”
- Performance—This section has you consider performance at the HTTP level (for example, maximum new connections per second, latency, and performance under load).
- XML—Does the WAF support XML Web Services protection? Can it restrict access, and does it perform validation?
The OWASP Community is working on WAFEC Version 2.0 now, which will expand the scope and coverage of WAF evaluation criteria.
OWASP’s ModSecurity Core Rule Set (CRS) project gives you a pluggable set of generic attack detection rules that you can use with compatible web application firewalls. The CRS addresses a wide range of attacks, including the OWASP Top 10.
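To make three of the ideas above concrete, here is a small, added example (not OWASP, WAFEC or CRS code) of how a rule-driven inspector works: it normalizes parameter values before matching (the WAFEC “detection techniques” point about evasion and normalization), applies a pluggable list of generic rules in the spirit of the CRS, and logs every decision under a unique transaction ID without writing parameter values to the log (the “logging” criteria on transaction IDs and sensitive data). The rules, the `MAX_DECODE_PASSES` bound and the sample requests are constructed for illustration; a real rule set is far larger and more carefully tuned than these three patterns.

```python
"""Toy rule-driven request inspector (added example, not OWASP/CRS code)."""
import logging
import re
import urllib.parse
import uuid
from dataclasses import dataclass, field

# Hypothetical bound on repeated decoding: enough to unwrap double encoding
# without looping forever on pathological input.
MAX_DECODE_PASSES = 3


@dataclass(frozen=True)
class Rule:
    rule_id: str
    message: str
    pattern: re.Pattern


@dataclass
class Verdict:
    tx_id: str
    blocked: bool = False
    matched: list = field(default_factory=list)   # (rule_id, parameter name)
    normalized: dict = field(default_factory=dict)


def normalize(value: str) -> str:
    """URL-decode repeatedly (bounded), lowercase, and collapse whitespace.

    Matching on the normalized form is what lets a detector see a
    double-encoded value the same way the backend application will.
    """
    current = value
    for _ in range(MAX_DECODE_PASSES):
        decoded = urllib.parse.unquote_plus(current)
        if decoded == current:      # nothing left to decode
            break
        current = decoded
    return re.sub(r"\s+", " ", current).strip().lower()


# Constructed generic rules; a real rule set is pluggable in the same way
# (a list the operator can extend or replace) but much more precise.
RULES = [
    Rule("1001", "quote followed by boolean condition or SQL comment",
         re.compile(r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+|--\s|/\*")),
    Rule("1002", "script tag in parameter", re.compile(r"<\s*script\b")),
    Rule("1003", "directory traversal sequence", re.compile(r"\.\./")),
]


def inspect(params: dict, rules=RULES, log=None) -> Verdict:
    """Inspect request parameters and return a Verdict.

    Every log line carries the same transaction ID so an analyst can tie
    the block decision back to the individual rule hits. Only parameter
    names are logged, never values, to avoid leaking sensitive data.
    """
    log = log or logging.getLogger("toywaf")
    verdict = Verdict(tx_id=uuid.uuid4().hex)
    for name, raw in params.items():
        norm = normalize(raw)
        verdict.normalized[name] = norm
        for rule in rules:
            if rule.pattern.search(norm):
                verdict.matched.append((rule.rule_id, name))
                log.warning("tx=%s rule=%s param=%s msg=%s",
                            verdict.tx_id, rule.rule_id, name, rule.message)
    verdict.blocked = bool(verdict.matched)
    log.info("tx=%s blocked=%s hits=%d",
             verdict.tx_id, verdict.blocked, len(verdict.matched))
    return verdict


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Constructed sample requests: a benign search and a double-encoded value.
    inspect({"q": "running shoes"})
    inspect({"q": "shoes", "id": "%2527%2520or%25201%253D1"})
```

Evaluating a WAF against the “detection techniques” criteria amounts to asking the same question this toy answers: the raw value `%2527%2520or%25201%253D1` matches none of the rules, but its normalized form `' or 1=1` does, so a product that matches before decoding would miss it. The transaction ID in each log line is what makes the “full transaction logs” and “log access” criteria usable in practice.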
Don’t Stop There
In addition to resources related to WAFs, OWASP offers a variety of other free resources on a wide range of security topics, such as cheat sheets, which help security professionals find and fix problems, and testing tools that address many kinds of vulnerabilities.
You can learn more about OWASP and its resources by visiting the OWASP Wiki.