ENSURE APPLICATION AVAILABILITY AND INTEGRITY WITH F5 BIG-IP APPLICATION SECURITY MANAGER AND IBM SECURITY APPSCAN
Ron Carovano, Manager, Business Development, F5 Networks
Diana Kelley, Application Security Strategist, IBM Security Systems
Shauntinez Jakab, Product Marketing Manager II, F5 Networks
Darren Conway, Business Development Manager, F5 Networks
2© F5 Networks, Inc.
Agenda
• F5 and IBM Partnership
• IBM Security AppScan Overview
• F5 BIG-IP Application Security Manager Overview
• Solution and Customer Profile
• Demo
• Professional Services
• Resources
• Questions-and-Answers Session
F5 AND IBM PARTNERSHIP
Application Delivery Networking
Optimizing and securing networks for delivery of applications
(Figure: users at home, in the office and on the road reach the IBM data center through the Application Delivery Network)
F5 occupies strategic points of control with IBM deployments
IBM portfolio: WebSphere, Lotus, Tivoli, Information Management, Security, Systems & Technologies, Industry Solutions
(Figure: a BIG-IP sits in front of each virtualized tier on the path from users to the data: web server virtualization (web servers), application server virtualization (application servers) and database server virtualization (database servers))
F5 and IBM Software are Engineered to Perform Together
IBM product family (products): F5 products
• WebSphere (Application Server, Portal Server, MQ, SIP Server): BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP WebAccelerator, BIG-IP Application Security Manager
• Lotus (Notes, iNotes, Domino; Sametime): BIG-IP Local Traffic Manager, BIG-IP WebAccelerator, BIG-IP Application Security Manager
• Tivoli (Maximo Asset Management, Netcool Configuration Manager, Smart Cloud, Cloud Service Provider Platform, Service Automation Manager): BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP WebAccelerator, BIG-IP WAN Optimization Manager, BIG-IP Application Security Manager, BIG-IP Access Policy Manager
• Information Management (DB2, Cognos TM1, InfoSphere Guardium, FileNet): BIG-IP Local Traffic Manager, BIG-IP WAN Optimization Manager, BIG-IP Application Security Manager
• Security (AppScan, Security Access Manager, QRadar): BIG-IP Local Traffic Manager, BIG-IP Application Security Manager, BIG-IP Access Policy Manager
• Systems & Technologies (PureSystems, PowerVM, System Storage NAS): BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP WAN Optimization Manager
• Industry Solutions (Sterling Commerce Secure Proxy, Sterling Commerce QuickFile, Tealeaf): BIG-IP Local Traffic Manager
Gartner Magic Quadrant for Application Delivery Controllers (ADC)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from F5 Networks.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
APPSCAN OVERVIEW
IBM Security Framework
IBM Security delivers intelligence, integration and expertise across a comprehensive framework
• Increased security awareness and accuracy: detect and prevent advanced threats; increase visibility and situational awareness; conduct comprehensive incident investigations
• Ease of management: simplify risk management and decision-making; enhance auditing and access capabilities
• Reduced cost and complexity: deliver fast deployment, increased value and lower TCO by working with a single strategic partner with a broad, integrated portfolio
Application Security: The Source of Security Protection
1. Web application vulnerabilities dominate enterprise threat landscape.
2. Mobile Application Attacks are increasing rapidly.
3. Vulnerabilities are spread through a wide variety of applications (internal development / external in use without code).
4. Common questions: Where are your vulnerabilities and how do you validate risk?
5. Many organizations still don’t understand the importance of Application Security in their environments.
Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
Adopt a Secure by Design Approach
• Build security into your application development process
• Efficiently and effectively address security defects prior to deployment
• Collaborate effectively between Security and Development
• Provide management visibility
Outcomes: deliver new services more quickly, reduce costs, innovate securely
Proactively address vulnerabilities early in the development process
Application Security Testing across the Development Cycle
SDLC stages: coding, build, QA, security, production
Audience: development teams, security teams, penetration testers
Scanning techniques
• Static analysis (white box): source code vulnerabilities & code quality risks; data & call flow analysis tracks tainted data
• Dynamic analysis (black box): live web application; web crawling & manual testing
• Hybrid glass box analysis
Applications
• Web applications and web services: Web 2.0\HTML5, AJAX, JavaScript, Adobe Flash & Flex
• Mobile applications: iPhone Objective-C, Android Java
• Programming languages: C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, client-side JavaScript, server-side JavaScript, Java/Android, JSP, C, C++, COBOL, SAP ABAP
• Purchased applications
Governance & collaboration
• Training: application security & product (instructor-led, self-paced; classroom & web-based)
• Test policies, test templates and access control
• Dashboards, detailed reports & trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
Integrated
• Build systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
• Defect tracking systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
• IDEs provide remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
• Security intelligence raises threat levels (SiteProtector, QRadar, Guardium)
IBM Security AppScan finds more vulnerabilities by utilizing advanced techniques
• Static analysis: analyzes source code; utilized during development; leverages taint analysis / pattern matching
• Dynamic analysis: analyzes live web application; utilized during testing; leverages HTTP tampering
• Hybrid analysis: correlates dynamic and static results; assists remediation by identification of the line of code
• Client-side analysis: analyzes downloaded JavaScript code, which runs in the client; unique in the industry
• Run-time analysis: combines dynamic analysis with a run-time agent; more results, better accuracy
(Figure: the techniques overlap to cover the total potential security issues)
AppScan Components
Extensive reporting capabilities: 40 out-of-the-box compliance reports covering PCI DSS, HIPAA, EU Data Protection Directive, ISO 27001, OWASP Top Ten 2013 and more
What is privacy? Personally identifiable information (PII); ensuring secure collection and storage of PII; informing people how their PII is used
AppScan Enterprise provides information about: what kind of PII your web site collects; how the PII is collected (forms, cookies, etc.); if the PII is collected in a secure manner; if the PII is shared with 3rd parties; if the user is provided with a privacy statement
Compliance: Health Insurance Portability and Accountability Act (HIPAA), Children Online Privacy Protection Act (COPPA), US "Safe Harbor" Rules (EU Harmonization)
Remediation Assistance
• Details on located vulnerabilities
• Explanations of vulnerabilities
• Fix recommendations
Enterprise Dashboards: Measuring Progress
• Compare the number of issues across teams and applications
• Identify top security issues and risks
• View trending of number of issues by severity, over time
• Monitor progress of issue resolution
APPLICATION SECURITY MANAGER OVERVIEW
Who’s Responsible for Application Security?
(Figure: the tiers and roles involved: clients, network, applications, developers, infrastructure, engineering services, storage, DBA)
Who’s Responsible for Application Security?
(Figure: the same tiers and roles (clients, applications, infrastructure, storage; developers, engineering services, DBA), now with network security added)
What’s an Application Security Manager (ASM)?
• Allows the security team to secure a website without changing application code
• Provides comprehensive protection for all web application vulnerabilities, including DDoS
• Logs and reports all application traffic, attacks and user names
• Educates admins on attack-type definitions and examples
• PCI compliance activities
Full Proxy Security
(Figure: the full proxy terminates the client-side and the server-side stacks separately, each with physical, network, session, application and web application layers)
• L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation
• HTTP proxy, HTTP DDoS, and application security
• Application health monitoring and performance anomaly detection
How Does It Work? Security at application, protocol and network level
1. Request made
2. Security policy checked
3. Enforcement: content scrubbing, application cloaking
4. Server response
5. Security policy applied
6. Response delivered
Actions: log, block, allow
“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
Multiple Security Layers
• RFC enforcement
• Various HTTP limits enforcement
• Profiling of good traffic: defined list of allowed file types, URIs, parameters
• Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
• Looking for pattern-matching signatures
• Responses are also checked
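The layered checks just listed (HTTP limits, an allow-list of file types, URIs and parameters, per-parameter value, length and character-set rules, attack-pattern signatures, and inspection of responses) can be illustrated with a small policy evaluator. This is an added example written for this page; it is not F5 code and not how BIG-IP ASM is implemented. The policy values, the signature patterns, the sample requests and the log/block/allow decision helper are all constructed assumptions.

```python
"""Constructed illustration of a layered WAF positive security model.
Added example; not F5 code. Policy, signatures and sample traffic are made up."""
import re
from dataclasses import dataclass, field

# Layer 1: protocol limits (stands in for "RFC / HTTP limits enforcement").
MAX_URL_LENGTH = 2048
MAX_HEADER_COUNT = 40

# Layer 2: profile of good traffic: allowed file types and URIs (constructed policy).
ALLOWED_FILE_TYPES = {"", "html", "css", "js", "png"}
ALLOWED_URIS = {"/login", "/search", "/static/app.js"}


# Layer 3: per-parameter rules: predefined values, maximum length, character set.
@dataclass
class ParamRule:
    max_length: int
    charset: re.Pattern
    allowed_values: frozenset = frozenset()  # empty means any value in the charset


PARAM_RULES = {
    "user": ParamRule(32, re.compile(r"^[A-Za-z0-9_.@-]*$")),
    "q": ParamRule(100, re.compile(r"^[A-Za-z0-9 ]*$")),
    "lang": ParamRule(5, re.compile(r"^[a-z]*$"), frozenset({"en", "fr", "de"})),
}

# Layer 4: negative signatures (attack patterns) applied to every parameter value.
ATTACK_SIGNATURES = {
    "sql-comment-or-tautology": re.compile(r"(--|/\*|'\s*or\s+1\s*=\s*1)", re.I),
    "script-tag": re.compile(r"<\s*script", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Layer 5: response checks: server errors and stack traces must not reach clients.
RESPONSE_LEAK_SIGNATURES = {
    "stack-trace": re.compile(r"(Traceback \(most recent call last\)|at java\.lang\.)"),
    "sql-error": re.compile(r"SQL syntax|ORA-\d{5}", re.I),
}


@dataclass
class Request:
    uri: str
    params: dict
    headers: dict = field(default_factory=dict)


def file_type(uri):
    """Extension of the last path segment, or '' when there is none."""
    last = uri.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def check_request(req):
    """Return the list of policy violations; an empty list means the request is clean."""
    violations = []
    if len(req.uri) > MAX_URL_LENGTH:
        violations.append("http-limit:url-length")
    if len(req.headers) > MAX_HEADER_COUNT:
        violations.append("http-limit:header-count")
    if file_type(req.uri) not in ALLOWED_FILE_TYPES:
        violations.append(f"file-type:{file_type(req.uri)}")
    if req.uri not in ALLOWED_URIS:
        violations.append(f"uri:{req.uri}")
    for name, value in req.params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:                      # parameter not in the learned profile
            violations.append(f"param-unknown:{name}")
            continue
        if rule.allowed_values and value not in rule.allowed_values:
            violations.append(f"param-value:{name}")
        if len(value) > rule.max_length:
            violations.append(f"param-length:{name}")
        if not rule.charset.match(value):
            violations.append(f"param-charset:{name}")
        for sig, pattern in ATTACK_SIGNATURES.items():
            if pattern.search(value):
                violations.append(f"param-signature:{name}:{sig}")
    return violations


def check_response(body):
    """Responses are checked too: flag bodies that leak server internals."""
    return [f"response-leak:{n}" for n, p in RESPONSE_LEAK_SIGNATURES.items() if p.search(body)]


def decide(violations, blocking=True):
    """Map violations to the three actions the slide names: allow, block, or log only."""
    if not violations:
        return "allow"
    return "block" if blocking else "log"


if __name__ == "__main__":
    for r in (Request("/search", {"q": "blue widgets"}),
              Request("/search", {"q": "' or 1=1 --"}),
              Request("/admin/config.php", {})):
        v = check_request(r)
        print(r.uri, decide(v), v)
```

Running the block in transparent mode (`blocking=False`) turns every hit into a log entry only, which is how a new policy is normally tuned against real traffic before enforcement is switched on.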
Streamlined Deployment Options
• Prebuilt app policy, for mission-critical applications: out-of-the-box protection; pre-built, pre-configured and validated policies
• Rapid deployment policy, for any custom application (HR apps, Finance apps, Sales apps, Marketing apps): immediate security with 80% of events; minimal configuration time, and a starting point for more advanced policy creation
Detailed Logging with Actionable Reports
• At-a-glance PCI compliance reports
• Drill-down for information on security posture
Attack Expert System in ASM
The attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with a tooltip (click the info icon) to explain the violation. The entire HTTP payload of each event is logged.
DDoS Mitigation
(Figure: attacks arranged against the OSI stack, Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7), with the difficulty of attack detection increasing toward the application layer, and the F5 mitigation technology for each group)
• Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks. Mitigation, BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
• Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation. Mitigation, BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
• Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods. Mitigation, BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Automatic HTTP/S DoS Attack Detection and Protection
• Accurate detection technique, based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
Sequence: detect a DoS condition, identify potential attackers, drop only the attackers
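To make the detect, identify and drop sequence concrete, here is an added example (not F5 code; the thresholds, the three escalation stages named log, rate-limit and drop, and the traffic log are constructed assumptions, and the slide does not name the three techniques ASM actually uses). It learns a latency baseline from quiet traffic, flags a window whose average latency rises above a multiple of that baseline, singles out sources with a disproportionate share of the requests in that window, and escalates the action for those sources only, so other clients are never touched.

```python
"""Latency-based HTTP DoS detection with per-source escalation.
Added example, not F5 code. Thresholds, stage names and traffic are constructed."""
from collections import Counter, defaultdict
from statistics import mean

BASELINE_WINDOW = 10.0   # seconds of quiet traffic used to learn normal latency
DETECT_FACTOR = 3.0      # DoS condition when window latency > factor * baseline
ATTACKER_SHARE = 0.30    # a source issuing > 30% of the window's requests is a suspect
STAGES = ["log", "rate-limit", "drop"]  # escalated serially (assumed stage names)


def learn_baseline(records, window=BASELINE_WINDOW):
    """Mean latency (ms) over the first `window` seconds of the log."""
    start = records[0][0]
    return mean([lat for ts, _, lat in records if ts - start < window])


def window_stats(records, t0, t1):
    """For requests with t0 <= ts < t1: (average latency, requests per source)."""
    in_win = [(src, lat) for ts, src, lat in records if t0 <= ts < t1]
    if not in_win:
        return 0.0, Counter()
    return mean([lat for _, lat in in_win]), Counter(src for src, _ in in_win)


def detect_dos(avg_latency, baseline, factor=DETECT_FACTOR):
    """Step 1: the DoS condition is a latency rise, not a raw request count."""
    return avg_latency > factor * baseline


def identify_attackers(per_source, share=ATTACKER_SHARE):
    """Step 2: suspects are sources holding more than `share` of the window's requests."""
    total = sum(per_source.values())
    return sorted(src for src, n in per_source.items() if n / total > share)


def mitigate(records, window=5.0):
    """Step 3: walk the log in fixed windows and escalate the action for each suspect
    only while the DoS condition persists. Returns (baseline, flagged window starts,
    {source: current action}); sources never identified get no action at all."""
    baseline = learn_baseline(records)
    actions, level, flagged = {}, defaultdict(int), []
    t, end = records[0][0], records[-1][0]
    while t <= end:
        avg, per_source = window_stats(records, t, t + window)
        if detect_dos(avg, baseline):
            flagged.append(t)
            for src in identify_attackers(per_source):
                actions[src] = STAGES[min(level[src], len(STAGES) - 1)]
                level[src] += 1            # next flagged window escalates
        t += window
    return baseline, flagged, actions


def sample_log():
    """Constructed traffic: 10 s of normal requests from five clients (~45 ms), then
    15 s in which 10.0.0.99 floods the site and backend latency climbs to ~400 ms."""
    clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
    log = [(i * 0.2, clients[i % 5], 40 + (i % 3) * 5) for i in range(50)]
    for i in range(150):                    # t = 10.0 .. 24.9
        ts = 10.0 + i * 0.1
        if i % 4 == 0:                      # legitimate clients keep coming, slower now
            log.append((ts, clients[i % 5], 400))
        else:
            log.append((ts, "10.0.0.99", 420))
    return log


if __name__ == "__main__":
    baseline, flagged, actions = mitigate(sample_log())
    print(f"baseline {baseline:.1f} ms, DoS windows at {flagged}, actions {actions}")
```

The point of driving detection off latency is that a flood only matters when the application is actually slowing down; a burst that the servers absorb never triggers mitigation, and when one does, only the sources that dominate the window are acted on.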
Automated Bot and Scanner Prevention
(Figure: ASM sits between the website and its visitors, admitting the user and stopping the bot)
Identify, Virtually Patch & Mitigate Vulnerabilities
1. Scan application with IBM Security AppScan
2. Configure vulnerability policy in BIG-IP ASM
3. Mitigate web app attacks
(Figure: scan results feed the WAF, which sits between clients and the application and stops the hacker; the cycle of scan, WAF and manual assurance gives timely threat mitigation)
SOLUTION AND CUSTOMER PROFILE
F5 ASM and IBM Security AppScan Solution
Protection in three easy steps:
1. Perform vulnerability scan with IBM Security AppScan and export results into an XML file
2. Import AppScan XML file into ASM via administrative console
3. Mitigate threats by using the ASM Wizard to generate and deploy security policies
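The three-step workflow above, together with the remediation classes the professional services slides use later (ASM out-of-box, ASM custom config, ASM iRules, traditional SDLC), can be sketched as a script that reads exported findings and decides which ones the WAF layer can virtually patch and which must go back to development. This is an added example, not IBM or F5 code: the XML is a constructed stand-in and does not follow the AppScan export schema, the mapping of finding types to controls is an assumption, and nothing here talks to an ASM.

```python
"""Turn scanner findings into a virtual-patch plan. Added example, not IBM or F5 code.
The report below is a constructed, simplified stand-in for an exported scan; it is not
the AppScan export format. The finding-type-to-control mapping is an assumption."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<scan-report>
  <issue type="SQL Injection" severity="High" url="/search" parameter="q"/>
  <issue type="Cross-Site Scripting" severity="High" url="/comment" parameter="text"/>
  <issue type="Directory Listing" severity="Medium" url="/static/"/>
  <issue type="Business Logic Flaw" severity="Medium" url="/checkout" parameter="price"/>
  <issue type="SQL Injection" severity="High" url="/search" parameter="q"/>
</scan-report>"""

# Constructed mapping: which remediation class handles each finding type, using the four
# classes from the remediation roadmap (out-of-box, custom-config, irules, sdlc).
CONTROLS = {
    "SQL Injection": ("out-of-box", "enable SQL injection attack signatures on the parameter"),
    "Cross-Site Scripting": ("out-of-box", "enable XSS attack signatures on the parameter"),
    "Directory Listing": ("custom-config", "disallow the directory URL; restrict allowed file types"),
    "Business Logic Flaw": ("sdlc", "cannot be expressed as a WAF rule; fix in application code"),
}


def parse_findings(xml_text):
    """Step 1 output: unique (type, severity, url, parameter) tuples from the export."""
    seen, findings = set(), []
    for issue in ET.fromstring(xml_text).iter("issue"):
        f = (issue.get("type"), issue.get("severity"), issue.get("url"), issue.get("parameter"))
        if f in seen:                 # scanners often report one weakness several times
            continue
        seen.add(f)
        findings.append(f)
    return findings


def plan_virtual_patches(findings):
    """Steps 2 and 3: split findings into WAF-mitigable patches and an SDLC backlog.
    Patches are ordered highest severity first so the urgent items are handled first."""
    patches, backlog = [], []
    for ftype, severity, url, param in findings:
        klass, action = CONTROLS.get(ftype, ("sdlc", "unknown finding type; review manually"))
        entry = {"type": ftype, "severity": severity, "url": url, "parameter": param,
                 "class": klass, "action": action}
        (backlog if klass == "sdlc" else patches).append(entry)
    order = {"High": 0, "Medium": 1, "Low": 2}
    patches.sort(key=lambda e: order.get(e["severity"], 3))
    return patches, backlog


def coverage(findings):
    """Share of unique findings the WAF layer can virtually patch (the figure the
    vulnerability mitigation assessment offers to report)."""
    patches, backlog = plan_virtual_patches(findings)
    return len(patches) / (len(patches) + len(backlog))


if __name__ == "__main__":
    found = parse_findings(SAMPLE_REPORT)
    patches, backlog = plan_virtual_patches(found)
    for p in patches:
        print(f"[{p['severity']}] {p['url']} {p['parameter'] or ''}: {p['class']}: {p['action']}")
    print(f"backlog for development: {[b['type'] for b in backlog]}")
    print(f"virtual-patch coverage: {coverage(found):.0%}")
```

A virtual patch buys time; the backlog list is the reminder that a WAF rule narrows exposure to a flaw without removing it, so the SDLC fix still has to follow.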
Solution and Customer Profile
“A branch of the Canadian Government has an array of web applications, some public, some private, that suffer from various vulnerabilities. They are an IBM Appscan customer and Appscan has given their network security team visibility into these vulnerabilities. With a slow and sometimes challenging SDLC, mitigation has proven to be an ongoing challenge. They turned to F5, inquiring if our ASM product could potentially help mitigate these vulnerabilities. Of course we can, but one of the major challenges for their network security team, not being savvy with the applications themselves, is how to configure ASM to mitigate these vulnerabilities. When we told them that ASM can leverage the data obtained from IBM Appscan to build the ASM security policies to mitigate the vulnerabilities in play, they were palpably relieved. This provided the enablement their network security team needed to move forward with a mitigation strategy without having to rely entirely on the applications teams to configure ASM suitably.”
DEMO
PROFESSIONAL SERVICES
“Would you like to know how many of your open vulnerabilities can be mitigated through virtual patching on your F5 BIG-IP ASM gateway device?”
F5 ASM Vulnerability Mitigation Assessment Service
• We can help your organization form a remediation roadmap to address web application vulnerabilities with BIG-IP ASM Gateway
• IBM teams up with IBM Security AppScan
(Figure: web apps are scanned with IBM Security AppScan; the findings go to BIG-IP ASM professional services, which produce the Vulnerability Mitigation Assessment Report)
Two offerings:
• ASM Vulnerability Mitigation Assessment Service (ASM VMAS): scan finding data collected; findings imported into ASM; report creation; deliverables: Vulnerability Remediation Roadmap
• ASM Vulnerability Mitigation Assessment Service - Subscription (ASM VMAS-S): performed periodically & remotely; findings imported into ASM; report creation; deliverables: Vulnerability Mitigation Report; 4 hours tuning ASM to remediate findings (beyond that will be a custom SoW)
Remediation Roadmap deliverable: each finding is assigned to one of four classes
• ASM out-of-box remediation
• ASM custom config remediation
• ASM iRules remediation
• Traditional SDLC remediation
RESOURCES
Resources
• Solution White Paper: Vulnerability Assessment with Application Security: http://www.f5.com/pdf/white-papers/vulnerability-assessment-asm-wp.pdf
• Solution Technical Manual: Using Vulnerability Assessment Tools for a Security Policy: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-11-3-0/4.html
• Solution Video Overview: https://devcentral.f5.com/articles/appscan-redux#.Ul2nCFAgfAk
• IBM Security AppScan: http://www-03.ibm.com/software/products/us/en/appscan
• F5 BIG-IP Application Security Manager: http://www.f5.com/products/big-ip/big-ip-application-security-manager/overview/
• F5 Professional Services: http://www.f5.com/pdf/professional-services/big-ip-asm-mitigation-assessment-sd.pdf
Resources
• F5.com: http://www.f5.com/products/technology/ibm/ibm-security-systems/
• IBM.com: http://ibm.com/developerworks/connect/F5
• E-mail: [email protected]
• Ron Carovano, Manager, Business Development, F5 Networks, [email protected]
• Diana Kelley, Application Security Strategist, IBM Security Systems, [email protected]
• Shauntinez Jakab, Product Marketing Manager II, F5 Networks, [email protected]
• Darren Conway, Business Development Manager, F5 Networks, [email protected]
QUESTIONS-AND-ANSWERS SESSION
THANK YOU!