book

Web Application Firewalls

Name: Web Application Firewalls
Author: Chad Russell
ISBN: 9781492032304

by Chad Russell

April 2018

Intermediate to advanced

72 pages

1h 49m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Introduction
1. Current Application Threats and Challenges
Code Complexity, Microservices, and Third-Party LibrariesMicroservices and Container SecurityIndustrialization of Attacks Using BotnetsGaining Access to Data Through Code Manipulation or Sensitive Credential CompromiseEnd-User AccountsSensitive and Privileged Accounts
2. Types of Attacks
The OWASP Top 10A1: InjectionA2: Broken AuthenticationA3: Sensitive Data ExposureA4: XML External Entities (XXE) (New)A5: Broken Access ControlA6: Security MisconfigurationA7: Cross-Site Scripting (XSS)A8: Insecure Deserialization (New)A9: Using Components with Known VulnerabilitiesA10: Insufficient Logging and MonitoringBusiness Logic AttacksExamplePredictable User NamesAvoid Weak PasswordsAddress Security in the Design PhaseModel Threats During the Design PhaseDistributed Denial of Service AttacksQueue the Internet of ThingsOnline FraudSocial EngineeringMalware
3. Evolution of Firewall and Web Application Firewall Technology
Traditional Intrusion Detection System and Intrusion Prevention System TechnologyIDS/IPS Evasion TechniquesNext Generation FirewallsWAF TechnologyWAFs and Virtual PatchingDetecting and Addressing Application Layer Attacks (SQL Injection, Cross-Site Scripting, Session Tampering)Detecting SQL Injection AttacksEncoding and Whitespace DiversityCore WAF CapabilitiesWAF Rulesets and Heuristics to the RescueXSS Attacks and WAF ProtectionAnatomy of an XSS AttackWAF XSS Filters and RulesHow WAFs Can Protect Against Session AttacksMinimizing WAF Performance ImpactWAF Performance OptimizationWAF High-Availability ArchitectureWAF Management PlaneEmergent WAF CapabilitiesSecurity Information and Event Management IntegrationDevOps Security TestingSecurity Operation Center AutomationCybersecurity Skills ShortageWAFs and Their Part in SOC ModernizationWAF Threat Intelligence and Feed CorrelationWAFs Authentication CapabilitiesMalware Inspection and SandboxingDetecting and Addressing WAF/IDS Evasion TechniquesVirtual PatchingAdjacent Solutions and TechnologiesAPI GatewaysBot Management and MitigationRuntime Application Self-ProtectionContent Delivery Networks and DDoS AttacksData Loss PreventionData Masking and RedactionWAF Deployment ModelsOn-PremisesNative CloudCloud-VirtualIn-Line Reverse-ProxyTransparent Proxy/Network BridgeOut of BandMultitenancySingle TenancySoftware Appliance BasedHybrid
4. Designing a Comprehensive Network Security Solution
XYZ CorpA Note About Native Cloud Security Services versus Specialized Services
Afterword

Overview

Firewalls have traditionally focused on network traffic, but with the advent of cloud computing and DevOps, security and operations professionals need a more sophisticated solution to track session state and application layer activity. In this ebook, cyber security consultant Chad Russell covers the current application threat landscape for modern deployment architectures, and explains the evolution of web application firewall (WAF) technologies for countering these attacks.

Developers today increasingly rely on third-party libraries for application development, but many of these libraries include vulnerabilities that attackers actively exploit. With this ebook, you’ll explore the specifics of WAF functionality for filtering, monitoring, and blocking HTTP traffic to and from a web application, and learn how to incorporate WAFs into existing and planned infrastructure, whether it’s a cloud, on-premise, or hybrid deployment.

You’ll examine:

The Top 10 application layer attacks compiled by the Open Web Application Security Project (OWASP)
Security vulnerabilities, including business logic attacks, distributed denial of service, online fraud, social engineering, and malware
WAF core and emergent capabilities, such as XSS and sessions attack protection, SIEM integration, and malware inspection and sandboxing
Security solutions and technologies that work with WAF, including API gateways, and data loss prevention solutions

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492032311

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills