SECURING YOUR WEB APPLICATION IN AZURE WITH A WAF
Christian Folini
Jason Haley
September 2017
JASON HALEY
Salem, MA
Azure & Angular Consultant, Jason Haley Consulting LLC
Microsoft Azure MVP
@halejason
http://jasonhaley.com
Organizer of the North Boston Azure and DevBoston user groups
SECURING YOUR WEB APPLICATION
The OWASP (Open Web Application Security Project) Foundation is a not-for-profit international organization dedicated to “enabling organizations to conceive, acquire, operate, and maintain applications that can be trusted”. - https://www.owasp.org
- OWASP Top 10 Project - the most critical web application security risks
- OWASP Application Security Verification Standard (ASVS) Project - provides developers with a list of requirements for secure development
- OWASP ModSecurity Core Rule Set (CRS) - a pluggable set of generic attack detection rules that provide a base level of protection for any web application
OWASP TOP TEN PROJECT (2013)
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfigurations
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards
PENETRATION TEST (PEN TEST)
A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. - Wikipedia
PENETRATION TEST - OUTCOMES
- Prioritized list of known vulnerabilities
- Steps on how to reproduce each one
- Steps on how to fix each one
- Retest to verify the fixes
WHAT ELSE CAN YOU DO?
- Build security into the code from the start (the OWASP ASVS can help)
- Security reviews of the code
- Add security layers to the application
WHAT IS A WAF?
- Intrusion detection system - monitors a network for malicious activity or policy violations
- Firewall - monitors and controls inbound/outbound traffic based on rules
- Web application firewall - monitors inbound/outbound HTTP traffic of a web application based on rules
WHAT ARE THE OPTIONS IF YOU ARE IN AZURE?
- External to Azure (Akamai, Cloudflare, others)
- In the Azure Marketplace (Barracuda, F5, others)
- Azure networking product - Application Gateway
WHAT IS APPLICATION GATEWAY?
- HTTP (layer 7) load balancer
- Cookie affinity for session state
- SSL offload
- Private or public (can also be used with Web Apps)
- WAF: ModSecurity is the engine, the OWASP Core Rule Set (CRS) supplies the rules
WEB APPLICATIONS IN AZURE
How can you add it to a Web App (PaaS)?
- Currently you have to use a custom ARM template or use PowerShell/CLI
- backendHttpSettingsCollection.pickHostNameFromBackendAddress=true
- probe.pickHostNameFromBackendHttpSettings=true
How can you add it to a Web App (IaaS)?
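The PaaS case above only names the two properties that matter; the following is an added example (not from the slides or from Microsoft's documentation) that builds a WAF-tier Application Gateway in front of an App Service Web App with the Az PowerShell module, setting exactly those two properties. The 2017-era AzureRM module exposes the same cmdlets under the AzureRm prefix. All names are hypothetical: the resource group rg-webapp-waf, the VNet vnet-waf with subnet snet-appgw, the public IP pip-appgw, the backend contoso-app.azurewebsites.net and the PFX path for the front-end certificate are assumed to exist; the session is assumed to be signed in with Connect-AzAccount.

```powershell
# Added example: Application Gateway (WAF tier) in front of an App Service Web App.
# Assumed, hypothetical resources: rg-webapp-waf, vnet-waf/snet-appgw, pip-appgw,
# the backend FQDN below, and a PFX at C:\certs\frontend.pfx for SSL offload.
$rg         = "rg-webapp-waf"
$location   = "eastus"
$gwName     = "appgw-waf"
$webAppFqdn = "contoso-app.azurewebsites.net"   # constructed example backend

# Network plumbing the gateway is deployed into (assumed to exist already)
$vnet   = Get-AzVirtualNetwork -Name "vnet-waf" -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "snet-appgw" -VirtualNetwork $vnet
$pip    = Get-AzPublicIpAddress -Name "pip-appgw" -ResourceGroupName $rg

$gwIpConfig = New-AzApplicationGatewayIPConfiguration -Name "gwIpConfig" -Subnet $subnet
$feIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name "feIpConfig" -PublicIPAddress $pip
$fePort     = New-AzApplicationGatewayFrontendPort -Name "fePort443" -Port 443

# SSL offload: TLS terminates at the gateway so the WAF rules see plaintext HTTP
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$sslCert = New-AzApplicationGatewaySslCertificate -Name "frontendCert" `
    -CertificateFile "C:\certs\frontend.pfx" -Password $pfxPassword

$listener = New-AzApplicationGatewayHttpListener -Name "httpsListener" -Protocol Https `
    -FrontendIPConfiguration $feIpConfig -FrontendPort $fePort -SslCertificate $sslCert

# A PaaS Web App is addressed by FQDN, not by IP
$pool = New-AzApplicationGatewayBackendAddressPool -Name "webAppPool" -BackendFqdns $webAppFqdn

# The two settings from the slide. App Service routes on the Host header, so both the
# health probe and the proxied requests must carry the backend's own host name,
# otherwise the probe fails and the Web App answers 404 to every request.
$probe = New-AzApplicationGatewayProbeConfig -Name "webAppProbe" -Protocol Https -Path "/" `
    -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings

$httpSettings = New-AzApplicationGatewayBackendHttpSetting -Name "webAppHttpsSettings" `
    -Port 443 -Protocol Https -CookieBasedAffinity Disabled -Probe $probe `
    -PickHostNameFromBackendAddress

$rule = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType Basic `
    -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $httpSettings

# WAF tier with the OWASP CRS; Detection mode only logs matches, Prevention blocks them
$sku = New-AzApplicationGatewaySku -Name "WAF_Medium" -Tier "WAF" -Capacity 2
$waf = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true `
    -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion "3.0"

New-AzApplicationGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -Sku $sku -GatewayIPConfigurations $gwIpConfig -FrontendIPConfigurations $feIpConfig `
    -FrontendPorts $fePort -SslCertificates $sslCert -HttpListeners $listener `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $httpSettings -Probes $probe `
    -RequestRoutingRules $rule -WebApplicationFirewallConfiguration $waf
```

After the deployment finishes, Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg reports whether the probe reaches the Web App; an "Unhealthy" backend is the usual symptom when one of the two host-name settings is missing. Two points the slide does not cover but that matter in practice: start with Detection mode and review the WAF log for false positives before switching to Prevention, and restrict the Web App so that it only accepts traffic from the gateway's address, since a WAF that can be bypassed by calling the azurewebsites.net host directly protects nothing.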