Psilva's Prophecies

Peter Silva


The OWASP Top 10 – 2017 vs. BIG-IP ASM

With the release of the new 2017 Edition of the OWASP Top 10, we wanted to give a quick rundown of how BIG-IP ASM can mitigate these vulnerabilities.

First, here’s how the 2013 edition compares to 2017.

[Image: side-by-side comparison of the OWASP Top 10 2013 and 2017 lists]

And here is how BIG-IP ASM mitigates each of them.

Vulnerability / BIG-IP ASM Controls

A1 Injection Flaws
  • Attack signatures
  • Meta character restrictions
  • Parameter value length restrictions

A2 Broken Authentication and Session Management
  • Brute Force protection
  • Session tracking
  • HTTP cookie protection

A3 Sensitive Data Exposure
  • Data Guard

A4 XML External Entities (XXE)
  • Attack signatures (see below)

A5 Broken Access Control
  • File types
  • URL
  • URL flows
  • Session tracking
  • Attack signatures (Directory traversal)

A6 Security Misconfiguration
  • Attack Signatures

A7 Cross-site Scripting (XSS)
  • Attack signatures
  • Parameter meta characters
  • Parameter value length restrictions
  • Parameter type definitions (such as integer)

A8 Insecure Deserialization
  • Attack Signatures (see below)

A9 Using Components with Known Vulnerabilities
  • Attack Signatures integration

A10 Insufficient Logging and Monitoring
  • BIG-IP ASM can help with the monitoring process to detect, alarm and deter attacks

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt
  • 200018030           XML External Entity (XXE) injection attempt (Content)

XXE attacks can also be mitigated with an XML profile by disabling DTDs (and, of course, enabling the “Malformed XML data” violation):

[Screenshot: XML profile settings with DTDs disabled and the “Malformed XML data” violation enabled]
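As an added illustration (not the post's or F5's code), the small Python check below models the two XML-profile outcomes just described, a refused DTD and a “Malformed XML data” violation, over constructed sample request bodies; the function name, the violation strings and the samples are this example's own.

```python
from typing import Optional
import xml.parsers.expat as expat

# Constructed sample request bodies (not taken from the original post).
SAMPLES = {
    "clean": b"<order><id>42</id></order>",
    # Carries a DOCTYPE with an external entity declaration; a profile with
    # DTDs disabled refuses it before any entity could be expanded.
    "dtd": (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
            b"<order>&ext;</order>"),
    # Mismatched tags: not well-formed, so "Malformed XML data" fires.
    "malformed": b"<order><id>42</order>",
}


class DtdNotAllowed(Exception):
    """Raised from the parser callback when a DOCTYPE is encountered."""


def inspect_xml(body: bytes) -> Optional[str]:
    """Return the violation an XML profile would raise for this body, or None.

    'DTD not allowed'    : the body contains a <!DOCTYPE ...> (DTDs disabled)
    'Malformed XML data' : the body is not well-formed XML
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE, internal or external, is refused when DTDs are disabled.
        raise DtdNotAllowed(name)

    parser.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: never resolve parameter entities even if a DOCTYPE
    # slipped through (this is already expat's default).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(body, True)  # True = final chunk, so truncation is caught
    except DtdNotAllowed:
        return "DTD not allowed"
    except expat.ExpatError:
        return "Malformed XML data"
    return None


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:10s} -> {inspect_xml(body)}")
```

A real XML profile does more (schema validation, size limits), but these two checks are what stop an XXE payload from ever reaching the application's parser.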

For “A8:2017-Insecure Deserialization” we have many signatures, whose names usually include “serialization” or “serialized object”, for example:

  • 200004188           PHP object serialization injection attempt (Parameter)
  • 200003425           Java Base64 serialized object – java/lang/Runtime (Parameter)
  • 200004282           Node.js Serialized Object Remote Code Execution (Parameter)

A quick run-down thanks to some of our security folks.

ps


More Stories By Peter Silva

Peter is an F5 evangelist for security, IoT, mobile and core. His background in theatre brings the slightly theatrical and fairly technical together to cover training, writing, speaking, along with overall product evangelism for F5. He's also produced over 350 videos and recorded over 50 audio whitepapers. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Writer, speaker and Video Host, he's also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.