Slide 1: The benefits of externalizing Web DMZ-as-a-Service in the Cloud
James Smith, Sr. Security Consultant @ Sentrix, James@Sentrix.com

Slide 2: State of App Sec (Copyright Sentrix 2015)
- 52% of organizations test less than half of their apps for vulnerabilities
- 66% report fixing less than 40% of vulnerabilities found
- 50% of organizations report taking over 3 months to fix vulnerabilities after they have been identified in production systems
(Survey of over 100 security executives at the 2015 Gartner Security Summit)

Slide 3: Agenda
- The blind spots of web application security (often not covered by the SDLC processes)
- Uncontrolled areas of the code: web platform, 3rd party plugins, 3rd party embedded SaaS
- What do we traditionally do about them
- Cloud DMZ as an alternative architecture
Slide 4: The Blind Spots of Web Application Security: Web Platform Vulnerabilities
- Content Management Systems (WordPress, Drupal, Joomla)
- Application Servers (SharePoint, WebSphere)
Examples shown: American Express, Pfizer, Pizza Hut, Walmart, ...

Slide 5: The Blind Spots of Web Application Security: Web Platform Vulnerabilities
- Content Management Systems (WordPress, Drupal, Joomla)
- Application Servers (SharePoint, WebSphere)
Examples shown: MTA, Warner Music, Timex, The Weather Channel, ...

Slide 6: The Blind Spots of Web Application Security: 3rd Party Plugin Vulnerabilities
Examples shown: NVidia, NDA, ...
Slide 7: What Do We Traditionally Do About These Blind Spots

Slide 8: First, Who Owns This?
- Network Team?
- App Development Team?
- Security Team?

Slide 9: Where the Secure Development Lifecycle Gap Lies (stack diagram)
- Stack layers, top to bottom: HTTP Server; Application Server & Content Management System; Application; Operating System; Network Firewall
- Covered by the Secure Development Lifecycle: the application layer (application logic: SQLi, XSS)
- The gap, exploited for 0-days and platform vulnerabilities: ShellShock (CVE-2014-6271), Drupal (CVE-2014-1475), WordPress (CVE-2014-5203), SharePoint (MS14-022), Java (CVE-2014-0410), WebSphere (CVE-2013-0462), Apache (CVE-2013-1777), MS-RPC, SNMP
Slide 10: The Traditional Best Practices
- Patching: a losing battle. Attackers are likely to know about these vulnerabilities before a patch is available.
- WAF-based signature detection: another losing battle. Attackers find new attack signatures.
- WAF-based whitelisting: can help, but it is labor intensive and not a fit for continuous development.
Slide 11: Cloud DMZ as an Alternative Architecture

Slide 12: What is a Cloud DMZ?
- A replica of the user interface of a protected web system
- Having a well defined API through which it is permitted to communicate with the protected system

Slide 13: Active Learning Based Implementation of Cloud DMZ

Slide 14: 1: Scan Website to Understand its Functionality
Proactive Learning Engine: a proprietary proactive learning engine performs a deep scan of the site to determine the optimal method of defense for each resource, according to its functionality.
Slide 15: 2: Analyze Scan Results
- Presentation Layer: static resources, non-static forms and other components that can be served from the cloud, isolated from the back end and fully excluded from the attack surface.
- Business Logic: search boxes, forms, and any assets that require access to the back end are classified and categorized based on the component's functionality as determined in the scan.

Slide 16: 3: Decouple Website Components
- Presentation Layer: decoupled from the business logic

Slide 17: 4: Replicate

Slide 18: 5: Securing the Website (White List)
- Requests to the Business Logic: the business logic is tightly protected by a handful of easy to manage white list rules. Only valid requests are allowed to the back end.
(Diagram: Validated Requests -> Secure Replica -> Business Logic -> Web Server / Back End)

Slide 19: 5: Securing the Website (White List)
- Requests to the Presentation Layer: served from the cloud and never reach the back end, making this area of the back end immune to attacks. Unlike CDNs, the replica intelligently serves requests and does not use caching, therefore it never has to access the back end.
(Diagram: Web Server / Back End)

Slide 20: 6: Elastic Scale Against DDoS
(Diagram: White List -> Web Server / Back End)
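As an added illustration of steps 3 to 5 above (this is example code written for this page, not Sentrix's engine; the replica contents, the two whitelist rules and their parameter patterns are assumed), a minimal routing function that serves presentation-layer resources from a replica store and forwards only whitelisted business-logic transactions to the back end, dropping everything else before it can touch the platform:

```python
import re
from dataclasses import dataclass

# Constructed replica store: presentation-layer resources copied into the
# cloud DMZ. Per the slides these are served from the cloud and never hit
# the back end, so no platform code runs for them at all.
REPLICA = {
    ("GET", "/"): "<html>home</html>",
    ("GET", "/about.html"): "<html>about</html>",
    ("GET", "/static/site.css"): "body{margin:0}",
}

@dataclass(frozen=True)
class WhitelistRule:
    """One business-logic transaction that may reach the back end."""
    method: str
    path: str
    params: dict  # parameter name -> regex the value must fully match

# Hypothetical rules for the two transactions named in the WordPress case
# study (search bar, contact form). Every parameter is enumerated; anything
# else is not a recognised transaction.
RULES = [
    WhitelistRule("GET", "/search", {"q": r"[\w \-]{1,100}"}),
    WhitelistRule("POST", "/contact", {
        "name": r"[\w \-']{1,80}",
        "email": r"[^@\s]+@[^@\s]+\.[a-z]{2,}",
        "message": r"[\s\S]{1,2000}",
    }),
]

def route(method, path, params=None):
    """Return (decision, payload). 'replica' serves from the cloud copy,
    'backend' forwards a validated transaction, 'blocked' drops the request
    without ever contacting the protected system."""
    params = dict(params or {})
    # Static replica hit: only with no parameters, so nothing is smuggled
    # into a path that the back end should never see.
    if (method, path) in REPLICA and not params:
        return "replica", REPLICA[(method, path)]
    for rule in RULES:
        if rule.method != method or rule.path != path:
            continue
        if set(params) != set(rule.params):  # missing or unexpected parameter
            continue
        if all(re.fullmatch(rule.params[k], v) for k, v in params.items()):
            return "backend", {"method": method, "path": path, "params": params}
    return "blocked", None
```

Each reject is a candidate for logging to the reporting tools named on the benefits slide; the `blocked` decision is the attack surface the architecture removes.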
Slide 21: The Benefits
- Secure & Immediate Cloud Migration
- High Availability (SLA 99.99% uptime) with Layer 7 coverage: disaster recovery and business continuity assured; transfer of hosting cost
- CDN Performance Boost: geo-based global load balancing and faster page load times
- Enterprise Grade Security: elastic scale against legitimate or malicious traffic spikes (DDoS); automated stack hardening through proactive WAF (includes WP, Drupal, etc.)
- Real Time Synchronization: frictionless integration with current dev and content updates; reporting goes directly into existing tools (Splunk, Sourcefire, etc.)

Slide 22: Results: Mid-Atlantic Based University (Drupal Site Deployment)
- Currently over 30,730 resources, BUT only 4 business logic transactions
- 99.99% offloaded from the security & hosting infrastructure
- Avg. 38% faster page load times
Business Transactions: Search; Contact Us; How to Partner; Health Feedback Form

Slide 23: Results (WordPress Deployment)
- Currently over 56,000 user interaction types
- Only 2 business logic transactions identified, mitigated through WL rules
- 99.9% of attack surface automatically eliminated, including platform, application, and server vulnerabilities
- 54% faster page load times
The 2 Business Transactions: Search Bar; Contact Us Form
Slide 24: Demo

Slide 25: Wrap Up
- Cloud DMZ architecture inherently reduces the attack surface resulting from usage of 3rd party platforms and plug-ins
- Active learning based implementation can automate the process
- Cloud based deployment of the static DMZ (i.e. Cloud-DMZ) can in addition improve scalability and performance of the protected application

Slide 26: Q&A
www.SENTRIX.com