Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall

SOFTWARE ENGINEER @ TETRATE José Carlos Chávez ● Open source enthusiast ● OWASP Coraza WAF Co-leader ● Zipkin core member ● Loving father @jcchavezs

WEB APPLICATION FIREWALL @jcchavezs WAF, for friends and family

WEB APPLICATION FIREWALL Traditionally a WAF: ● Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. ● Protects web applications from malicious traffic such as cross-site forgery (CSRF), cross-site-scripting (XSS), file inclusion, and SQL injection, among others. ● It is a protocol layer 7 defense (in the OSI model) acting as a reverse-proxy having clients pass through the WAF before reaching the server. @jcchavezs

WEB APPLICATION FIREWALL @jcchavezs WAF SERVER ATTACKER APP DEVICE

IP FENCING Deny specific IP through a denylist. GEO-FENCING AND GEO-BLOCKING Creates a virtual perimeter around a specific geographical area using GeoIP databases. REQUEST/RESPONSE INSPECTION Examines request/response elements matching them with known malicious values to distinguish between legitimate and malicious requests. Avoids zero-day attacks, client-side attacks, bot attacks, virus files, etc. SECURITY RULES - SQL Injection - XSS Attacks - Local and Remote File Inclusion - Size Restrictions - Command Injection - Unknown Bad Inputs 6 @jcchavezs WEB APPLICATION FIREWALL FEATURES

ANOMALY SCORING If a rule matches, WAF applies a score for each deviation: - A simple deviation like a misspelled URL might only receive a low score. - A more serious one, e.g. an attempt to inject SQL code, receives a higher score. DDoS RATE LIMITING Restricts the number of requests that a particular IP address can send to a server within a given timeframe. The rate limit is typically set based on a predetermined threshold that is considered safe for normal traffic, and any requests that exceed this limit are blocked. BOT MITIGATION Analyzes cookies sent by the browser and check them to the databases of known bot cookies. Some examples: - CAPTCHA challenges - Bot Pretender - Web Scraping Protection - Bot Intelligence 7 @jcchavezs WEB APPLICATION FIREWALL FEATURES

“ There was a time when security was easy. “I need more security – I will just buy another firewall” @jcchavezs OH

PERIMETER SECURITY CHALLENGES ● There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc. ● In the times of microservices the majority of the traffic is East-West whereas perimeter security focus on North-South. ● Gateways have to carry knowledge about the upstream components which ends up in adding more security policies on the perimeter firewall, leading to operational complexity, misconfigurations, change management, timely policy updates, etc. ● The guiding principle of perimeter security is "Trust but Verify" @jcchavezs

ZERO TRUST enabling the right user under the right conditions to gain the right access to the right data @jcchavezs

“ Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources @jcchavezs NIST 800-207 Zero Trust Architecture

ZERO TRUST DRIVER ASSUMPTIONS ● Trust can no longer be based on a network perimeter as perimeters can always be breached. ● Policies have to be defined based on the assumption that the attacker is already inside of the network. ● All access decisions have to rely on least-privilege, per-request, and context-based principles and on identities associated with users, services, and devices. ● Security and access state constantly change over time. @jcchavezs

ZERO TRUST TENETS 1. All data sources and computing services are considered resources: Networks today consist of a dynamic array of devices from traditional items such as servers and endpoints to more dynamic cloud computing services such as FaaS, which may execute with specific permissions to other resources in your environment. 2. Communications are secured regardless of location: The access policy should be a default-to-deny. Explicit access must be granted to specific resources. 3. Access to individual resources is granted on a per-session basis: Trust should not extend beyond a single session, each session should involve the same rigor to resolve access and permissions. @jcchavezs

ZERO TRUST TENETS 4. Access to resources is determined by dynamic policy and other behavioral and environmental attributes: several attributes come into play when evaluating access and policies should be open to such decision input. The more context, the better e.g. network, cluster, security group, tenant, etc. 5. Monitor and measure integrity and security posture of owned and associated assets: no device or asset is inherently trusted, every resource request should trigger a security posture evaluation. This includes continuously monitoring the state of system assets that have access to the environment. @jcchavezs

ZERO TRUST TENETS 6. Dynamic resource authentication and authorization strictly enforced before access allowed: granting access and trust is occurring in a dynamic and ongoing fashion. It is an iterative process with a myriad of factors coming into play with each policy enforcement decision on every request. 7. Collect info on current state of asset, network infrastructure, and communications to improve security posture: operators must run continuous monitoring capabilities to ensure they are aware of what is occurring in the system over the time and take actions when identify patterns. @jcchavezs

Security is a combination of multiple protection mechanism on multiple levels Logical Components of Zero Trust Architecture @jcchavezs Source: NIST 800-207, Zero Trust Architecture

WEB APPLICATION FIREWALL: AN OPPORTUNITY 7. COLLECT INFO ON CURRENT STATE OF COMMUNICATIONS - Continuous monitoring the audit logs from traffic and improve the security posture. 5. INTEGRITY AND SECURITY POSTURE - Every resource request should trigger a security posture evaluation. - When identify an attack, apply patches and vulnerability remediations. @jcchavezs

“ Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources @jcchavezs NIST 800-207 Zero Trust Architecture

ZERO TRUST WEB APPLICATION FIREWALL ● Protects workloads by filtering and monitoring incoming traffic between workloads at PEP. ● Protects workloads from attacks such as cross-site forgery (CSRF), cross-site-scripting (XSS), file inclusion, and SQL injection, among others.. ● Leverages wide network patches for zero day vulnerabilities (e.g. log4shell). ● Allows to on-board legacy applications in a lifted and shifted fashion. ● Provides audit logs for further analysis and improve security posture through adaptive rulesets. @jcchavezs

@jcchavezs

OWASP CORAZA WAF coraza.io | https://github.com/corazawaf/coraza @jcchavezs

CORAZA WEB APPLICATION FIREWALL ● Modsecurity compatible: modsec EOL is March 2024 ● Focused on Coreruleset v4: Newest and shiniest ruleset from OWASP. ● Multiplatform connectors: ○ Native Go, Caddy, ○ Envoy, Istio, Kong using proxy-wasm spec ● Pluggable Architecture: Experimental plugins API for extending functionality. ● High throughput: Performance driven, aimed to be run in critical path (e.g. PEP). @jcchavezs

CONCLUSIONS ● Zero trust isn’t incompatible with network based security approaches. ● No single component or function will be sufficient to achieve a good level of security alone, but collectively they need to enforce security patterns across different layers in the system. @jcchavezs

For any further queries, feel free to contact me at [email protected] Thank you everyone. jcchavezs jcchavezs www.tetrate.io

References PCI Web Application Security Requirements https://pcidssguide.com/pci-web-application-security-requirements/ NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments @jcchavezs NIST 800-207: Zero Trust Architecture WHAT YOU NEED TO KNOW ABOUT CLOUD LIFT & SHIFT MIGRATIONS https://f.hubspotusercontent10.net/hubfs/423210/cloud-lift-and-shift-migrations-whitepape r.pdf

Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall

SURVIVORSHIP BIAS @jcchavezs Source: Wikipedia