ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
Deploy it in front of the web application and route all traffic through ModSecurity to see it in action. Read the documentation above. It is very useful in Dev/QA environments for catching OWASP-type issues ahead of time.
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.
IBM Cloud Catalog
Software Security Patterns
There is no one solution for all problems.
Use Case 1:
We run three instances in production; each instance serves one version of the API and has a different password stored under the same variable name. Today the passwords are stored on each instance.
Use Case 2:
We run 100+ UI instances that share the same user id/password.
Use Case 3: Time bound
We want to schedule password changes.
Use Password 1 until December 31st,
Use Password 2 from Jan 1st onwards.
Use Case 4: Versioning
When we roll back a deployment, we want to roll back the passwords with it.
We need to agree on the use case and design the solution accordingly.
Using security as a service, i.e. fetching passwords through REST calls with a token id, introduces a single point of failure. Make sure that Vault or similar software is highly available by running more than one instance.
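As an added example (not code from the original page), the following Python sketch models use cases 3 and 4 above: every write creates a new version, a version can be scheduled to become active at a future instant, and a rollback re-promotes an older value as a new version so the history stays append-only and auditable. The class and method names, the secret name db/password and the sample passwords are assumptions for illustration; in production the same operations would be served by Vault or a comparable store running in HA.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class SecretVersion:
    version: int
    value: str
    valid_from: datetime  # instant (UTC) at which this version becomes active


class SecretStore:
    """Versioned secrets keyed by name (hypothetical stand-in for Vault).

    Every write appends a version; a read returns the highest-numbered version
    whose valid_from has passed. Nothing is deleted, so the history is an audit
    trail and a rollback is just another append."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[SecretVersion]] = {}

    def put(self, name: str, value: str, valid_from: Optional[datetime] = None) -> int:
        """Use case 3: schedule a rotation by giving a future valid_from."""
        valid_from = valid_from or datetime.now(UTC)
        versions = self._versions.setdefault(name, [])
        versions.append(SecretVersion(len(versions) + 1, value, valid_from))
        return versions[-1].version

    def get(self, name: str, at: Optional[datetime] = None) -> str:
        """Value that is active at instant `at` (default: now)."""
        at = at or datetime.now(UTC)
        active = [v for v in self._versions.get(name, []) if v.valid_from <= at]
        if not active:
            raise KeyError(f"no active version of {name!r} at {at.isoformat()}")
        return max(active, key=lambda v: v.version).value

    def rollback(self, name: str, to_version: int, at: Optional[datetime] = None) -> int:
        """Use case 4: re-promote an old value as a new version effective at `at`.
        Because it outranks every later version, a scheduled future rotation
        is superseded as well."""
        old = [v for v in self._versions.get(name, []) if v.version == to_version]
        if not old:
            raise ValueError(f"{name!r} has no version {to_version}")
        return self.put(name, old[0].value, valid_from=at)


def demo() -> dict:
    """Walk through the time-bound and versioned scenarios with constructed data."""
    store = SecretStore()
    v1 = store.put("db/password", "winter-pass-1", valid_from=datetime(2024, 12, 1, tzinfo=UTC))
    v2 = store.put("db/password", "spring-pass-2", valid_from=datetime(2025, 1, 1, tzinfo=UTC))
    before = store.get("db/password", at=datetime(2024, 12, 31, 23, 59, tzinfo=UTC))
    after = store.get("db/password", at=datetime(2025, 1, 1, tzinfo=UTC))
    # The release that introduced version 2 is rolled back on 2 Jan: the password goes back too.
    v3 = store.rollback("db/password", to_version=1, at=datetime(2025, 1, 2, tzinfo=UTC))
    rolled = store.get("db/password", at=datetime(2025, 1, 3, tzinfo=UTC))
    try:
        store.get("db/password", at=datetime(2024, 11, 1, tzinfo=UTC))  # before any version
        missing_raises = False
    except KeyError:
        missing_raises = True
    return {"versions": [v1, v2, v3], "before": before, "after": after,
            "rolled_back": rolled, "missing_raises": missing_raises}


if __name__ == "__main__":
    print(demo())
```

Reads are driven by the instant they are evaluated at, which is what makes the December-to-January switch in use case 3 happen without a deployment; rollback never rewrites history, it appends, so an audit of who used which password when stays intact.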
Development teams build web applications and deploy them to a server, and later do the same in production.
Deploying on an out-of-the-box server without reviewing it leads to potential security issues.
Things to consider/do
1. Use Charles Web Proxy and review the entire traffic of the site during testing:
   1. Make sure there are no 404 or 500 responses.
   2. Identify duplicate calls.
   3. Minimize / reduce service calls.
   4. Protect important data (credentials and personal data should never travel in the clear).
2. Out of the box, many servers come with management URLs (admin consoles).
   Identify all of them through the admin manual and protect them with strong passwords.
   Never expose admin URLs outside the network.
3. Undeploy sample applications, examples and default settings from production servers.
Otherwise attackers will eventually get into your system through default passwords, or
mount a denial-of-service (DoS) attack.
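As an added example (not code from the original page), here is a Python script that applies the four traffic checks above to a HAR file, which Charles can export from a recorded session: it lists 404/5xx responses, repeated calls to the same endpoint, the total call count to drive down, and requests that send credential-like parameters over plain HTTP. The SENSITIVE_PARAMS set, the helper names and the hosts in the constructed sample session are assumptions.

```python
import json
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: parameter names that must never be sent over plain HTTP; extend per application.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "apikey", "api_key", "secret", "ssn"}


def review_har(har_text: str) -> Dict[str, object]:
    """Apply the checklist to a HAR 1.2 session and return the findings."""
    entries = json.loads(har_text)["log"]["entries"]
    errors, cleartext = [], []
    calls: Counter = Counter()
    for entry in entries:
        req, resp = entry["request"], entry["response"]
        method, url, status = req["method"], req["url"], resp["status"]
        calls[(method, url)] += 1
        if status == 404 or status >= 500:          # 1. no 404/500 responses
            errors.append((method, url, status))
        parts = urlsplit(url)
        if parts.scheme == "http":                  # 4. sensitive data over plain HTTP
            names = {k.lower() for k in parse_qs(parts.query)}
            names |= {p["name"].lower() for p in req.get("postData", {}).get("params", [])}
            hits = sorted(names & SENSITIVE_PARAMS)
            if hits:
                cleartext.append((method, url, hits))
    duplicates = [(m, u, n) for (m, u), n in calls.items() if n > 1]  # 2. repeated calls
    return {"total_calls": len(entries),            # 3. the number to drive down
            "errors": errors, "duplicates": duplicates, "cleartext_secrets": cleartext}


def _entry(method: str, url: str, status: int,
           params: Optional[List[Dict[str, str]]] = None) -> dict:
    """Minimal HAR 1.2 entry carrying only the fields review_har reads."""
    req: dict = {"method": method, "url": url}
    if params:
        req["postData"] = {"mimeType": "application/x-www-form-urlencoded", "params": params}
    return {"request": req, "response": {"status": status}}


# Constructed session for the demo, not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    _entry("GET", "https://shop.example.test/api/products", 200),
    _entry("GET", "https://shop.example.test/api/products", 200),          # duplicate call
    _entry("GET", "https://shop.example.test/api/cart/99", 404),
    _entry("POST", "http://shop.example.test/api/login", 200,
           [{"name": "username", "value": "alice"}, {"name": "password", "value": "hunter2"}]),
    _entry("GET", "https://shop.example.test/api/me?token=abc123", 200),   # over TLS: not flagged
    _entry("GET", "https://shop.example.test/api/orders", 500),
]}}


def demo() -> Dict[str, object]:
    return review_har(json.dumps(SAMPLE_HAR))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point the script at a real export (`review_har(open("session.har").read())`) and feed the findings back to the developers before the same build reaches production; the 404/500 list usually exposes dead endpoints and leaked stack traces, and the duplicate list is where the "reduce service calls" work starts.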
Converting an out-of-the-box Tomcat into a production-ready one is called the “hardening process”.
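As an added example (not code from the original page), here is a Python script for the Tomcat case: it undeploys the sample and documentation webapps, reports users in conf/tomcat-users.xml that still carry a well-known default password (ignoring the commented-out examples in the stock file), and checks that the manager app's context.xml has an active RemoteAddrValve, which is how Tomcat limits its admin URL to loopback. The function names, the list of default passwords and the fixture it builds in a temporary directory are assumptions; the paths follow the standard CATALINA_HOME layout.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_WEBAPPS = ("examples", "docs", "host-manager")  # shipped with Tomcat, not needed in production
# Assumption: passwords a scan should treat as "default"; extend for your environment.
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "changeit"}


def remove_sample_apps(catalina_home: str) -> List[str]:
    """Undeploy sample/doc webapps (exploded dir and .war). Returns what was removed."""
    removed = []
    for app in SAMPLE_WEBAPPS:
        path = os.path.join(catalina_home, "webapps", app)
        if os.path.isdir(path):
            shutil.rmtree(path)
            removed.append(app)
        if os.path.isfile(path + ".war"):
            os.remove(path + ".war")
            removed.append(app + ".war")
    return removed


def weak_users(catalina_home: str) -> List[str]:
    """Users in conf/tomcat-users.xml still carrying a default password.
    ElementTree discards XML comments, so the stock file's commented-out examples are ignored."""
    users_file = os.path.join(catalina_home, "conf", "tomcat-users.xml")
    if not os.path.isfile(users_file):
        return []
    root = ET.parse(users_file).getroot()
    # tags are namespaced ({http://tomcat.apache.org/xml}user); compare the local name
    return [u.get("username", "?") for u in root.iter()
            if u.tag.rsplit("}", 1)[-1] == "user" and u.get("password", "") in DEFAULT_PASSWORDS]


def manager_is_restricted(catalina_home: str) -> bool:
    """True if the manager app is absent or its context.xml has an active RemoteAddrValve.
    A valve that sits inside an XML comment does nothing and is correctly not counted."""
    ctx = os.path.join(catalina_home, "webapps", "manager", "META-INF", "context.xml")
    if not os.path.isfile(ctx):
        return True
    root = ET.parse(ctx).getroot()
    return any(v.get("className", "").endswith("RemoteAddrValve") for v in root.iter("Valve"))


def harden(catalina_home: str) -> Dict[str, object]:
    return {"removed": remove_sample_apps(catalina_home),
            "weak_users": weak_users(catalina_home),
            "manager_restricted": manager_is_restricted(catalina_home)}


# --- constructed fixture: a stock-like CATALINA_HOME built in a temp dir for the demo ---
USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
<!--
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
  <user username="admin" password="{pw}" roles="manager-gui"/>
</tomcat-users>
"""
VALVE = '<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\\.\\d+\\.\\d+\\.\\d+|::1" />'
CONTEXT_XML = '<?xml version="1.0" encoding="UTF-8"?>\n<Context privileged="true">\n  {valve}\n</Context>\n'


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, object]:
    home = tempfile.mkdtemp(prefix="tomcat-demo-")
    try:
        os.makedirs(os.path.join(home, "webapps", "examples"))
        os.makedirs(os.path.join(home, "webapps", "docs"))
        _write(os.path.join(home, "webapps", "host-manager.war"), "")
        _write(os.path.join(home, "conf", "tomcat-users.xml"), USERS_XML.format(pw="s3cret"))
        _write(os.path.join(home, "webapps", "manager", "META-INF", "context.xml"),
               CONTEXT_XML.format(valve="<!-- " + VALVE + " -->"))  # valve disabled by a comment
        first = harden(home)
        # Operator fixes: a real password, and the valve uncommented.
        _write(os.path.join(home, "conf", "tomcat-users.xml"), USERS_XML.format(pw="Xk9!long-random-value"))
        _write(os.path.join(home, "webapps", "manager", "META-INF", "context.xml"),
               CONTEXT_XML.format(valve=VALVE))
        second = harden(home)
    finally:
        shutil.rmtree(home, ignore_errors=True)
    return {"removed": first["removed"], "removed_again": second["removed"],
            "weak_before": first["weak_users"], "weak_after": second["weak_users"],
            "manager_before": first["manager_restricted"], "manager_after": second["manager_restricted"]}


if __name__ == "__main__":
    print(demo())
```

Run `harden("/opt/tomcat")` against a real install; the removal is automatic, but the password and valve findings are reported rather than fixed, because choosing the new credential and the allowed address range is the operator's decision.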
When a security breach happens, it is a loss to both the customer and the company. We can handle this in two ways. Reactive: wait until it happens and then deal with it. Proactive: do software threat modeling and fix the issues before they surface and cause trouble.
Many people think the threat is always outside the firewall. Not true. It can come from inside too, in two ways: an attacker who has penetrated the firewall and accesses systems through a compromised id/password, or frustrated employees or contractors who cause the trouble.
When it comes to security, prevention is better than cure. Many companies neglect security when they see the budget estimated by the security team. Contact a Software Architect / Security Architect who can help you protect your customers and business.
When XML payloads are accepted, the system can be attacked through the XML data itself.
Oversized payload attack: sending huge documents to cause a denial of service (DoS).
DOM parser attack: sending deeply nested or extremely long data so that building the DOM exhausts memory.
SQL injection: if values from the XML are concatenated directly into SQL statements.
1. Define strict XSDs.
2. Avoid maxOccurs="unbounded"; set explicit maximum values.
3. Don’t parse data that exceeds the configured size limit.
It is better to put an XML firewall in front of the service:
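As an added example (not from the original page or from either of the products linked below), the following Python code shows the same countermeasures in application code for a service that accepts an XML order document: the payload is size-checked before any parsing, DTDs are refused (entity expansion is the classic way to blow up a DOM), the document is streamed with caps on element count (the runtime counterpart of a bounded maxOccurs) and nesting depth, and the extracted values reach the database through parameterized SQL, shown next to the string-concatenating query the text warns about. The order format, the limits, the sqlite3 table and the attack payloads are constructed assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET
from io import BytesIO
from typing import Dict, List

MAX_BYTES = 64 * 1024   # refuse to parse at all beyond this (oversized payload)
MAX_ELEMENTS = 1000     # runtime counterpart of bounding maxOccurs in the XSD
MAX_DEPTH = 20          # deep nesting is what makes DOM building exhaust memory


class PayloadRejected(ValueError):
    """Raised before the parser is allowed to consume the document."""


def parse_orders(payload: bytes) -> List[Dict[str, str]]:
    if len(payload) > MAX_BYTES:
        raise PayloadRejected(f"{len(payload)} bytes exceeds limit of {MAX_BYTES}")
    lowered = payload.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise PayloadRejected("DTDs are not accepted (entity expansion / XXE)")
    orders, depth, count = [], 0, 0
    try:
        # iterparse streams the document, so the caps are enforced while parsing,
        # before a complete tree ever exists in memory.
        for event, elem in ET.iterparse(BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    raise PayloadRejected(f"nesting deeper than {MAX_DEPTH}")
                if count > MAX_ELEMENTS:
                    raise PayloadRejected(f"more than {MAX_ELEMENTS} elements")
                continue
            depth -= 1
            if elem.tag == "order":
                orders.append({"id": elem.get("id", ""), "sku": elem.findtext("sku", ""),
                               "note": elem.findtext("note", "")})
                elem.clear()  # release the subtree as soon as it has been consumed
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc
    return orders


def store_orders(conn: sqlite3.Connection, orders: List[Dict[str, str]]) -> int:
    """Parameterized insert: XML text is bound as data, never spliced into SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS orders (id TEXT, sku TEXT, note TEXT)")
    conn.executemany("INSERT INTO orders (id, sku, note) VALUES (?, ?, ?)",
                     [(o["id"], o["sku"], o["note"]) for o in orders])
    return len(orders)


def find_order_safe(conn: sqlite3.Connection, order_id: str) -> list:
    return conn.execute("SELECT id FROM orders WHERE id = ?", (order_id,)).fetchall()


def find_order_unsafe(conn: sqlite3.Connection, order_id: str) -> list:
    # The pattern the text warns about: attacker-controlled text concatenated into SQL.
    return conn.execute(f"SELECT id FROM orders WHERE id = '{order_id}'").fetchall()


# Constructed payloads: one legitimate document and four hostile ones.
GOOD_XML = b"""<orders>
  <order id="A1"><sku>WIDGET-1</sku><note>gift wrap</note></order>
  <order id="A2"><sku>WIDGET-2</sku><note>' OR '1'='1</note></order>
</orders>"""
ATTACKS = {
    "oversized": b"<orders>" + b"<order/>" * 9000 + b"</orders>",     # ~72 KB
    "too_many": b"<orders>" + b"<order/>" * 1500 + b"</orders>",      # small but 1501 elements
    "too_deep": b"<a>" * 25 + b"</a>" * 25,
    "doctype": b'<!DOCTYPE lolz [<!ENTITY lol "lol">]><orders>&lol;</orders>',
}


def demo() -> Dict[str, object]:
    rejected = []
    for name, data in ATTACKS.items():
        try:
            parse_orders(data)
        except PayloadRejected:
            rejected.append(name)
    conn = sqlite3.connect(":memory:")
    stored = store_orders(conn, parse_orders(GOOD_XML))
    probe = "' OR '1'='1"  # classic tautology injection used as an order id
    return {"stored": stored, "rejected": rejected,
            "safe_rows": len(find_order_safe(conn, probe)),
            "unsafe_rows": len(find_order_unsafe(conn, probe))}


if __name__ == "__main__":
    print(demo())
```

The same probe returns every row through the concatenated query and nothing through the parameterized one, which is the whole SQL injection point in two lines; the parse caps are deliberately checked in the order cheapest-first (byte length, then a DTD scan, then streaming limits) so a hostile document is rejected with as little work as possible.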
Forum Sentry API Gateway: http://www.forumsys.com/products/forum-sentry-api-gateway/
Cisco ACE XML Gateways