Dubai: Web Applications and APIs
TRANSCRIPT
Qualys Security Conference Dubai
Dave Ferguson
Director of Product Management, Qualys, Inc.
Web Applications & APIs The Soft Belly of the Cloud
Insecure Apps & APIs
are a Problem
Your business depends on web applications
Any app or API can be a foothold into your
organization
Developers are not incentivized for security
Cloud-based apps are easy for developers to
deploy
Qualys Security Conference 2019, April 29, 2019
U.S. Postal Service (API)
Facebook (API)
Google+ (API)
MyFitnessPal (API?)
Equifax
Yahoo
* Source: 2018 Verizon DBIR
Apps & APIs are Everywhere
Public-Facing Web Apps
Internal Web Apps
Apps in Public Clouds
New Apps under Development
REST APIs
Qualys Web Application Scanning (WAS)
A leading dynamic application security testing
(DAST) tool
Identifies app-layer vulnerabilities
OWASP Top 10
CWEs
Web-related CVEs
Automated crawling
Supports Selenium scripts
Scans REST APIs
Malware scanning as a bonus
Recent Enhancements
Release timeline: Aug 2018, Sept 2018, Nov 2018, Dec 2018, Jan 2019, Mar 2019
Scanning with WAS in DevOps
Pipeline diagram components: Source Code Repository; Dev Environment; Test / QA Environment; Staging Environment; Scan (Qualys Scanner Appliance, WAS Engine); API
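The slide shows WAS scans being driven from the pipeline through the API. The following is an added example, not Qualys code or anything from the deck: a CI gate that launches a WAS scan, polls it, pulls the findings and fails the build above a severity threshold. The request and response shapes follow the Qualys WAS API v3 (/qps/rest/3.0/...) as I recall them from the WAS API guide; the field names, platform URL, web application id and option profile id are assumptions to verify against your subscription's guide, and the sample responses at the bottom are constructed so the parsing and gating run offline.

```python
"""CI gate around a Qualys WAS scan.

Added example, not Qualys code. Request and response shapes follow the Qualys
WAS API v3 (/qps/rest/3.0/...) as recalled from the WAS API guide; field names,
platform URL, web application id and option profile id are assumptions to check
against your subscription's guide. Sample responses below are constructed.
"""
import base64
import time
import urllib.request
import xml.etree.ElementTree as ET

SEVERITY_THRESHOLD = 3  # fail the pipeline on severity 3 (medium) and above


def build_launch_request(webapp_id, profile_id, name):
    """ServiceRequest XML that launches a vulnerability scan of one web app."""
    req = ET.Element("ServiceRequest")
    scan = ET.SubElement(ET.SubElement(req, "data"), "WasScan")
    ET.SubElement(scan, "name").text = name
    ET.SubElement(scan, "type").text = "VULNERABILITY"
    target = ET.SubElement(scan, "target")
    ET.SubElement(ET.SubElement(target, "webApp"), "id").text = str(webapp_id)
    ET.SubElement(ET.SubElement(scan, "profile"), "id").text = str(profile_id)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def build_findings_request(webapp_id):
    """Search filter selecting the findings of one web app (field name assumed)."""
    req = ET.Element("ServiceRequest")
    crit = ET.SubElement(ET.SubElement(req, "filters"), "Criteria",
                         field="webApp.id", operator="EQUALS")
    crit.text = str(webapp_id)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def _ok(xml_bytes):
    """Parse a ServiceResponse and raise unless responseCode is SUCCESS."""
    root = ET.fromstring(xml_bytes)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"API error {code}: {root.findtext('.//errorMessage')}")
    return root


def parse_scan_id(xml_bytes):
    return int(_ok(xml_bytes).findtext("data/WasScan/id"))


def parse_scan_status(xml_bytes):
    return _ok(xml_bytes).findtext("data/WasScan/status")


def parse_findings(xml_bytes):
    """Flatten <Finding> elements into plain dicts."""
    return [{"qid": int(f.findtext("qid")), "name": f.findtext("name"),
             "severity": int(f.findtext("severity")), "url": f.findtext("url"),
             "param": f.findtext("param") or ""} for f in _ok(xml_bytes).iter("Finding")]


def gate(findings, threshold=SEVERITY_THRESHOLD):
    """Return (passed, blocking findings sorted worst first)."""
    blocking = sorted((f for f in findings if f["severity"] >= threshold),
                      key=lambda f: -f["severity"])
    return not blocking, blocking


class WasClient:
    """Minimal HTTP basic-auth client for the WAS API; used only in the pipeline."""

    def __init__(self, platform_url, user, password):
        self.base = platform_url.rstrip("/") + "/qps/rest/3.0"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "text/xml",
                        "X-Requested-With": "ci-pipeline"}

    def _call(self, method, path, body=None):
        req = urllib.request.Request(self.base + path, data=body,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.read()

    def run_scan(self, webapp_id, profile_id, name, poll_seconds=60):
        """Launch, poll until the scan stops running, then return its findings."""
        scan_id = parse_scan_id(self._call("POST", "/launch/was/wasscan",
                                           build_launch_request(webapp_id, profile_id, name)))
        while True:
            status = parse_scan_status(self._call("GET", f"/status/was/wasscan/{scan_id}"))
            if status in ("FINISHED", "ERROR", "CANCELED"):
                break
            time.sleep(poll_seconds)
        if status != "FINISHED":
            raise RuntimeError(f"scan {scan_id} ended with status {status}")
        return parse_findings(self._call("POST", "/search/was/finding",
                                         build_findings_request(webapp_id)))


# Constructed sample responses (not real Qualys output), for offline use.
SAMPLE_LAUNCH_RESPONSE = b"""<ServiceResponse><responseCode>SUCCESS</responseCode>
<count>1</count><data><WasScan><id>987654</id></WasScan></data></ServiceResponse>"""

SAMPLE_FINDINGS_RESPONSE = b"""<ServiceResponse><responseCode>SUCCESS</responseCode><count>2</count>
<data><Finding><id>1</id><qid>150001</qid><name>Reflected Cross-Site Scripting (XSS)</name>
<severity>4</severity><url>https://app.example.test/search</url><param>q</param></Finding>
<Finding><id>2</id><qid>150004</qid><name>Path-Based Vulnerability</name>
<severity>2</severity><url>https://app.example.test/old/</url><param/></Finding>
</data></ServiceResponse>"""
```

In the pipeline, `passed, blocking = gate(WasClient(url, user, password).run_scan(app_id, profile_id, build_tag))` followed by `raise SystemExit(0 if passed else 1)` is the whole gate; the threshold is deliberately a parameter so business-critical apps can be gated at severity 2 while internal tools stay at 3.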
Manual Testing Complements WAS
Dynamic application scanning is one piece of the AppSec puzzle
Manual penetration testing is important for your business-critical apps
Qualys WAS offers:
Bugcrowd integration
Burp Suite integration
Partnerships with consulting companies
Qualys WAS Burp Extension
A quick, intuitive way to send Burp-discovered issues into WAS
Provides centralized viewing/reporting of WAS detections + Burp issues
Available today in Burp's BApp Store
WAS Roadmap
Timeline: April 2019; May-June 2019; Q3 2019*; Q4 2019*
* Tentative
Qualys WAF
Virtual (inline) reverse-proxy deployed alongside web servers.
Inspects HTTP/S traffic, including Web Services and REST APIs.
Protects against numerous types of attacks, including the OWASP Top 10.
Out-of-the-box security policies for various application types
User-defined Custom Rules
HTTP profiles (protocol shaping)
Built-in Security Policies
Out-of-the-box rulesets written by Qualys security researchers
User-Defined Custom Rules
Adjust your security policy manually
Load-Balancing and SSL-Offloading
To ease integration with the network environment
WAS / WAF Integration: ScanTrust
ScanTrust: challenge your WAF protection with WAS. Assess both the application and the policy that protects it.
Flow (HTTP/S):
1. Request inspected and forwarded to backend server
2. WAF annotates HTTP response
WAS / WAF Integration: Virtual Patch
Virtual Patch: one-click mitigation tool. Push a custom rule to WAF to block exploitation of a known vulnerability.
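The two integrations above form one loop: the scanner learns from the WAF's annotation whether a confirmed finding is already covered by the policy, and an uncovered finding gets a narrowly scoped custom rule pushed to the WAF. The following is an added example, not Qualys code, that simulates that loop end to end with a toy inline WAF and a toy backend. The X-WAF-Action header, the trusted-scanner marker that makes the WAF forward a probe and annotate instead of blocking it, and the rule format are assumptions standing in for the product's own mechanisms, which the slides do not describe.

```python
"""ScanTrust and Virtual Patch, simulated end to end.

Added example, not Qualys code: a toy WAF (inline reverse proxy) in front of a
toy backend, a scanner that reads the WAF's response annotation, and a
one-click virtual patch. The X-WAF-Action header, the trusted-scanner marker
and the rule format are assumptions standing in for the product's mechanisms.
"""
import html
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    params: dict
    trusted_scanner: bool = False  # assumed marker by which the WAF recognises WAS

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    path: str = None   # None: every path
    param: str = None  # None: every parameter

def backend(req):
    """Deliberately weak backend: /search reflects q unescaped, /profile escapes name."""
    if req.path == "/search":
        return Response(200, f"<h1>Results for {req.params.get('q', '')}</h1>")
    if req.path == "/profile":
        return Response(200, f"<h1>{html.escape(req.params.get('name', ''))}</h1>")
    return Response(404, "not found")

class Waf:
    def __init__(self, rules):
        self.rules = list(rules)

    def push_rule(self, rule):
        """The one-click virtual patch: add a custom rule to the live policy."""
        self.rules.append(rule)

    def _match(self, req):
        for r in self.rules:
            if r.path in (None, req.path):
                for name, value in req.params.items():
                    if r.param in (None, name) and r.pattern.search(value):
                        return r
        return None

    def handle(self, req):
        hit = self._match(req)
        if hit and not req.trusted_scanner:
            return Response(403, "blocked", {"X-WAF-Action": f"blocked; rule={hit.rule_id}"})
        # ScanTrust: a trusted scan is inspected and forwarded anyway; the response
        # is annotated so the scanner learns what the policy would have done.
        resp = backend(req)
        resp.headers["X-WAF-Action"] = f"would-block; rule={hit.rule_id}" if hit else "passed"
        return resp

XSS_PROBE = "<svg onload=alert(1)>"

def scan(waf, targets):
    """Probe each (path, param) for reflected XSS and classify with the annotation."""
    verdicts = {}
    for path, param in targets:
        resp = waf.handle(Request(path, {param: XSS_PROBE}, trusted_scanner=True))
        vulnerable = XSS_PROBE in resp.body
        policy_fired = resp.headers["X-WAF-Action"].startswith("would-block")
        if vulnerable and policy_fired:
            verdicts[(path, param)] = "vulnerable_protected"
        elif vulnerable:
            verdicts[(path, param)] = "vulnerable_exposed"
        else:
            verdicts[(path, param)] = "not_vulnerable"
    return verdicts

def virtual_patch(path, param, finding_id):
    """Rule scoped to one finding (this path and parameter only) that matches the
    payload class, tag openers and event handlers, rather than one probe string."""
    return Rule(f"vpatch-{finding_id}", re.compile(r"<[a-z!/]|\bon\w+\s*=", re.I), path, param)

BUILTIN_POLICY = [Rule("builtin-sqli", re.compile(r"['\"]\s*(or|and)\s|union\s+select", re.I))]
TARGETS = [("/search", "q"), ("/profile", "name")]

def demo():
    """Scan, patch every exposed finding, rescan; returns (before, after, attacker status)."""
    waf = Waf(BUILTIN_POLICY)
    before = scan(waf, TARGETS)
    for (path, param), verdict in before.items():
        if verdict == "vulnerable_exposed":
            waf.push_rule(virtual_patch(path, param, f"xss-{param}"))
    after = scan(waf, TARGETS)
    attacker_status = waf.handle(Request("/search", {"q": XSS_PROBE})).status
    return before, after, attacker_status
```

The verdict that matters operationally is `vulnerable_exposed`: the app is weak and the policy does not cover it. The patch is scoped to one path and parameter so that it does not widen the policy for the whole site, and it matches the payload class rather than the exact probe so that a trivially varied exploit is still blocked; a virtual patch buys time, it does not replace the code fix.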
Container Considerations
Server pools need to be maintained on WAF
Identifying a backend container in advance can be tedious
Need for scalability
Need for automation
Need for security
Virtual Firewall Container (QVFC)
Lightweight sensor (350 MB)
Integrates with Docker Service
Dynamic pool automation = Scalability
Orchestration via Qualys API
Benefits of the Docker Integration
Rapid deployment
Bring elasticity to the server pool
Automate with Kubernetes
Secure dynamic assets, dynamically
Simplify backend maintenance operations
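The container slides above turn on one idea: the WAF's backend server pool should follow the containers instead of being maintained by hand. The following is an added example, not Qualys code, showing what that automation looks like in the small: containers opt into a pool through Docker labels, a full reconcile makes the pool match the running, labelled containers, and an event path handles start and die events without rescanning everything. The label names and the `WafPool` object are hypothetical stand-ins for whatever the WAF exposes to manage pools; the inspect records and events are constructed in the shape of `docker inspect` and `docker events --format '{{json .}}'` output.

```python
"""Label-driven WAF server-pool automation for containers.

Added example, not Qualys code. Containers opt into a pool through Docker
labels (label names assumed); WafPool is a hypothetical stand-in for the WAF's
pool-management API. Records and events are constructed in the shape of
`docker inspect` and `docker events --format '{{json .}}'`; in production the
records are `c.attrs` for each c in docker.from_env().containers.list().
"""
POOL_LABEL = "waf.pool"  # assumed: which pool the container should join
PORT_LABEL = "waf.port"  # assumed: the port the app listens on (default 80)

class WafPool:
    """Hypothetical stand-in for the WAF's backend-pool API; records every change."""

    def __init__(self, name):
        self.name = name
        self.members = {}  # container id -> "ip:port"
        self.changes = []

    def add(self, cid, addr):
        self.members[cid] = addr
        self.changes.append(("add", cid, addr))

    def remove(self, cid):
        addr = self.members.pop(cid)
        self.changes.append(("remove", cid, addr))

def backend_address(record, pool_name):
    """ip:port for a container that is running, labelled for pool_name and has
    an IP; None otherwise (exited, unlabelled, other pool, or no address yet)."""
    labels = record["Config"]["Labels"] or {}
    if record["State"]["Status"] != "running" or labels.get(POOL_LABEL) != pool_name:
        return None
    ips = [n["IPAddress"] for n in record["NetworkSettings"]["Networks"].values() if n["IPAddress"]]
    return f"{ips[0]}:{labels.get(PORT_LABEL, '80')}" if ips else None

def reconcile(pool, records):
    """Full sync: make the pool match the labelled, running containers exactly.
    A member whose address changed is removed and re-added."""
    wanted = {}
    for rec in records:
        addr = backend_address(rec, pool.name)
        if addr:
            wanted[rec["Id"]] = addr
    for cid in list(pool.members):
        if pool.members[cid] != wanted.get(cid):
            pool.remove(cid)
    for cid, addr in wanted.items():
        if cid not in pool.members:
            pool.add(cid, addr)
    return dict(pool.members)

def apply_event(pool, event, inspect):
    """Incremental path: one `docker events` record. `inspect(cid)` returns the
    fresh inspect record, or None once the container is gone."""
    if event["Type"] != "container":
        return dict(pool.members)
    cid = event["Actor"]["ID"]
    if event["Action"] in ("start", "unpause"):
        rec = inspect(cid)
        addr = backend_address(rec, pool.name) if rec else None
        if addr and pool.members.get(cid) != addr:
            pool.add(cid, addr)
    elif event["Action"] in ("die", "stop", "kill", "pause", "destroy") and cid in pool.members:
        pool.remove(cid)
    return dict(pool.members)

def make_record(cid, ip, status="running", labels=None):
    """Constructed inspect record carrying only the fields used above."""
    return {"Id": cid, "State": {"Status": status}, "Config": {"Labels": labels or {}},
            "NetworkSettings": {"Networks": {"bridge": {"IPAddress": ip}}}}

def demo():
    """Initial reconcile, then a scale-out start event and a replica dying."""
    web = {POOL_LABEL: "shop-web", PORT_LABEL: "8080"}
    records = {
        "c1": make_record("c1", "172.18.0.2", labels=web),
        "c2": make_record("c2", "172.18.0.3", labels=web),
        "c3": make_record("c3", "172.18.0.4", labels={"app": "redis"}),  # no pool label
        "c4": make_record("c4", "172.18.0.5", status="exited", labels=web),  # not running
    }
    pool = WafPool("shop-web")
    initial = reconcile(pool, records.values())
    records["c5"] = make_record("c5", "172.18.0.6", labels=web)
    apply_event(pool, {"Type": "container", "Action": "start", "Actor": {"ID": "c5"}}, records.get)
    final = apply_event(pool, {"Type": "container", "Action": "die", "Actor": {"ID": "c1"}}, records.get)
    return initial, final, pool.changes
```

Run the event path continuously and the full reconcile periodically (or on reconnect to the Docker socket): events can be missed, and the reconcile is what guarantees that a container that died silently is not still receiving traffic through the WAF.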
Or Deploy on PaaS via Kubernetes
Diagram components: Kubernetes Cluster; Container Engine; Multiple Instances