BIG-IP ASM Application Security Approach (Elevated)

Elevated Protection

• Bot defense
  • There is a significant increase in the use of automated scripts or programs (commonly known as bots), for a variety of malicious purposes, such as:
    • Denying legitimate users access to applications.
    • Extracting site information in ways unintended by application owners.
    • Seeking application vulnerabilities for exploitation.
  • At the same time, there are benign bots, of which you may be completely unaware, that have long automated essential internet tasks, such as crawling sites for search engines. Industry sources estimate bots comprise 50 percent of all internet traffic, 30 percent of which are malicious.
  • Identifying and classifying benign and malicious bot traffic is a delicate process requiring several tools. The BIG-IP ASM system has a bot detection engine, which uses a combination of known bot signatures, JavaScript, CAPTCHA, and rate limiting to disrupt programmatic access to applications by bots.
  • Analyzing bot traffic provides benefits beyond blocking attacks. Distinguishing bots early in the request process reduces the number of BIG-IP ASM alarms and false positives, improving application performance. You also reduce the amount of traffic that the application server must process. Lastly, BIG-IP ASM bot data aids administrators in creating and maintaining security policies.
  • Administrative effort required
    • Enable the Bot Defense profile (DoS Protection profile) for the virtual server; it requires little ongoing interaction, other than ensuring the signature database is updated.
    • When signatures fail to classify bots, use other methods to challenge the requestor.
• Web scraping protection
  • Web scraping is the programmatic extraction of information from a web application in a manner not intended by, and often contrary to the interest of the application owner. This type of attack requires targeted mitigation strategies, as web scraping is unlikely to trigger violations in other components of security policies.
  • Organizations that suspect or encounter web scraping often respond with heightened application layer security, including the use of CAPTCHA or request rate limiting, which can adversely impact user experience.
  • Using The BIG-IP ASM system, you typically detect web scraping using bot management capabilities in the Layer 7 (L7) DoS profile. To mitigate an attack, you iteratively configure, or tune, six different web scraping protection features—possibly to Alarm mode.
  • Administrative effort required
    • Configure and tune several security features in your security policy.
• L7 DoS attack protection
  • You need a capable WAF to block DoS attacks that employ an L7 attack vector, because the attacks are not entirely susceptible to L2, L3, and L4 mitigation approaches.
  • Meanwhile, attackers quickly respond to new L7 DoS protection measures by adjusting their methods.
  • To address these problems, the BIG-IP ASM system uses a comprehensive set of tools, which you can simultaneously enable to detect and avert L7 DoS attacks.
  • Administrative effort required
    • Start simply by trying bot signature and detection features.
    • If you need an application layer approach, provide the details necessary to configure and apply an L7 DoS profile for detection and mitigation.
• Disallowed file types
  • You can block HTTP requests based on a file extension used in a URL, such as .jsp. Because most web applications use a limited set of file types, creating a list of legal and illegal file types in your security policy is a simple exercise that reduces the application attack surface with a minimal chance of false positives.
  • Enabling disallowed file types alongside other security features constitutes a layered approach that decreases the risk of malicious requests reaching your applications.
  • Administrative effort required
    • Configure the lists of allowed and disallowed file types in your security policy.
    • Update the list, as needed.
• External logging
  • BIG-IP ASM logs are a valuable resource for reviewing security policy violation incidents.
  • At the same time, many organizations use a centralized security information and event management (SIEM) system for comprehensive logging of security events generated by all network and application security solutions. For these organizations, it’s critical that WAFs share event data to keep administrators apprised of incidents and possible attacks, and for long term log storage.
  • The BIG-IP ASM system has highly flexible logging capabilities, which you can configure to send detailed event data for each application to multiple locations, both local and external.
  • Administrative effort required
    • Define logging profiles for each intended destination, such as a SIEM platform.
    • Carefully ensure the proper logging profile is enabled on each application.
• CSRF protection
  • When an application has cross-site request forgery (CSRF) vulnerabilities, its authenticated users are exposed to fraudulent actions that can have serious consequences, such as money transfers, password changes, and unauthorized product purchases.
  • Fixing applications exposed to these attacks can require significant effort by developers. However, WAFs enable you to respond rapidly without application changes. With the BIG-IP ASM system, you can quickly protect applications using virtual patching until CSRF vulnerabilities can be fully addressed in application code.
  • Administrative effort required
    • Obtain the specific URLs that have vulnerabilities and add them to the URL list when configuring the CSRF protection feature.
    • Ensure the application functions properly after enabling the CSRF protection feature in your security policy.
• HTTP redirection protection
  • An “open redirect” attack occurs when hackers discover an application vulnerability and use it to defraud users by surreptitiously redirecting them to another site. For example, attackers redirect users to a forged page on a site that deceptively appears like the one they just left. There, users are required to enter their credentials, which hackers then steal.
  • These vulnerabilities are generally the result of faulty application coding, which developers must address upon discovery.
  • However, in the BIG-IP ASM system, you can build an accept list of approved domains to which an application can redirect users. Then, should you experience an open redirect attack, the BIG-IP ASM system detects and blocks redirects to unauthorized sites. This feature is an additional layer of protection and may also catch new variants of redirect exploits that can’t be detected by application-oriented security.
  • Administrative effort required
    • In organizations that do not expect redirects to any external domains, replace the default setting, which allows redirects to any domain, with your own domain, such as F5.com and all subdomains.
      Or,
    • In organizations with a finite number of domains, for example only subsidiaries and affiliated businesses, replace the default setting with those domains and subdomains.
      Or,
    • In any organization, let BIG-IP ASM Policy Builder learn and suggest the best configuration for redirect domains.
• Cookie tampering protection
  • Cookies provide critical functions for web applications, including state persistence and identifying users. When developers utilize cookies to store data used by applications, they sometimes overlook including input validation to prevent tampering with that data.
  • In these cases, attackers misuse cookies and their values for the following purposes:
    • Storing and submitting values that influence application behavior
    • Manipulating cookie values
    • Introducing new cookies
    • Introducing application vulnerabilities
    • Hijacking user sessions
  • Cookies arrive in HTTP requests in cookie headers, which WAFs scan for string violations. However, only sophisticated WAFs provide extended cookie protection capabilities.
  • The BIG-IP ASM system employs two additional features to inhibit cookie tampering. The system can “enforce” cookies, which means it can detect when attackers manipulate values set by the server, and then optionally block the corresponding requests. You typically apply this feature to cookies that contain sensitive data and influence application behavior.
  • Also, when examining requests, the BIG-IP ASM system can reference a accept list of “allowed” cookies that are legitimate for the application. The system detects and optionally blocks cookies that aren’t in the accept list. This is not a frequently used feature, but it’s particularly helpful for internal applications with singular security requirements and concerns about cookies.
  • Administrative effort required
    • Before enforcing cookies, enable the system to automatically build a list of candidates by detecting cookies that the server sets and return unmodified by clients.
      Or,
    • Before enforcing cookies, get a list of candidate cookies from your application development team, by completing a penetration test, or from an application security audit.
    • Provide the system with a accept list of allowed cookies (the BIG-IP ASM system does not automatically create it) and remove the default wildcard setting for allowed cookies.

Table of Content

• Main Bookmarks
• F5 Bookmarks
  • F5 BIG-IP ASM
• Next
  • BIG-IP ASM Application Security Approach
    • High Protection