
Difference between revisions of "Project Information:template Best Practices: Use of Web Application Firewalls"

From OWASP
(New page: ---- {| style="width:100%" border="0" align="center" ! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT INFORMATION''' |- | style="widt...)
 
 
(15 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Wapiti Project'''<br>Web application vulnerability scanner / security auditor
+
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Best Practices: Use of Web Application Firewalls'''
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
 
  | colspan="7" style="width:85%; background:#cccccc" align="left"|
 
  | colspan="7" style="width:85%; background:#cccccc" align="left"|
Wapiti allows to audit the security of web applications in an easy way. It performs  a "black-box" scans acting like a fuzzer, injecting payloads to see if an application is vulnerable. It has two principal parts, a crawler that explores the pages of the application and the attack module that injects the payloads and evaluates their responses. Wapiti is easy to use and it can detect the most common vulnerabilities (XSS, SQL Injection, File Handler Errors...). It provides to the user a complete report (html format) with the found vulnerabilities.
+
Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself - and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still a emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.
 +
 
 +
One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS - Payment Card Industry Data Security Standard v.1.1) for example, is either a regular source code review or the use of a WAF.
 +
 
 +
The document is aimed primarily at technical decision-makers, especially those responsible for operations and security as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid - wherever possible - to the display of work estimates - including in comparison to possible alternatives such as modifications to the source code.
 +
 
 +
In addition to the importance of the web application regarding turnover or image - the term access to a web application used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, the access to a web application, measures the extent to which the required changes to the application source code are actually carried out in-house, on time,or can be carried out by third parties. As illustrated by the graph below, a web application to which there is no access, can only be protected sensibly by a WAF (additional benefit of the WAF),.Even with an application in full access, a WAF can be used as a central service point for various services such as secure session management, which can be implemented for all applications equally, and as a suitable means for proactive safety measures such as URL encryption
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
  | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[mailto:nicolas.surribas(at)gmail.com '''Nicolas Surribas''']
+
  | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[:Germany|'''OWASP Germany Local Chapter''']]
  | style="width:14%; background:#cccccc" align="center"|Project Contibutors<br>[mailto:apastorn(at)grupogesfor.com '''Alberto Pastor Nieto''']<br>[mailto:dpozog(at)grupogesfor.com '''David del Pozo González''']
+
  | style="width:14%; background:#cccccc" align="center"|Project Contibutors<br>[[:Category:OWASP Best Practices: Use of Web Application Firewalls Contributors|'''See here''']]  
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-wapiti-project '''Subscribe here''']<br>[mailto:owasp-wapiti[email protected] '''Use here''']
+
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-firewalls-project '''Subscribe here''']<br>[mailto:owasp-firewalls[email protected] '''Use here''']
  | style="width:14%; background:#cccccc" align="center"|License<br>[http://www.gnu.org/copyleft/lesser.html '''GNU Lesser General Public License''']
+
  | style="width:14%; background:#cccccc" align="center"|License<br>[http://creativecommons.org/licenses/bysa/2.0/de/ '''Creative Commons International/Germany License''']
  | style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Tool''']]
+
  | style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Documentation''']]
 
  | style="width:15%; background:#cccccc" align="center"|Sponsors<br>if any, add link
 
  | style="width:15%; background:#cccccc" align="center"|Sponsors<br>if any, add link
 
  |}
 
  |}
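Review bot: the Project Type cell changes its label from Tool to Documentation but keeps the old anchor, `[[:Category:OWASP_Project#Alpha_Status_Projects|'''Documentation''']]`, so the link still points at the status section rather than a documentation-project category; re-check the target. In the same region, "Project Contibutors" carries the typo over from the Wapiti version (should be "Contributors"), the license URL `http://creativecommons.org/licenses/bysa/2.0/de/` appears to be missing the hyphen in `by-sa`, and the Sponsors cell still holds the template placeholder "if any, add link".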
Line 23: Line 29:
 
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Projects'''  
 
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Projects'''  
 
  |-
 
  |-
  | style="width:29%; background:#cccccc" align="center"|Provisory '''[[:Category:OWASP Project Assessment#Alpha Quality Tool Criteria|Apha Quality]]'''<br>(under review)<br>[[:OWASP Wapiti Project - Assessment Frame|Please see here for complete information.]]
+
  | style="width:29%; background:#cccccc" align="center"|
 +
'''[[:Category:OWASP_Project_Assessment#Alpha_Quality_Documentation_Criteria|Apha Quality]]'''<br>[[:OWASP Best Practices: Use of Web Application Firewalls - Assessment Frame|Please see here for complete information.]]
 
  | style="width:42%; background:#cccccc" align="center"|
 
  | style="width:42%; background:#cccccc" align="center"|
[http://www.ict-romulus.eu/web/wapiti '''OWASP Wapiti Project''']<br>
+
OWASP Best Practices: Use of Web Application Firewalls Project:<br>[[:Best Practices: Web Application Firewalls|Deutsch and French Versions]]  
[http://sourceforge.net/projects/wapiti/ '''Project's Sourceforge Repository''']
+
  | style="width:29%; background:#cccccc" align="center"|
  | style="width:29%; background:#cccccc" align="center"|[http://www.ict-romulus.eu '''ICT Romulus Project''']
 
 
  |}
 
  |}
 
----
 
----
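Review bot: the right-hand Related Projects cell is left empty after the ICT Romulus link was removed (`| style="width:29%; background:#cccccc" align="center"|` with nothing following it); either fill it or drop the column header. "Apha Quality" also carries the existing typo over into the new release-status cell (should be "Alpha Quality").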

Latest revision as of 15:50, 14 January 2009


PROJECT INFORMATION
Project Name: OWASP Best Practices: Use of Web Application Firewalls
Short Project Description:

Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself - and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.

One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS - Payment Card Industry Data Security Standard v.1.1) for example, is either a regular source code review or the use of a WAF.

The document is aimed primarily at technical decision-makers, especially those responsible for operations and security as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid - wherever possible - to the display of work estimates - including in comparison to possible alternatives such as modifications to the source code.

In addition to the importance of the web application regarding turnover or image, the term "access to a web application" used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, the access to a web application measures the extent to which the required changes to the application source code are actually carried out in-house, on time, or can be carried out by third parties. As illustrated by the graph below, a web application to which there is no access can only be protected sensibly by a WAF (additional benefit of the WAF). Even with an application in full access, a WAF can be used as a central service point for various services such as secure session management, which can be implemented for all applications equally, and as a suitable means for proactive safety measures such as URL encryption.

Key Project Information
Project Leader: OWASP Germany Local Chapter
Project Contributors: See here
Mailing List: Subscribe here / Use here
License: Creative Commons International/Germany License
Project Type: Documentation
Sponsors: if any, add link

Release Status
Alpha Quality
Please see here for complete information.

Main Links
OWASP Best Practices: Use of Web Application Firewalls Project:
Deutsch and French Versions

Related Projects