Ivan Ristic, recognized for his work in building not only the ModSecurity tool, but also its community, today at the Black Hat briefings introduced ModProfiler. ModProfiler, he said, observes and analyzes application traffic and builds an application profile of accepted behavior. That intelligence is then fed to ModSecurity and written into its rules.
"The positive security model is safer because you don't need to know everything about attacks. You only have to understand your application," Ristic said. "We've felt some pressure from the community to solve this problem. Learning is the only [thing] ModSecurity doesn't do. By adding this one missing piece, we're completing the features of ModSecurity."
Web application firewalls (WAFs) are getting more attention than ever from businesses, especially those bound to comply with the Payment Card Industry Data Security Standard. PCI DSS Requirement 6.6 became mandatory on June 30, and it requires companies that accept and process credit card data and transactions to secure their Web applications, either with the installation of a Web application firewall or via a manual or automated source code review.
Web application firewalls are, in most cases, a quicker and cheaper road to a compliance checkmark, experts say. Deployments are challenging, however, and Ristic, vice president of security research at Breach Security Inc., said he's received plenty of questions about what Web application firewalls do, where they should sit and who should manage them.
"People focus ultimately on blocking, but people need to view WAFs as operational tools that provide situational awareness," Ristic said. "The most important thing WAFs do is provide visibility into what's happening. Only after you have visibility can you decide whether you want to block or just log traffic."
One feature unique to ModProfiler is the ability to write what Ristic calls a virtual patch. If ModProfiler detects behavior out of the ordinary, users can write a simple rule that only detects that one attack against one resource in one location. Virtual patches can mitigate an issue until developers have an opportunity to patch and quality assure (QA) the application for its next release. At that time, Ristic said, the virtual patch is no longer necessary.
Ristic, meanwhile, hopes ModProfiler's collaborative nature will resonate with users, especially those who don't understand the nuances of a Web application firewall or don't have the resources to invest in the tool.
"This is a research effort to help establish a good deployment practice for Web applications," Ristic said. "Bad guys collaborate very well. Good guys don't do as good of a job."
Ristic hopes the project will beef up ModSecurity's benefits, change the way Web applications are deployed, and secure them from Day 1 against attacks such as zero-day exploits.
"What we've found is that Web applications are deployed and written in a bad way where everything is allowed by default. The problem with that is that every day, there are new Web application attacks and attack types," Ristic said. "If you're writing an application today, you don't know tomorrow's attack type. We realized there's a great advantage to changing the way Web applications are deployed: deny by default and allow only what's safe. If you want an application to perform five functions, allow only those five.
"The end benefit," Ristic added, "is that you don't have to write the rules; just record traffic, have it write to ModProfiler and have a hosted ruleset to protect applications."
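As an added illustration of the deny-by-default model Ristic describes (example code written for this page, not ModProfiler's or Breach Security's), this toy Python profiler learns from constructed trusted traffic which parameters and value shapes each resource legitimately uses, denies any request outside that profile, and renders the learned set as chained ModSecurity-style rules; the request-line format, the SHAPES classes and the rule ids are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value shapes from strict to loose; a learned shape only ever widens.
SHAPES = [("digits", re.compile(r"^[0-9]+$")),
          ("alnum", re.compile(r"^[A-Za-z0-9_.-]+$")),
          ("text", re.compile(r"^[^\x00-\x1f<>'\"]*$"))]
RANK = {"digits": 0, "alnum": 1, "text": 2, "unsafe": 3}
def shape_of(value):
    return next((n for n, rx in SHAPES if rx.match(value)), "unsafe")
def parse(line):  # request lines are 'METHOD /path?query' (constructed format)
    method, url = line.split(" ", 1)
    u = urlsplit(url)
    return method, u.path, parse_qsl(u.query, keep_blank_values=True)
def learn_profile(traffic):
    # Learn {(method, path): {param: widest shape}} from trusted traffic only:
    # a hostile value seen during learning would widen the profile to accept it.
    profile = defaultdict(dict)
    for line in traffic:
        method, path, args = parse(line)
        seen = profile[(method, path)]
        for name, value in args:
            s = shape_of(value)
            if name not in seen or RANK[s] > RANK[seen[name]]:
                seen[name] = s
    return dict(profile)
def check(profile, line):
    # Deny by default: unknown resource, unknown parameter or wider value shape.
    method, path, args = parse(line)
    seen = profile.get((method, path))
    if seen is None:
        return False, "unknown resource"
    for name, value in args:
        if name not in seen:
            return False, "unexpected parameter " + name
        if RANK[shape_of(value)] > RANK[seen[name]]:
            return False, "value shape outside profile for " + name
    return True, "ok"
def to_secrules(profile, first_id=100000):
    # One chained rule per resource denying ARGS names outside the learned set
    out = []
    for i, ((method, path), params) in enumerate(sorted(profile.items())):
        names = "|".join(re.escape(p) for p in sorted(params))
        out += [f'SecRule REQUEST_FILENAME "@streq {path}" '
                f'"id:{first_id + i},phase:2,deny,status:403,chain"',
                f'    SecRule ARGS_NAMES "!^({names})$"']
    return "\n".join(out)
TRAFFIC = ["GET /account?id=42", "GET /account?id=1337",  # constructed trusted run
           "POST /login?user=alice&remember=1"]
```

The emitted rules only whitelist parameter names; the value-shape checks live in `check()` and would need separate rules in a real deployment.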
ModProfiler is expected to be released shortly after this week's Black Hat briefings.