
Positive changes coming to ModSecurity

By Michael S. Mimoso, Editor, Information Security magazine
07 Aug 2008 | SearchSecurity.com

Security Wire Daily News

LAS VEGAS -- ModSecurity is getting an attitude adjustment, thanks to a complementary new tool that brings a positive security model to the popular open source Web application firewall.

Ivan Ristic, recognized for his work in building not only the ModSecurity tool but also its community, today at the Black Hat briefings introduced ModProfiler. ModProfiler, he said, observes and analyzes application traffic and builds a profile of the behavior the application legitimately accepts. That profile is then translated into ModSecurity rules, so the firewall can allow what the profile describes and deny everything else.

"The positive security model is safer because you don't need to know everything about attacks. You only have to understand your application," Ristic said. "We've felt some pressure from the community to solve this problem. Learning is the only [thing] ModSecurity doesn't do. By adding this one missing piece, we're completing the features of ModSecurity."

Web application firewalls (WAFs) are getting more attention than ever from businesses, especially those bound to comply with the Payment Card Industry Data Security Standard. PCI DSS Requirement 6.6 became mandatory on June 30, 2008; it requires companies that accept and process credit card data and transactions to protect their public-facing Web applications, either by installing a Web application firewall in front of them or by reviewing the application code, manually or with automated tools.

Web application firewalls are, in most cases, a quicker and cheaper road to a compliance checkmark, experts say. Deployments are challenging, however, and Ristic, vice president of security research at Breach Security Inc., said he's received plenty of questions about what Web application firewalls do, where they should sit and who should manage them.

"People focus ultimately on blocking, but people need to view WAFs as operational tools that provide situational awareness," Ristic said. "The most important thing WAFs do is provide visibility into what's happening. Only after you have visibility can you decide whether you want to block or just log traffic."


One capability Ristic highlighted is what he calls a virtual patch. If ModProfiler detects behavior out of the ordinary, users can write a simple, narrowly scoped rule that detects only that one attack, against one resource, in one location. A virtual patch mitigates the issue until developers have an opportunity to fix the application and put the fix through quality assurance (QA) for its next release; at that point, Ristic said, the virtual patch is no longer necessary.
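What such a rule looks like in practice, as an added example rather than code from the article, ModProfiler or the ModSecurity project: a ModSecurity 2.x rule confined to one resource and one parameter. The path /app/item.php, the parameter name "id", the numeric-only format and the rule id are assumptions made for illustration.

```apache
# Added example (not from the article or the ModSecurity project): a
# "virtual patch" for one parameter of one resource. The path, parameter,
# accepted format and rule id are assumptions; pick an id range that is
# free in your ruleset.
<LocationMatch "^/app/item\.php$">
    # Phase 2 runs after the request body is parsed, so ARGS covers both the
    # query string and a POST body. t:none disables default transformations
    # so the pattern is matched against the value as received.
    SecRule ARGS:id "!^[0-9]{1,10}$" "id:900100,phase:2,t:none,deny,status:403,log,msg:'Virtual patch: non-numeric id on /app/item.php'"
</LocationMatch>
```

To follow the "visibility first" advice quoted above, deploy the rule with `pass` in place of `deny,status:403` for a few days and read the audit log; switch to `deny` only once the matches are all genuine attacks rather than legitimate values the pattern did not anticipate.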

Ristic, meanwhile, hopes ModProfiler's collaborative nature will resonate with users, especially those who don't understand the nuances of a Web application firewall or don't have the resources to invest in the tool.

"This is a research effort to help establish a good deployment practice for Web applications," Ristic said. "Bad guys collaborate very well. Good guys don't do as good of a job."

Ristic hopes the project will strengthen ModSecurity's benefits, change the way Web applications are deployed, and protect them from the first day of deployment against attacks, zero-day attacks included.

"What we've found is that Web applications are deployed and written in a bad way where everything is allowed by default. The problem with that is that every day, there are new Web application attacks and attack types," Ristic said. "If you're writing an application today, you don't know tomorrow's attack type. We realized there's a great advantage to changing the way Web applications are deployed: deny by default and allow only what's safe. If you want an application to perform five functions, allow only those five.

"The end benefit," Ristic added, "is that you don't have to write the rules; just record traffic, have it write to ModProfiler and have a hosted ruleset to protect applications."
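The learning loop Ristic describes (record traffic, derive a profile, write rules that allow only what was seen) can be sketched in a few dozen lines. The following is an added example written for this article, not ModProfiler's or ModSecurity's own code: it learns, per resource, the allowed methods and a character class plus maximum length for each parameter, checks new requests against that profile, and renders the profile as ModSecurity 2.x rules that deny by default. The sample traffic, the paths and the rule id range (900000 upward) are constructed assumptions.

```python
"""Added example, not ModProfiler's or ModSecurity's code: learn a positive
model from recorded requests, check new requests against it, and emit
ModSecurity 2.x rules that deny anything the profile never saw.
Sample traffic, paths and the rule id range are constructed assumptions."""
import re
from collections import defaultdict

# Candidate character classes, most restrictive first. The first class that
# matches every observed value of a parameter becomes that parameter's profile.
CLASSES = [
    ("digits", r"[0-9]"),
    ("alnum", r"[A-Za-z0-9]"),
    ("alnum_punct", r"[A-Za-z0-9 _.@-]"),
    ("printable", r"[\x20-\x7e]"),
    ("any", r"[\s\S]"),
]


def build_profile(requests):
    """Learn allowed methods and, per parameter, a character class and a
    maximum length for every resource present in the recorded traffic."""
    observed = {}
    for method, path, args in requests:
        entry = observed.setdefault(path, {"methods": set(), "values": defaultdict(list)})
        entry["methods"].add(method)
        for name, value in args.items():
            entry["values"][name].append(value)
    profile = {}
    for path, entry in observed.items():
        params = {}
        for name, values in entry["values"].items():
            for cls_name, cls in CLASSES:
                if all(re.fullmatch(cls + "*", v) for v in values):
                    params[name] = (cls_name, cls, max(len(v) for v in values))
                    break
        profile[path] = {"methods": entry["methods"], "params": params}
    return profile


def check(profile, method, path, args):
    """Return None if the request fits the profile, otherwise the reason it
    would be denied. Anything the profile never learned is rejected."""
    entry = profile.get(path)
    if entry is None:
        return f"unknown resource {path}"
    if method not in entry["methods"]:
        return f"method {method} not seen for {path}"
    for name, value in args.items():
        spec = entry["params"].get(name)
        if spec is None:
            return f"unknown parameter {name} for {path}"
        cls_name, cls, max_len = spec
        if len(value) > max_len or not re.fullmatch(cls + "*", value):
            return f"parameter {name} outside {cls_name}(max {max_len}) profile"
    return None


def emit_rules(profile, first_id=900000):
    """Render the profile as ModSecurity 2.x rules: one LocationMatch block per
    resource (method, parameter names, parameter values), then a catch-all
    that denies every resource the profile never saw."""
    lines, rid = [], first_id
    for path, entry in sorted(profile.items()):
        methods = "|".join(sorted(entry["methods"]))
        names = "|".join(sorted(entry["params"]))
        lines.append(f'<LocationMatch "^{re.escape(path)}$">')
        lines.append(f'    SecRule REQUEST_METHOD "!^({methods})$" '
                     f'"id:{rid},phase:1,deny,status:403,log,msg:\'method not in profile\'"')
        rid += 1
        if names:  # reject any parameter name that was never observed
            lines.append(f'    SecRule ARGS_NAMES "!^({names})$" '
                         f'"id:{rid},phase:2,deny,status:403,log,msg:\'parameter not in profile\'"')
        else:      # resource was only ever called without parameters
            lines.append(f'    SecRule &ARGS "!@eq 0" '
                         f'"id:{rid},phase:2,deny,status:403,log,msg:\'resource takes no parameters\'"')
        rid += 1
        for name, (cls_name, cls, max_len) in sorted(entry["params"].items()):
            lines.append(f'    SecRule ARGS:{name} "!^{cls}{{0,{max_len}}}$" '
                         f'"id:{rid},phase:2,t:none,deny,status:403,log,msg:\'{name} outside {cls_name} profile\'"')
            rid += 1
        lines.append("</LocationMatch>")
    known = "|".join(re.escape(p) for p in sorted(profile))
    lines.append(f'SecRule REQUEST_FILENAME "!^({known})$" '
                 f'"id:{rid},phase:1,deny,status:403,log,msg:\'resource not in profile\'"')
    return "\n".join(lines)


# Constructed sample of recorded traffic (not real logs).
RECORDED = [
    ("GET", "/app/search.php", {"q": "blue widgets", "page": "2"}),
    ("GET", "/app/search.php", {"q": "red", "page": "10"}),
    ("GET", "/app/item.php", {"id": "1042"}),
    ("POST", "/app/login.php", {"user": "alice", "pass": "s3cret!"}),
]
PROFILE = build_profile(RECORDED)

if __name__ == "__main__":
    print(emit_rules(PROFILE))
    print(check(PROFILE, "GET", "/app/item.php", {"id": "1 OR 1=1"}))
```

The caveat a practitioner learns from running it: the profile is only as good as the traffic it was trained on. Four recorded requests give `page` a maximum length of two digits and `q` a twelve-character limit, so a legitimate user who searches for a longer phrase would be denied. That is why the rules are best deployed in log-only mode first, as Ristic advises, and the profile widened from the false positives before switching to blocking.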

ModProfiler is expected to be released shortly after this week's Black Hat briefings.
