Forum Discussion
Nik_67256
Apr 10, 2012 · Nimbostratus
OWASP top 10 Protection - Protection
Hi Aaron,
How can one ensure protection against the OWASP top 10?
I do know about protecting against brute force, cross-site scripting and CSRF. But what do we configure to ensure protec...
hooleylist
Apr 11, 2012 · Cirrostratus
Hi Nik,
See below for responses:
1) Broken Authentication and session management
Most enterprise applications provide valid session management. However, if you need to, you can enforce login URLs per the ASM config guide:
Configuring login URLs to prevent forceful browsing
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_security_policy.html
2) Insecure direct object reference
You can configure login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application.
3) Security Misconfiguration
Here's a suggested list of possible issues. Which are you trying to address?
https://www.owasp.org/index.php/Top_10_2010-A6
4) Failure to restrict URL access
Again, as in 2, you can use login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application. You can also use attack signatures and/or URLs to restrict which URLs clients can access.
5) Insufficient transport layer protection
You can easily redirect all HTTP requests to HTTPS using LTM. You can also restrict which SSL ciphers clients are allowed to use when accessing an HTTPS virtual server:
https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx
6) Unvalidated redirects and forwards
You can define valid redirects for specific parameter values either globally or per URL.
7) SQL injection (this, I believe, is protected through attack signatures, in Policy -> Blocking)
ASM provides very complete SQLi protection through character set restrictions and attack signatures.
Aaron
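As an added illustration of items 5 and 6 in the reply above (example code written for this page, not from Aaron, the thread or F5), here are two LTM iRules in tmsh `ltm rule` form. The rule names, the port 80 / port 443 virtual server pair they are attached to, and the post-login query parameter called `next` are all assumptions; the application being protected would have its own parameter name.

```tcl
# Added example, not from the thread or from F5: two LTM iRules (shown in
# tmsh "ltm rule" form) covering items 5 and 6 of the reply above.
# Assumed names: the iRules themselves, a virtual server pair on ports 80/443,
# and a post-login query parameter called "next" used by the application.

# Item 5, part 1: attach to the port-80 virtual server. Every plain-HTTP
# request is answered with a permanent redirect to the same host and path
# over HTTPS, so no application content is ever served in the clear.
ltm rule /Common/http_to_https {
    when HTTP_REQUEST {
        HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
    }
}

# Item 5, part 2 and item 6: attach to the port-443 virtual server.
ltm rule /Common/https_hardening {
    when CLIENTSSL_HANDSHAKE {
        # The clientssl profile's cipher list is the primary control; this is
        # a backstop that logs and drops any session that still negotiated a
        # cipher with fewer than 128 key bits.
        if { [SSL::cipher bits] < 128 } {
            log local0. "weak cipher [SSL::cipher name] ([SSL::cipher bits] bits) from [IP::client_addr]"
            reject
        }
    }
    when HTTP_REQUEST {
        # Item 6: accept the "next" redirect target only if it is a path on
        # this site. Reject absolute URLs (no leading "/"), protocol-relative
        # "//host" forms, and backslashes (some browsers treat "\" as "/").
        set next [URI::decode [URI::query [HTTP::uri] next]]
        if { $next ne "" } {
            if { ![string match "/*" $next] || [string match "//*" $next] || [string first "\\" $next] >= 0 } {
                log local0. "blocked redirect target \"$next\" from [IP::client_addr]"
                HTTP::respond 400 content "Invalid redirect target" "Content-Type" "text/plain"
            }
        }
    }
}
```

The weak-cipher check is deliberately a second line of defence: the cipher string on the clientssl profile decides what can be negotiated at all, and the iRule only logs and rejects whatever slips through, which gives you an audit trail in `/var/log/ltm` for clients still attempting weak suites. The redirect check keeps the parameter's value inside the site rather than trying to enumerate bad destinations, which is the same allowlist idea as defining valid redirects per URL in ASM.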