white hat

Lightboard Lessons: The BIG-IP ASM and WhiteHat Integration
Today’s web applications are under constant attack, and it’s critical to keep those applications secure at all times. One of the best ways to keep your applications secure is to protect them with a Web Application Firewall (WAF) and also scan them with a security vulnerability scanner. The BIG-IP ASM is a powerful and flexible WAF, and WhiteHat Sentinel is one of the best dynamic scanners on the market today. Check out this edition of Lightboard Lessons to learn how the ASM and WhiteHat Sentinel can secure your web applications.

Read more about ASM and WhiteHat.

Integrating WhiteHat Scans With BIG-IP ASM
Today’s web applications are under constant attack, and it’s critical to keep those applications secure at all times for the protection of yourself and your customers. Ideally, you would utilize a team of perfect web developers who create perfectly secure applications that have no bugs and no security vulnerabilities. But that’s fantasy. In the real world, web applications are deployed every day with a litany of vulnerabilities that provide a target-rich environment for online adversaries.

Fortunately, there are companies that specialize in securing web applications, and they provide a way to scan your applications and find critical vulnerabilities. WhiteHat Security has long been a leader in this space, and they protect organizations by identifying website vulnerabilities that the bad guys exploit to cause harm. WhiteHat employs a world-class team of security professionals who constantly research and monitor current threats to web applications. Using this expertise, they develop fully customized tests to run against any web application in the world. These robust tests can be run automatically or manually by the WhiteHat team, and -- rest assured -- if your web application has any vulnerability at all, WhiteHat will find it. WhiteHat offers custom remediation guidance as well as metrics and reports on all the vulnerabilities they find. This allows you to easily and confidently remediate the vulnerabilities as they are discovered. From personal experience, let me say that it’s much better to have a trusted partner like WhiteHat find a vulnerability before a nefarious attacker finds it first.

WhiteHat Sentinel, the company’s flagship cloud-based application security product, offers a very user-friendly web interface that outlines all the findings from a given scan. The screenshot below shows an example list of vulnerabilities that were found from a WhiteHat security scan.
Notice that WhiteHat ranks each finding with a “rating” scale that allows you to know how severe a particular vulnerability is. Also, notice that each finding receives a numeric score that shows how likely this vulnerability is to be exploited. So, if you have a finding with a high score and a critical vulnerability, it’s time to take some action on getting that one fixed!

Imagine this scenario: WhiteHat Sentinel has done a fantastic job of scanning your web applications for current vulnerabilities, and you now have an awesome list of findings to mitigate. But, what if it takes some time to mitigate those findings? What if some of them are so extensive that you might not ever get time to fix them? How will your web application stay secure in the meantime? Of course, I’m glad you asked!

F5’s BIG-IP Application Security Manager (ASM) is a Web Application Firewall that is specifically designed to protect your web applications from the exact threats that are found by these WhiteHat scans. One of the powerful features of the ASM is that it has the capability to talk directly to WhiteHat Sentinel via the WhiteHat API and build a custom security policy for your specific web application based on the results of your WhiteHat scan. Here’s how it works (also, see the picture below):

1. The BIG-IP ASM sits in front of your web applications and protects them from attack.
2. WhiteHat Sentinel scans your web applications and sends a list of vulnerabilities to the BIG-IP ASM.
3. The BIG-IP ASM configures a security policy based on the actual findings from the WhiteHat scan.

When you create a security policy on the BIG-IP ASM, there are several options to choose from. This specific article won’t go into every detail of policy building because it can get fairly extensive, but you can read this article for more details on policy building.
As you build a security policy, you can select the “Vulnerability Assessment Tool” option, and you can see in the screenshot below that one of the scanning tools that integrates with the BIG-IP ASM is the WhiteHat Sentinel tool. Simply select that option from the dropdown box and then you’ll have an option to add an IP address and Netmask for the scanner. This tells the BIG-IP ASM that it should not block that IP address because it’s the one used by the WhiteHat Sentinel scanner.

Note: WhiteHat will need to give you the specific IP address and Netmask they will be using for their scans.

After you set up the security policy on the BIG-IP ASM, you will need to load in the API key from WhiteHat. This allows the BIG-IP and WhiteHat Sentinel to talk to one another and make updates automatically. The WhiteHat API key is unique to your WhiteHat account and will not change. This is nice because you won’t ever need to reload this key once you initially set it up on the BIG-IP ASM. To retrieve the key, you log in to your WhiteHat account and navigate to your profile page, where you will see a link for the API key. The screenshot below shows the popup message you will see when displaying your API key.

Now that you have your WhiteHat API key, you simply copy/paste it into the BIG-IP ASM (see screenshot below). Once you input the key, you should be able to click the “Refresh WhiteHat Site Names List” button and a list of all the sites on your WhiteHat account will auto-populate so that you can simply select the one(s) you want. You also have the option of selecting the “custom” option from the dropdown menu and typing in the site name yourself.

When the BIG-IP ASM is protecting your web applications and WhiteHat Sentinel is constantly scanning them for new vulnerabilities, you can rest assured that your web applications are secure. WhiteHat will alert you when a vulnerability is found, and the BIG-IP ASM will protect that vulnerability from the bad guys.
It’s a match made in heaven…

Learn more about BIG-IP ASM and WhiteHat Sentinel by visiting these resources:

https://f5.com/products/modules/application-security-manager
https://f5.com/solutions/service-provider/reference-architectures/application-layer-security
https://www.whitehatsec.com/offerings.html#sast

Deploying a WhiteHat Security Satellite in Your Infrastructure
DevCentral uses WhiteHat Security's Sentinel service in our application development lifecycle as well as for production compliance. Beyond the direct benefits of improving our SDLC practices and reducing our window of exposure, F5 Networks and WhiteHat Security offer an integrated solution utilizing their tools and BIG-IP Application Security Manager with context-aware, adaptive, and instant virtual patching. Read here for more information on the solution overview.

We recently eliminated public access to our pre-production test ground, so we had to come up with an alternative scanning solution for this environment. Thankfully, in addition to their internet-facing services, WhiteHat offers a satellite scanner in an appliance or virtual machine package that you can deploy behind your public infrastructure. These satellite scanners can perform the same duties as the scanners that hit your publicly available sites without exposing your pre-production development efforts to unnecessary risk. This article will demonstrate the steps required to get a WhiteHat Sentinel Satellite deployed, scanning, and communicating with the mother ship.

Deploying the Satellite Virtual Machine

The download for the VM is in OVA format, but the Bluelock virtual datacenters we're deployed in require an OVF template for upload. You can use VMware's ovftool for this, or if you have Workstation, you can just open the OVA in your Workstation app and then select that VM and export to OVF. Now that the VM is in the proper form for my environment, I can upload "To the Cloud!" (sorry, couldn't resist) to the virtual datacenter and build the VM. The OVF template should take care of your cpu, memory, and disk allocations, but if the cpu and memory are blank, you can just set to 1 cpu and 1G of RAM as shown in the hardware properties below. I attached the NIC to DMZ-1 and then powered the VM on.
At boot, the only thing you have access to in the console is a configuration menu for the IP address, the mask, the gateway, and a DNS server. The first three were trivial, but the DNS requirement presented a challenge in our environment.

Configuring the Infrastructure

I wrote a blog last week about the DNS challenge presented with this solution, so I won't rehash that here, but you can see in the drawing below that step 1 for the scanner is to do a DNS lookup of the host. A virtual server has an iRule attached to provide a single response to queries from the Sentinel satellite, and then the rest of the app infrastructure is already in place for scanning. The only part left to handle is the communication between the satellite and WhiteHat. The support/operations teams within WhiteHat need to be able to control and report from the satellite, so I configured a virtual server that forwards on the required tcp port 5050 and snat the source to our external IP addresses. Immediately after activating that configuration the satellite synced up with WhiteHat's server and we were good to go.

F5 Case Study: WhiteHat Security
Founder & CTO of WhiteHat Security, Jeremiah Grossman talks about the F5/WhiteHat partnership, the benefits of the WhiteHat Sentinel & BIG-IP ASM integration, the sophistication level of some of the recent attacks/breaches reported in the media, blocking SQL Injections and why organizations should consider an integrated WAF and Scanner like the WhiteHat/F5 solution.

ps

Related:

WhiteHat Security: https://www.whitehatsec.com/index.html
WhiteHat Blog: https://www.whitehatsec.com/resource/grossman.html
Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/
F5/WhiteHat Partnership: http://www.f5.com/solutions/technology-alliances/security/whitehat.html
F5 Youtube Channel: http://www.youtube.com/user/f5networksinc

Virtual Patching: What is it and why you should be doing it
Yesterday I was privileged to co-host a webinar with WhiteHat Security's Jeremiah Grossman on preventing SQL injection and Cross-Site scripting using a technique called "virtual patching". While I was familiar with F5's partnership with WhiteHat and our integrated solution, I wasn't familiar with the term. Virtual patching should put an end to the endless religious warring that goes on between the secure coding and web application firewall camps whenever the topic of web application security is raised. The premise of virtual patching is that a web application firewall is not, I repeat is not, a replacement for secure coding. It is, in fact, an augmentation of existing security systems and practices that enables secure development to occur without being rushed or outright ignored in favor of rushing a fix out the door.

"The remediation challenges most organizations face are the time consuming process of allocating the proper personnel, prioritizing the tasks, QA / regression testing the fix, and finally scheduling a production release." -- WhiteHat Security, "WhiteHat Website Security Statistic Reports", December 2008

The WhiteHat report goes on to discuss the average number of days it took for organizations to address the top five urgent - not critical, not high, but urgent - severity vulnerabilities discovered. The fewest number of days to resolve a vulnerability (SQL Injection) was 28 in 2008, which is actually an improvement over previous years. 28 days. That's a lifetime on the Internet when your site is vulnerable to exploitation and attackers are massing at the gates faster than ants to a picnic. But you can't rush finding and fixing the vulnerability, and the option to shut down the web application may not be an option at all, especially if you rely on that application as a revenue stream, as an integration point with partners, or as part of a critical business process with a strict SLA governing its uptime. So do you leave it vulnerable?
According to WhiteHat's data, apparently that's the decision made for many organizations given the limited options. The heads of many security professionals just exploded. My apologies if any of the detritus mussed your screen. If you're one of the ones whose head is still intact, there is a solution. Virtual patching provides the means by which you can prevent the exploitation of the vulnerability while it is addressed through whatever organizational processes are required to resolve it.

Virtual patching is essentially the process of putting in place a rule on a web application firewall to prevent the exploitation of a vulnerability. This process is oftentimes a manual one, but in the case of WhiteHat and F5 the process has been made as easy as clicking a button. When WhiteHat's Sentinel, which provides vulnerability scanning as a service, uncovers a vulnerability, the operator (that's you) can decide to virtually patch the hole by adding a rule to the appropriate policy on F5's BIG-IP Application Security Manager (ASM) with the click of a button. Once the vulnerability has been addressed, you can remove the rule from the policy or leave it in place, as is your wont. It's up to you.

Virtual patching provides the opportunity to close a vulnerability quickly but doesn't require that you necessarily abandon secure coding practices. Virtual patching actually enables and encourages secure coding by giving developers some breathing room in which to implement a thorough, secure solution to the vulnerability. It isn't an either-or solution, it's both, and leverages both solutions to provide the most comprehensive security coverage possible. And given statistics regarding the number of sites infected of late, that's something everyone should be able to get behind. Virtual patching as a technique does not require WhiteHat or F5, but other solutions will require a manual process to put in place rules to address vulnerabilities.
The advantage of a WhiteHat-F5 solution is its tight integration via iControl and ability to immediately close discovered security holes, and of course a lengthy list of cool security options and features to further secure web applications available with ASM. You can read more about the integration between WhiteHat and F5 here or here or view a short overview of the way virtual patching works between Sentinel and ASM.
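To make the scanner-to-WAF flow described in the two articles above concrete (findings with a rating and a score, a whitelisted scanner IP/netmask, one blocking rule per finding that can be switched off once the real fix ships), here is a small self-contained model of virtual patching. It is an added illustration, not F5 or WhiteHat code: BIG-IP ASM's actual policy model, the WhiteHat API and its export format are all different from this. The finding records, the signature patterns, the scanner network and the request samples are constructed for the example, and the `min_score` threshold is an assumed triage rule, not anything either product defines.

```python
"""Toy model of scanner-driven virtual patching (added example, not product code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample findings in the shape of a scanner export: a severity
# rating, a numeric likelihood score, and the URL/parameter where it was found.
SAMPLE_FINDINGS = [
    {"id": "F-1", "class": "SQL Injection", "rating": "critical",
     "score": 92, "path": "/login", "param": "user"},
    {"id": "F-2", "class": "Cross Site Scripting", "rating": "high",
     "score": 71, "path": "/search", "param": "q"},
    {"id": "F-3", "class": "Information Leakage", "rating": "low",
     "score": 12, "path": "/about", "param": None},
]

# Deliberately small attack-class signatures; a real WAF ships far broader ones.
SIGNATURES = {
    "SQL Injection": re.compile(
        r"('|\")\s*(or|and)\s+|union\s+select|--|;\s*drop\b", re.IGNORECASE),
    "Cross Site Scripting": re.compile(
        r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE),
}


@dataclass
class VirtualPatch:
    """One blocking rule derived from one scanner finding."""
    finding_id: str
    attack_class: str
    path: str
    param: str
    enabled: bool = True


@dataclass
class Policy:
    """A policy: the scanner's whitelisted network plus its virtual patches."""
    scanner_network: ipaddress.IPv4Network
    patches: list = field(default_factory=list)


def build_policy(findings, scanner_cidr, min_score=50):
    """Turn findings into per-finding rules; skip classes without a signature,
    findings with no parameter to inspect, and (assumed triage rule) low scores."""
    policy = Policy(ipaddress.ip_network(scanner_cidr))
    for f in findings:
        if f["class"] in SIGNATURES and f["param"] and f["score"] >= min_score:
            policy.patches.append(
                VirtualPatch(f["id"], f["class"], f["path"], f["param"]))
    return policy


def evaluate(policy, src_ip, path, params):
    """Decide one request: ('allow', None) or ('block', finding_id)."""
    # The scanner's own address range is exempt so it can keep re-testing.
    if ipaddress.ip_address(src_ip) in policy.scanner_network:
        return ("allow", None)
    for p in policy.patches:
        if not p.enabled or p.path != path or p.param not in params:
            continue
        if SIGNATURES[p.attack_class].search(params[p.param]):
            return ("block", p.finding_id)
    return ("allow", None)


def remediate(policy, finding_id):
    """Once developers ship the real fix, disable the rule but keep it on record."""
    for p in policy.patches:
        if p.finding_id == finding_id:
            p.enabled = False


if __name__ == "__main__":
    pol = build_policy(SAMPLE_FINDINGS, "203.0.113.0/24")
    print([p.finding_id for p in pol.patches])
    print(evaluate(pol, "198.51.100.7", "/login", {"user": "admin' OR 1=1--"}))
    print(evaluate(pol, "203.0.113.10", "/login", {"user": "admin' OR 1=1--"}))
    remediate(pol, "F-1")
    print(evaluate(pol, "198.51.100.7", "/login", {"user": "admin' OR 1=1--"}))
```

The rule is scoped to the exact path and parameter the scanner reported, which is what makes a virtual patch cheap to deploy and low-risk for the rest of the application; it also means a second injection point on a different parameter is not covered until the scanner reports it. The scanner netmask exemption mirrors the "IP address and Netmask" field in the ASM wizard: without it the WAF would block the very probes that confirm whether the patch holds.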