Re: [WEB SECURITY] Positive Security Model
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Positive Security Model
- Date: Wed, 27 Aug 2008 16:13:58 -0400
On Wed, Aug 27, 2008 at 3:50 PM, Lee Sequeira <leeseq31@gmail.com> wrote:
> Hi all,
> I've been reading about the Positive Security Model for web application
> security and had some questions that I was hoping to get answered. It
> sounds great in theory, but does it really work (WAFs or other solutions)?
> Does anyone have any (good or bad) experiences with it and can share their
> thoughts? Is it easier to manage than the typical Negative Security Model?
>
> Thanks,
> Lee
Hey Lee,
There are a few different items to consider with positive security vs.
negative security. Positive security is better from a security perspective
as you have less chance of false negatives/evasions. The question that I
have for you is to clarify what you mean by "does it really work"? There
are a number of ways to gauge if a WAF is "working" - take a look at my blog
post on WAF metrics:
http://tacticalwebappsec.blogspot.com/2008/05/whats-score-of-game-part-2-web-security.html
Back to your comment about managing positive vs. negative security - the
real issue that I see with positive security from a WAF's perspective is how
do you get there? You can take the manual approach, which would be using
targeted positive security when implementing virtual patches for identified
issues, or take the automated learning approach and let the WAF profile
the app and create a proper input validation filter for you. Ivan Ristic
and Ofer Shezaf recently presented at Blackhat talking about ModProfiler,
which will allow a user to feed ModSecurity audit logs to it and then it
will automatically create positive security input validation rules. This is
a bit of a middle ground approach between manual virtual patching for
identified vulns and continuous automated learning/profiling.
I would also recommend that you check out this site -
https://sites.google.com/a/wafreviews.com/home/Home. Hopefully more people
will share ideas, stories, issues, etc. there.
Cheers.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/
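The contrast Ryan draws above (fewer evasions with a positive model, and the "how do you get there" problem of deriving the whitelist from traffic) can be seen end to end in a small script. This is an added example, not code from the thread, from ModSecurity or from ModProfiler: the benign query strings, the parameter names `id`, `sort` and `q`, the character classes, the rule ids starting at 900000 and the evasive payload are all constructed here for illustration. It shows a typical blacklist signature missing a mixed-case, comment-padded injection, a per-parameter whitelist learned from four benign requests catching the same payload, and that profile rendered as ModSecurity-style `SecRule` lines (the general shape of a generated whitelist, not ModProfiler's actual output format).

```python
"""Positive vs. negative input validation, and a positive profile learned
from benign request samples.  Added illustration: this is not ModSecurity
or ModProfiler code; the samples, parameter names and rule ids are constructed.
"""
import re
from urllib.parse import parse_qsl

# --- Negative model: a blacklist signature of the usual shape -----------------
SQLI_SIGNATURE = re.compile(r"(union\s+select|\bor\s+1=1|--)", re.IGNORECASE)


def negative_model_blocks(query_string):
    """Block if any decoded parameter value matches the blacklist."""
    return any(SQLI_SIGNATURE.search(value)
               for _, value in parse_qsl(query_string, keep_blank_values=True))


# --- Positive model: narrowest character class that fits every sample ---------
CLASSES = [                        # ordered from narrowest to widest
    ("integer", "[0-9]"),
    ("alpha", "[A-Za-z]"),
    ("alnum", "[A-Za-z0-9]"),
    ("text", "[A-Za-z0-9 '._-]"),  # free text without SQL/HTML metacharacters
]
CHAR_CLASS = dict(CLASSES)

# Constructed benign traffic, standing in for the audit-log entries a WAF
# profiler would be fed.
BENIGN_SAMPLES = [
    "id=17&sort=asc&q=blue+shoes",
    "id=2048&sort=desc&q=running",
    "id=5&sort=asc&q=men%27s+jacket",  # a legitimate apostrophe in free text
    "id=311&sort=asc&q=socks",
]


def learn_profile(samples):
    """Return {param: (class, max_len)}.  A parameter no class covers (or one
    only seen empty) is marked 'unprofiled' so a human reviews it first."""
    seen = {}
    for qs in samples:
        for name, value in parse_qsl(qs, keep_blank_values=True):
            seen.setdefault(name, []).append(value)
    profile = {}
    for name, values in seen.items():
        cls = next((c for c, cc in CLASSES
                    if all(re.fullmatch(cc + "+", v) for v in values)), "unprofiled")
        profile[name] = (cls, max(len(v) for v in values))
    return profile


def positive_model_blocks(profile, query_string):
    """Fail closed: block unknown or unprofiled parameters and any value that
    falls outside its learned class or length."""
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        cls, max_len = profile.get(name, ("unprofiled", 0))
        if cls not in CHAR_CLASS:
            return True
        if not re.fullmatch(f"{CHAR_CLASS[cls]}{{1,{max_len}}}", value):
            return True
    return False


def to_modsecurity_rules(profile, base_id=900000):
    """Render the profile as ModSecurity-style SecRule lines (the general shape
    of a generated whitelist; not ModProfiler's actual output format)."""
    names = "|".join(sorted(profile))
    rules = [f'SecRule ARGS_NAMES "!@rx ^({names})$" '
             f'"id:{base_id},phase:2,t:none,deny,status:403,'
             "msg:'parameter not in learned profile'\""]
    for n, name in enumerate(sorted(profile), start=1):
        cls, max_len = profile[name]
        if cls not in CHAR_CLASS:
            rules.append(f"# ARGS:{name}: no class fit every sample; review before enforcing")
            continue
        rules.append(f'SecRule ARGS:{name} "!@rx ^{CHAR_CLASS[cls]}{{1,{max_len}}}$" '
                     f'"id:{base_id + n},phase:2,t:none,deny,status:403,'
                     f"msg:'{name} outside learned profile ({cls})'\"")
    return rules


# Constructed injection attempt written to slip past the blacklist: a comment
# in place of whitespace and mixed case defeat the signature, but the value is
# plainly not an integer, so the learned profile rejects it.
EVASIVE_ATTACK = "id=17%20UnIoN/**/SeLeCt%201,2&sort=asc&q=socks"


def demo():
    profile = learn_profile(BENIGN_SAMPLES)
    return {
        "profile": profile,
        "negative_catches_evasion": negative_model_blocks(EVASIVE_ATTACK),
        "positive_catches_evasion": positive_model_blocks(profile, EVASIVE_ATTACK),
        "positive_allows_benign": not any(positive_model_blocks(profile, s)
                                          for s in BENIGN_SAMPLES),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
    print("\n".join(to_modsecurity_rules(learn_profile(BENIGN_SAMPLES))))
```

Two caveats a practitioner would check before trusting a learned profile like this: the length bound is the exact maximum observed, so a small sample will produce false positives on longer legitimate values (real profilers add headroom and want a representative log), and a parameter that appears as `unprofiled` is a signal to look at the traffic by hand rather than to widen the class until it fits. Rules generated this way are best deployed first under ModSecurity's `SecRuleEngine DetectionOnly` so that false positives show up as log entries, not blocked users.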
Brought to you by http://www.webappsec.org