
SECURING YOUR WEB APPLICATION IN AZURE WITH A WAF


Christian Folini

Jason Haley
September 2017
JASON HALEY

Salem, MA
Jason Haley Consulting LLC
Azure & Angular Consultant
Microsoft Azure MVP
@halejason
http://jasonhaley.com

Organizer of the North Boston Azure and DevBoston User Groups


SECURING YOUR WEB APPLICATION

OWASP

OWASP (Open Web Application Security Project) Foundation is a not-for-profit international organization dedicated to “enabling organizations to conceive, acquire, operate, and maintain applications that can be trusted”. - https://www.owasp.org

- OWASP Top 10 Project - the most critical web application security risks
- OWASP Application Security Verification Standard (ASVS) Project - provides developers with a list of requirements for secure development
- OWASP ModSecurity Core Rule Set (CRS) - a pluggable set of generic attack detection rules that provide a base level of protection for any web application
OWASP TOP TEN PROJECT (2013)

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfigurations
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards
PENETRATION TEST (PEN TEST)

A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. - Wikipedia
PENETRATION TEST - OUTCOMES

- Prioritized list of known vulnerabilities
- Steps to reproduce each finding
- Steps to fix each finding
- Retest to verify the fixes
WHAT ELSE CAN YOU DO?

- Build security into the code from the start
- OWASP ASVS can help
- Security reviews of the code
- Add security layers to the application
WHAT IS A WAF?

- Intrusion detection system - monitors a network for malicious activity or policy violations
- Firewall - monitors and controls inbound/outbound traffic based on rules
- Web application firewall - monitors inbound/outbound HTTP traffic of a web application based on rules
WHAT ARE THE OPTIONS IF YOU ARE IN AZURE?

- External to Azure (Akamai, CloudFlare, others)
- In the Azure Marketplace (Barracuda, F5, others)
- Azure networking product - Application Gateway
WHAT IS APPLICATION GATEWAY?

- HTTP (layer 7) load balancer
- Cookie affinity for session state
- SSL offload
- Private or public (can also be used with Web Apps)
- WAF using ModSecurity
  - ModSecurity is the engine
  - OWASP Core Rule Set (CRS) is the rules
WEB APPLICATIONS IN AZURE

- How can you add it to a Web App (PaaS)?
  - Currently you have to use a custom ARM template or PowerShell/CLI
  - backendHttpSettingsCollection.pickHostNameFromBackendAddress=true
  - Probe.pickHostNameFromBackendHttpSettings=true

- How can you add it to a Web App (IaaS)?
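As an added example (not from the slides and not Microsoft's own sample), here is a minimal ARM template that puts a WAF-tier Application Gateway in front of a Web App (the PaaS case above), sets the two host-name pickup properties the slide names, and turns on the WAF with the OWASP Core Rule Set. The gateway, pool, listener and probe names, the `example-app.azurewebsites.net` FQDN, the `2017-06-01` apiVersion, and the `subnetId`/`publicIpId` parameters are assumptions; the subnet and public IP are expected to exist already.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appGatewayName": { "type": "string", "defaultValue": "example-waf-gw" },
    "subnetId": { "type": "string" },
    "publicIpId": { "type": "string" },
    "webAppFqdn": { "type": "string", "defaultValue": "example-app.azurewebsites.net" }
  },
  "variables": {
    "gwId": "[resourceId('Microsoft.Network/applicationGateways', parameters('appGatewayName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2017-06-01",
      "name": "[parameters('appGatewayName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "sku": { "name": "WAF_Medium", "tier": "WAF", "capacity": 2 },
        "gatewayIPConfigurations": [
          { "name": "gwIpConfig", "properties": { "subnet": { "id": "[parameters('subnetId')]" } } }
        ],
        "frontendIPConfigurations": [
          { "name": "frontendIp", "properties": { "publicIPAddress": { "id": "[parameters('publicIpId')]" } } }
        ],
        "frontendPorts": [
          { "name": "port80", "properties": { "port": 80 } }
        ],
        "backendAddressPools": [
          { "name": "webAppPool", "properties": { "backendAddresses": [ { "fqdn": "[parameters('webAppFqdn')]" } ] } }
        ],
        "backendHttpSettingsCollection": [
          {
            "name": "webAppHttpSettings",
            "properties": {
              "port": 443,
              "protocol": "Https",
              "cookieBasedAffinity": "Disabled",
              "pickHostNameFromBackendAddress": true,
              "probe": { "id": "[concat(variables('gwId'), '/probes/webAppProbe')]" }
            }
          }
        ],
        "probes": [
          {
            "name": "webAppProbe",
            "properties": {
              "protocol": "Https",
              "path": "/",
              "interval": 30,
              "timeout": 30,
              "unhealthyThreshold": 3,
              "pickHostNameFromBackendHttpSettings": true
            }
          }
        ],
        "httpListeners": [
          {
            "name": "listener80",
            "properties": {
              "frontendIPConfiguration": { "id": "[concat(variables('gwId'), '/frontendIPConfigurations/frontendIp')]" },
              "frontendPort": { "id": "[concat(variables('gwId'), '/frontendPorts/port80')]" },
              "protocol": "Http"
            }
          }
        ],
        "requestRoutingRules": [
          {
            "name": "webAppRule",
            "properties": {
              "ruleType": "Basic",
              "httpListener": { "id": "[concat(variables('gwId'), '/httpListeners/listener80')]" },
              "backendAddressPool": { "id": "[concat(variables('gwId'), '/backendAddressPools/webAppPool')]" },
              "backendHttpSettings": { "id": "[concat(variables('gwId'), '/backendHttpSettingsCollection/webAppHttpSettings')]" }
            }
          }
        ],
        "webApplicationFirewallConfiguration": {
          "enabled": true,
          "firewallMode": "Prevention",
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.0"
        }
      }
    }
  ]
}
```

The two `pickHostName...` properties are what make a Web App backend work: App Service is a shared, multi-tenant host that routes on the Host header, so the gateway has to forward requests with the `azurewebsites.net` name rather than the client's original Host header, and the health probe has to send that same name or the backend is reported unhealthy. `firewallMode` is worth running as `Detection` first while the CRS false positives for your application are reviewed in the gateway's diagnostic logs, then switching to `Prevention`. A production deployment would also add an `sslCertificates` entry and an `Https` listener on port 443 so that TLS terminates on the gateway (the "SSL offload" bullet earlier in the deck).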
