
Fortinet PowerPoint Template

First Quarter, 2012

February 11, 2014



Fortinet Confidential

Xtreme Team:
Introduction to FortiWeb
And application layer attacks


AGENDA

- Web Application Threats
- Web Application Security
- FortiWeb Overview
- Features & Benefits
- Deployment Modes
- Product Family
- FortiWeb Labs

Web Application Threats


What is a Web Application?

Web Applications

- Web applications are public and internet-facing applications
- Accessed using a standard browser, they provide webmail, online retail sales, online auctions, wikis and many other functions
- They provide major e-commerce and business-driving tools for organizations
- Written for efficient delivery of content

[Diagram labels: Web server data center; Data Center Perimeter; Front End Web Servers; Database Servers]

Web Applications Architecture

[Diagram labels: Browser; Wireless; Network; HTTP; Web Application; Web Services; Web Servers; Presentation Layer; Media Store; Application Server; Database Server; Business Logic; Customer Identification; Content Services; Access Controls; Transaction Information; Core Business Data]

Web Application Advantages

- A standard web browser acts as the application client

Web Application Advantages

- Creates a virtual hyperspace
  - Beyond geographical constraints
  - Breaks computer hardware and software obstacles
  - Brings the whole world together
- A low-cost way to share, maintain, and distribute
  - Information access
  - Intranet
  - Electronic commerce
  - Online banking
  - Customer support

What about disadvantages?

- Hypertext Transfer Protocol (HTTP) is a communications protocol for the transfer of information on intranets and the World Wide Web
- Its original purpose was to provide a way to publish and retrieve hypertext pages over the Internet

The Web Application Security Gap

Application Developers Don't Know Security
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."

Security Professionals Don't Know The Applications
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution... but don't know if it's protecting what it's supposed to."

Web Apps breach the Perimeter Security Gap

[Diagram labels]
- Zones: Internet; DMZ; Trusted Inside; Corporate Inside
- Browser, HTTP(S): perimeter firewall allows HTTP port 80 and HTTPS port 443
- Web servers: IIS, SunOne, Apache
- Application servers: ASP, .NET, WebSphere, Java
- Database servers: SQL, Oracle, DB2
- Firewall only allows applications on the web server to talk to the application server
- Firewall only allows the application server to talk to the database server

Web Apps breach the Perimeter Security Gap

- Talking about web applications, adversaries have fewer obstacles when performing an attack

Always Remember

"Every program has at least two purposes: the one for which it was written, and another for which it wasn't."
- Alan J. Perlis

Knowing your enemy


Injections

- Consists of including portions of SQL / LDAP / Command statements in an entry field in an attempt to get the website to pass a newly formed rogue command to the database / LDAP Server / Shell.

[Diagram labels: User; Form (User, Pass); Firewall; Web Server; DB Server]

Case: SQL Injections

1. App sends form to user
2. Attacker submits form with SQL exploit data
3. Application builds string with exploit data
4. Application sends SQL query to DB
5. DB executes query, including exploit, sends data back to application
6. Application returns data to user.

[Diagram labels: Attacker; Form (User; Pass or 1=1--); Firewall; Web Server; DB Server]
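The six steps above, traced in code as an added example (not part of the original deck): a login check that builds its SQL by string concatenation, next to a parameterized version, both run against an in-memory SQLite database. The table, column and function names and the sample account are assumptions made for the illustration; the password-field input is modelled on the one shown in the slide's diagram.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account in an in-memory database.
    # (Plaintext password only to keep the example short; a real
    # application stores a salted password hash.)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def build_query_concat(user, password):
    # Step 3: the application builds the SQL string from the form data.
    return ("SELECT name FROM users WHERE name = '" + user +
            "' AND password = '" + password + "'")


def login_vulnerable(db, user, password):
    # Steps 4-6: the string goes to the DB, which executes it as written,
    # and the application hands the rows back to the caller.
    rows = db.execute(build_query_concat(user, password)).fetchall()
    return [r[0] for r in rows]


def login_parameterized(db, user, password):
    # Hardened form: the SQL text is fixed and the form values are bound
    # separately, so the database only ever treats them as data.
    rows = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    form_user, form_pass = "nobody", "' or 1=1--"   # constructed form input
    print("query built by concatenation:")
    print("  " + build_query_concat(form_user, form_pass))
    print("vulnerable login returns:   ", login_vulnerable(db, form_user, form_pass))
    print("parameterized login returns:", login_parameterized(db, form_user, form_pass))
```

In the concatenated query the quote closes the password literal, `or 1=1` makes the WHERE clause true for every row, and `--` comments out the trailing quote, so the vulnerable function returns an account for a user that does not exist.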

Case: SQL Injections (cont.)


XSS: Cross Site Scripting

- Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.
- Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS: About JavaScript

- JavaScript is an interpreted computer programming language, implemented as part of web browsers so that client-side scripts could interact with the user, control the browser, communicate asynchronously, and alter the document content that was displayed.
- Used maliciously, JavaScript allows an attacker to:
  - Steal cookies
  - Hijack a user's session
  - Alter the content of a web page
  - Spy on what you do
  - Map your network
  - And much more

XSS Explained


Cross Site Request Forgery

- Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
- Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Cross Site Request Forgery: How it Works


Information Leaking


Misconfigurations


Web Site Defacement


Web Application DDoS

- Doesn't trigger regular DDoS defenses
- Oriented to application flaws instead of bandwidth consumption
- Resource-intensive consumption over Web / DB servers
- Slow attacks, based on legitimate transactions
- Based on botnets and automatic tools

[Diagram label: Zombie Botnet]

Real Case 1: MySpace Samy Worm

- Samy Kamkar's JS worm
- Based on XSS on MySpace profiles
- Exponential growth
  - 7 hours, ~200 infected
  - 12 hours, ~10K infected
  - 17 hours, >1M infected
- MySpace shuts down

Real Case 2: Yahoo SQL Injection

- D33Ds Company claimed the breach was intended as a wake-up call to Yahoo's security team
- Around 400,000 usernames and passwords stolen, as well as the full database architecture of the web application
- SQL injection vulnerability in an undisclosed Yahoo! web application

Real Case 3: LinkedIn SQL Injection

- SQL injection attack used over the company's website to get into backend systems.
- 6.5 million user passwords hacked and posted online
- $5 million class-action lawsuit for failing to use "basic industry standard" security practices

Real Case 4: Param Tampering - LATAM Bank

- Online banking used hidden parameters to maintain account info between forms
- Users were able to modify the account # using tools like Paros or WebScarab and look into other accounts
- Vulnerability was identified in time

Conclusions


Web Application Security


What is Application Security?

Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Application Security Approach

- Application life-cycle focus:
  - Design
  - Development
  - Deployment
  - Upgrade
  - Maintenance
- Ideal but too late
  - Difficult
  - Lengthy
  - Expensive
  - Apps already in production
- Who has responsibility?
  - Proprietary Software
  - Off the Shelf
  - Cloud Offering

We need to live with what we've got!!

We must look at threats

Application Security Needs New Approach

- Network firewalls detect network attacks
  - Inspect IP and port
- IPS products detect known signatures only
  - Signature evasion is possible
  - No protection of SSL traffic
  - No real HTTP understanding (headers, parameters, etc.)
  - No application awareness
  - No user awareness
  - High rate of false positives
- Only Web Application Firewalls can detect and block application attacks!

[Diagram labels: Network Firewall; IPS/Deep Packet Inspection Firewalls; FortiWeb Web Application Firewall; Network layer (OSI 1-3); Application layer (OSI 4-7)]

OWASP Top Ten - 2013

A1-Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data

A2-Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities

A3-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites

A4-Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data

A5-Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date

OWASP Top Ten - 2013

A6-Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax ids, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser

A7-Missing Function Level Access Control
Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality

A8-Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim

A9-Using Components with Known Vulnerabilities
Vulnerable components, such as libraries, frameworks, and other software modules almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defenses and enable a range of possible attacks and impacts

A10-Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages

PCI DSS

Requirement 6: Develop and maintain secure systems and apps

- Patching
- Configuration
- Development lifecycle
- Testing
- Production

PCI DSS (cont.)

- Requirement 6.3: Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
- Requirement 6.6: Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
  - Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  - Installing an application layer firewall in front of web-facing applications.

FortiWeb Overview


Why Web Application Firewalls?

- Applications are as critical as ever
- But
  - 49% of web apps contain high risk level vulnerabilities prone to automatic tools*
  - 80%-96% are vulnerable to detailed manual attacks
  - 99% of web apps are not compliant with PCI DSS
  - The most common vulnerabilities are not addressed by existing firewall technologies
    o Cross-site scripting
    o SQL injection
    o Information Leakage
    o HTTP Response Splitting
- Business implications of attack:
  - Lost revenue: 300$ per stolen record
  - Penalties for not meeting regulatory compliance
  - Damage to company brand

An extra Layer of Protection


FortiWeb Web Application Firewall

- Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements
- Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities
- Application Delivery: assures availability and accelerates performance of critical web applications

[Diagram captions: Secures Web Applications; Scans and Detects Web Vulnerabilities; Optimizes Application Delivery]

Protection at all Layers

- Advanced Protection: Custom Security Policies
  - Custom policies to match on multiple elements: URL, source IP, header type and value, thresholds
- Antivirus file upload scanning and Data Leak Prevention
  - Scans uploaded files for viruses and malware (FortiGuard updates)
  - Detects information disclosure, credit card and PII leakage
- Application and Network Denial of Service Protection (DoS/DDoS protection)
  - Detects and aggregates DoS attacks from multiple vectors
- Auto Learn and Validation Rules
  - Deviations from normal user behavior, automated and customer rules
- Application Attack Signatures
  - Detects known application attacks
  - FortiGuard updates
- Protocol Validation
  - Validates HTTP RFC compliance

FortiGuard Subscription Services

Real-Time Security Protection

- FortiWeb Security Service subscription keeps your FortiWeb automatically up to date with:
  - Hundreds of application signatures
  - Updates with new application signatures, malicious robots, suspicious URL patterns and web vulnerability scanner patterns
- FortiWeb Antivirus Service subscription: automated content updates for file upload scanning

Global Distributed Network

- 100+ threat research professionals
- Eight global locations
- Automated updates to Fortinet customers
- Robust 24 x 7 x 365 Real-Time Global Intelligence

FortiWeb Customers

- Government
- Telco
- Retail/Technology/Financial/Other

Features & Benefits


Known Attacks & Data Leaks

- Attacks and data leaks can be detected by FortiWeb signatures
- FortiWeb scans
  - parameters in the URL of HTTP GET requests
  - parameters in the body of HTTP POST requests
  - XML in the body of HTTP POST requests
  - Cookies
- FortiWeb monitors all outgoing traffic and protects against
  - Information Disclosure
  - Credit Card theft/misuse

Zero-day Attacks - Input Validation

- Input validation can help to defend against zero-day attacks, not yet identified
  - Buffer overflow
  - Shell code
  - Other injection attacks
- FortiWeb will sanitize inputs at web application level

Zero-day Attacks - Protocol Constraints

- Protocol constraints help prevent attacks such as buffer overflows by restricting elements of the HTTP protocol to acceptable lengths

Parameter Tampering

- Hidden field rules prevent tampering by caching the values of a session's hidden inputs as they pass from the server to the client, and verifying that they remain unchanged when the client submits the form to its POST URL
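The hidden field rule described above, and the hidden account parameter from Real Case 4, sketched as an added example (not part of the original deck and not FortiWeb's implementation): a guard that records the hidden inputs of each form served to a session and compares them with what comes back on the POST. The class and method names, the session identifiers and the sample page are hypothetical and constructed for the illustration.

```python
from html.parser import HTMLParser


class _HiddenInputs(HTMLParser):
    """Collects hidden <input> name/value pairs per enclosing form action."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # action URL -> {field name: value}
        self._action = None    # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
            self.forms.setdefault(self._action, {})
        elif tag == "input" and self._action is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name"):
                self.forms[self._action][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


class HiddenFieldGuard:
    def __init__(self):
        self._cache = {}       # (session id, POST URL) -> {field name: value}

    def observe_response(self, session_id, html):
        # Server -> client: remember the hidden values this session was given.
        parser = _HiddenInputs()
        parser.feed(html)
        for action, fields in parser.forms.items():
            self._cache[(session_id, action)] = fields

    def check_request(self, session_id, post_url, submitted):
        # Client -> server: every cached hidden value must come back unchanged.
        expected = self._cache.get((session_id, post_url))
        if expected is None:
            # Design choice of this sketch: fail closed when no form was seen.
            return ["no cached form for this session and URL"]
        violations = []
        for name, value in expected.items():
            if name not in submitted:
                violations.append(f"{name}: hidden field missing")
            elif submitted[name] != value:
                violations.append(f"{name}: hidden field changed")
        return violations


# Constructed sample page: the account number travels in a hidden input.
SAMPLE_PAGE = """
<form action="/statement" method="post">
  <input type="hidden" name="account" value="1001">
  <input type="text" name="month">
  <input type="submit" value="Show">
</form>
"""

if __name__ == "__main__":
    guard = HiddenFieldGuard()
    guard.observe_response("sess-A", SAMPLE_PAGE)
    print(guard.check_request("sess-A", "/statement", {"account": "1001", "month": "02"}))
    print(guard.check_request("sess-A", "/statement", {"account": "1002", "month": "02"}))
```

A check like this only detects the change at the proxy; the application still has to authorize the account against the logged-in user on the server side.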

Access Control

- Control clients' access to web applications and limit the rate of requests
- Restrict access to specific URLs
- Enforce page order that follows application logic
- Specify URLs allowed to initiate sessions
- Specify allowed HTTP methods

Blacklisting & Whitelisting

- Block requests based on source IP address, reputation, or which country or region the IP address is associated with
- FortiGuard IP Reputation Intelligence Service (IRIS)
  - Botnets
  - Phishers
  - Spiders/Crawlers
  - Virus-infected clients
  - Anonymizing proxies
  - DDoS participants

AV File Scanning and Upload Restriction

- Scan file uploads using Fortinet's Antivirus engine
- Regular and extended virus database
- Updates via FortiGuard with Antivirus service
- Restricts file type/size uploads

Advanced Rewriting Capabilities

- Content Routing - route traffic based on:
  - IP
  - Host
  - URL
- Rewriting and Redirection capabilities
  - Host
  - URL
  - Referrers
  - HTTP to HTTPS redirection
- Rewrite reply content
  - Absolute links
  - Any required content
  - Multiple content types supported

DoS/DDoS Protection

- Requests originating from different users are analyzed based on characteristics such as IP and cookie
- FortiWeb detects whether requests come from real users or automated attacks (HOIC, LOIC tools)
- Application layer policies
  - Number of HTTP requests per second from a certain IP
  - Number of TCP connections with the same session cookie
  - Number of HTTP requests per second with the same session cookie
  - Number of HTTP requests per TCP connection, per second, to a specific URL before FortiWeb issues a script to the client to validate whether this is a real browser or an automated tool
- Network layer
  - Number of TCP connections from the same source IP address
  - SYN flood attacks

Web Site Anti-Defacement

- Monitors application files at specified time intervals
- Upon file change detection FortiWeb can:
  - Alert
  - Automatically restore files

FortiWeb Auto Learn

- FortiWeb understands application structure
  - Models elements from actual traffic
  - Builds baseline based on URLs, parameters, HTTP methods
- Automatically understands real behavior
  - Can form fields/parameters be modified by users?
  - What are the length and type of each form field?
  - What characters are acceptable (min, max, average)?
  - Is a form field required or optional?
- Provides recommendations and graphs
  - Policies can be built based on the learned behavior

Web Application Scanner

- Scan your applications for web vulnerabilities
- Common vulnerabilities
  - SQL Injection
  - Cross Site Scripting
  - Source code disclosure
  - OS Commanding
- Enhanced/Basic Mode
- Authentication options
- Granular crawling capabilities
- Scheduled and on-demand scanning

Web Application Scanner (cont.)

- Vulnerability Reports
  - Scan summary
  - Vulnerability by severity
  - Vulnerability by categories
    - Application Vulnerabilities
    - Common Vulnerabilities
  - Server Information
  - Crawling information
    - URLs accepting input
    - External Links
- Reports can be automatically emailed
- Updates via FortiGuard

ADN - Load Balancing

- Application Aware Load Balancing
  - Support for HTTP/HTTPS
  - Variety of load balancing algorithms
    - Round Robin
    - Weighted Round Robin
    - Least Connection
    - HTTP Session Based Round Robin
  - Connection persistence
    - Persistence timeout value
- Flexible health checks
  - Physical server monitoring via HTTPS, HTTP, TCP, Ping
  - Content-based health checks with regex support
- Web Services balancing
  - WSDL or content routing statements

ADN - Data Compression

- Compress poorly optimised content to minimise impact on network resources and reduce application delivery latency
- Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers
- Compresses files using gzip
- Compression rate depends on data type and character redundancy

ADN - SSL Offloading

- Integrated ASIC-based hardware
- SSL offloading: offload CPU-intensive SSL computing from server to FortiWeb
  - Hardware-based key exchange and bulk encryption
  - Purpose-built SSL processing
  - Full certificate management
  - Advanced certification verification and revocation capabilities
- TCP Connection Multiplexing
- PKI Client Authentication

Authentication Offloading

- Offload your web server authentication to FortiWeb
- Support of different authentication schemes
  - Locally-defined accounts
  - LDAP
  - RADIUS
  - NTLM
- Based upon the:
  - End-user's confirmed identity
  - URL she or he is requesting
- FortiWeb applies rules to determine whether or not to authorize the user's HTTP/HTTPS requests.

Real Time Dashboard

- Traffic monitor per application
- Attack Event history per application
- Latest Alerts
- Appliance state

Geo IP Analysis & Security

- Analyses web app usage based on geographic location and server access
- Dissect traffic based on Hit, Data and Attack type
- Easily block access from a country using right click
- Map view or List view
- Provides a graphical interface that helps organizations understand application trends both from a user and server perspective

Event/Attack/Traffic Alerts

- Attack Alerts: full HTTP request
- Traffic Alerts: any access to web applications
- Event Alerts: any action on the FortiWeb device

Reports - Attacks

- Out-of-the-box rich and graphical reports
- Custom reports
- Scheduled daily, weekly, monthly or on demand
- PDF, HTML, Word, TXT, MHT formats

Reports - Traffic and Events

- Report on any access to the application
  - Application Hits
  - Service type usage (HTTP/HTTPS)
  - Top sources
- Report on any access or change to the FortiWeb device

Deployment Modes


FortiWeb Flexible Deployment Options

- Transparent Inspection and True Transparent Proxy
  - Easy deployment: no need to re-architect network, full transparency
  - Fail Open Interface
- Reverse Proxy
  - Supports content modification for both requests and replies from the server
  - Advanced URL rewriting capabilities
  - HTTPS offloading
  - Enhanced load balancing schemes
- Non Inline Deployment - SPAN port
  - Zero network latency
  - Blocking capabilities using TCP resets
  - Ideal for initial product evaluations, non-intrusive network deployment

[Diagram labels: FortiWeb; Web Application Servers]

How to select the right mode?

- Selecting the right mode of operation will depend on many things, including:
  - Supported FortiWeb features
  - Required network topology
  - Positive/negative security model
  - Web server configuration

Features by Mode

Operation Mode column labels: Reverse Proxy; True Transparent Proxy; Transparent Inspection; Offline Protection; HTTP; HTTPS

Feature:
- Bridges / V-zones
- Client Certificate Verification
- Config. Sync (Non-HA)
- Cookie Poisoning Prevention
- DoS Protection
- Error Page Customization
- Fail-to-wire
- File Compression
- Hidden Input Constraints
- HA
- Information Disclosure Prevention
- Page Order Rules

Features by Mode (cont.)

Operation Mode column labels: Reverse Proxy; True Transparent Proxy; Transparent Inspection; Offline Protection; HTTP; HTTPS

Feature:
- Rewriting / Redirection
- Session Management
- SSL/TLS Offloading
- SSLv3 Support
- SSLv2 Support
- Start Page Enforcement
- User Authentication
- X-Forwarded-For: Support
- XML Protection

Reverse Proxy Mode

- The default operation mode, with most of the features supported
- Requests are destined for a virtual server on the FortiWeb appliance.
- FortiWeb applies full NAT
- Servers will see the IP of FortiWeb, not the source IP of clients
- The appliance will not forward non-HTTP/HTTPS traffic to protected servers

Reverse Proxy Mode Architecture


Reverse Proxy Mode Architecture (HA)


Transparent Mode

- No changes to the IP address scheme of the network are required
- Fewer features than reverse proxy mode
- Web servers will see the source IP address of clients.
- The appliance will forward non-HTTP/HTTPS protocols.

Transparent Mode Architecture


Transparent Mode Architecture (Config Sync)


Transparent Inspection & Transparent Proxy

True transparent proxy and transparent inspection mode are the same in terms of topology, but differ in the mode of interception, and the behavior is not the same:

- True transparent proxy
  - FortiWeb transparently proxies the traffic arriving on a port that belongs to an L2 bridge
  - Applies the first applicable policy, and lets permitted traffic pass through.
  - FortiWeb logs, blocks, or modifies violations
  - This mode supports user authentication via HTTP but not HTTPS.
- Transparent inspection
  - FortiWeb asynchronously inspects traffic arriving on a port that belongs to an L2 bridge
  - Applies the first applicable policy, and lets permitted traffic pass through. (Because it is asynchronous, it minimizes latency.)
  - FortiWeb logs or blocks traffic but does not otherwise modify it (It cannot offload SSL, load-balance connections, or support user authentication)

Offline Protection Mode

- Minimal changes required and it does not introduce any latency
- Several features are not supported
- Allows organizations to learn about their web servers' vulnerabilities without production impact
- Traffic is duplicated from the flow and sent to the FortiWeb through a switched port analyzer (SPAN)

Offline Protection Architecture


Product Family


FortiWeb 400c

Hardware Performance
Throughput: 100 Mb
SSL Throughput: 70 Mb
Connections x Second: 10000 HTTP tx/Sec
SSL Connections x Second: 8100 HTTPS tx/Sec
Form Factor: 1U
Storage Capacity: 1 TB
Interfaces: 4 x 10/100/1000

FortiWeb 1000c

Hardware Performance
Throughput: 500 Mb
SSL Throughput: 400 Mb
Connections x Second: 27000 HTTP tx/Sec
SSL Connections x Second: 17000 HTTPS tx/Sec
Form Factor: 1U
Storage Capacity: 1 TB
Interfaces: 4 x 10/100/1000 (2x bypass)

FortiWeb 3000c

Hardware Performance
Throughput: 1 Gb
SSL Throughput: 630 Mb
Connections x Second: 40000 HTTP tx/Sec
SSL Connections x Second: 31000 HTTPS tx/Sec
Form Factor: 2U
Storage Capacity: 2 TB
Interfaces: 6 x 10/100/1000 (2x bypass)

FortiWeb 4000c

Hardware Performance
Throughput: 2 Gb
SSL Throughput: 1 Gb
Connections x Second: 70000 HTTP tx/Sec
SSL Connections x Second: 36000 HTTPS tx/Sec
Form Factor: 2U
Storage Capacity: 2 TB
Interfaces: 6 x 10/100/1000 (2x bypass)

FortiWeb VM Series

FortiWeb: FWB-VM02 | FWB-VM04 | FWB-VM08
Throughput: 100 Mbps | 500 Mbps | 1 Gbps
Max HTTP transactions / Sec: 8,000 | 24,000 | 36,000
Max vCPU Supported
Memory required (Min): 1 GB
Storage capacity (Min): 40 GB
