
Q&A: Does Silverline WAF protect against the OWASP Top 10?

 

Question

  • I'm curious if the Silverline WAF protects against the OWASP top 10 vulnerabilities and exploits?
  • Which phases of a WAF policy offer this protection?

 

Environment

  • Silverline WAF
  • Modules/Attack Signatures
  • WAF Policies

 

Answer

Yes, absolutely. The following is a realistic summary of Silverline WAF coverage for the OWASP Top 10:

  • A1-Injection: natively protected by default policies 
    WAF Phase: Attack Signatures (Phase 1)
  • A2-Broken Authentication: Not protected by default. Protections exist for specific vulnerabilities - e.g. if the application is broken such that an attacker can access protected resources without authentication, we can protect this with login flows. That is not an out-of-the-box implementation. We can also prevent cookie/parameter tampering, and cookie tampering protection is supported out of the box. These types of flaws tend to be highly specific, so they generally require custom configuration.
    WAF Phase: Cookie tampering protection would be enabled in Phase 3; any further protection requires custom configuration (not specific to any phase).
  • A3-Sensitive Data Exposure: This is not protected in Silverline by default, as we do not scan response-side traffic. We do protect against a great number of potential vectors for accessing sensitive data (such as SQL injection), and we support HTTP response code whitelisting.
    WAF Phase: Illegal HTTP Status in Response (HTTP response whitelisting) can partially defend against information leakage (Phase 1), in cases where server-side responses include information which can be used to enumerate the application.
  • A4-XML External Entity (XXE): Protected by Attack Signatures, though as a relatively new vulnerability class additional validation is suggested (ASM signature DB might be lacking).
  • A5-Broken Access Control: This is similar in response to A2; this is a very generic class of flaw that cannot be universally protected, however we have a number of options to protect against specific incarnations of this flaw class.
    WAF Phase: Not enough information to answer, depends on the specific nature of the flaw.
  • A6-Security Misconfiguration: Silverline can prevent known exploit attempts against vulnerable software components, and has default protections against a variety of attack vectors that may leverage A5 flaws. However, Silverline cannot resolve the misconfiguration itself (e.g. default admin credentials, open access to admin console). It should be treated as partial coverage. 
    WAF Phase: Not enough information to answer
  • A7-Cross-Site Scripting (XSS): natively protected by default policies 
    WAF Phase: Attack Signatures (Phase 1)
  • A8-Insecure Deserialization: Partial. Some A8 attacks are mitigated with Attack Signatures (e.g. STRUTS), but others require special configuration such as session tracking or dynamic parameter enforcement.
  • A9-Using Components with Known Vulnerabilities: Similarly to A6, Silverline can protect against known exploits against vulnerable components, but cannot actually patch your servers. Partial coverage. 
    WAF Phase: Attack Signatures (Phase 1), or Not Protected
  • A10-Insufficient Logging and Monitoring: This class of flaw relates not to an attack vector but to the lack of detective controls to alert administrator(s) to a security event and to find out what may have occurred. By its nature, Silverline includes a comprehensive range of logging and monitoring systems; it is recommended that customers also include sufficient logging and monitoring on their own servers - in particular, web access logs.
    WAF Phase: Not specific to any particular phase.
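To make the A3 point concrete, here is an added illustration (not Silverline code or configuration) of how a response-status whitelist behaves: it blocks responses whose status is not on the allowlist, but it never looks at the body, so sensitive data returned with a 200 passes straight through. The allowlist and the sample responses are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Status codes the hypothetical policy allows to reach the client (assumption:
# a conservative allowlist; a real policy would be tuned to the application).
ALLOWED_STATUSES = {200, 204, 301, 302, 304, 400, 401, 403, 404}


@dataclass
class Response:
    path: str
    status: int
    body: str


def check_status(resp: Response, allowed=ALLOWED_STATUSES) -> tuple:
    """Decide on a response using only its status code, as a response-status
    whitelist does. The body is deliberately never inspected."""
    if resp.status in allowed:
        return ("allow", f"status {resp.status} is whitelisted")
    return ("block", f"illegal status {resp.status} in response")


def evaluate(responses, allowed=ALLOWED_STATUSES) -> dict:
    """Map each response path to the policy verdict ('allow' or 'block')."""
    return {r.path: check_status(r, allowed)[0] for r in responses}


# Constructed sample responses (not real traffic).
SAMPLE_RESPONSES = [
    # Unhandled exception: the 500 page leaks framework and file-path details.
    Response("/search?q=%27", 500,
             'Traceback (most recent call last): File "/srv/app/views.py"'),
    # Normal page.
    Response("/index.html", 200, "<html>Welcome</html>"),
    # Not found: common and harmless, so whitelisted.
    Response("/favicon.ico", 404, "Not Found"),
    # A status the application never uses legitimately.
    Response("/status", 501, "Not Implemented"),
    # Sensitive data in a successful response: status whitelisting cannot see it.
    Response("/api/users/42", 200, '{"name": "A. Example", "ssn": "000-00-0000"}'),
]

if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_RESPONSES).items():
        print(f"{verdict:5s} {path}")
```

The last sample is the "partial coverage" caveat in code: the 500 and 501 responses are blocked on status alone, while the 200 carrying an SSN is allowed because nothing in this control reads response bodies.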

 
