OWASP AppSec DC 2012/Training/Virtual Patching Workshop
Course Length: 2 Days
Identifying web application vulnerabilities is only half the battle; remediating them is the other half. Let's face the facts: there are many real-world business scenarios where it is not possible to update web application code in a timely manner, or at all. This is where the tactical use case of implementing a web application firewall to address identified issues proves its worth.
This workshop provides an overview of recommended practices for using a web application firewall for virtual patching. After discussing the framework to use, we will present a very interesting OWASP Summer of Code project in which the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the more complex fixes. Examples will include addressing not only the attacks but the underlying vulnerabilities, using data persistence for multi-step processes, content injection, and even examples of the new Lua programming language API. The goal of this workshop is both to highlight cutting-edge mitigation options using a web application firewall and to show how it can be used effectively by security consultants who traditionally could only offer source code fixes.
See the recent OWASP Virtual Patching Survey for a selection of topic areas we will discuss in depth: http://blog.spiderlabs.com/2012/03/owasp-virtual-patching-survey-results.html
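As an added illustration (not part of the original course description or of the WebGoat/ModSecurity project work), here are two ModSecurity 2.x virtual patches in the style discussed above: one that enforces the expected input format on a parameter instead of merely blocking attack strings, and one that uses a persistent SESSION collection to enforce step ordering in a multi-step process. The endpoints, parameter names and session cookie name are hypothetical.

```apache
# Persistent storage for collections (ModSecurity 2.x); path is an assumption.
SecDataDir /var/lib/modsecurity

# --- Virtual patch 1: fix the underlying weakness, not just the attack ---
# Hypothetical endpoint /app/item expects a purely numeric "id" parameter.
# Rather than blacklisting injection strings, enforce the intended format.
SecRule REQUEST_FILENAME "@streq /app/item" \
    "phase:2,id:100001,chain,deny,status:403,log,\
    msg:'Virtual patch: non-numeric id on /app/item'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

# --- Virtual patch 2: data persistence for a multi-step process ---
# Key a SESSION collection on the application's session cookie (name assumed).
SecRule REQUEST_COOKIES:APPSESSION "!@rx ^$" \
    "phase:1,id:100002,pass,nolog,setsid:%{REQUEST_COOKIES.APPSESSION}"

# When step 1 of the hypothetical checkout flow is submitted, remember it.
SecRule REQUEST_FILENAME "@streq /app/checkout" \
    "phase:2,id:100003,chain,pass,nolog"
    SecRule ARGS:step "@streq 1" \
        "setvar:session.step1_done=1"

# Step 2 is only valid after step 1; deny requests that jump straight to it.
# &SESSION:step1_done counts matching variables, so 0 means "never set".
SecRule REQUEST_FILENAME "@streq /app/checkout" \
    "phase:2,id:100004,chain,deny,status:403,log,\
    msg:'Virtual patch: checkout step 2 reached without step 1'"
    SecRule ARGS:step "@streq 2" "chain"
        SecRule &SESSION:step1_done "@eq 0"
```

In a chain, the disruptive action and metadata sit on the first rule and fire only when every chained rule matches, so the deny in rule 100004 triggers solely for step-2 requests whose session never completed step 1.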
Laptop Required: Yes
Students Need to Bring:
- OWASP LiveCD image pre-installed: http://appseclive.org/node/45
Audience: Technical, Operations
Skill Level: Intermediate
1) Understand Virtual Patching Concepts
2) Evaluate if virtual patching is appropriate
3) Practice constructing virtual patches for various types of vulnerabilities