Web Application Security 12 (WEBSEC) – Outline

Outline detalhado do curso

  • Web Application Security Admin Setup
    • Configure users, roles and permissions for the SecureSphere Web Application Firewall.
    • Create additional SecureSphere users with local or external authentication, as needed.
  • Verifying the Initial Configuration
    • Verify and configure all Web assets for protection by SecureSphere.
    • Configure the details of a Web Service object and associated application object in a manner which accurately represents an organization’s deployment of a specific Web application.
    • Verify network traffic from Load Balancers and Proxies will be handled correctly.
    • Install SSL keys for the Web applications to be protected.
    • Prevent potential compliance issues by configuring Data Masking to prevent sensitive information from being captured by SecureSphere.
    • Customize the SecureSphere default error page.
  • Web Application Level Preparations
    • Create additional Web Application Sites Tree objects, as needed.
    • Map an application object by host header and prioritize the mapping rules.
    • Adjust the initial learning thresholds based on the protected applications and Imperva best practice recommendations.
  • Web Application Security Policies
    • Given different types of Web attacks, configure appropriate polices to defend Web applications.
    • Create Action Set policies.
    • Assign relevant Action Set policy to specify Security Policy Followed Actions.
    • Configure and apply signature policies to defend Web applications from attacks with easily recognizable signatures.
    • Disable a signature from one or more signature dictionaries. Configure and apply HTTP/1.X Protocol policy to defend HTTP/1.X applications from protocol attacks.
    • Explain requirements for HTTP/2.X Protocol Policy (experimental) for defending HTTP/2.x applications from protocol attacks.
    • Mitigate and monitor Slow HTTP and Slow HTTPS attacks.
    • Configure and apply correlation policies to protect against multi-front Web attacks.
    • Mitigate SQL injection, cross site scripting attacks and more using Web correlation policies.
    • Consider how correlation technology works before disabling policies or policy rules.
    • Configure and apply custom Web policies to protect specific application weaknesses.
    • Configure and apply ThreatRadar policies to protect against advanced Web attacks, and the latest Web attacks.
    • Explain the factors that determine when to use modify a built-in policy, and when to create a copy of a built-in policy and modify it instead.
    • Create policy configuration reports.
  • Web Application Profiling
    • Describe the components of the Web Application Profile.
    • Explain how the Web Application Profile learns and protects Web applications.
    • View a summary of all the profiles and statistics about them.
    • Define and explain how application activity is mapped to the profile with application mapping.
    • Identify common Web application components used in the learning process.
    • View and edit a profile URL’s HTTP methods and URL parameters.
    • Display a profile’s list of URL patterns defined for the application, learned cookies and their statuses, a list of the mapplication’s login action URLs, a list of the hosts on which the application’s URLs are located and susceptible directories.
    • Monitor the Web profile as it is being built during the learning period.
    • Switch a URL from learning mode to protect mode.
    • Lock a URL or a URL directory.
    • Define and explain how Web application user tracking operates.
    • Specify the authentication method to be used for a Web service.
    • View, add and edit Action URLs.
    • Define a Web Application User Tracking Decision Rule.
    • Create a Set of Decision Rules for an Action URL.
    • Explain how to select Web Profile Policy rules for the protected Web application.
    • Configure appropriate reports to help administrators analyze profiles and profile learning.
    • Display graphical representations of profile information.
  • ThreatRadar Threat Intelligence
    • Identify and configure appropriate ThreatRadar feeds to help secure Web applications.
    • Configure and use ThreatRadar Reputation Service to identify potentially malicious client activity.
    • Protect Applications from Anonymous Proxies, Comment Spam IPs, Malicious IPs, Phishing URLs, and TOR IPs.
    • Identify when to use and how to configure ThreatRadar Intelligence (Reputation Services).
    • Identify when to use and how to configure ThreatRadar Intelligence (Community Defense).
    • Identify when to use and how to configure ThreatRadar Anti Automation (Bot Protection).
    • Identify when to enable and how to configure ThreatRadar Emergency Feed and related security policies.
    • Identify environments that may benefits from ThreatRadar Account Takeover Protection.
    • Identify environments that may benefits from ThreatRadar Fraud Prevention Services.
    • Use IP Forensics to investigate and analyze source of traffic SecureSphere alerts.
    • Enable and disable ThreatRadar services globally.
    • Restrict Access by Country using IP Geo Location.
    • Configure Community Defense data sharing and data masking to meet company data handling requirements.
  • Alerts, Violations and Monitoring
    • Monitor alerts using the dashboard view
    • Identify Gateways managed by SecureSphere.
    • Review the state of Gateways and server groups.
    • Analyze traffic, CPU load, and hits.
    • Analyze the latest alerts and system events.
    • Apply a filter to view alerts generated in a specific date range.
    • Identify false positive and attack events.
    • Identify tuning opportunities.
    • Determine alert severity, action taken in response to the event, and whether the alert information has been aggregated.
    • Apply basic, quick, and advanced filters to Alerts and Violations.
    • Configure appropriate reports for analysis of Alerts and Violations.
    • Configure appropriate reports to identify tuning opportunities.
    • Correct false positive events with the “Add as Exception” and “add to profile” buttons.
    • Flag Alerts to support an event review workflow.
  • SecureSphere Web Application Firewall Tuning
    • Tune SecureSphere to minimize false positives, streamline profiles, improve policies and reduce non-essential alerts.
    • Explain the impact and trade-offs of the “add to profile” button.
    • Explain the impact and trade-offs of Parameter prefixes and URL prefixes.
    • Identify impacts of modifying predefined, automatically applied Policies.
    • Create custom policy to minimize the impacts of modifications with the predefined, automatically applied Policies.
    • Reduce the number of alerts in SecureSphere by preventing the display of false positives and making changes to noisy policies.
    • Improve performance of SecureSphere by removing redundant policies and controlling the size and number of profiles.
    • Confirm the correct SSL keys have been imported and the encryption ciphers used by the servers.
    • Exclude trusted vulnerability scanners from WAF inspection.
    • Identify profiling anomalies.
    • Determine if a separate Web application should be created.
    • Determine if Web profile plug-ins are needed and configure them.
    • Build a report to show how many of what type alerts have occurred.
    • Use this report to direct your alert review and give you an agenda for alert tuning.
    • Restrict application object monitoring to specific URLs and directories.
  • Active Blocking
    • Configure SecureSphere to enforce the tuned configuration.
    • Move SecureSphere from Simulation to Active Blocking mode.
    • Test that blocking is occurring with simulated attack patterns.
    • Verify the error page is working and is displaying a non-default error page.
    • Define custom error pages and error page policies.
    • Configure additional Web Error Page Groups as needed.
    • Monitor suspicious, Users/IPs/Sessions and apply extended blocking with Action Sets and Followed Actions.
  • Web Scanner Integration
    • Integrate external Web scanner data with SecureSphere and manage identified vulnerabilities.
    • Conduct a Web server scan.
    • Prepare results from the vulnerability scan for import into SecureSphere.
    • Import scanner File.
    • Configure a scanner integration policy.
    • Apply the policy to the target server where the scan results originated.
    • View the results of the Scanner Integration in the Vulnerability Workbench.
    • Mitigate vulnerabilities discovered.
  • Configuring Reverse Proxies
    • Describe reverse proxy architectures for all Imperva Web application security products.
    • Describe the differences between Transparent Reverse Proxy and Kernel Reverse Proxy modes.
    • Identify when the Transparent Revers Proxy mode best supports an organization’s desired deployment architecture.
    • Identify when the Kernel Revers Proxy mode best supports an organization’s desired deployment architecture.
    • Configure Reverse Proxy mode settings.
    • Create and configure default and custom Web error pages for use in security policies.
    • Configure URL rewrite and redirection rules.
    • Configure SecureSphere to work with SSL Client Certificates.