After a 3-year program of work, a tier-one APAC bank was ready to assess the effectiveness of the WAF deployment it had configured to protect its key online assets. Given the bank’s strict requirements for both minimum disruption to legitimate service and maximum effectiveness, it had worked closely with the magic quadrant vendor to optimize the blocking mask.
For this assessment, the bank contracted an Application Security Testing supplier to conduct volumetric and application-layer DoS tests, plus SQLi and XSS with basic evasion. Basic evasion was agreed to be limited to the OWASP SQLi and XSS cheat sheet series.
The tests produced frightening results. The WAF detected only 3% of the obfuscated SQLi attacks and 52% of the XSS attempts. As a result, the bank was desperate to apply more effective controls, but still could not compromise the compatibility of any additional defense with the normal functioning of the application.
RedShield proposed an out-of-path re-test in two phases:
- First, 2 stages of testing by the Bank’s application testing team. This was to tune the RedShield blocking masks to be compatible with the normal functioning of the application.
- Second, testing by the Security Testing supplier. Bypass and evasion methods over and above the OWASP cheat sheet series were also discussed, to extend the scope of the testing.
In parallel, RedShield took the Bank’s change and incident management personnel through an operational onboarding workshop covering the process elements of outsourcing the protection function to RedShield.
We also requested to see any relevant pen test findings where remediation was still in the development backlog. For these we provided a shielding plan under which the required logic and content manipulation could be performed on the RedShield proxy layer, in lieu of their developers having to touch code.
RedShield achieved in days what we had failed to deliver with a magic quadrant vendor in years. These devices are complicated, so even in a world with auto-learning and AI tools, don’t underestimate the skills required to run these optimally. With the addition of RedShield we went from project failure to program success in weeks.
Given that the bank had adequate application test scripts, compatibility tuning was completed successfully in 3 passes over a 2-week period. During this process, RedShield experts reviewed a combination of raw logs and machine learning suggestions to rapidly tune the blocking mask down to the optimal set. Attention was also paid to any reduction in effectiveness introduced by this tuning. To measure this, RedShield used its normal weekly audit function, but applied it more frequently during this period.
Post tuning, the application security testers conducted their testing again, this time with very different results: passes across the board.
Further testing with both RedShield and the partially remediated MQ vendor’s solution continued over the following weeks, until finally the decision was made to place both in path. The MQ vendor remained in front of RedShield to continue delivering the CDN and DDoS services that were integrated into the bank’s operational processes, whilst RedShield was deployed as close as possible to the application server for protection.
The operation to date has been a success, with no application incompatibility reported. Should one arise, all parties are aware of the operational processes that ensure issues are resolved in minutes. Evasion and bypass testing continues to prove effective. The bank is also seriously considering RedShield’s transformational shield to help accelerate risk reduction and optimize workflow in its core application development function.