In questo post ospite sul nostro blog di John Stauffacher , un esperto di fama mondiale nella sicurezza delle applicazioni Web e autore di Web Application Firewall: un approccio pratico ... John consiglia ...
The best approach to web application security is to whitelist the good
rather than to blacklist the bad.
Why? It is far simpler to enumerate all that is good within your
application than it would be to continually update all of the bad that
could possibly be thrown at your application. Your routes, cookies,
parameters (and their values) are all known to your organization.
Using this information you can create a proposed ‘whitelist’ of all
the correct points of entry, cookies, parameters, and values for your
application. This whitelist can become your baseline for the
application, and any traffic that deviates from this baseline can be
considered bad traffic.
A whitelisting approach is far more secure and efficient than
continuously enumerating ‘the bad’ in your Web traffic. The bad
changes on a daily basis. Web teams that rely on blacklisting find
themselves behind the eight ball, chasing the latest zero-day threat
and spending countless hours listing every attack vector known to man,
writing and updating rules in their WAF and driving themselves crazy.
In the end, their WAF becomes a list of attack signatures that looks
into the past and fails to stop new threats.
So while the initial process of establishing a whitelist requires a
bit more upfront time than blacklisting, you gain a more proactive and
robust WAF security stance that doesn’t have to play catch-up with
every zero-day threat that comes down the pike.
Include whitelisting as part of your standard Web application security
practice, and make sure to update your list on a regular basis. You’ll
be glad you did.