The Open Web Application Security Project (OWASP) recently released the OWASP Top 10 for 2010 for web application security. The list documents the most common categories of web application vulnerability and is a good starting point for evaluating the security of a web application. Here we detail how to configure the NetScaler Application Firewall to mitigate each of these flaws. The Application Firewall is available as an integrated module in the NetScaler Application Delivery Controller, alongside its high performance load balancing functions, and also as a full range of standalone firewall appliances on the same NetScaler MPX hardware, delivering the fastest Web Application Firewall in the market today.

The full OWASP Top 10 document is available at OWASP Top 10 for 2010.

I assume some familiarity with NetScaler Application Firewall configuration and features. Some of the OWASP Top 10 items refer to the broader security environment (insecure configuration, SSL and the like) rather than to a single firewall check, but the relevant NetScaler specific configuration is noted for each. The OWASP Top 10 is best used as a starting point to gauge your web application security; NetScaler offers a much richer set of functionality beyond what this list covers.

OWASP Top 10 – 2010 | NetScaler feature
A1 – Injection | Injection attack prevention (SQL / custom)
A2 – Cross Site Scripting (XSS) | XSS attack prevention
A3 – Broken Authentication and Session Management | AAA, cookie tampering protection, CSRF tagging. Use SSL
A4 – Insecure Direct Object References | Form field consistency, field format, AAA
A5 – Cross Site Request Forgery (CSRF) | CSRF form tagging, Referer header validation
A6 – Security Misconfiguration | PCI reports
A7 – Failure to Restrict URL Access | Start URL protection with URL closure
A8 – Unvalidated Redirects and Forwards | Policy control, field format protection configuration, Referer header scrubbing
A9 – Insecure Cryptographic Storage | Applicable to the backend server infrastructure. A FIPS compliant model is available for securing keys on the firewall device itself
A10 – Insufficient Transport Layer Protection | Use SSL with strong keys and ciphers
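As an added example, not taken from the original post or from the whitepaper, the following NetScaler command-line configuration turns on the protections listed in the table above for one application on a single Application Firewall profile. The profile, policy, virtual server and certificate names, the hostname bank.example.com, the form field account_id and the start URL regex are all placeholders; the command syntax follows the NetScaler 9.x/10.x `appfw` and `ssl` CLI, and the built-in `integer` field type is assumed to exist in your release (check with `show appfw fieldType`).

```text
# Added example, not part of the original post. All names (prof_bank, pol_bank,
# vs_bank_ssl, ck_bank, bank.example.com, account_id) are placeholders.

# One advanced profile carries the checks for A1, A2, A3, A4, A5 and A7.
add appfw profile prof_bank -defaults advanced

# A1 Injection and A2 XSS: block, log and count hits, and neutralise SQL special
# characters / unsafe HTML in requests that are otherwise allowed through.
set appfw profile prof_bank -SQLInjectionAction block log stats -SQLInjectionTransformSpecialChars ON
set appfw profile prof_bank -crossSiteScriptingAction block log stats -crossSiteScriptingTransformUnsafeHTML ON

# A3 Session management and A5 CSRF: reject cookies the server did not set or that the
# client modified, and tag every form so that a forged cross-site POST fails the check.
set appfw profile prof_bank -cookieConsistencyAction block log stats
set appfw profile prof_bank -CSRFtagAction block log stats
# A5 / A8 Referer validation: a request carrying a Referer that is not one of the
# start URLs below is blocked (requests with no Referer at all are not affected).
set appfw profile prof_bank -RefererHeaderCheck if_present

# A4 Insecure direct object references: hidden and read-only form fields must come back
# exactly as sent, and user-editable fields must match a declared format and length.
set appfw profile prof_bank -fieldConsistencyAction block log stats
set appfw profile prof_bank -fieldFormatAction block log stats
bind appfw profile prof_bank -fieldFormat account_id "/account/view" -fieldType integer -fieldFormatMinLength 1 -fieldFormatMaxLength 10

# A7 Failure to restrict URL access: only the listed entry points may be requested
# directly; with URL closure every other URL must have been served in an earlier
# response to this session (character classes avoid backslash escaping in the CLI).
set appfw profile prof_bank -startURLAction block log stats -startURLClosure ON
bind appfw profile prof_bank -startURL "^https?://bank[.]example[.]com/(index[.]html|login)?$"

# Policy control: apply the profile to this application only and bind it globally.
add appfw policy pol_bank "HTTP.REQ.HOSTNAME.EQ(\"bank.example.com\")" prof_bank
bind appfw global pol_bank 100

# A10 Insufficient transport layer protection: a 2048-bit RSA key pair, SSLv2 and SSLv3
# disabled, and only the HIGH cipher group bound in place of DEFAULT.
add ssl certKey ck_bank -cert bank.example.com.crt -key bank.example.com.key
bind ssl vserver vs_bank_ssl -certkeyName ck_bank
set ssl vserver vs_bank_ssl -ssl2 DISABLED -ssl3 DISABLED -tls1 ENABLED
unbind ssl vserver vs_bank_ssl -cipherName DEFAULT
bind ssl vserver vs_bank_ssl -cipherName HIGH
```

Run the profile with `log stats` (or `learn`) against real traffic first and only switch the actions to `block` once the relaxations, the start URL list and the field format bindings, cover the application's legitimate requests; start URL closure in particular will block any bookmark or deep link that is not in the start URL list. A6 and A9 are not profile settings: use the PCI report to audit the configuration, and the FIPS appliance if keys must stay in hardware.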

The full document is available as a whitepaper for download (NetScaler Application Firewall and the OWASP Top 10 2010).

Twitter: @netscaler or me @vkorr
