Since the Open Web Application Security Project (OWASP) published its OWASP Top 10 web application risks in 2003, 2004, 2007 and 2010, the Top 10 has been a key reference point for anyone concerned with web security. Over that time the OWASP Top 10 has also shifted from being a list of vulnerabilities to being a list of risks ("The 2010 version was revamped to prioritize by risk, not just prevalence. This 2013 edition follows the same approach."). This means that no single signature or single protection mechanism can address these risks on its own.

NetScaler previously provided a corresponding set of protections for OWASP Top 10 2010 (/blogs/2010/06/02/netscaler-application-firewall-and-the-owasp-top-10-2010/). With the publication of the 2013 edition, many customers have asked how NetScaler maps to the new list. The summary table below is provided for reference.

| OWASP Top 10 2013 | NetScaler Features |
|---|---|
| A1 – Injection | Injection attack prevention (SQL or any other custom injection such as OS Command injection, XPath injection, and LDAP Injection), auto-update signature feature |
| A2 – Broken Authentication and Session Management | AAA, Cookie Tampering protection, Cookie Proxying, Cookie Encryption, CSRF tagging, Use SSL |
| A3 – Cross Site Scripting (XSS) | XSS Attack Prevention, blocks all OWASP XSS cheat sheet attacks |
| A4 – Insecure Direct Object References | StartURL checks, AAA, Form protections, and Cookie tampering protections |
| A5 – Security Misconfiguration | PCI reports, SSL features, signature generation from vulnerability scan reports such as Cenzic, Qualys, and WhiteHat. Additionally, very specific protections such as Cookie encryption, Cookie proxying, and Cookie tampering protection. |
| A6 – Sensitive Data Exposure | Credit Card protection, Safe Commerce, Cookie proxying, and Cookie Encryption |
| A7 – Missing Function Level Access Control | Authorization security feature within the AAA module of NetScaler, StartURL, and ClosureURL |
| A8 – Cross Site Request Forgery | CSRF form tagging, Referer header validation |
| A9 – Using Components with Known Vulnerabilities | Vulnerability scan reports, Application Firewall Templates, and Custom Signatures |
| A10 – Unvalidated Redirects and Forwards | Protections by policy control, field format protection configuration |

For a detailed description of these protections, see NetScaler features with OWASP TOP 10 2013.