jShield: An Open Source Solution for Web Application Security
Abstract
This article describes a solution for web application security based on an application firewall implemented as a reverse proxy. The application firewall uses both the negative filter model (blocking requests that match attack signatures) and the positive filter model (allowing only requests that conform to a whitelist of expected input) so that, besides giving applications more protection, it avoids false positives that would filter out legitimate application traffic. In this way the firewall combines the easy configuration of the negative security model with the stronger protection provided by the positive model.
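The abstract names the two models but not how jShield combines them, nor its implementation language. The following is an added illustration written for this page in Python; it is not jShield's code. The combination strategy is an assumption: for paths that have a whitelist, the positive model alone decides (a conforming request is allowed without running signatures, which is where the false positives are avoided); for paths without one, the negative model decides, so an incomplete whitelist does not block legitimate traffic. The whitelist rules, signatures and sample requests are all constructed here.

```python
"""Hybrid positive/negative request filter for a reverse-proxy WAF.

Added illustration only, not jShield's code. Assumption: the positive
(whitelist) model decides for paths it knows; the negative (signature)
model decides for everything else.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Positive model: per-path whitelist of parameter names and value patterns (constructed).
POSITIVE_RULES: Dict[str, Dict[str, re.Pattern]] = {
    "/login": {
        "user": re.compile(r"[A-Za-z0-9._-]{1,32}"),
        "pass": re.compile(r".{1,64}"),
    },
    "/search": {
        "q": re.compile(r"[\w\s-]{1,80}"),
        "page": re.compile(r"\d{1,3}"),
    },
}

# Negative model: generic attack signatures (constructed, deliberately small).
NEGATIVE_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("xss-tag", re.compile(r"<\s*(script|img|iframe|svg)\b", re.I)),
    ("xss-handler", re.compile(r"\bon(error|load|click|mouseover)\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    model: str                       # "positive", "negative" or "none"
    reasons: List[str] = field(default_factory=list)


def positive_check(path: str, params: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Return ("match" | "violation" | "unknown", reasons) for the whitelist of this path."""
    rules = POSITIVE_RULES.get(path)
    if rules is None:
        return "unknown", [f"no whitelist for {path}"]
    problems = []
    for name, values in params.items():
        pattern = rules.get(name)
        if pattern is None:
            problems.append(f"unexpected parameter {name}")
        elif not all(pattern.fullmatch(v) for v in values):
            problems.append(f"value of {name} outside whitelist")
    return ("violation", problems) if problems else ("match", ["conforms to whitelist"])


def negative_check(path: str, params: Dict[str, List[str]]) -> List[str]:
    """Run every signature over the decoded path and every parameter value."""
    hits = []
    for name, pattern in NEGATIVE_SIGNATURES:
        if pattern.search(path):
            hits.append(f"{name}:path")
        for param, values in params.items():
            if any(pattern.search(v) for v in values):
                hits.append(f"{name}:{param}")
    return hits


def inspect(request_line: str) -> Verdict:
    """Decide on a request line such as 'GET /login?user=bob&pass=x HTTP/1.1'."""
    tokens = request_line.split()
    target = tokens[1] if len(tokens) >= 2 else tokens[0]
    split = urlsplit(target)
    path = unquote(split.path)                               # decode %2e%2e%2f and friends
    params = parse_qs(split.query, keep_blank_values=True)   # '+' and %xx decoded
    status, reasons = positive_check(path, params)
    if status == "match":
        return Verdict("allow", "positive", reasons)         # signatures deliberately skipped
    if status == "violation":
        return Verdict("block", "positive", reasons)
    hits = negative_check(path, params)
    if hits:
        return Verdict("block", "negative", hits)
    return Verdict("allow", "none", ["uncovered path, no signature hit"])


SAMPLE_REQUESTS = [  # constructed traffic, not captured data
    "GET /login?user=alice&pass=s3cret HTTP/1.1",
    "GET /login?user=alice'+OR+1=1--&pass=x HTTP/1.1",
    "GET /search?q=union+select+tutorial&page=2 HTTP/1.1",   # negative model alone would block this
    "GET /help?topic=<script>alert(1)</script> HTTP/1.1",
    "GET /report?id=1'+OR+'1'='1 HTTP/1.1",
    "GET /static/..%2f..%2fetc/passwd HTTP/1.1",
    "GET /help?topic=passwords HTTP/1.1",
]


def run_samples() -> List[Tuple[str, str, str]]:
    """Return (request, action, deciding model) for each constructed request."""
    results = []
    for req in SAMPLE_REQUESTS:
        verdict = inspect(req)
        results.append((req, verdict.action, verdict.model))
    return results


if __name__ == "__main__":
    for req, action, model in run_samples():
        print(f"{action:5} [{model:8}] {req}")
```

The third sample is the point of the hybrid: a search for "union select tutorial" trips the `sqli-union` signature, but because `/search` has a whitelist and the value conforms to it, the positive model vouches for the request and the signature is never consulted. The cost is that a whitelist pattern now carries the security of that field, so it must be as tight as the application allows; `/help` and `/report` have no whitelist and are covered only by the signatures, which is the easy-to-configure but weaker side of the trade-off the abstract describes.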