Protect Your Website Vulnerabilities With a WAF – New Comparison Report – CloudFlare vs Incapsula vs ModSecurity

A new report came out in February, put together by Zero Science Lab, in which they compare the effectiveness of CloudFlare and Incapsula. In it they did the same thing Philip Tibom of Sweden did last year in his comparative report, in which he concluded that Incapsula was the superior product. In this new report they included the use of TrustWave’s ModSecurity solution. The thing that website owners have to understand, however, is that comparing the three is a bit misleading.

Incapsula and Cloudflare are the two leading WAF solutions set up as software as a service (SaaS), designed to help everyday website owners. CloudFlare probably trumps Incapsula, actually, in their marketing prowess. ModSecurity, although powerful, is the opposite. It’s something you’d have to configure and maintain on your web servers. It functions the same in that it filters the incoming traffic, but don’t be fooled: it has to be installed and configured, and if you don’t know what you’re doing you will likely not get the results they present. That should not take away from its use; in fact I know Cloudflare uses it as part of their solution, not 100% on Incapsula. For the everyday website owner, especially those on shared environments, unless you configure your own reverse proxy, ModSecurity will be of little value to you.

Given that ModSecurity is free, we signed up for both CloudFlare and Incapsula paid Business plan. They have noticeably different prices for their paid plans. CloudFlare Business Plan is $200/month (the WAF is also available in the Pro Plan, for $20/month). Incapsula Business Plan is $59/month. – Zero Science Lab


Security Implications of WordPress in The Enterprise

My Chileno brother from another mother, Chris Lema, put out a great guest post on WPEngine yesterday talking about WordPress and the Enterprise. He talks to the how and why of its emergence in the enterprise scene, but in the process makes a number of statements that very clearly explain the challenges we face as information security professionals. That, however, does not take away from the great points he makes around why it is a good enterprise platform.

Quick side note:

If you’re not familiar with Chris Lema, he’s perhaps one of the most engaging and insightful people you’ll meet and loves to write. WP Engine, on the other hand, is one of the premier managed WordPress hosting providers in today’s market, specializing in the ability to make your website grow wings, yes like Red Bull.

The Discussion

Of the various things I do at Sucuri, the one I am fondest of is the ability to lead our incident / intrusion handling team. This is an unadvertised service that we provide enterprises. At a high level we perform forensic analysis of the incident, outline the impacts of the compromise and perform offensive countermeasures to attacks if so required. It’s in this capacity that I have gained a unique perspective on this subject. I can attest to its arrival in the enterprise, and I’d argue that it’s no longer sneaking in – that was perhaps 2 years ago.

Web Application Vulnerability Scanners – W3AF – 12.10 xUbuntu Installation

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. It was unfortunately not the most straightforward installation; it contains a number of dependencies and was not something I was willing to invest in. I was also a bit more novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged, not sure about earlier versions, so just skip this entire post.

My biggest challenge was that I was trying to install it on a xUbuntu NIX distribution. If you’re not familiar with it, it’s a child of the Ubuntu family as implied by the name, but it’s lightweight. By lightweight I mean that it comes with the bare necessities only; if you want something on the box you have to install it, and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, to include what w3af says once installed, states that python 2.6 is required. That, fortunately, is not the case. You can definitely get it running with 2.7 and that’s what I’ll provide here.

Protecting Your Website – CloudFlare or Incapsula?

I get this question a lot whenever I talk with clients or give presentations, “How do I prevent my website from being hacked?”. Many actually confuse the service we offer at Sucuri as a preventive service. Good thing we don’t advertise preventive services.

That’s right, our service sits in the detection and remediation realm. By the nature of what we do there are preventive components that we implement, but our service has always been about detection, and more importantly remediating the mess. For any InfoSec professional working in the security domain you can understand this approach; you have long learned that prevention is ideal but detection is key and that’s based around the understanding that prevention, like detection, will never be a 100% solution.

That being said, I came across a recent report by Philip Tibom of Sweden titled Incapsula vs. CloudFlare (PDF Download). It was published October 15th, 2012 and in it he chronicles his experiences with both platforms over the last 6 months. If you’re not familiar with either then you’re really not that concerned with your security posture, and that’s ok of course but unfortunate nonetheless.

I would argue that CloudFlare is likely winning the popular vote, entering into the most partnerships and making the most noise, but Incapsula is perhaps the most effective based on the report. The two services are software as a service (SaaS) based solutions targeting the preventive side of the house; yes, these would be the first line of defense solutions so many folks are looking for.

They fall into the latest category of Web Application Firewalls (WAF) coming to the market, designed to address the pandemic problem that is website attacks and web malware distribution. They are designed to slow down, if not completely prevent, the attacks from ever occurring; in essence doing away with your need for a detection / remediation service, right?

If that were only the case..

Java Zero Day – Two Vulnerabilities

Yesterday was an interesting one for the security world; it was abuzz over the new Java 0-Day, and today is no different.

It turns out, however, that it’s not just one (1) zero-day, it’s two, and they were introduced back in July of 2011. We shared our initial thoughts on the vulnerability yesterday.

Today, though, Esteban Guillardoy put out a more in-depth analysis of the vulnerability. Thought you too would enjoy the read. It’s good to note that I’m by no means well-versed on desktop-based malware but I still enjoyed the read; my focus is web-based malware.