From e8f33835b140a70af01913e035258b03602d9900 Mon Sep 17 00:00:00 2001 From: louzoid-gds <31240444+louzoid-gds@users.noreply.github.com> Date: Wed, 24 Jul 2024 15:27:03 +0100 Subject: [PATCH] Update WAF page Corrected some markdown and also some minor updates to some of the wording. --- .../web-application-firewall.html.md.erb | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/source/standards/web-application-firewall.html.md.erb b/source/standards/web-application-firewall.html.md.erb index 7b4ff82a..f35beda0 100644 --- a/source/standards/web-application-firewall.html.md.erb +++ b/source/standards/web-application-firewall.html.md.erb @@ -1,6 +1,6 @@ --- title: Use a web application firewall (WAF) -last_reviewed_on: 2023-06-27 +last_reviewed_on: 2024-07-24 review_in: 6 months --- @@ -12,7 +12,7 @@ A [web application firewall (WAF)](https://owasp.org/www-community/Web_Applicati Your continuous integration (CI) and continuous deployment (CD) pipelines should include security tests in their workflows to identify any common vulnerabilities in your code. Some common vulnerabilities like [Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) and [XML command injection attacks](https://wiki.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)) are still possible in your production environments due to human error. -Combining a WAF with CI and CD tools reduces the risk from those tools, and provide enhanced layered security coverage for your service. +Combining a WAF with CI and CD tools reduces the risk of these attacks being successful, and provides enhanced layered security coverage for your service. You may also need to use a WAF because of: 
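Review bot: the reworded sentence still opens with "Combining a WAF with CI and CD tools", which suggests the WAF is integrated into the pipeline rather than sitting in front of the running service; since the point is that the WAF is a second layer behind the security tests the pipeline already runs, consider "Using a WAF alongside the security tests in your CI and CD pipelines reduces the risk of these attacks being successful, and provides enhanced layered security coverage for your service." The change from "reduces the risk from those tools" to "reduces the risk of these attacks being successful" is an improvement, as the old wording implied the CI/CD tools were the risk. The `last_reviewed_on` bump to 2024-07-24 is consistent with the `review_in: 6 months` line that follows it.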
@@ -26,7 +26,7 @@ You may also need to use a WAF because of: Set up a baseline of tests in your project’s alpha phase to identify any security vulnerabilities. As your service’s features grow, extend your tests to cover new vulnerabilities you identify. For example, through exercises like [application threat modelling](/standards/threat-modelling.html) -[Good development practices](/) should detect and fix common vulnerabilities before they reach production environments. Use your WAF to track digital services vulnerabilities an attacker could exploit. +[Good development practices](https://www.ncsc.gov.uk/collection/developers-collection) should detect and fix common vulnerabilities before they reach production environments. Use your WAF to track digital service vulnerabilities an attacker could exploit. You should: 
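Review bot: the unchanged context line immediately above the edit, "For example, through exercises like [application threat modelling](/standards/threat-modelling.html)", is a sentence fragment with no terminating full stop; while this paragraph is being touched, consider folding it into the preceding sentence: "extend your tests to cover new vulnerabilities you identify, for example through exercises like [application threat modelling](/standards/threat-modelling.html)." Replacing the bare `/` link target with the NCSC developers collection fixes a link that previously just pointed at the site root, and "digital service vulnerabilities" reads correctly now.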
@@ -63,11 +63,11 @@ When WAF alerts are raised, make sure you already have an incident policy in pla Review your WAF after each application change against the risks in the OWASP top 10 category rules. -This should be similar to how you use an [IT Health Check (ITHC)](https://www.itgovernance.co.uk/it-health-check) to test and confirm the effectiveness of security controls in your environment. +This should be similar to how you use an [IT Health Check (ITHC)](/standards/how-to-do-penetration-tests.html) to test and confirm the effectiveness of security controls in your environment. ## Case study GOV.UK PaaS -A [GOV.UK PaaS](https://www.cloud.service.gov.uk/) tenant uses a pattern with [Amazon Web Services (AWS) WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) before forwarding traffic to their apps with enabled shield advance for extra protection. +A [GOV.UK PaaS](https://www.cloud.service.gov.uk/) tenant uses a pattern with [Amazon Web Services (AWS) WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) before forwarding traffic to their apps with enabled [shield advance](/manuals/security-overview-for-websites.html#12-aws-shield-response-team) for extra protection. For more information read the proposed architecture for [implementing a DDoS-resistant Website using AWS Services](https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-ddos-cross-service.html). 
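Review bot: "with enabled [shield advance](...)" should use the product name and natural word order, for example "with [AWS Shield Advanced](...) enabled for extra protection"; note also that the new link anchor is `#12-aws-shield-response-team`, so check that the target section actually describes Shield Advanced rather than only the Shield Response Team, otherwise link to the section that does. Swapping the external itgovernance.co.uk ITHC link for the internal `/standards/how-to-do-penetration-tests.html` page is a good change, as it keeps readers inside the manual and that page is maintained alongside this one.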
@@ -77,20 +77,10 @@ For more information read the proposed architecture for [implementing a DDoS-res GOV.UK Pay operates under the governance of [PCI compliance and DSS point 6.6](https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf) which states the need for web application scanning. -## Contact GDS Information Security or COD Cyber Security +## Contact GDS Information Security or CO:D Cyber Security -Contact GDS [Information Security][] or the security architects in the COS Cyber Security team by email at [cyber.security@digital.cabinet-office.gov.uk](mailto:cyber.security@digital.cabinet-office.gov.uk) or use the [#cyber-security-help Slack channel](https://gds.slack.com/messages/CCMPJKFDK/) for help and advice. +Contact GDS [Information Security][] or the security architects in the CO:D Cyber Security team by email at [cyber.security@digital.cabinet-office.gov.uk](mailto:cyber.security@digital.cabinet-office.gov.uk) or use the [#cyber-security-help Slack channel](https://gds.slack.com/messages/CCMPJKFDK/) for help and advice. 
-## Further reading - -To find out more about WAF refer to: - -- [Open Web Application Security Project (OWASP)](https://owasp.org/) the OWASP Foundation -- [WASC OWASP Web Application Firewall](https://wiki.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project) Evaluation Criteria Project -- [National Cyber Security Centre (NCSC)](https://www.ncsc.gov.uk/) guidance - -## References - -- [Information Security]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security -- [Cyber Assessment Framework]: https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf -- [Secure by Design Principles]: https://www.security.gov.uk/guidance/secure-by-design/ +[Information Security]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security +[Cyber Assessment Framework]: https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf +[Secure by Design Principles]: https://www.security.gov.uk/guidance/secure-by-design/
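Review bot: this hunk deletes the whole "Further reading" section (the OWASP, WASC WAF evaluation criteria and NCSC links) but the commit message only mentions corrected markdown and minor wording, so either the removal is unintended or it should be stated in the message; if the links were dropped deliberately (for example because they are dead or duplicated elsewhere), say so. The conversion of `- [Information Security]: https://...` bullets into bare reference definitions is the right fix: as list items they were not valid link definitions, so `[Information Security][]` in the Contact section would have rendered as literal text rather than a link. Within the visible hunks only `[Information Security][]` is referenced, so confirm that `[Cyber Assessment Framework]` and `[Secure by Design Principles]` are used elsewhere in the page; unused definitions are harmless but are dead content to maintain. The COD/COS to CO:D changes in the heading and body are consistent with each other.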