Forum Discussion

Danny_19714
Feb 01, 2008

Zero-day exploits

I am currently researching the BIG-IP Web Application Firewall and have a question. Let's assume I have a web application running on IIS that is protected by BIG-IP and has the relevant iRules applied. Will BIG-IP automatically protect the web application from zero-day exploits, or do iRules need to be created to defend against the exploit?

Thanks

Danny

4 Replies

  • Hi Aaron,

    Thanks for your reply. So ASM could protect against zero-day exploits against Windows automatically? For example, a new attack on IIS? If yes, does that mean the Windows server does not need to have the security patch applied straight away when it is released?

    Regards

    Danny
  • Hi Danny,

    I don't think I can give an unqualified answer to that. But if you have a well-built ASM policy using the positive security model, that policy will block most attacks. For example, if there is an IIS exploit which depends on an attacker being able to use a % in the requested object, and you have that character disallowed in the character set for objects, the request will be marked as illegal. Likewise, if you don't explicitly allow access to .exe or .dll object types, and the newly discovered exploit depends on access to one of these object types, the attack would be blocked.

    Of course, it's always a good practice to keep the servers patched as soon as practical.

    Aaron
  • ASM does not protect against zero-day or OWASP top ten etc. automatically; you have to customise your policy by teaching ASM what should be allowed. ASM has negative and positive security model potential. However, initially, it's default deny, whether you are in learning or blocking mode, until you accept the requests or responses. Either option, positive or negative security, involves learning and customizing the ASM; there's nothing automatic from what I have seen thus far.

    The positive security model might be automated by telling the Crawbar to crawl your backend servers, however if you have dynamic urls or pages then it would work.

    It's a long and painful process I am afraid.
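An illustration of the positive security model Aaron describes above (an allowed character set for the requested object plus an allow-list of object types), added here as an example; it is not F5 ASM code, and the policy values and sample request lines are constructed assumptions:

```python
# Added example of "positive security model" checks: anything not explicitly
# allowed is reported as illegal. Not F5 ASM code; policy values and sample
# requests are constructed for this illustration.
from urllib.parse import urlsplit

# Constructed policy: characters permitted in the requested object (the path)
# and the object types (extensions) the application actually serves.
ALLOWED_OBJECT_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/-_."
)
ALLOWED_OBJECT_TYPES = {"html", "aspx", "css", "js", "png", "no_ext"}


def object_type(path: str) -> str:
    """Object type is the extension of the last path segment, or 'no_ext'."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else "no_ext"


def check_request(request_line: str) -> list[str]:
    """Return policy violations for one HTTP request line (empty = allowed)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    violations = []
    path = urlsplit(target).path
    # The character-set check runs on the raw, undecoded path: '%' itself is
    # not in the allowed set, so percent-encoded objects are flagged outright.
    bad = sorted({c for c in path if c not in ALLOWED_OBJECT_CHARS})
    if bad:
        violations.append(f"illegal character(s) in object: {''.join(bad)}")
    if ".." in path.split("/"):
        violations.append("directory traversal sequence in object")
    ext = object_type(path)
    if ext not in ALLOWED_OBJECT_TYPES:
        violations.append(f"object type not allowed: .{ext}")
    return violations


# Constructed sample traffic: two requests the policy permits, then requests
# that depend on things the policy never allowed (a '%', a .dll, a .exe).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "POST /account/login.aspx?next=/home HTTP/1.1",
    "GET /docs/report%20final.pdf HTTP/1.1",
    "GET /cgi/tool.dll HTTP/1.1",
    "GET /static/../admin.exe HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", check_request(line) or "allowed")
```

Because the model is default-deny, a newly discovered exploit is blocked only if it needs something the policy never allowed; it does not depend on the exploit being known in advance.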