Lab 2 – Discover the OWASP Dashboard

Objective

  • Open up and view the OWASP Compliance Dashboard
  • Apply some basic attack signatures using the Dashboard
  • Disable the staging of the security policy

Discover and learn to operate the Dashboard

  1. On the Main tab, click Security -> Overview -> OWASP Compliance. This opens the OWASP Dashboard. Highlight your new policy juice_shop_waf. You will see that your score is 0/10 for securing against the OWASP Top 10, though some categories will show a partial percentage score.

  2. Click on the expand arrow next to A1 Injection. This will display the attack signature types and required protections you need to secure yourself against this risk.

    [Figure: a1initialreview.png]
  3. On that same screen in the OWASP Dashboard, hover your pointer over SQL-Injection and select the checkmark. Also hover over Server Side Code Injection and select the checkmark. These checkmarks apply the protections to the policy. Notice your potential A1 Injection protection % increased.

    Note

    In the dashboard, if you see the checkmark available, it will enforce any protections required to be compliant for that vector.

    [Figure: a1addsignatures.png]
  4. Press the blue Review & Update button below. On the pop up window press the blue Save & Apply Policy button.

    Note

    While all attack signatures in this policy are in staging, we just used the OWASP dashboard to directly enforce (skip staging) those two categories. This is a typical approach for securing an application immediately against a specific category of injection attacks: those attack types are now blocked, while the rest of the attack categories remain in staging (learning and alarming only).

  5. Now, to bring forward the point at which the policy starts blocking malicious traffic, we will turn off signature staging. This simulates waiting out the default 7-day staging period for your attack signatures.

    • Go to Security -> Application Security -> Policy Building -> Learning and Blocking Settings
    • Expand Attack Signatures
    • Uncheck the box next to Enable Signature Staging
    • Press Save at the bottom of that screen
    • Press Apply Policy button at the top right corner of your screen

    Note

    For those of you looking for the attack signature list: you may have noticed that the location of attack signatures has changed in the most recent release.

    [Figure: disablestaging.png]
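The interaction between the dashboard checkmarks (steps 3-4) and the policy-wide staging switch (step 5) can be summarised as a small model. The following is an added example written for this lab, not F5 code: it assumes a simplified staging semantic in which a signature category is enforced when staging is off for the whole policy or when the category was enforced from the dashboard, and that enforced matches block in a blocking-mode policy while staged matches only alarm. The category names other than those in the lab, and the policy object itself, are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified model of attack-signature staging (an assumption about behaviour,
# not F5's implementation). A category is enforced when policy-wide staging is
# off, or when it was explicitly enforced from the OWASP dashboard. Enforced
# matches block in a blocking-mode policy; staged matches only raise an alarm.


@dataclass
class SignaturePolicy:
    name: str
    blocking_mode: bool = True          # policy enforcement mode (blocking vs transparent)
    signature_staging: bool = True      # the "Enable Signature Staging" checkbox
    enforced_categories: set = field(default_factory=set)  # dashboard checkmarks

    def enforce_from_dashboard(self, *categories: str) -> None:
        """Dashboard checkmark: enforce these categories now, skipping staging."""
        self.enforced_categories.update(categories)

    def disable_staging(self) -> None:
        """Learning and Blocking Settings -> uncheck Enable Signature Staging."""
        self.signature_staging = False

    def is_enforced(self, category: str) -> bool:
        return (not self.signature_staging) or category in self.enforced_categories

    def action(self, matched_category: str) -> str:
        """Outcome for a request that matched a signature of the given category."""
        if not self.is_enforced(matched_category):
            return "alarm"              # staged: logged and learned, request passes
        return "block" if self.blocking_mode else "alarm"


def walk_through_lab() -> dict:
    """Replay steps 3-5 of the lab and record the outcome at each stage."""
    cats = ("SQL-Injection", "Server Side Code Injection", "Cross Site Scripting")
    policy = SignaturePolicy("juice_shop_waf")   # constructed, named after the lab policy
    initial = {c: policy.action(c) for c in cats}
    policy.enforce_from_dashboard("SQL-Injection", "Server Side Code Injection")
    after_dashboard = {c: policy.action(c) for c in cats}
    policy.disable_staging()
    after_staging_off = {c: policy.action(c) for c in cats}
    return {"initial": initial, "after_dashboard": after_dashboard,
            "after_staging_off": after_staging_off}


if __name__ == "__main__":
    for stage, outcome in walk_through_lab().items():
        print(stage, outcome)
```

Note that "Cross Site Scripting" stands in for any category that was not enforced from the dashboard; it only starts blocking once staging is disabled for the whole policy.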
  6. Go back to your OWASP Dashboard: Security -> Overview -> OWASP Compliance. Select your policy juice_shop_waf. You will now see many more OWASP protections in place.

    [Figure: dbwithblocking.png]

    Note

    When we disabled the staging, we represented a user waiting out the enforcement readiness period. We basically just time traveled to the future!! https://youtu.be/8qrriKcwvlY

  7. Congratulations! You now have a protected app, and you have visibility into how well you are protected against the OWASP Top 10. In the following labs we will work to get you even more protection against the OWASP Top 10.

    Note

    While working towards the goal of applying more security, each use case is different, and the dashboard may not always reach 100% in every category. The dashboard gives you a visual guide to, and documentation of, your progress towards OWASP compliance with each technical security policy change, as well as for corporate governance.