
Show HN: Wallarm – Protect your web apps or APIs with fast Nginx-based instances - stepan_
https://wallarm.com
======
idank
TLDR: proxy your traffic through a locally installed secret blackbox, after
which it is "100% protected".

Not found on the website: non-buzzwordy description of how this really works
and what makes it better than the other gazillion security products. Show me
an example of an attack you stopped. I realize the website isn't selling to
engineers, but still.

~~~
hkr_mag
Just a few examples of the attacks that other security products can't catch.

1\. Very complicated things going through XML/JSON APIs. Wallarm really
parses XML, understands the structure and catches even complicated exploitation
attempts like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY a "UNION"> <!ENTITY b "SELECT"> <!ENTITY c "passwd">
    <!ENTITY d "FROM"> <!ENTITY e "admins"> <!ENTITY f "WHERE">
    <authorid>-1 &a; &b; &c; &d; &e; &f; id=1</authorid>

2\. Every vector that exploits vulnerabilities over WebSockets. Some products
don't support WebSocket at all. Some just proxy data without analysing it.
Wallarm detects malicious behaviour in WebSocket messages.

3\. All the attacks with massive evasion techniques. We run thousands of tests
to check if an attacker can bypass the attack engine. Soon, we'll publish a
bug-bounty program and we'll pay those who find bypasses.
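
The point of item 1 is that a WAF matching signatures on the raw request never sees the keywords side by side, because each one hides behind its own entity reference. As an added example (not Wallarm's code; written for this thread), the following normaliser expands internal entities with hard depth and size limits and only then runs a signature over the field values; the sample request is constructed from the payload above, wrapped in a proper DOCTYPE so it is well-formed XML:

```python
import re

# Constructed sample request, shaped like the payload quoted above but with the
# entity declarations wrapped in a proper internal DTD subset so it is well-formed.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE post [
  <!ENTITY a "UNION"> <!ENTITY b "SELECT"> <!ENTITY c "passwd">
  <!ENTITY d "FROM"> <!ENTITY e "admins"> <!ENTITY f "WHERE">
]>
<post><authorid>-1 &a; &b; &c; &d; &e; &f; id=1</authorid></post>"""

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
# A deliberately narrow signature: the keywords must be adjacent, which they
# never are in the raw request because each one sits behind its own entity.
SQLI = re.compile(r'\bunion\s+(all\s+)?select\b', re.I)

MAX_DEPTH = 4      # nesting rounds allowed before expansion is abandoned
MAX_OUTPUT = 4096  # size cap so recursive declarations cannot blow up


def expand_entities(doc: str) -> str:
    """Substitute internal general entities into the body, with hard limits."""
    decls = dict(ENTITY_DECL.findall(doc))
    # Drop the DTD itself so its declarations are not rescanned as body text.
    body = re.sub(r'<!DOCTYPE.*?\]>', '', doc, flags=re.S)
    for _ in range(MAX_DEPTH):
        new = ENTITY_REF.sub(lambda m: decls.get(m.group(1), m.group(0)), body)
        if len(new) > MAX_OUTPUT:
            raise ValueError("entity expansion exceeds size cap")
        if new == body:      # fixed point: nothing left to expand
            break
        body = new
    return body


def field_values(body: str) -> dict:
    """Leaf element name -> text, enough for a flat request like the sample."""
    return dict(re.findall(r'<(\w+)>([^<]*)</\1>', body))


def inspect(doc: str) -> dict:
    """Compare a raw signature match with a match on the expanded fields."""
    expanded = expand_entities(doc)
    hits = {name: val for name, val in field_values(expanded).items()
            if SQLI.search(val)}
    return {"raw_signature_hit": bool(SQLI.search(doc)), "expanded_hits": hits}


if __name__ == "__main__":
    print(inspect(SAMPLE))
```

The size cap is what keeps the normaliser itself from becoming the victim of a recursive ("billion laughs") declaration set.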

~~~
hkr_mag
4\. Another great example is detecting exploitation of Java Unserialize
vulnerabilities
([https://foxglovesecurity.com/2015/11/06/what-do-weblogic-web...](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)).

WebSphere takes the payload as Base64 inside the XML. To parse everything (and
do it fast), unfold the structure and detect the attacks is still an almost
impossible thing for most of the WAFs.

~~~
0xmohit
A security company citing another security company blog to describe a
vulnerability.

I <3 it!

\--

BTW, in order to use Wallarm one needs to pay upwards of $1000 pm. In order to
pacify themselves that it works, one either needs to write poor code that
exhibits XXE or pay further to use WebSphere. Nice.

~~~
hkr_mag
Pity you take it this way. The exploit for WebSphere is just an example of a
complicated case with Base64 inside XML where Wallarm can detect a malicious
request that other WAFs usually fail on.

And, no one is asked to pay anything until getting proper results during the
30-day free pilot (it could be extended). Give it a try.

------
0xmohit
One may also want to see NAXSI [0]. NAXSI is an open-source, high performance,
low rules maintenance WAF for NGINX.

[0] [https://github.com/nbs-system/naxsi](https://github.com/nbs-system/naxsi)

~~~
ddrager
I see the primary 'Advisor' to Wallarm is the primary author of Naxsi, so
perhaps this is a commercialization of the Naxsi firewall product.

~~~
hkr_mag
Glad you noticed it! Thibault Koechlin is a valuable advisor who shares his
feedback about the product. Also, we'll hopefully give some talks at hacker
conferences soon.

But naxsi and wallarm are two different products; they still have something in
common though (the use of nginx, e.g.).

------
chdir
MVP it may be, but taking pictures of your screen with a camera creates
horrible artifacts. Why not use screenshots for your banner images?

~~~
singlow
Yeah - the effect might have been gorgeous in the mockup but the moire pattern
did not survive the JPEG compression.

------
hkr_mag
Guys, here is a story of how we got the idea of Wallarm.

We started as a team of white hat hackers. Ivan (CEO) is a respected
researcher known for his articles and talks at international security
conferences (BlackHat, Hack In the Box, etc) on web application security.

Everything started with a boutique security consulting company founded by Ivan
in 2009, which with time became a synonym for the "best security audits for web
applications". After each security audit had been carried out we got a simple
question: "Good job, guys, but what's next now? We've fixed all the
vulnerabilities you found. The only problem is that we deploy code five times a
week — and each (!) update might have new security flaws. We could be hacked
again anytime!"

So, "What's next?" We didn't know and were looking for the answer, evaluating
different products pretending to secure the modern web — with orchestration by
DevOps teams, continuous integration (CI) with frequent code updates right on
production systems, complex Single-Page Applications and REST APIs, etc. And
we failed. Every solution was broken for the same reasons.

1\. They are not ready for continuous integration. Frequent code updates
result in false positives where legitimate users get banned. The only way to
avoid this is manual/semi-manual reconfiguration after each code release.

2\. They don't scale well and are not ready for orchestration by popular
DevOps tools (making themselves enemies of DevOps teams).

3\. They overwhelm users with senseless notifications about thousands of
attacks (which obviously every website has!) — without saying which of them are
in fact dangerous and targeting security flaws of the protected application.

4\. Finally, none of them helps to find vulnerabilities, which are the real
reason for data breaches.

So we ran different experiments by ourselves and step by step came to the idea
of the product that we wanted to see on the market and recommend to our
customers. We started working on it, released the first MVP and instantly got
positive feedback from all those security teams.

------
0xmohit
I feel sad when the website of a security company (especially websec) makes
browsers block parts of their web pages due to cross-origin issues.

~~~
hkr_mag
Thanks! Asked mates to figure it out.

------
csears
Starting at $1000/mo

~~~
0xmohit
Isn't it cheap for a _magical_ black-box?

~~~
hkr_mag
When we started working on Wallarm we really wanted to make it real magic :)
So we did everything automatically (profiling of applications, tuning
rulesets, etc.). It turned out that security guys (like us) are more likely to
want to understand how it actually works. So we did a lot to give this
visibility. E.g. now it's possible to get a visual profile of an application,
add/change the facts about its structure, etc.

In fact, Wallarm Node is much less of a black box than most of the commercial
security products (with their own operating system you don't have access to,
updates no one knows what is inside, etc.). It is predictable in configuration
(just new directives in nginx.conf). Scripts, which come with the Wallarm
Node, are free to review. In-memory storage (used for fast local analytics) is
accessible. You can watch what data is exchanged between Wallarm Nodes and
Wallarm Cloud. And you use an operating system you know.

With our customers, it's OK for us to share source code.

------
Bombthecat
For that money you can get IBM datapower.

Which is an all in one very powerful solution... With near wire speed
transfer.

I don't know why I should get that?

~~~
hkr_mag
Frankly speaking, I don't know what the pricing is for IBM Datapower. Is it
really only $1k per month?

I am pretty sure that it's a kind of good option for some enterprises. But
most of our customers have high-volume applications deployed in several
datacenters, with CI/CD and DevOps approaches used. For them, hardware
security boxes are almost impossible to use. What they are looking for is
DevOps-friendly tools that scale and orchestrate well with their application.
That is why we're partners with NGINX to provide all the flexibility of our
filter nodes.

Moreover, the IBM thing will not help you to figure out security flaws in your
apps and network perimeter. It will not provide you with details on which of
millions of malicious requests you really need to care about as they are
targeting existing security flaws.

I would like to get your feedback about this IBM product. Have you used it for
some time? It's not that popular among the security community (at least, that
part we usually talk with). If you give us access to test it, we'll show you
some bypasses — unfortunately, there are dozens of them for almost all
old-fashioned security solutions like this.

~~~
Bombthecat
I work daily with it and am working towards the solution implementer
certificate. So take that info with a grain of salt and maybe as biased.

About your points:

DevOps is possible. You've got like three interfaces you could utilize: JSON,
SOAP and something called AFP; if you count SSH, that's also possible to
automate with. You can load balance it, fail over, active-active, passive-
active, self load balance etc. There is also a Citrix, VMware and Docker
version. You can load balance incoming and outgoing traffic. I don't know what
else you want?

You get near wire speed format, signing, authing etc. on the Datapower.
You can also add a hardware cryptography card for even more speed.

Datapower won't protect you from passwords like admin/admin. This needs to and
should be done on the application level. But if you feel frisky you can
implement a rule check on your own. In JavaScript if you like.

Where Datapower shines is with AAA and validation with a check against known
attack vectors.

Let's say you want to prevent overloading your API with nonsense. Including
invalid string formats, i.e. they shouldn't be longer than 69 characters. And
the whole JSON request shouldn't be bigger than 2kb. You can do side calling,
i.e. checking external databases for validity. Throttle and/or stop requests.

The Datapower is extremely powerful. In terms of flexibility, speed and
security.

There is a reason why one of our customers has 60 of them.

------
philsnow
Sounds really similar to Signal Sciences (
[https://signalsciences.com/](https://signalsciences.com/) ), down to
implementation-level things as well.

hkr_mag or others, what differentiates Wallarm?

~~~
hkr_mag
Signal Sciences launched a bit after us. The main difference is in the result:

\- Guys are helping to detect anomalies and attacks, and I believe they're
doing this better than a regular WAF does.

\- Wallarm helps to discover exploitable security flaws and incidents
(vulnerability exploitation) within the attacks/anomalies which it detects.

There is still a lack of technical details on the Signal Sciences website. And
no public demo. Hey, guys, give us a try :)

------
nwrk
Looks very inspired by the VeryNginx extension.

Same features but open source [0]

[0]
[https://github.com/alexazhou/VeryNginx](https://github.com/alexazhou/VeryNginx)

Demo dashboard:
[http://alexazhou.xyz/vn/index.html#](http://alexazhou.xyz/vn/index.html#)

User: verynginx

Password: verynginx

------
ryanlol
A security company where most of the employees use their personal emails on
the VCS; I'm sure that'll be just great when one of your employees reuses
passwords (which they do) or otherwise gets hacked.

But hey, I guess that solves all the complaints about secret black boxes.

------
hkr_mag
Hey guys, Stepan and Ivan, co-founders here. Thanks for all the feedback!
Answering all of this now.

------
BinaryIdiot
Normally the person showing off something with Show HN also comes into the
comments but I haven't seen anything. Is this yours, hkr_mag? Even one of your
competitors showed up in the comments...

Some feedback (edited to add stuff twice):

\- The pricing is confusing. The front page shows me how to install it and run
but then another page mentions a free trial? Is that what I'm doing when I
install via apt-get or run via docker?

\- What's Wallarm Cloud? It appears to me Wallarm is an nginx module that
"protects" stuff, somehow, and for some (maybe all) things it sends them to
the Wallarm cloud for analysis. What is the Wallarm Cloud and how does that
protect all of my data that it's receiving? What if it's receiving HIPAA data?
Is it stored / cached and if so for how long?

\- When attempting to register I think it's best to provide a verify option
for the password.

\- When attempting to register I keep getting errors stating my password is
too simple. Even after 50 characters. I assume this is doing a check for
symbols or something, but allowing any character and then me putting in 50
characters, I think it's safe to say it's no longer "too simple".

\- You're using CORS but it's a subdomain; you don't need to do anything with
CORS at all unless you really want to (but who wants to preflight _every
single request_ if you don't have to?). Just set the document.domain to the
same domain and you're done.

\- I think you can make your registration services flow a little better. Since
it makes a request to get a token from the backend and it provides nothing
with the request (minus the session id cookie) then that means you're managing
session state on the backend so why are you also managing state on the front
end? I get the idea behind the token but you have a token _and_ a session id
and you're using token more like a session id as it doesn't appear to change
when I make calls to it.

\- Why do I have a "permissions":["admin"] in my profile? :)

\- Clicking on "Profile" takes me to a profile page, it downloads all of the
resources and makes REST calls, and then it redirects back to active. Why not
do this server-side so it's immediate and less bandwidth intensive?
Alternatively if I haven't activated and I entered the wrong email address or
other information now I can't update it at all. I have to create a new
account. I'd suggest letting profile information be updated.

\- Seems too black-box-y to me. I'd like to see something more to the point.
Then again I'm an engineer but typically for products like this I've found you
need at least some engineer buy-in to sell it to a company.

~~~
0xmohit

    if (c.get().length < 8) {
        C.isValid = false; c.hasErrors = true;
        c.errors = [{ message: "Password too short" }];
    } else if (c.get().length > 256) {
        C.isValid = false; c.hasErrors = true;
        c.errors = [{ message: "Password too long" }];
    } else if (/^[a-zA-Z0-9`~!@#\$%^&*()_=+\[\]{};:'",.<>\/? -]*$/.test(c.get())) {
        // Score character classes only: lowercase, uppercase and digits add 1
        // each, a symbol adds 2. Length plays no role beyond the 8..256 bounds,
        // so a long password of a single class still scores below 3.
        var e = 0;
        if (/[a-z]/.test(c.get())) e += 1;
        if (/[A-Z]/.test(c.get())) e += 1;
        if (/[0-9]/.test(c.get())) e += 1;
        if (/[`~!@#\$%^&*()_=+\[\]{};:'",.<>\/? -]/.test(c.get())) e += 2;
        if (e < 3) {
            C.isValid = false; c.hasErrors = true;
            c.errors = [{ message: "Password too simple" }];
        } else {
            c.hasErrors = false; c.errors.length = 0;
        }
    } else {
        C.isValid = false; c.hasErrors = true;
        c.errors = [{ message: "Invalid symbols in password" }];
    }

Maybe they could've used
[https://github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn) to
determine password strength.

------
pbarnes_1
Only $1000/month/node! What a bargain. :)

------
jxcl
I have never heard someone pronounce nginx "n-jinks" before like they did in
their video. It's a minor thing, but it hurts their credibility in my eyes.

~~~
cmdrfred
I've only ever seen it written, how do you pronounce it?

~~~
nilved
The de facto and possibly de jure pronunciation is engine-ex.

~~~
cmdrfred
Thank you. It's been n-jinx in my head for about 5 years now.

------
borski
Wallarm looks like a fairly good WAF, and focused on developers / DevOps. We
([https://www.tinfoilsecurity.com](https://www.tinfoilsecurity.com)) have the
same focus, but are focused on helping you find and fix the vulnerabilities
rather than cloaking them / trying to catch them being exploited in real-time.

"Detect anomalies and block attacks with no latency" seems hard to believe -
minimal latency, maybe, but none?

On the other hand, good luck to Wallarm - there need to be better WAFs out
there.

~~~
avtar
[http://modsecurity.org/](http://modsecurity.org/) is an open source option
with free and commercial rules. I remember reading that CloudFlare used
ModSecurity at one point and then moved to their own WAF.

~~~
hkr_mag
Mod_security is a good option proven with time. Especially if you know how to
"cook" it (read this book by Ivan Ristić to learn:
[https://www.feistyduck.com/books/modsecurity-handbook/](https://www.feistyduck.com/books/modsecurity-handbook/)).

But mod_security provides a very basic approach based on signatures (regular
expressions) which:

\- are very hard to maintain and tune, especially if you have applications
with a lot of updates (if you don't tune, you'll get false positives);

\- don't cover all the attacks;

\- are not that fast, because you need to match each request against the
signature database (it's possible to make it fast though, as CloudFlare did
with LuaJIT and OpenResty).

There are no learning capabilities in mod_security, so you need to dedicate
engineers' time to tune it. There is a lack of analytics. It will detect
thousands and millions of malicious requests but never says which of them are
targeting real vulnerabilities in your apps.

Anyway, mod_security is just another product. It's plain WAF, with a great
community and good CRS (signature ruleset).

------
bigblind
Isn't show HN meant for personal projects rather than companies?

~~~
dang
Definitely not! It's for anything you've made that people can try out.

[https://news.ycombinator.com/showhn.html](https://news.ycombinator.com/showhn.html)

------
nick007
I really like this idea and I've started using Wallarm.

\- Integration is amazingly easy if you use nginx... basically an apt-get.

\- Unlike most security packages that just block certain ports or apply
predefined rules, Wallarm feels like I have a dev-ops team looking at traffic
patterns 24/7\. They're always learning and they identify when things seem
irregular.

This is definitely the next level of network security

~~~
BinaryIdiot
Hmm, care to elaborate? Typically HN comments provide details where possible
but your comment reads very heavily like marketing speak (so much so I clicked
your profile to make sure you weren't a new user registered today). Basically:

> Integration is amazingly easy if you use nginx... basically an apt-get.

What about the Wallarm Cloud?

> Unlike most security packages that just block certain ports or apply
> predefined rules, Wallarm feels like I have a dev-ops team looking at
> traffic patterns 24/7\. They're always learning and they identify when
> things seem irregular.

What exactly does this mean? Are you implying that Wallarm uses machine
learning and what criteria / data would it use in such a case? Alternatively
is this referencing the Wallarm Cloud?

Typically infrastructure pieces are very, very well defined in what they do as
they're critical (if it's too slow or not working correctly then your
business goes too slow or stops). If you have specifics for any of your claims
it would be great to read.

