Freely subscribe to our NEWSLETTER

rWeb 4.1, first European WAF to be certified by ANSSI

An independent software vendor founded in France in 2001, DenyAll publishes rWeb, a next
generation web application firewall, dedicated to the security of web applications and services. The
product is used by organizations of all sizes to protect transactional sites (e-banking, e-administration,
e-support, e-commerce), critical applications accessible via a browser (email, HR, ERP, etc), cloud
applications (CRM, Marketing, etc) and web services (automated data transactions between servers).
rWeb version 4.1.1 was granted the first level security certificate (CSPN) by the French national
agency for information security (ANSSI), on June 27, 2013. Following a series of tests performed by
Sogeti, one of ANSSI’s official evaluators, the agency has concluded that the software complies with
its security target (which can be found on the agency’s web site in French). It also validated the
efficiency of its security features, among which a new generation of filtering engines, designed to
meet the challenges posed by modern attack and evasion techniques.

This certification is a tribute to the continuous innovation and quality improvement efforts
built into DenyAll’s flagship product since the introduction of version 4.0 in late 2010. It
illustrates the maturity of this modular and scalable platform, which allows DenyAll to deliver new
innovations to its customers, such as the following technologies:

? A new approach to SQL injection protection based on grammatical analysis of submitted data;

? A scripting language injection detection engine, protecting against nested blocks in Java,
PHP, SSI (Server Side Include) and JavaScript;

? JSON canonization

? Protection against HTTP Response Splitting;

? The ability to identify and block XSS attacks in HTML4/5 tags and attributes;

? Advanced protection against directory traversal confusion attempts.

? Dynamic detection of command injections;

? Identification of elements encoded in base64.

Improving cyber-security for Operators of Vital Importance

These innovations are necessary in the face of modern threats. They enable the safe use of new web
applications technologies and modern user interfaces, which make it a lot easier to share information.
They are essential in the context of attacks targeting national interests and broad cyber espionage.

“Public and private organizations can’t deal with today’s threats using traditional network security”,
explains Jacques Sebag, CEO of DenyAll. “Specific and innovative tools are required to effectively
fight against intrusion and data theft attempts, which now focus on Web applications.”

In many parts of the world, the Prism scandal is contributing to the realisation that American vendors are indeed cooperating with US intelligence agencies, within the boundaries of the Patriot Act, including outside of the USA. If anything, it serves to reinforce the need for organisations concerned with data privacy to favour European alternatives, when they exist. The French government is recommending the use of products certified by ANSSI, as part of its push for stronger cyber security measures to be used by public administrations and operators of vital importance.

Next steps: building awareness

DenyAll will continue to work with ANSSI in France and similar institutions in other countries, to raise the level of understanding on these issues. The company is leveraging its partners worldwide to help customers implement a security policy that meets today’s dangers: detecting vulnerabilities and protecting applications with best-of-breed, integrated security solutions is the way to go.