SlideShare a Scribd company logo

WAF In DevOps DevOpsFusion2019

F
Franziska Buehler

This document discusses implementing a web application firewall (WAF) using ModSecurity and the OWASP Core Rule Set (CRS) as part of a DevOps process. It recommends setting up the WAF using a Docker container for the CRS for fast feedback. This allows detecting attacks like SQL injection and cross-site scripting early before deployment, as well as reducing false positives by testing requested changes to the rule set. The goal is to integrate WAF testing into the development cycle to improve security.

Technology
Related topics:
CI/CDContinuous Integration
1 of 35
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
WAF In DevOps DevOpsFusion2019
Web Application Firewall in DevOps
WAF In DevOps DevOpsFusion2019
whoami ● franziska bühler ● architect @ puzzle ITC ● OWASP ModSecurity Core Rule Set (WAF Rules) ● OWASP DevSlop
Outline 1. Web Application Firewall 2. ModSecurity and Core Rule Set 3. WAF a Part of DevOps
Outline 2. ModSecurity and Core Rule Set 3. WAF a Part of DevOps 1. Web Application Firewall
1st line of defense APPWAF SQLi Attack XSS Attack
WAF In DevOps DevOpsFusion2019
Too late !
« We need a better process to get WAFs into production. » - Franziska Bühler
Test WAF
Outline 1. Web Application Firewall 2. ModSecurity and Core Rule Set 3. WAF a Part of DevOps
WAF In DevOps DevOpsFusion2019
WAF In DevOps DevOpsFusion2019
Installation on NGINX
Request Rules
Malicous Request
Response Rules
Response : SQL Stack Trace
False Positive
Fight False Positive
Outline 1. Web Application Firewall 2. ModSecurity and Core Rule Set 3. WAF a Part of DevOps
WAF In DevOps DevOpsFusion2019
ModSecDevOps
Setup
Setup WAF
WAF In DevOps DevOpsFusion2019
Fast Feedback
CRS Container $> docker pull franbuehler/modsecurity-crs-rp $> docker run -dt -e BACKEND=http://172.17.0.1:8000 franbuehler/modsecurity-crs-rp
WAF at
WAF In DevOps DevOpsFusion2019
WAF makes everyone happy!
Links https://www.puzzle.ch https://coreruleset.org franbuehler/modsecurity-crs-rp https://github.com/DevSlop/pixi-crs/ https://github.com/DevSlop/pixi-crs-demo/ https://modsecurity.org https://devslop.co
Let’s make the world of web applications more secure - Let’s add a WAF !
Franziska Bühler buehler@puzzle.ch @bufrasch

More Related Content

PDF
Web Application Firewall - Friend of your DevOps Pipeline?
Franziska Buehler
 
PPTX
Nodejs Security
Jason Ross
 
DOCX
Np web ii-devel-installation
Bánh Bao
 
PPTX
Mod security
Shruthi Kamath
 
PPTX
Pxosys Webinar Amplify your Security
🏆Ruben Cocheno💭
 
PDF
Node Day - Node.js Security in the Enterprise
Adam Baldwin
 
PPTX
Web Application firewall-Mod security
Romansh Yadav
 
PDF
I'm watir
yidiyu
 
Web Application Firewall - Friend of your DevOps Pipeline?
Franziska Buehler
 
Nodejs Security
Jason Ross
 
Np web ii-devel-installation
Bánh Bao
 
Mod security
Shruthi Kamath
 
Pxosys Webinar Amplify your Security
🏆Ruben Cocheno💭
 
Node Day - Node.js Security in the Enterprise
Adam Baldwin
 
Web Application firewall-Mod security
Romansh Yadav
 
I'm watir
yidiyu
 

What's hot (20)

PDF
/bin/tails from OpenStack Operations: Rarm Nagalingam, Red Hat
OpenStack
 
PPTX
.NET Conf 2018: Build Great Libraries using .NET Standard
Immo Landwerth
 
PPTX
Neil Desai - Data Driven Analytics
CSNP
 
PDF
Cypress e2e automation testing - day1 intor by: Hassan Hameed
Hassan Muhammad
 
PDF
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Masahiro Nagano
 
PPTX
WAF in Scale
Alexey Sintsov
 
PDF
[English][Test Girls] Zero to Hero: Start Test automation with Cypress
Test Girls
 
PPTX
Cypress Automation
Susantha Pathirana
 
ODP
Setting up and open fidy dev environment
ianibbo
 
PPTX
Deep dive networking
Victor Morales
 
PDF
Build and deploy to the cloud using NetflixOSS (Gradle Summit 2016)
Mike McGarr
 
PPTX
[Wroclaw #7] Security test automation
OWASP
 
PPTX
OWASP CSRF Protector
Minhaz A V
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
PPTX
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
PPTX
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
PDF
Openstack bug list
openstackcisco
 
PPTX
Apache Struts2 CVE-2017-5638
Riyaz Walikar
 
PPTX
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
NGINX, Inc.
 
PDF
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
/bin/tails from OpenStack Operations: Rarm Nagalingam, Red Hat
OpenStack
 
.NET Conf 2018: Build Great Libraries using .NET Standard
Immo Landwerth
 
Neil Desai - Data Driven Analytics
CSNP
 
Cypress e2e automation testing - day1 intor by: Hassan Hameed
Hassan Muhammad
 
Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min
Masahiro Nagano
 
WAF in Scale
Alexey Sintsov
 
[English][Test Girls] Zero to Hero: Start Test automation with Cypress
Test Girls
 
Cypress Automation
Susantha Pathirana
 
Setting up and open fidy dev environment
ianibbo
 
Deep dive networking
Victor Morales
 
Build and deploy to the cloud using NetflixOSS (Gradle Summit 2016)
Mike McGarr
 
[Wroclaw #7] Security test automation
OWASP
 
OWASP CSRF Protector
Minhaz A V
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
Openstack bug list
openstackcisco
 
Apache Struts2 CVE-2017-5638
Riyaz Walikar
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
NGINX, Inc.
 
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
Ad

Similar to WAF In DevOps DevOpsFusion2019 (20)

PDF
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 
PDF
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
PDF
WAF 101
Null Bhubaneswar
 
PDF
Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
PDF
Introduction to Mod security session April 2016
Rahul
 
PDF
Web Application Firewall. Enhancing web security in the digital age.pdf
PriyaSharma401031
 
PDF
Secure your web application with an open source WAF.pdf
PriyaSharma401031
 
PPTX
Secure your web application with open source waf (PPT).pptx
PriyaSharma401031
 
PDF
A little waf
yang bingwu
 
PDF
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
PDF
Opensource pnp container based waf
Varun konadagadapa
 
PDF
Folini Extended Introduction to ModSecurity and CRS3
Christian Folini
 
PDF
Why Do You Need a Web Application Firewall?
BORNSEC CONSULTING
 
PPT
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
PDF
Defending your workloads with aws waf and deep security
Mark Nunnikhoven
 
PDF
Introducing the OWASP ModSecurity Core Rule Set
Christian Folini
 
PDF
淺談WAF在AWS的架構_20171027
4ndersonLin
 
PDF
Web Application Frewall
Abhishek Singh
 
PDF
Benefits of web application firewall (1).pdf
PriyaSharma401031
 
PDF
淺談WAF在AWS的架構
4ndersonLin
 
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
WAF 101
Null Bhubaneswar
 
Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
Introduction to Mod security session April 2016
Rahul
 
Web Application Firewall. Enhancing web security in the digital age.pdf
PriyaSharma401031
 
Secure your web application with an open source WAF.pdf
PriyaSharma401031
 
Secure your web application with open source waf (PPT).pptx
PriyaSharma401031
 
A little waf
yang bingwu
 
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
Opensource pnp container based waf
Varun konadagadapa
 
Folini Extended Introduction to ModSecurity and CRS3
Christian Folini
 
Why Do You Need a Web Application Firewall?
BORNSEC CONSULTING
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
Defending your workloads with aws waf and deep security
Mark Nunnikhoven
 
Introducing the OWASP ModSecurity Core Rule Set
Christian Folini
 
淺談WAF在AWS的架構_20171027
4ndersonLin
 
Web Application Frewall
Abhishek Singh
 
Benefits of web application firewall (1).pdf
PriyaSharma401031
 
淺談WAF在AWS的架構
4ndersonLin
 
Ad

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Cloud computing and distributed systems.
kkkkkhan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

WAF In DevOps DevOpsFusion2019