Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Use Wasm to Deploy WAF Deeper in the Service Me...

José Carlos Chávez
March 19, 2024
Programming
0
45

Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance

In today's complex cybersecurity landscape, it is increasingly challenging to protect against sophisticated attacks. WAF is already critical to application security when deployed at the edge, including as a fast patch mechanism for zero-day exploits. But it's now possible, using Wasm plugins in the data plane, to inject WAF transparently at PEPs around individual services as part of a Zero Trust Architecture where security policy is enforced at every hop. Deploying WAF close to workloads can help organizations improve their overall security posture and reduce the likelihood of successful cyberattacks. In this talk, I will explore how Wasm can be used to deploy WAF deeper in the network, not just at the application edge. We'll also discuss compliance requirements for sensitive applications, such as PCI DSS which will demand WAF deployment by 2025. We'll explain how open-source WAFs can help meet these requirements and provide peace of mind for organizations handling sensitive data.

José Carlos Chávez

March 19, 2024
Tweet

More Decks by José Carlos Chávez

See All by José Carlos Chávez
Fine-Grained Policies RBAC with OpenFGA
jcchavezs
0
110
Managing Open Source Software Security in Your Organization
jcchavezs
0
41
Web Application Firewalls Revisited with OWASP Coraza
jcchavezs
0
16
The Top 10 List of Istio Security Risks and Mitigation Strategies
jcchavezs
0
20
Web Application Firewalls Revisited
jcchavezs
0
58
Coraza Web Application Firewall
jcchavezs
0
170
Fine-Grained Policies are back with NGAC
jcchavezs
0
38
Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall
jcchavezs
0
84
The Top 10 List of Istio Security Risks and Mitigation Strategies
jcchavezs
0
210

Other Decks in Programming

See All in Programming
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
370
PagerDuty を軸にした On-Call 構築と運用課題の解決 / PagerDuty Japan Community Meetup 4
horimislime
1
110
JaSST 24 九州:ワークショップ(は除く) 実践!マインドマップを活用したソフトウェアテスト+活用事例
satohiroyuki
0
270
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
Kubernetes for Data Engineers: Building Scalable, Reliable Data Pipelines
sucitw
1
200
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
23k
offers_20241022_imakiire.pdf
imakurusu
2
360
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
440
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
Vue.js学習の振り返り
hiro_xre
2
130

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
4 Signs Your Business is Dying
shpigford
180
21k
Facilitating Awesome Meetings
lara
49
6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Navigating Team Friction
lara
183
14k
Building an army of robots
kneath
302
42k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
680
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance José Carlos Chávez Security Software Engineer @ okta

  2. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED What is a Web Application Firewall (WAF)? • WAF is a proxy-based tool that inspect incoming/outgoing HTTP traffic. • Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. • Can be based on predefined rulesets describing well-known attacks. • Produces audit logs for every request that matched one of the rules for further analysis.

  3. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Why using a WAF? • Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, etc. • Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. • Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. • Virtual patching: security patches at HTTP traffic level to skip CVEs • Audit logs for security analysis.

  4. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But… why using a WAF in service mesh? • Zero trust • Lift and shift • PCI DSS 4.0 compliance • Biggest hack of 2023 was SQL injection (MoveIt) • Robust Cybersecurity program

  5. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Crossing paths Istio Service mesh running envoy based sidecars as policy enforcers and allowing WebAssembly plugins filtering content at ingress or workload Envoy Proxy/Gateway allowing filters written in one language and compiled into WebAssembly (proxy-wasm ABI) WebAssembly Portable binary-code format for high performance executable programs. Coraza WAF Fast Web Application Firewall compilable to WebAssembly and supporting Coreruleset 4.0.

  6. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But how? SPOILER: In the sidecar At ingress: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-ingressgateway namespace: istio-ingress spec: phase: AUTHN # before auth priority: 10000 # the bigger the safer pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: istio-ingressgateway istio: ingressgateway url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0 Each namespace individually: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-crs namespace: my-namespace spec: phase: AUTHN # before auth pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: my-app url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0

  7. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Thank you! © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED References: • https://github.com/corazawaf/coraza-proxy-wasm • https://github.com/tetratelabs/proxy-wasm-go-sdk • https://coreruleset.org/