Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Use Wasm to Deploy WAF Deeper in the Service Me...

José Carlos Chávez
March 19, 2024
Programming
0
47

Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance

In today's complex cybersecurity landscape, it is increasingly challenging to protect against sophisticated attacks. WAF is already critical to application security when deployed at the edge, including as a fast patch mechanism for zero-day exploits. But it's now possible, using Wasm plugins in the data plane, to inject WAF transparently at PEPs around individual services as part of a Zero Trust Architecture where security policy is enforced at every hop. Deploying WAF close to workloads can help organizations improve their overall security posture and reduce the likelihood of successful cyberattacks. In this talk, I will explore how Wasm can be used to deploy WAF deeper in the network, not just at the application edge. We'll also discuss compliance requirements for sensitive applications, such as PCI DSS which will demand WAF deployment by 2025. We'll explain how open-source WAFs can help meet these requirements and provide peace of mind for organizations handling sensitive data.

José Carlos Chávez

March 19, 2024
Tweet

More Decks by José Carlos Chávez

See All by José Carlos Chávez
Fine-Grained Policies RBAC with OpenFGA
jcchavezs
0
120
Managing Open Source Software Security in Your Organization
jcchavezs
0
43
Web Application Firewalls Revisited with OWASP Coraza
jcchavezs
0
17
The Top 10 List of Istio Security Risks and Mitigation Strategies
jcchavezs
0
20
Web Application Firewalls Revisited
jcchavezs
0
59
Coraza Web Application Firewall
jcchavezs
0
170
Fine-Grained Policies are back with NGAC
jcchavezs
0
41
Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall
jcchavezs
0
84
The Top 10 List of Istio Security Risks and Mitigation Strategies
jcchavezs
0
220

Other Decks in Programming

See All in Programming
CSC509 Lecture 11
javiergs
PRO
0
180
Djangoの開発環境で工夫したこと - pre-commit / DevContainer
hiroki_yod
1
250
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
Quine, Polyglot, 良いコード
qnighy
4
650
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.2k
Realtime API 入門
riofujimon
0
150
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.4k
Remix on Hono on Cloudflare Workers
yusukebe
1
310
DevTools extensions で 独自の DevTool を開発する | FlutterKaigi 2024
kokiyoshida
0
130
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
2
130
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
1.1k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Code Review Best Practice
trishagee
64
17k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
It's Worth the Effort
3n
183
27k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Writing Fast Ruby
sferik
627
61k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
The Art of Programming - Codeland 2020
erikaheidi
52
13k

Transcript

  1. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance José Carlos Chávez Security Software Engineer @ okta

  2. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED What is a Web Application Firewall (WAF)? • WAF is a proxy-based tool that inspect incoming/outgoing HTTP traffic. • Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. • Can be based on predefined rulesets describing well-known attacks. • Produces audit logs for every request that matched one of the rules for further analysis.

  3. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Why using a WAF? • Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, etc. • Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. • Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. • Virtual patching: security patches at HTTP traffic level to skip CVEs • Audit logs for security analysis.

  4. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But… why using a WAF in service mesh? • Zero trust • Lift and shift • PCI DSS 4.0 compliance • Biggest hack of 2023 was SQL injection (MoveIt) • Robust Cybersecurity program

  5. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Crossing paths Istio Service mesh running envoy based sidecars as policy enforcers and allowing WebAssembly plugins filtering content at ingress or workload Envoy Proxy/Gateway allowing filters written in one language and compiled into WebAssembly (proxy-wasm ABI) WebAssembly Portable binary-code format for high performance executable programs. Coraza WAF Fast Web Application Firewall compilable to WebAssembly and supporting Coreruleset 4.0.

  6. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But how? SPOILER: In the sidecar At ingress: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-ingressgateway namespace: istio-ingress spec: phase: AUTHN # before auth priority: 10000 # the bigger the safer pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: istio-ingressgateway istio: ingressgateway url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0 Each namespace individually: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-crs namespace: my-namespace spec: phase: AUTHN # before auth pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: my-app url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0

  7. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Thank you! © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED References: • https://github.com/corazawaf/coraza-proxy-wasm • https://github.com/tetratelabs/proxy-wasm-go-sdk • https://coreruleset.org/