
Web Application Firewalls Revisited with OWASP Coraza

Security has been a concern since the dawn of the internet, and today's threats are more prevalent and sophisticated than ever. Success in security today means more mechanisms to protect not just the edge of your network, but every component, from attacks. In this talk we go through the Zero Trust principles and how they play a fundamental role in the design of secure modern systems. Then we’ll review how the Web Application Firewall concept has evolved to the point where no user, device, or network traffic is trusted by default. Finally we’ll meet Coraza, a modern WAF library that embraces the OWASP Core Rule Set, and see how together they protect web applications from a wide range of attacks.

José Carlos Chávez

July 08, 2024

Transcript

  1. José Carlos Chávez, Security Software Engineer @ Okta
     • Peruvian
     • Open source enthusiast
     • OWASP Coraza WAF Co-leader
     • Loving father of 2
     • Mathematician in quarantine
     @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA
  2. What is a Web Application Firewall (WAF)?
     • A WAF is a proxy-based tool that inspects incoming and outgoing HTTP traffic.
     • It analyses traffic looking for malicious or unwanted content and blocks requests/responses accordingly.
     • It can be based on predefined rulesets describing well-known attacks, e.g. the OWASP CRS.
     • It produces audit logs for every request that matched one of the rules, for further analysis.
  3. Why use a WAF?
     • Request/response inspection to mitigate zero-day attacks, client-side attacks, bot attacks, etc.
     • Security rules: SQL injection, XSS attacks, local/remote file inclusion, size restrictions, etc.
     • Anomaly scoring: assigns a score to malformed/suspicious traffic and blocks based on thresholds.
     • Virtual patching: security patches at the HTTP level to reduce the risk from CVEs.
     • Audit logs for security analysis.
  4. But… why use a WAF in 2024?
     • Zero trust
     • Lift and shift
     • PCI DSS 4.0 compliance
     • OWASP Top 10
     • Despite BOLA and AuthZ/AuthN, the biggest hack of 2023 was a SQL injection (MOVEit)
     • Robust cybersecurity program
  5. What is Coraza WAF?
     • An open source Web Application Firewall
     • Written in Go
     • Initially inspired by ModSecurity; supports seclang
     • Focused on OWASP Core Rule Set v4: the newest and shiniest CRS
     • Version 3.0 earned the Production flag from OWASP; currently on version 3.2.1
  6. Coraza core principles
     • Sustainability
     • Built on use cases
     • API stability & extensibility
     • Targets different runtimes and environments
     • Focused on performance and high throughput
  7. API features
     • Plugins: Actions, Transformations, Operators, Audit Loggers, and Body Processors can be extended with an experimental API.
     • Multiplatform connectors:
       ◦ Native Go, Caddy, HAProxy, Traefik.
       ◦ Envoy, Istio, Kong and APISIX using the proxy-wasm spec.
       ◦ Fully compatible with WebAssembly.
  8. On WebAssembly
     • Allows running Coraza on very varied stacks through a Wasm runtime, e.g. native Go, Envoy (C++) and the Coraza Playground (browser).
     • Lets Coraza serve as part of the Policy Enforcement Point (PEP) in Zero Trust deployments, specifically in sidecars in service-mesh based systems.
     • Allows choosing libraries in different languages based on their performance (polyglot Wasm).
     • Promotes portability and distribution of Coraza as an organization-wide policy without requiring application changes.
  9. What is next?
     • Directives API
     • OCSF export format
     • Paranoia level as a first-class API
     • More regex support for variables (e.g. SecResponseBodyMimeType and ctl)
     • Yet more connectors
     • Better performance in WebAssembly with Go compilation
  10. References
     • https://coraza.io/docs/tutorials/introduction/
     • https://traefik.io/blog/why-does-waf-matter-in-api-security/
     • https://github.com/corazawaf
     • https://coreruleset.org/
     • https://traefik.io/blog/traefik-3-deep-dive-into-wasm-support-with-coraza-waf-plugin/
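Slides 2 and 3 describe the WAF mechanism in four parts: a proxy in front of the application, a ruleset of signatures, an anomaly score compared against a threshold, and an audit log for every match. The Go program below is an added illustration of that pipeline and is not Coraza's code nor the OWASP CRS: the three rules, their ids and their scores are constructed for the demo, only the standard library is used, and the `WAF` wrapper, `Inspect` function and `rules` table are names chosen here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
)

// Rule is a CRS-style signature (constructed here, not the real CRS) applied to
// every request argument; Score is its anomaly weight, ID shows up in the log.
type Rule struct{ ID, Score int; Msg string; Re *regexp.Regexp }

var rules = []Rule{
	{942100, 5, "SQLi: quoted tautology", regexp.MustCompile(`(?i)'\s*or\s*'?\d*'?\s*=`)},
	{942190, 2, "SQLi: comment or UNION", regexp.MustCompile(`(?i)(--|union\s+select)`)},
	{941100, 5, "XSS: script tag", regexp.MustCompile(`(?i)<\s*script\b`)},
}

// Inspect runs every rule over every query argument, summing the anomaly score
// and collecting one audit line per match; the caller applies the threshold.
func Inspect(q url.Values) (score int, audit []string) {
	for name, vals := range q {
		for _, v := range vals {
			for _, r := range rules {
				if r.Re.MatchString(v) {
					score += r.Score
					audit = append(audit, fmt.Sprintf("rule=%d arg=%s msg=%q", r.ID, name, r.Msg))
				}
			}
		}
	}
	return score, audit
}

// WAF wraps the backend like a reverse proxy: a request scoring at or above
// the threshold is logged and answered with 403, anything else passes through.
func WAF(threshold int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		score, audit := Inspect(r.URL.Query())
		if score >= threshold {
			fmt.Printf("audit: blocked %s score=%d %v\n", r.URL.Path, score, audit)
			http.Error(w, "blocked by WAF", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

To run it as a server, pass `WAF(5, backend)` to `http.ListenAndServe`; with threshold 5, a lone low-severity match (score 2) is logged but allowed, while a tautology (5) or tautology plus comment (7) is blocked, which is the anomaly-scoring behaviour slide 3 refers to.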