Web Application Firewalls Revisited with OWASP Coraza

Transcript

1. None

2. JOSÉ CARLOS CHÁVEZ Okta WEB APPLICATION FIREWALLS REVISITED WITH OWASP

   CORAZA WAF

3. José Carlos Chávez Security Software Engineer @ Okta • Peruvian

   • Open source enthusiast • OWASP Coraza WAF Co-leader • Loving father of 2 • Mathematician in quarantine @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

4. What is a Web Application Firewall (WAF)? • WAF is

   a proxy-based tool that inspect incoming/outgoing HTTP traffic. • Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. • Can be based on predefined rulesets describing well-known attacks e.g. OWASP CRS. • Produces audit logs for every request that matched one of the rules for further analysis. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

5. Why using a WAF? • Request/response inspection to avoid zero-day

   attacks, client-side attacks, bot attacks, etc. • Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. • Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. • Virtual patching: security patches at HTTP level to avoid risks of CVEs. • Audit logs for security analysis. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

6. But… why using a WAF in 2024? • Zero trust

   • Lift and shift • PCI DSS 4.0 compliance • OWASP Top 10 • Despite BOLA and AuthZ/AuthN, biggest hack of 2023 was SQL injection (MoveIt) • Robust Cybersecurity program @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

7. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

8. What is Coraza WAF? • An open source Web Application

   Firewall • Written in Go • Initially inspired in Modsecurity, supports seclang • Focused on OWASP Coreruleset v4: Newest and shiniest CRS • Version 3.0 allowed the Production Flag from OWASP, currently on version 3.2.1. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

9. Coraza core principles • Sustainability • Built on use cases

   • API stability & extensibility • Targets different runtimes and environments • Focused on performance and high throughput. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

10. API features • Plugins: Actions, Transformations, Operators, Audit Loggers, and

    Body Processors can be extended with an experimental API. • Multiplatform connectors: ◦ Native Go, Caddy, haproxy, Traefik. ◦ Envoy, Istio, Kong and APISIX using proxy-wasm spec. ◦ Fully compatible with Webassembly. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

11. On Webassembly • Allows to run Coraza in very varied

    stacks through a Wasm runtime e.g. Native Go, Envoy (C++) and Coraza Playground (Browser) • Leverages Coraza as part of the Policy Enforcement Point (PEP) in Zero Trust deployments, specifically in sidecars in the Service Mesh based systems. • Allows to choose libraries on different languages based on its performance (polyglot Wasm). • Promotes portability and distribution of Coraza as a wide organization policy without requiring application changes. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

12. What is next? • Directives API • OSCF export format

    • Paranoia level as first class API • More regex support for variables (e.g. SecResponseBodyMimeType and ctl) • Yet more connectors • Better performance in Webassembly with Go compilation @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA
13. None

14. References • https://coraza.io/docs/tutorials/introduction/ • https://traefik.io/blog/why-does-waf-matter-in-api-security/ • https://github.com/corazawaf • https://coreruleset.org/ •

    https://traefik.io/blog/traefik-3-deep-dive-into-wasm-support-with-coraza- waf-plugin/ @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

15. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA