WAF In DevOps DevOpsFusion2019

•

1 gefällt mir•722 views

Franziska Buehler

WAF as part of DevOps.

Technologie

whoami
● franziska bühler
● architect @ puzzle ITC
● OWASP ModSecurity Core Rule Set
(WAF Rules)
● OWASP DevSlop

Outline
1. Web
Application
Firewall
2. ModSecurity
and Core Rule
Set
3. WAF a Part
of DevOps

Outline
2. ModSecurity
and Core Rule
Set
3. WAF a Part
of DevOps
1. Web
Application
Firewall

1st
line of defense
APPWAF
SQLi Attack
XSS Attack

« We need a better process to get WAFs into production. »
- Franziska Bühler

CRS Container
$> docker pull franbuehler/modsecurity-crs-rp
$> docker run -dt
-e BACKEND=http://172.17.0.1:8000
franbuehler/modsecurity-crs-rp

Links
https://www.puzzle.ch
https://coreruleset.org
franbuehler/modsecurity-crs-rp
https://github.com/DevSlop/pixi-crs/
https://github.com/DevSlop/pixi-crs-demo/
https://modsecurity.org
https://devslop.co

Let’s make the world of web applications more
secure
-
Let’s add a WAF !

Franziska Bühler
buehler@puzzle.ch
@bufrasch

Weitere ähnliche Inhalte

Was ist angesagt?

Audience: Intermediate About: Tales from an OpenStack operations team that had to learn to walk before they could fly. A small agile team who follow scrum to reduce single points of failure and rely heavily on orchestration. This presentation will outline how we use metrics to investigate, troubleshoot and influence purchasing decisions. Why Up Down monitoring is not enough in this day and age, and how to support the inevitable Persistent VM in the cloud. Speaker Bio: Rarm Nagalingam – Senior Consultant, Red Hat Rarm is a Senior Consultant at Red Hat working with customers to deploy and manage their cloud infrastructure. As a passionate cloud advocate, he has assisted in the migration of workloads running on legacy virtualisation to the cloud. Rarm has over 13 years of experience in the ICT industry, specializing in rapid development of bespoke systems. OpenStack Australia Day - Sydney 2016 https://events.aptira.com/openstack-australia-day-sydney-2016/

/bin/tails from OpenStack Operations: Rarm Nagalingam, Red Hat

OpenStack

.NET Conf 2018: Build Great Libraries using .NET Standard

Immo Landwerth

Neil Desai - Data Driven Analytics

CSNP

Cypress e2e automation testing - day1 intor by: Hassan Hameed

Hassan Muhammad

Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min

Masahiro Nagano

WAF in Scale

Alexey Sintsov

DevOpsDays Philadelphia 2019 presentation. Zero to Hero: Start Test automation with Cypress In DevOps world, test automation is a must have. But start coding could be challenging for people novice in tech and also for the ones working in manual testing (because someone said that testers don’t need technical skills)! In this “right to the point” workshop you’ll start your automation test project - easy and painlessly. It’ll give you knowledge to continue learning and practicing after.

[English][Test Girls] Zero to Hero: Start Test automation with Cypress

Test Girls

Cypress Automation

Susantha Pathirana

Setting up and open fidy dev environment

ianibbo

Deep dive networking

Victor Morales

Getting started on AWS is easy, but building a scalable, reliable, and performant product in the cloud can be a challenge for startups and enterprises alike. Netflix has famously migrated all our services to the cloud. Along the way, we have open-sourced large portions of our platform that helped make this a reality. In this talk, Mike McGarr (Manager – Netflix Developer Productivity) will provide a survey of the Netflix OSS products available. Mike will also share patterns and lessons Netflix learned migrating to the cloud. This talk will cover tools such as Nebula, Aminator and Spinnaker. Lastly, Mike will leave you with a roadmap for how to get started with Netflix OSS on your cloud today.

Build and deploy to the cloud using NetflixOSS (Gradle Summit 2016)

Mike McGarr

[Wroclaw #7] Security test automation

OWASP

OWASP CSRF Protector

Minhaz A V

Null bhopal Sep 2016: What it Takes to Secure a Web Application

Anant Shrivastava

[Wroclaw #7] AWS (in)security - the devil is in the detail

OWASP

Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite

OWASP Kyiv

Openstack bug list

openstackcisco

Apache Struts2 CVE-2017-5638

Riyaz Walikar

On demand recording: nginx.com/watch-on-demand/?id=modsecurity-and-nginx-tuning-the-owasp-core-rule-set In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn: - How to install the OWASP Core Rule Set (CRS) with ModSecurity - About the types of attacks the CRS blocks, such SQLi, RFI, and LFI - How to tune the CRS to minimize false positives - What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log

ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)

NGINX, Inc.

SSL Pinning and Bypasses: Android and iOS

Anant Shrivastava

Was ist angesagt? (20)

/bin/tails from OpenStack Operations: Rarm Nagalingam, Red Hat

.NET Conf 2018: Build Great Libraries using .NET Standard

Neil Desai - Data Driven Analytics

Cypress e2e automation testing - day1 intor by: Hassan Hameed

Advanced nginx in mercari - How to handle over 1,200,000 HTTPS Reqs/Min

WAF in Scale

[English][Test Girls] Zero to Hero: Start Test automation with Cypress

Cypress Automation

Setting up and open fidy dev environment

Deep dive networking

Build and deploy to the cloud using NetflixOSS (Gradle Summit 2016)

[Wroclaw #7] Security test automation

OWASP CSRF Protector

Null bhopal Sep 2016: What it Takes to Secure a Web Application

[Wroclaw #7] AWS (in)security - the devil is in the detail

Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite

Openstack bug list

Apache Struts2 CVE-2017-5638

ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)

SSL Pinning and Bypasses: Android and iOS

Ähnlich wie WAF In DevOps DevOpsFusion2019

A Web Application Firewall may cause fear that it doesn’t fit into the DevOps methodology. But what if a WAF is involved very early in the DevOps process and not just at its end? The problem is that when a WAF is added to production, the impact on the application is tested too late. Application developers get extremely late feedback and the WAF can probably break the application. I will show a way how to integrate a WAF and its testing into the deployment pipeline. It should already be an integral part of the application testing during the continuous integration and before the application can go to release. The audience will also learn about the Web Application Firewall ModSecurity and its OWASP ModSecurity Core Rule Set. It is the first line of defense against web application attacks, like those described by the OWASP Top Ten. The Core Rule Set is mentioned as one of the possible precautions against A10:2017-Insufficient Logging & Monitoring.

Web Application Firewall - Friend of your DevOps Chain?

Franziska Buehler

As attackers become more sophisticated, web application developers need to constantly update their security configurations. Static firewall rules are no longer good enough. Developers need a way to deploy automated security that can learn from the application behavior and identify bad traffic patterns to detect bad bots or bad actors on the Internet. This session showcases some of the real-world customer use cases that use machine learning and AWS WAF (a web application firewall) with automated incident response and machine learning to automatically identify bad actors. We also present tutorials and code samples that show how customers can analyze traffic patterns and deploy new AWS WAF rules on the fly.

AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...

Amazon Web Services

Apache Cloudstack QA Strategy

Sudha R Ponnaganti

Some of the best businesses today are deploying their code dozens of times a day. How? By making heavy use of automation, smart tools, and repeatable patterns to get process out of the way and keep the workflow moving. Come to this session to learn how you can do this too, using services such as AWS OpsWorks, AWS CloudFormation, Amazon Simple Workflow Service, and other tools. We'll discuss a number of different deployment patterns, and what aspects you need to focus on when working toward deployment automation yourself.

(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...

Amazon Web Services

Firewalling a Service Mesh with WebAssembly.pdf

micharaeck

This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.

CloudFlare vs Incapsula: Round 2

Zero Science Lab

淺談WAF在AWS的架構

4ndersonLin

VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D...

VMworld

淺談WAF在AWS的架構_20171027

4ndersonLin

This session will provide details on the usage of OSS tools to secure your dev and ops lifecycle. It covers tools used in application, host and network security assessments for both monolithic and Microservices based architectures. The session also covers usage of OSS tools for runtime application self-protection. Apart from tools in development phase, the session provides insights on building secure design into the product via threat modeling tool.

(SACON) Satish Sreenivasaiah - DevSecOps Tools and Beyond

Priyanka Aash

Web Security Automation: Spend Less Time Securing your Applications

Amazon Web Services

隨著攻擊者日趨複雜精密化，網路應用開發者必須常態性更新其安全配置。靜態防火牆規則早已不敷需求。開發者需要能部署自動化安全性的方法，以從應用程式行為學習並辨別有害流量模式，進而偵測出網際網路上的有害機器人程式或有害動作者。本專題演講將以真實世界的客戶使用案例為例，示範如何運用機器學習和 AWS WAF（網路應用防火牆）搭配自動化事件回應和機器學習，來自動辨別出有害動作者。另外也將介紹主題教學和程式碼範例，示範客戶可以如何在執行作業期間分析流量模式並部署新的 AWS WAF 規則。

網路安全自動化 - 縮短應用維安的作業時間

Amazon Web Services

Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21

drewz lin

ThoughtWorks Technology Radar Roadshow - Brisbane

Thoughtworks

OWASP CSRF Protector_Minhaz

OWASP Delhi

WAF Deployment proposal

Jeremy Quadri

With AWS, organizations now have the ability to develop and run their applications with speed and flexibility like never before. Working with an infrastructure that can be 100% API-driven enables organizations to use lean methodologies and realize these benefits. In this session, we will explore some key concepts and design patterns for continuous deployment and continuous integration, two elements of lean application and infrastructure development. We will look at several use cases where IT organizations leveraged AWS to rapidly develop and iterate on applications for scale, high availability and cost optimization. Speaker: Adrian White, Solutions Architect, Amazon Web Services

Continuous Integration and Deployment Best Practices on AWS

Amazon Web Services

VMworld 2015: Automating Everything VMware with PowerCLI- Deep Dive

VMworld

Juggling Java EE with Enterprise Apache Maven

elliando dias

Securing your web applications a pragmatic approach

Antonio Parata

Ähnlich wie WAF In DevOps DevOpsFusion2019 (20)

Web Application Firewall - Friend of your DevOps Chain?

AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...

Apache Cloudstack QA Strategy

(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...

Firewalling a Service Mesh with WebAssembly.pdf

CloudFlare vs Incapsula: Round 2

淺談WAF在AWS的架構

VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D...

淺談WAF在AWS的架構_20171027

(SACON) Satish Sreenivasaiah - DevSecOps Tools and Beyond

Web Security Automation: Spend Less Time Securing your Applications

網路安全自動化 - 縮短應用維安的作業時間

Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21

ThoughtWorks Technology Radar Roadshow - Brisbane

OWASP CSRF Protector_Minhaz

WAF Deployment proposal

Continuous Integration and Deployment Best Practices on AWS

VMworld 2015: Automating Everything VMware with PowerCLI- Deep Dive

Juggling Java EE with Enterprise Apache Maven

Securing your web applications a pragmatic approach

Kürzlich hochgeladen

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Real Time Object Detection Using Open CV

Khem

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker

Powerful Google developer tools for immediate impact! (2023-24 C)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Advantages of Hiring UIUX Design Service Providers for Your Business

Scaling API-first – The story of a global engineering organization

Tech Trends Report 2024 Future Today Institute.pdf

How to Troubleshoot Apps for the Modern Connected Worker

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Axa Assurance Maroc - Insurer Innovation Award 2024

GenAI Risks & Security Meetup 01052024.pdf

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

HTML Injection Attacks: Impact and Mitigation Strategies

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Real Time Object Detection Using Open CV

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Boost Fertility New Invention Ups Success Rates.pdf

Boost PC performance: How more available memory can improve productivity

Apidays New York 2024 - The value of a flexible API Management solution for O...