OWASP ESAPI WAF AppSec DC 2009

OWASP ESAPI WAF
  • Developed by Arshan Dabirsiaghi (w/ Jeff Williams)
  • A sub-project under the ESAPI umbrella
  • The Star Trek: TNG of WAFs: Robust, Usable, Free, Open Source, Performant, Pragmatic
"Yeah, well I hate WAFs"
  • Perfect! Me too.
WAFs were for Federalists (part 1)
  (diagram: Development Team A, Development Team B, Development Team C, with a separate Security Team)
WAFs were for Federalists (part 2)
  (diagram: Development Team A, Development Team B, Development Team C)
Why fix in ESAPI WAF vs. fix in code?
Advantages of Application-Layer WAFs
  • Performance – only your rules are checked, plus state is already managed by the app server
  • Capability – being closer to the app lets us do more and I can't wait to tell you about it
  • Process – rules are closer to the application owner, shortening discovery-to-patch time and also fix-to-patch-removal time
Principle: Make common tasks easy, uncommon tasks possible
  • Easy!

    <virtual-patches>
       <virtual-patch
              id="bugtracker-id-1234"
              path="/vulnerable.do"
              variable="request.parameters.bar"
              pattern="[0-9a-zA-Z]*"
              message="zmg attax" />
    </virtual-patches>

  • Possible… still easy!

    <bean-shell-rules>
       <bean-shell-script
          id="user-lockout-rule"
          file="/enforce_user_lockout.bsh"
          stage="before-request-body"/>
    </bean-shell-rules>

    // enforce_user_lockout.bsh: runs before the request body is processed
    import org.acme.user.*;
    // session attributes come back as Object; cast to the application's User type
    User user = (User) session.getAttribute("u");
    // anonymous sessions have no user, so guard against null before the lockout check
    if ( user != null && user.isLocked() )
       action = new RedirectAction();
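As an added illustration (not ESAPI WAF code), the following Python model parses the <virtual-patches> fragment above and applies it to constructed requests. It assumes the whitelist pattern must match the whole parameter value and that an absent parameter is allowed; the real matching semantics are defined in the Configuration Guide linked at the end of the deck.

```python
"""Toy evaluator for the <virtual-patch> rule type shown on the slide.

Added example, not ESAPI WAF code: models one rule type (path + request
parameter + whitelist pattern) to show why the pattern must be applied to the
WHOLE parameter value. Whole-value matching is an assumption of this model.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# The policy fragment from the slide, with the quotes normalised.
POLICY_XML = """
<virtual-patches>
   <virtual-patch
          id="bugtracker-id-1234"
          path="/vulnerable.do"
          variable="request.parameters.bar"
          pattern="[0-9a-zA-Z]*"
          message="zmg attax" />
</virtual-patches>
"""

PARAM_PREFIX = "request.parameters."


@dataclass
class VirtualPatch:
    id: str
    path: str
    variable: str        # e.g. "request.parameters.bar"
    pattern: re.Pattern  # compiled whitelist pattern
    message: str


def load_patches(xml_text: str) -> List[VirtualPatch]:
    """Parse every <virtual-patch> element into a rule with a pre-compiled pattern."""
    root = ET.fromstring(xml_text)
    return [
        VirtualPatch(
            id=el.get("id"),
            path=el.get("path"),
            variable=el.get("variable"),
            pattern=re.compile(el.get("pattern")),
            message=el.get("message"),
        )
        for el in root.findall("virtual-patch")
    ]


def evaluate(patches: List[VirtualPatch], path: str, params: Dict[str, str]) -> Optional[str]:
    """Return the id of the first patch the request violates, or None if allowed.

    Only "request.parameters.<name>" variables are modelled (an assumption).
    A missing parameter is treated as allowed: the patch constrains the value,
    not its presence.
    """
    for p in patches:
        if p.path != path or not p.variable.startswith(PARAM_PREFIX):
            continue
        value = params.get(p.variable[len(PARAM_PREFIX):])
        if value is None:
            continue
        # fullmatch, not search: with search(), "[0-9a-zA-Z]*" would accept any
        # value at all, because '*' matches the empty string at position 0.
        if p.pattern.fullmatch(value) is None:
            return p.id
    return None


PATCHES = load_patches(POLICY_XML)

if __name__ == "__main__":
    # Constructed sample requests, not taken from the slides.
    print(evaluate(PATCHES, "/vulnerable.do", {"bar": "abc123"}))  # None (allowed)
    print(evaluate(PATCHES, "/vulnerable.do", {"bar": "12 34"}))   # bugtracker-id-1234
```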
Fixing Injection Flaws,[object Object]
Business Logic Flaws
  • /viewAccount?id=1826
  • /admin/shutdown
  • /ws/ImptWebService.rest
Adding "Outbound" Security
  • Set uniform content-type
Meet JForum 2.1.8
  • Awesome, free, fully featured forum software.
  • 4 hours of code review/pen testing: 10 findings
(build slides; policy elements shown, final state)
  • <virtual-patch/>
  • <add-http-only-flag>
  • <add-header/>
  • <bean-shell-rule/>
  • JavaDocs: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc3/index.html
  • Policy file specification: http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20WAF%20Configuration%20Guide.pdf
OWASP ESAPI WAF: AVAILABLE NOW! $0
  Arshan Dabirsiaghi, Director of Research, Aspect Security
  @nahsra, i8<messiah>.com
  http://www.aspectsecurity.com/