Brian A. McHenry, profile picture
Uploaded byBrian A. McHenry
PPTX, PDF579 views

Evolution of WAF - Stop Worrying About Vulnerabilities

The document discusses the evolution of web application firewalls (WAF) from application layer gateways and intrusion prevention systems to more advanced capabilities like bot detection, web scraping prevention, and brute force mitigation. It notes that bot detection can eliminate around 30% of web traffic and reduce load on infrastructure while also simplifying application security. Deep packet inspection and machine learning are helping WAFs to more accurately differentiate human and bot traffic.

Technology
Related topics:
Application Security

Embed presentation

Downloaded 32 times
Evolution of WAF Stop Worrying About Vulnerabilities
Who is this guy? • Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks • 9 years at F5, focused on application security solutions • Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com • Follow me on twitter @bamchenry
In the Beginning… • There were Application Layer Gateways (ALG) Samples anyone?
© F5 Networks, Inc 4CONFIDENTIAL Then There Was IPS
And NGFW
© F5 Networks, Inc 6 Change the Way We Deploy WAF Traditional WAF • Signatures (OWASP Top 10) • DAST Integration • Site Learning • File/URL/Parameter/Header/Cookie Enforcement • Protocol Enforcement • Login Enforcement / Session Tracking • Data Leak Prevention • Flow Enforcement Advanced WAF • BOT Detection • Web scraping Prevention • Brute Force Mitigation • L7 DDoS Protection • Heavy URL Detection & Protection • Captcha Challenges • CSRF Token Injection • Client fingerprinting
Why Is Bot Detection So Valuable? Typical Web Traffic Humans Good Bots Bad Botshttps://www.incapsula.com/blog/bot-traffic-report-2015.html • Roughly 50% of traffic is human • About 20% is good bots • Remaining 30% is malicious bots How do we differentiate?
Deep Thoughts • Eliminating 30% of web traffic has serious impact – Capacity and performance improvements are measurable – Budget is always more available than for a security project • Bot detection requires less per-application customization – Increases operational scale for application security • Reduces threat model by eliminating most opportunistic attackers – Focus other defenses on vectors for directed attackers
Thank you! @bamchenry
Appendix Expanded discussion of this topic: http://www.informationsecuritybuzz.com/articles/organic-denial-service-dos-isnt-attack/ http://www.informationsecuritybuzz.com/articles/when-a-bot-isnt-a-bot/ http://www.informationsecuritybuzz.com/is-bot-detection-the-best-value-in-infosec/ http://www.informationsecuritybuzz.com/articles/the-death-of-waf-as-we-know-it/ https://www.youtube.com/watch?v=mB_xGSNm8Z0

More Related Content

PDF
Novinky F5
byMarketingArrowECS_CZ
 
PDF
F5 ASM v12 DDoS best practices
byLior Rotkovitch
 
PDF
Web Socket ASM support lior rotkovitch
byLior Rotkovitch
 
PDF
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
byLior Rotkovitch
 
PPTX
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
byLior Rotkovitch
 
PPTX
The DNS Tunneling Blindspot
byBrian A. McHenry
 
PDF
Taking the Fear out of WAF
byBrian A. McHenry
 
PDF
Novinky F5 pro rok 2018
byMarketingArrowECS_CZ
 
Novinky F5
byMarketingArrowECS_CZ
 
F5 ASM v12 DDoS best practices
byLior Rotkovitch
 
Web Socket ASM support lior rotkovitch
byLior Rotkovitch
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
byLior Rotkovitch
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
byLior Rotkovitch
 
The DNS Tunneling Blindspot
byBrian A. McHenry
 
Taking the Fear out of WAF
byBrian A. McHenry
 
Novinky F5 pro rok 2018
byMarketingArrowECS_CZ
 

What's hot

PDF
F5 BIG-IP Misconfigurations
byDenis Kolegov
 
PDF
FortiWeb
byAlireza Akrami
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
Radware - WAF (Web Application Firewall)
byDeivid Toledo
 
PDF
The WAF book intro protection elements v1.0 lior rotkovitch
byLior Rotkovitch
 
PPTX
F5 SIRT - F5 ASM WAF - DDoS protection
byLior Rotkovitch
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
PDF
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
byDenim Group
 
PPTX
Mirai botnet
byOWASP
 
PPTX
Authentication and session v4
byskimil
 
PDF
Securing Internal Applications with Cloudflare Access
byCloudflare
 
PPTX
Testing web application firewalls (waf) accuracy
byOry Segal
 
PPT
Benefits of web application firewalls
byEnclaveSecurity
 
PDF
Tech t18
bySelectedPresentations
 
PDF
The waf book intro v1.0 lior rotkovitch
byLior Rotkovitch
 
PDF
[Wroclaw #4] WebRTC & security: 101
byOWASP
 
PPTX
F5 Networks Adds To Oracle Database
byF5 Networks
 
PPTX
F5 EMEA Webinar Oct'15: http2 how to ease the transition
byDmitry Tikhovich
 
PPTX
Standardizing and Strengthening Security to Lower Costs
byOpenDNS
 
PDF
What You Should Know Before The Next DDoS Attack
byCloudflare
 
F5 BIG-IP Misconfigurations
byDenis Kolegov
 
FortiWeb
byAlireza Akrami
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Radware - WAF (Web Application Firewall)
byDeivid Toledo
 
The WAF book intro protection elements v1.0 lior rotkovitch
byLior Rotkovitch
 
F5 SIRT - F5 ASM WAF - DDoS protection
byLior Rotkovitch
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
byDenim Group
 
Mirai botnet
byOWASP
 
Authentication and session v4
byskimil
 
Securing Internal Applications with Cloudflare Access
byCloudflare
 
Testing web application firewalls (waf) accuracy
byOry Segal
 
Benefits of web application firewalls
byEnclaveSecurity
 
Tech t18
bySelectedPresentations
 
The waf book intro v1.0 lior rotkovitch
byLior Rotkovitch
 
[Wroclaw #4] WebRTC & security: 101
byOWASP
 
F5 Networks Adds To Oracle Database
byF5 Networks
 
F5 EMEA Webinar Oct'15: http2 how to ease the transition
byDmitry Tikhovich
 
Standardizing and Strengthening Security to Lower Costs
byOpenDNS
 
What You Should Know Before The Next DDoS Attack
byCloudflare
 

Similar to Evolution of WAF - Stop Worrying About Vulnerabilities

PPTX
Forti web
byLan & Wan Solutions
 
PPTX
Forti web
byLan & Wan Solutions
 
PDF
Web Application Firewall Presentation .pdf
byFerriantoSuryanto
 
PDF
Web Application Security
byMarketingArrowECS_CZ
 
PPT
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
byNeil Matatall
 
PPTX
WAFs.pptx
byHamzaJamil41
 
PDF
WAF Deployment proposal
byJeremy Quadri
 
PDF
Nginx app protect-for-meetup-v1.0-202006_lk
byJuraj Hantak
 
PPTX
Advanced Web Application Security with an Intelligent WAF
byAvi Networks
 
PDF
Easily View, Manage, and Scale Your App Security with F5 NGINX
byNGINX, Inc.
 
PDF
Why Do You Need a Web Application Firewall?
byBORNSEC CONSULTING
 
PDF
Web Application Firewall_ Solution to Reduce Cyber Attacks _ CyberPro Magazin...
byCyberPro Magazine
 
PPTX
Barracuda WAF Deployment in Microsoft Azure
byAravindan A
 
PPTX
Prophaze WAF 3.0.pptx
byPrasad G (Prechu)
 
PDF
Secure Your Kubernetes Apps from Attacks with NGINX
byNGINX, Inc.
 
PPTX
Tune in for the Ultimate WAF Torture Test: Bots Attack!
byDistil Networks
 
PDF
Atelier Technique - F5 - #ACSS2019
byAfrican Cyber Security Summit
 
PPTX
The Power of Web Application Firewalls (WAFs) in Protecting Your Web App.pptx
byBluechipComputerSyst
 
PDF
Web Application Firewall. Enhancing web security in the digital age.pdf
byPriyaSharma401031
 
PDF
Découvrez NGINX AppProtect
byNGINX, Inc.
 
Forti web
byLan & Wan Solutions
 
Forti web
byLan & Wan Solutions
 
Web Application Firewall Presentation .pdf
byFerriantoSuryanto
 
Web Application Security
byMarketingArrowECS_CZ
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
byNeil Matatall
 
WAFs.pptx
byHamzaJamil41
 
WAF Deployment proposal
byJeremy Quadri
 
Nginx app protect-for-meetup-v1.0-202006_lk
byJuraj Hantak
 
Advanced Web Application Security with an Intelligent WAF
byAvi Networks
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
byNGINX, Inc.
 
Why Do You Need a Web Application Firewall?
byBORNSEC CONSULTING
 
Web Application Firewall_ Solution to Reduce Cyber Attacks _ CyberPro Magazin...
byCyberPro Magazine
 
Barracuda WAF Deployment in Microsoft Azure
byAravindan A
 
Prophaze WAF 3.0.pptx
byPrasad G (Prechu)
 
Secure Your Kubernetes Apps from Attacks with NGINX
byNGINX, Inc.
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
byDistil Networks
 
Atelier Technique - F5 - #ACSS2019
byAfrican Cyber Security Summit
 
The Power of Web Application Firewalls (WAFs) in Protecting Your Web App.pptx
byBluechipComputerSyst
 
Web Application Firewall. Enhancing web security in the digital age.pdf
byPriyaSharma401031
 
Découvrez NGINX AppProtect
byNGINX, Inc.
 

Recently uploaded

PDF
December Patch Tuesday
byIvanti
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
December Patch Tuesday
byIvanti
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 

Evolution of WAF - Stop Worrying About Vulnerabilities

  • 1.
    Evolution of WAF StopWorrying About Vulnerabilities
  • 2.
    Who is thisguy? • Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks • 9 years at F5, focused on application security solutions • Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com • Follow me on twitter @bamchenry
  • 3.
    In the Beginning… •There were Application Layer Gateways (ALG) Samples anyone?
  • 4.
    © F5 Networks,Inc 4CONFIDENTIAL Then There Was IPS
  • 5.
  • 6.
    © F5 Networks,Inc 6 Change the Way We Deploy WAF Traditional WAF • Signatures (OWASP Top 10) • DAST Integration • Site Learning • File/URL/Parameter/Header/Cookie Enforcement • Protocol Enforcement • Login Enforcement / Session Tracking • Data Leak Prevention • Flow Enforcement Advanced WAF • BOT Detection • Web scraping Prevention • Brute Force Mitigation • L7 DDoS Protection • Heavy URL Detection & Protection • Captcha Challenges • CSRF Token Injection • Client fingerprinting
  • 7.
    Why Is BotDetection So Valuable? Typical Web Traffic Humans Good Bots Bad Botshttps://www.incapsula.com/blog/bot-traffic-report-2015.html • Roughly 50% of traffic is human • About 20% is good bots • Remaining 30% is malicious bots How do we differentiate?
  • 8.
    Deep Thoughts • Eliminating30% of web traffic has serious impact – Capacity and performance improvements are measurable – Budget is always more available than for a security project • Bot detection requires less per-application customization – Increases operational scale for application security • Reduces threat model by eliminating most opportunistic attackers – Focus other defenses on vectors for directed attackers
  • 9.
  • 10.
    Appendix Expanded discussion ofthis topic: http://www.informationsecuritybuzz.com/articles/organic-denial-service-dos-isnt-attack/ http://www.informationsecuritybuzz.com/articles/when-a-bot-isnt-a-bot/ http://www.informationsecuritybuzz.com/is-bot-detection-the-best-value-in-infosec/ http://www.informationsecuritybuzz.com/articles/the-death-of-waf-as-we-know-it/ https://www.youtube.com/watch?v=mB_xGSNm8Z0