My AWS WAF Deployment Odyssey

Presented at CircleCityCon 8.0 (2021) Virtual, Unknown date/time (Unknown duration)

As teams race to shore up application security issues in their enterprise, a web application firewall (WAF) can be an indispensable tool in the hands of a good engineer. A WAF can perform virtual patching, prevent vulnerabilities in your internally developed applications, slow down attackers, and prevent basic reconnaissance. Unfortunately, someone has to install them. Even more unfortunately, that someone was me. I will share how I built the system using the AWS WAF in Terraform along with some basics of what a WAF does, what some of the pitfalls are, how to troubleshoot your WAF during the rollout, and how to figure out if you’ve made a horrible mistake. This presentation is appropriate for attendees who have no experience with web application security or WAFs, attendees wishing to gain a better understanding of web application vulnerabilities, and those interested in the AWS WAF and WAF management.


Presenters:

  • Rebecca Deck - Staff Application Security Engineer at Avalara
    Rebecca Deck is a Staff Application Security Engineer at Avalara. She determines application security tools and strategy and (hopefully) gets to perform application security testing. She has more than 20 years of experience in IT that includes QA, software development, engineering, incident response, and consulting. She’s currently quarantined with her wife and kids living the dream of working and home schooling.
