
Web Application Firewall - Friend of your DevOps Chains – Franziska Bühler

A Web Application Firewall may raise the fear that it does not fit the DevOps methodology. But what if a WAF is involved very early in the DevOps process and not just at its end?

The problem is that when a WAF is added only in production, its impact on the application is tested far too late. Application developers get feedback extremely late, and the WAF may well break the application. I will show how to integrate a WAF and its testing into the deployment pipeline. A WAF is an opportunity to automatically test the application and its security with fast feedback loops. It should already be an integral part of application testing during continuous integration, before the application can go to release.

The audience will also learn about the Web Application Firewall ModSecurity and its Core Rule Set, the first line of defense against web application attacks such as those described by the OWASP Top Ten. The Core Rule Set is mentioned as one of the possible precautions against A10:2017-Insufficient Logging & Monitoring.

DevOpsDays Zurich

May 02, 2018

Transcript

  1. whoami
     • Franziska Bühler
     • Systems Engineer at Swiss Post
     • OWASP ModSecurity Core Rule Set (WAF Rules)
     • OWASP DevSlop
  2. Outline
     • Web Application Firewall
     • ModSecurity and Core Rule Set
     • WAF, a Part of DevOps
     • ModSecurity at Swiss Post
  3. Outline
     • Web Application Firewall
     • ModSecurity and Core Rule Set
     • WAF, a Part of DevOps
     • ModSecurity at Swiss Post
  4. Outline
     • Web Application Firewall
     • ModSecurity and Core Rule Set
     • WAF, a Part of DevOps
     • ModSecurity at Swiss Post
  5. INSTALLATION ON NGINX
     • $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
     • $> cp crs-setup.conf.example crs-setup.conf
     • Include crs-setup.conf
     • Include REQUEST-901-INITIALIZATION.conf
     • …
  6. MALICIOUS REQUEST
     HTTP Request: http://example.com/get-files?file=/../../../../etc/shadow
     CRS Rule: Path Traversal Attack (/../)
     CRS Rule: OS File Access Attempt
     CRS Rule: Common Sequence in Shell Commands
  7. FIGHT FALSE POSITIVE
     • Fix Application
     • Open Issue on GitHub CRS Project
     • ModSecurity Tuning: Tutorials https://netnea.com
  8. Outline
     • Web Application Firewall
     • ModSecurity and Core Rule Set
     • WAF, a Part of DevOps
     • ModSecurity at Swiss Post
  9. ModSec DevOps I
     • Application Tests with WAF
     • Fail early
     • Commit triggers CI run
     • App in deployable state
  10. CRS Container
     • $> docker pull franbuehler/modsecurity-crs-rp
     • $> docker run -dt \
            -e BACKEND=http://172.17.0.1:8000 \
            franbuehler/modsecurity-crs-rp
  11. Apache Config Generation / Testing:
     • Every night
     • During deployment
     ModSecurity and CRS for over 10 Years
     Automation for over 5 Years
  12. WAF IS YOUR FRIEND!
     • Additional Layer of Defense
     • Logging and Monitoring Mechanism
     • Virtual Patching
     • Open Source and free
     • Happy IT Staff
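As an added example (not code from the talk or from the CRS project), a shell gate for the CI step on slides 9 and 10: after the application's test suite has been sent through the CRS reverse-proxy container, it parses the nginx error log written by ModSecurity with the CRS, fails early when a legitimate test request tripped a rule (the false-positive case of slide 7), and checks that the slide 6 probe was actually seen by the WAF. The log lines and URIs are constructed, and the rule ids are assumed to follow CRS 3.x numbering.

```shell
#!/bin/sh
# Added example, not code from the talk: after the CI job has run the
# application's test suite through the CRS reverse-proxy container, gate the
# deployment on the nginx error log that ModSecurity v3 wrote.
# Rule ids are assumed to follow CRS 3.x numbering; the log is a CONSTRUCTED
# sample (one legitimate search plus the slide's path-traversal request).
WAF_LOG="${TMPDIR:-/tmp}/crs-ci-error.log"
cat >"$WAF_LOG" <<'EOF'
2018/05/02 10:00:01 [error] 7#7: *1 ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:file' (Value: `/../../../../etc/shadow' ) [id "930110"] [msg "Path Traversal Attack (/../)"] [severity "2"] [uri "/get-files"], client: 172.17.0.1, server: localhost, request: "GET /get-files?file=/../../../../etc/shadow HTTP/1.1", host: "example.com"
2018/05/02 10:00:01 [error] 7#7: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:file' (Value: `/../../../../etc/shadow' ) [id "930120"] [msg "OS File Access Attempt"] [severity "2"] [uri "/get-files"], client: 172.17.0.1, server: localhost, request: "GET /get-files?file=/../../../../etc/shadow HTTP/1.1", host: "example.com"
2018/05/02 10:00:02 [error] 7#7: *2 ModSecurity: Warning. Matched "Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `select a from b' ) [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"], client: 172.17.0.1, server: localhost, request: "GET /search?q=select+a+from+b HTTP/1.1", host: "example.com"
EOF

# One "id|msg|uri" line per CRS alert in the log.
crs_hits() {
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1|\2|\3/p' "$1"
}

# Alerts on URIs that the functional tests hit with legitimate input are
# false positives (the "fight false positive" case of the slides).
# $1 = log, remaining args = URIs exercised by the legitimate test suite.
false_positives() {
    log=$1; shift
    for uri in "$@"; do
        crs_hits "$log" | awk -F'|' -v u="$uri" '$3 == u'
    done
}

# The deliberate probe must produce the expected alert, otherwise the
# tests never went through the WAF at all. $1 = log, $2 = rule id.
waf_in_chain() {
    crs_hits "$1" | awk -F'|' -v id="$2" '$1 == id { found = 1 } END { exit !found }'
}

# Fail early: non-zero when a legitimate URI tripped a rule or the probe
# went unnoticed. $1 = log, $2 = probe rule id, rest = legitimate URIs.
ci_gate() {
    log=$1; probe=$2; shift 2
    fp=$(false_positives "$log" "$@")
    if [ -n "$fp" ]; then
        printf 'CRS false positives on legitimate tests:\n%s\n' "$fp" >&2
        return 1
    fi
    waf_in_chain "$log" "$probe" || { echo "probe $probe not detected: is the WAF in the chain?" >&2; return 1; }
}
```

In a real pipeline the heredoc is replaced by the error log copied out of the CRS container, and the URI list comes from the functional test suite.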