© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance José Carlos Chávez Security Software Engineer @ okta

© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED What is a Web Application Firewall (WAF)? ● WAF is a proxy-based tool that inspect incoming/outgoing HTTP traffic. ● Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. ● Can be based on predefined rulesets describing well-known attacks. ● Produces audit logs for every request that matched one of the rules for further analysis.

© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Why using a WAF? ● Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, etc. ● Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. ● Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. ● Virtual patching: security patches at HTTP traffic level to skip CVEs ● Audit logs for security analysis.

© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But… why using a WAF in service mesh? ● Zero trust ● Lift and shift ● PCI DSS 4.0 compliance ● Biggest hack of 2023 was SQL injection (MoveIt) ● Robust Cybersecurity program

© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Crossing paths Istio Service mesh running envoy based sidecars as policy enforcers and allowing WebAssembly plugins filtering content at ingress or workload Envoy Proxy/Gateway allowing filters written in one language and compiled into WebAssembly (proxy-wasm ABI) WebAssembly Portable binary-code format for high performance executable programs. Coraza WAF Fast Web Application Firewall compilable to WebAssembly and supporting Coreruleset 4.0.

© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But how? SPOILER: In the sidecar At ingress: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-ingressgateway namespace: istio-ingress spec: phase: AUTHN # before auth priority: 10000 # the bigger the safer pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: istio-ingressgateway istio: ingressgateway url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0 Each namespace individually: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-crs namespace: my-namespace spec: phase: AUTHN # before auth pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: my-app url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0

© Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Thank you! © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED References: ● https://github.com/corazawaf/coraza-proxy-wasm ● https://github.com/tetratelabs/proxy-wasm-go-sdk ● https://coreruleset.org/