No content

JOSÉ CARLOS CHÁVEZ Okta WEB APPLICATION FIREWALLS REVISITED WITH OWASP CORAZA WAF

José Carlos Chávez Security Software Engineer @ Okta ● Peruvian ● Open source enthusiast ● OWASP Coraza WAF Co-leader ● Loving father of 2 ● Mathematician in quarantine @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

What is a Web Application Firewall (WAF)? ● WAF is a proxy-based tool that inspect incoming/outgoing HTTP traffic. ● Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. ● Can be based on predefined rulesets describing well-known attacks e.g. OWASP CRS. ● Produces audit logs for every request that matched one of the rules for further analysis. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

Why using a WAF? ● Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, etc. ● Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. ● Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. ● Virtual patching: security patches at HTTP level to avoid risks of CVEs. ● Audit logs for security analysis. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

But… why using a WAF in 2024? ● Zero trust ● Lift and shift ● PCI DSS 4.0 compliance ● OWASP Top 10 ● Despite BOLA and AuthZ/AuthN, biggest hack of 2023 was SQL injection (MoveIt) ● Robust Cybersecurity program @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

@jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

What is Coraza WAF? ● An open source Web Application Firewall ● Written in Go ● Initially inspired in Modsecurity, supports seclang ● Focused on OWASP Coreruleset v4: Newest and shiniest CRS ● Version 3.0 allowed the Production Flag from OWASP, currently on version 3.2.1. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

Coraza core principles ● Sustainability ● Built on use cases ● API stability & extensibility ● Targets different runtimes and environments ● Focused on performance and high throughput. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

API features ● Plugins: Actions, Transformations, Operators, Audit Loggers, and Body Processors can be extended with an experimental API. ● Multiplatform connectors: ○ Native Go, Caddy, haproxy, Traefik. ○ Envoy, Istio, Kong and APISIX using proxy-wasm spec. ○ Fully compatible with Webassembly. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

On Webassembly ● Allows to run Coraza in very varied stacks through a Wasm runtime e.g. Native Go, Envoy (C++) and Coraza Playground (Browser) ● Leverages Coraza as part of the Policy Enforcement Point (PEP) in Zero Trust deployments, specifically in sidecars in the Service Mesh based systems. ● Allows to choose libraries on different languages based on its performance (polyglot Wasm). ● Promotes portability and distribution of Coraza as a wide organization policy without requiring application changes. @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

What is next? ● Directives API ● OSCF export format ● Paranoia level as first class API ● More regex support for variables (e.g. SecResponseBodyMimeType and ctl) ● Yet more connectors ● Better performance in Webassembly with Go compilation @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

No content

References ● https://coraza.io/docs/tutorials/introduction/ ● https://traefik.io/blog/why-does-waf-matter-in-api-security/ ● https://github.com/corazawaf ● https://coreruleset.org/ ● https://traefik.io/blog/traefik-3-deep-dive-into-wasm-support-with-coraza- waf-plugin/ @jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA

@jcchavezs WEB APPLICATION FIREWALLS REVISITED - OWASP CORAZA OKTA