No WAFs: Don’t use a Web Application Firewall, and when you should | Joshua Fox | Conf42 SRE 2024
Read the abstract ➤ https://www.conf42.com/Site_Reliability_Engineering_SRE_2024_Joshua_Fox_wafs_web_application
Other sessions at this event ➤ https://www.conf42.com/sre2024

Chapters
0:00 intro
0:26 preamble
0:33 about Joshua Fox
1:03 DoiT
1:25 article
1:36 scenario
2:02 what is a WAF?
2:16 drivers for getting a WAF
2:22 hacker attack
2:35 penetration test
3:09 urgency
3:18 expertise
3:32 outside requirement/audit
4:00 security blanket
4:18 web threats
4:50 walkthrough: cross-site scripting
5:09 without WAF
5:44 demo WAF architecture
5:59 make it safe!
6:28 a simple chat message is executed
6:34 with WAF
7:05 SQL injection
8:02 DDoS
8:10 why distributed?
8:33 application-level threats
8:39 broken access control
9:15 toss in a WAF
9:20 how Cloud Armor works
9:25 architecture
9:57 policies and rules
10:16 rules
10:41 types of rules
11:28 preconfigured rules (use these!)
11:48 sensitivity (paranoia)
12:08 standard signatures
12:41 sample signature
13:03 rule language
13:28 WAF won't protect you!
13:37 blocking your own app
14:24 false positives
15:06 job zero
15:33 secure your app
16:33 but the most important
16:43 DDoS
17:27 IP address
17:45 geo
17:52 dry run
17:56 preview
18:26 problem with preview
18:47 false negatives
18:54 imperfect detection
19:17 the worst: broken access control
19:40 attackers shift
19:57 attackers are smart
20:08 flexibility?
21:22 WAF adds risk: man-in-the-middle
21:37 risk: complacency
22:01 risk to performance
22:12 pricing
23:03 at long last...
23:07 eternal requirement
23:18 third-party apps
23:33 central supervision
24:36 the one go-to feature
24:43 consider advanced services
25:11 if you're going to do it, do it now
25:19 prefer your cloud's WAF
25:46 minuses of a WAF
26:09 plusses of a WAF
26:31 conclusion
26:45 we're hiring!