For The Win: Finding WAF Evasions and Verifying Fixes with FTW

Speaker: Christian Peron (Fastly)
Event: BSides Winnipeg 2017
Date: November 4th, 2017
Photo: Danielle Northam (@NorthDamn)

This talk will discuss some of the core design objectives Fastly had regarding their WAF implementation. Christian will discuss the design of Fastly's custom Modsecurity toolchain, and the need to thoroughly test both their code and WAF rule sets using the FTW WAF testing framework. He will discuss how continuous testing of their rules and toolchain helps identify WAF evasion and technical issues which are used to improve their technology. Finally Christian will discuss some findings and insights that we have shared with the OWASP and security communities.

Christian has 17 years experience in cybersecurity and security based open-source engineering and development. At Fastly Christian performs threat and vulnerability research, prototype and proof of concept development.