WAFs FTW! A Modern DevOps Approach to Security Testing Your WAF

Explore a modern DevOps approach to security testing Web Application Firewalls (WAFs) in this conference talk from AppSecUSA 2017. Learn about the Framework for Testing WAFs (FTW) project, which provides an extendable framework for objectively reviewing WAF effectiveness. Discover how to design and implement tests using YAML format, leveraging the OWASP Core Ruleset Version 3 as a benchmark for web attacks and defenses. Gain insights into the architecture of the code, including the use of Py.test for testing and continuous integration strategies. Examine real-world use cases, including regression testing for the ModSecurity team and shipping WAF rules for customers on the edge. Understand the importance of applying security to the Software Development Life Cycle (SDLC) of WAF deployments and explore the journaling feature for comprehensive pentest reports.

Intro
What is FTW
Goals of FTW
How we do FTW
Real Rule
How we use FTW
Stop Go Message
Core Ruleset
Ruleset Tests
Commit Tests
PowerPoint Presentation
Christian
Fastly
Issues
Chaining
Bypass
Session Fixation
Tool Chain
Future Steps
Additional Resources