WAFs FTW! A Modern DevOps Approach to Security Testing Your WAF

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses, DevOps Courses, YAML Courses, Web Security Courses, Continuous Integration Courses, Security Testing Courses, Web Application Firewalls Courses

Course Description

Overview

Explore a modern DevOps approach to security testing Web Application Firewalls (WAFs) in this conference talk from AppSecUSA 2017. Learn about the Framework for Testing WAFs (FTW) project, an extendable framework for objectively reviewing WAF effectiveness. Discover how to design and implement tests in YAML format, using the OWASP Core Rule Set version 3 as a benchmark for web attacks and defenses. Gain insight into the architecture of the code, including the use of pytest for running the tests and strategies for continuous integration. Examine real-world use cases, including regression testing for the ModSecurity team and shipping WAF rules to customers at the edge. Understand the importance of applying security to the Software Development Life Cycle (SDLC) of WAF deployments, and explore the journaling feature for producing comprehensive pentest reports.

Syllabus

Intro
What is FTW
Goals of FTW
How we do FTW
Real Rule
How we use FTW
Stop Go Message
Core Ruleset
Ruleset Tests
Commit Tests
PowerPoint Presentation
Christian
Fastly
Issues
Chaining
Bypass
Session Fixation
Tool Chain
Future Steps
Additional Resources


Taught by

OWASP Foundation

Related Courses

Web and Mobile Testing with Selenium
University of Minnesota via Coursera
DevOps Pipeline: Automatización hasta el despliegue
Universidad Anáhuac via edX
Programming Foundations: Software Testing/QA
LinkedIn Learning
Security Assessment and Testing for CISSP®
Pluralsight
EU Panel: The Joys of Integrating Security Testing into Your Pipeline
Pluralsight