This presentation was by Alexander Meisel and is from a paper that was put together by the Germany OWASP chapter. He began by introducing the problem being online businesses having HTTP as their “weak spot”.  Then talked about the definition of the term “Web Application Firewall”.  It’s not a network firewall and not only hardware.  The targeted audience of the paper is technical decision makers, people responsible for operations and security, and application owners.  Next he talked about some of the characteristics of web applicatons with regard to security.  Prioritize web applications in regard to their importance (access to personal customer data, access to confidential company information, certifications).  Some technical aspects include test and quality assurance, documentaiton, and vendor contracts.

Where do WAFs fit into the web application security field?  WAFs are part of a solution.  Create a table with wanted functionality (CSRF, session fixation, *-Injection).  Do a rating/evaluation with “+” meaning it can be very well implemented using a WAF, “-” meaning it can not be implemented, “!” meaning depends on the WAF/application/requirement, and “=” meaning it can partly be implemented with a WAF.

Looks at the benefits and risks of WAFs.  Good baseline security.  Compliance.  Just-in-time patching of problems.  Additional benefits (depending on functionality) could be central reporting and error logging, SSL termination, URL encryption, etc.

Some risks involved in using WAFs are false positives, increased complexity, having yet another proxy, and potential side effects if the WAF terminates the application.

Protection against the OWASP Top 10.  App vs WAF vs Policy.  Three types of applications: web application in design phase, already productive app which can easily be changed, and productive app which cannot be modified or only with difficulty.  Table of OWASP Top 10 in regards to work required with the 3 types of applications to fix the problem in the application itself, using a WAF, and using a policy.

Criteria for deciding whether or not to use WAFs.  Company wide criteria includes the importance of the application for the success of the company, number of web applications, complexity, operational costs, and performance and scalability.  Criteria with regard to the web application includes changeability of the application, documentation, maintenance contracts, and time required fixing bugs in third-party products.  Consideration of financial aspects includes avoidance of financial damage via successful attacks and teh costs of using a WAF (license, update, project costs for eval and WAF introduction, volume of work required/personnel costs).

He started going pretty fast here since he was already running over on time.  The gist was a bunch of best practices for introduction and operation of web application firewalls.  He talked about technical requirements, job requirements, and an iterative procedure for implementation.

This presentation was mostly just an overview of what is in the paper and he didn’t get into too much specifics.  Go check out the paper at https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls to get the details!