Juan Berner
Booking.com
Juan Berner is a security researcher with over 9 years of experience in the field, currently working as Security Lead Developer at Booking.com, where he is the SME for application security and an architect for security solutions.

He has given talks in the past on how to build an open source SIEM (https://www.ekoparty.org/security-monitoring-like-the-nsa.php) and on exploiting A/B Testing frameworks (Exploiting A/B Testing for Fun and Profit).

Building your own WAF as a service and forgetting about false positives
Technical Level (3 being the highest score): 2

When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: will it be placed inline (and risk affecting users through outages or latency), or will it be placed out of band (not affecting users, but not protecting them either)? This talk will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try to get the best of both worlds: the WAF works in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through the WAF so it can decide whether to block or allow a request.

To achieve this you will have to wrap the WAF in a web service, something developers are used to working with, which makes it possible to deliver security in a targeted and scalable manner. In this network-agnostic setup the WAF service's functionality can scale horizontally, and you can enhance the WAF's decisions with your own business knowledge. This means that the decision to block, or to route traffic through the WAF at all, depends not only on the WAF's verdict but also on data about your application and its context, which can reduce the false positive rate to the point where false positives practically disappear.

This talk will go through how such a service can be built with open source examples, what alternatives exist depending on the flexibility of the WAF used, and how this approach lets you decide deliberately on the false positive rate you want and the business risk you accept, depending on the attack type and its possible impact.
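The decision logic described in the two paragraphs above, as an added illustration that is not the speaker's code: the WAF's verdict is combined with application context (endpoint sensitivity, a trusted-source flag and a list of known false-positive endpoints, all constructed here) and a per-attack-type policy, so that traffic is only routed inline where the policy asks for it and blocking thresholds differ by attack type. The WAF verdict format, the 0-100 score scale and the context fields are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class WafVerdict:
    category: str   # attack type the WAF reports, e.g. "sqli", "xss", "scanner" (assumed)
    score: int      # WAF anomaly score on a constructed 0-100 scale

@dataclass
class RequestContext:
    path: str
    authenticated: bool
    sensitivity: str        # "low" or "high"; assumed to come from an application inventory
    trusted_source: bool    # e.g. the company's own scanners (assumed, from application data)

# Per-attack-type policy: the score at which blocking is accepted (None = detect only,
# never block) and which endpoint sensitivities justify routing inline at all.
POLICY = {
    "sqli":    {"block_at": 70,   "inline_on": {"low", "high"}},
    "xss":     {"block_at": 85,   "inline_on": {"high"}},
    "scanner": {"block_at": None, "inline_on": set()},
}

# Business knowledge the WAF lacks: endpoints known to trigger a rule legitimately,
# e.g. a free-text search field that accepts angle brackets. Constructed sample entry.
KNOWN_FALSE_POSITIVES = {("xss", "/search")}

def route_inline(verdict: WafVerdict, ctx: RequestContext) -> bool:
    """Active mode only where the policy asks for it; everything else stays passive."""
    rule = POLICY.get(verdict.category)
    if rule is None or ctx.trusted_source:
        return False
    return ctx.sensitivity in rule["inline_on"]

def decide(verdict: WafVerdict, ctx: RequestContext) -> tuple:
    """Combine the WAF verdict with application context. Returns (action, reason).
    The out-of-band detection is always recorded; only the action taken differs."""
    if not route_inline(verdict, ctx):
        return ("allow", "passive: detected out of band, not routed inline")
    rule = POLICY[verdict.category]
    if rule["block_at"] is None or verdict.score < rule["block_at"]:
        return ("allow", "inline: score below the block threshold for this attack type")
    if (verdict.category, ctx.path) in KNOWN_FALSE_POSITIVES:
        return ("allow", "inline: known false positive for this endpoint")
    return ("block", f"inline: {verdict.category} score {verdict.score} >= {rule['block_at']}")

if __name__ == "__main__":
    ctx = RequestContext("/login", False, "high", False)
    print(decide(WafVerdict("sqli", 90), ctx))   # ('block', 'inline: sqli score 90 >= 70')
```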