DeepSec 2018 Talk: Building your Own WAF as a Service and Forgetting about False Positives – Juan Berner

When a Web Application Firewall (WAF) is proposed as a defence against web application attacks, a decision usually has to be made: will it be placed inline, where an outage or added latency affects users, or out of band, where it affects no users but protects none of them either? In his talk Juan Berner covers a different approach to using whatever WAF is at your disposal, one that tries to get the best of both worlds: the WAF runs in passive mode out of band to detect attacks, and in active mode by selectively routing traffic through it so it can decide whether a request should be blocked or allowed.

To achieve this you have to wrap the WAF in a web service, something developers are used to working with, which lets you deliver security in a targeted and scalable manner. In this network-agnostic setup a WAF web service can scale horizontally, and its decisions can be enriched with your own business knowledge. The decision to block, or to route traffic through the WAF at all, then depends not only on the WAF's verdict but also on data about your application and its context, which can significantly reduce the false positive rate.

In this talk, Juan goes through how such a service can be built from open source components, what alternatives there are depending on the flexibility of the WAF used, and how this approach lets you deliberately choose the acceptable false positive rate and business risk per attack type. He also covers the drawbacks of a solution that is not fully inline and discusses possible improvements to this architecture.
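The two-stage design described above, as an added example that is not code from the talk or from Booking.com: a routing stage at the edge decides which requests pay for inline inspection (everything else is served directly and only a copy is analysed), and a decision stage combines the WAF's verdict with application context before blocking. The toy regex "WAF", the `Context` fields, the per-attack block thresholds and the `/search` override are all assumptions standing in for a real engine (ModSecurity-style anomaly scoring, for instance) and for the business knowledge an application owner would supply; the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"      # serve directly; the WAF only ever sees a copy (out of band)
    INSPECT = "inspect"  # route inline through the WAF service before serving
    BLOCK = "block"      # WAF verdict plus context crossed the block threshold


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    client_ip: str = "0.0.0.0"
    authenticated: bool = False


@dataclass
class Context:
    """Hypothetical business knowledge supplied by the application side (assumed)."""
    sensitive_paths: tuple = ()                          # endpoints worth the inline latency
    bad_ips: frozenset = frozenset()                     # clients with confirmed prior attacks
    block_threshold: dict = field(default_factory=dict)  # attack type -> score that blocks
    path_overrides: dict = field(default_factory=dict)   # (path, attack type) -> score that blocks


@dataclass
class Verdict:
    score: int = 0
    attacks: list = field(default_factory=list)


# Toy signature WAF standing in for a real engine's anomaly scoring (assumed rules).
RULES = (
    ("sqli", 5, re.compile(r"(?i)(union\s+select|'\s*or\s*'1'\s*=\s*'1)")),
    ("xss", 5, re.compile(r"(?i)<script|onerror\s*=")),
    ("traversal", 3, re.compile(r"\.\./")),
)


def waf_analyze(req: Request) -> Verdict:
    """The WAF behind the web service: returns an anomaly score and the attack types seen."""
    verdict = Verdict()
    haystack = " ".join((req.path, req.query, req.body))
    for attack, weight, pattern in RULES:
        if pattern.search(haystack):
            verdict.score += weight
            verdict.attacks.append(attack)
    return verdict


def route(req: Request, ctx: Context) -> Action:
    """Stage 1 at the edge: only a minority of requests pay for inline inspection."""
    if req.client_ip in ctx.bad_ips:
        return Action.INSPECT
    if any(req.path.startswith(p) for p in ctx.sensitive_paths):
        return Action.INSPECT
    if req.method != "GET" and not req.authenticated:
        return Action.INSPECT
    return Action.ALLOW


def decide(req: Request, ctx: Context, alerts: list) -> Action:
    """Stage 2: combine the WAF verdict with context. Every request, inline or
    out of band, is analysed and alerted on; only inline ones can be blocked."""
    verdict = waf_analyze(req)
    if verdict.attacks:
        alerts.append((req.client_ip, req.path, verdict.score, tuple(verdict.attacks)))
    if route(req, ctx) is Action.ALLOW:
        return Action.ALLOW
    for attack in verdict.attacks:
        # A path-specific threshold (business context) wins over the generic one.
        threshold = ctx.path_overrides.get((req.path, attack), ctx.block_threshold.get(attack))
        if threshold is not None and verdict.score >= threshold:
            return Action.BLOCK
    return Action.ALLOW


# Constructed sample context and requests (not real traffic).
CTX = Context(
    sensitive_paths=("/login", "/admin"),
    bad_ips=frozenset({"203.0.113.9"}),
    block_threshold={"sqli": 5, "xss": 5, "traversal": 5},
    path_overrides={("/search", "xss"): 10},  # search box is known to reflect safely; tolerate more
)

SAMPLES = [
    Request("GET", "/search", query="q=<script>alert(1)</script>", client_ip="198.51.100.1"),
    Request("POST", "/login", body="user=admin' or '1'='1&pass=x", client_ip="198.51.100.2"),
    Request("GET", "/admin/files", query="name=../../etc/passwd", client_ip="198.51.100.3", authenticated=True),
    Request("GET", "/profile", query="name=<script>alert(1)</script>", client_ip="203.0.113.9"),
]

if __name__ == "__main__":
    alerts = []
    for r in SAMPLES:
        print(r.method, r.path, r.client_ip, "->", decide(r, CTX, alerts).value)
    print(len(alerts), "alerts raised")
```

The point to notice is that the same XSS-looking query is allowed on `/search` (out of band, alert only) and blocked on `/profile` when it comes from a known bad client, while a path traversal on an admin endpoint is inspected inline but still only alerted on because its score stays under the threshold the application owner chose for that attack type. In a real deployment the `alerts` list would be the out-of-band stream the passive mode feeds, and `route` would live in the edge proxy rather than in the same process.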

We asked Juan a few more questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

  • Web Application Firewalls (WAF) can take advantage of event streaming technologies (such as Kafka) to replicate a network tap to perform out of band analysis.
  • Creating a web service around a WAF means you do not need to limit yourself to a single WAF but can use multiple different types to enhance the detection.
  • A WAF web service also allows adding business logic to the detection of Web Application Attacks.
  • By using context in relation to Web Application Attacks, the false positive rate can be decided not just by tuning the particular rules but also by choosing what context would trigger a response from the WAF service.
  • It’s possible to have a hybrid setup where most traffic will not have the downsides of a WAF (latency on the request analysis) and yet allow blocking of malicious requests by selective routing.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Due to constraints of not being able to implement a commercial WAF, due to the latency it might add and fear of false positives, I came up with a design that would solve both of these problems. This led to finding other benefits, such as the use of business logic and the ability to add multiple types of WAFs and enhancements improving detection.

Why do you think this is an important topic?

I think it’s an important topic due to the problems that affect today’s WAFs. Lack of context awareness and false positives make them less effective and mostly unused in companies that can’t deal with their false positive rate, or, if they decide not to block, would just suffer from alert fatigue. Showing that a false positive rate can be managed and that context can enhance WAF analysis would allow them to take advantage of their domain knowledge to improve detection.

Is there something you want everybody to know – some good advice for our readers maybe?

While WAFs get a bad reputation, they are a useful layer of defence for any company that has web applications. I would advise them to consider if this talk could be useful in other contexts, and where we could use known security components and enhance their capabilities with a more service oriented architecture.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think that while Runtime Application Self-Protection (RASP) is the natural progression for web application defence, it is still missing context awareness, a drawback similar to our current WAF implementations, which is one of the features I’m introducing in this talk. I would expect that using a similar approach with RASPs will allow them to become more effective and in some cases less intrusive.

Juan Berner is a security researcher with over 8 years of experience in the field, currently working as Security Lead Developer at Booking.com, as SME for Application Security and Architect for security solutions.
