
Everything I Learned and Wanted to Forget about WAFs

  • Wednesday, October 3rd, 2018 at 1:00 PM EDT (17:00:00 UTC)
  • Serge Borso and Jeremiah Cruit


  • ThreatX



Application security is nothing like it was 25 years ago. Today, almost all enterprise applications have some web-facing component, whether in the form of a pure web-app, cloud application, API, or microservice. Furthermore, attackers have become more efficient, persistent and sophisticated, while all along, web application security has failed to keep up.

Web Application Firewalls (WAFs) have long been at the center of web application security strategy, but their difficult-to-manage whitelist and signature approaches have also created large gaps. WAFs require constant tuning to avoid false positives, and they break web applications when they lack tight integration with the development cycle. Jeremiah Cruit should know: he has tried them all.

For two decades Jeremiah purchased and implemented dozens of check-the-box, compliance-only solutions with minimal security value, struggling to find a WAF that really worked. That is, until he was introduced to a modern take on web application security. A next-generation WAF has emerged that is based on attacker-centric behavior and risk, which means fewer false positives and the ability to thwart the advanced attacks that all too often evade signatures.

On Wednesday, October 3, Jeremiah will be joined by SANS analyst Serge Borso to discuss:

  • The first-hand challenges and limitations of legacy web application firewalls
  • Web application security in the age of DevOps and continuous delivery
  • Why you should demand more from your web application firewall
  • What to look for in a modern web application security provider

Speaker Bios

Serge Borso

Serge Borso, a SANS community instructor and analyst, teaches the DEV522 Defending Web Applications Security Essentials and SEC542 Web Application Penetration Testing and Ethical Hacking courses. As owner and principal consultant of an information security organization, he leads penetration-testing engagements and has helped dozens of organizations improve their security posture. Serge's accomplishments include developing vulnerability management programs, creating security awareness training solutions and implementing a biometric security system for online banking. An active member of the InfoSec community, he serves on the board of directors of the large, active Denver chapter of the Open Web Application Security Project (OWASP). Serge holds several security certifications, including CISSP, GPEN, GCFA and GWAPT.

Jeremiah Cruit

Jeremiah Cruit is a seasoned Chief Information Security Officer with 25+ years of leadership experience in the financial, telecommunications, and manufacturing sectors. Before joining Threat X, he implemented a security program that resulted in no compromised systems for over three years and has been recognized for creating innovative fraud protection and incident response programs. Professional focal points include security engineering and architecture, application security, anti-fraud programs, vulnerability management, incident response, forensics, technology solutions, and penetration testing.
