Everything I Learned and Wanted to Forget about WAFs

  • Webcast Aired Wednesday, 03 Oct 2018 1:00PM EDT (03 Oct 2018 17:00 UTC)
  • Speakers: Serge Borso, Jeremiah Cruit

Application security is nothing like it was 25 years ago. Today, almost all enterprise applications have some web-facing component, whether in the form of a pure web-app, cloud application, API, or microservice. Furthermore, attackers have become more efficient, persistent and sophisticated, while all along, web application security has failed to keep up.

Web Application Firewalls (WAFs) have long been at the center of web application security strategy but have also created large gaps with their difficult-to-manage whitelist and signature approaches. WAFs require constant tuning to avoid false positives and result in broken web applications when they lack tight integration with the development cycle. Jeremiah Cruit should know ' he tried them all. '

For two decades Jeremiah purchased and implemented dozens of 'check the box, ' compliance-only solutions with minimal security value, struggling to find a WAF that really worked. That is, until, he was introduced to a modern take on web application security. 'A next-generation WAF has emerged that is based on attacker-centric behavior and risk, which means fewer false positives and the ability to thwart the most advanced attacks that all too often evade signatures.

On Wednesday, October 3, Jeremiah will be joined by SANS Analyst, Serge Borso to discuss:

  • - The first-hand challenges and limitations of legacy web application firewalls '
  • - Web application security in the age of DevOps and continuous delivery
  • - Why you should demand more from your web application firewall '
  • - What to look for in a modern web application security provider