SecAppDev 2024 workshop details
WAF Whirlwind Tour - A one day introduction to OWASP ModSecurity and OWASP CRS
Learning goal: This workshop aims to equip participants with the skills to perform basic WAF configuration, write and read simple ModSecurity rules, and handle false positives.
Thursday June 6th, 09:00 - 17:30
Room Lemaire
Abstract
The OWASP ModSecurity WAF engine and its rule set counterpart, OWASP CRS, are the dominant pair in the WAF world. Most commercial products are based on CRS and very often also on ModSecurity. Their key characteristics are a high detection rate and the transparency of the rule set. The generic nature of the rule set also comes with a painful downside: false positives.
In this one-day workshop we will look into the configuration of the WAF, write a few rules and, above all, fight false positives. The workshop covers everything you need to understand the basics and get started with a WAF.
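As an added illustration of what the abstract describes (this is example configuration written for this page, not material from the workshop or from the CRS project), the fragment below shows a small custom ModSecurity rule and the two standard ways of excluding a CRS rule for one parameter so that a false positive stops firing without switching the rule off. Rule IDs 10001 and 10002, the paths /admin and /api/comments, the parameter name comment and the 10.0.0.0/8 network are assumptions chosen for the example; rule 942100 is the real CRS libinjection SQL injection check.

```apache
# Added example (not from the workshop page or from CRS): a custom rule plus
# two CRS false-positive exclusions. IDs, paths, parameter names and the
# network range are assumptions for illustration.

# 1. Custom rule. ID 10001 is an assumption; user rules must stay outside the
#    CRS range (900000-999999). Blocks /admin unless the client comes from the
#    assumed internal network 10.0.0.0/8. The disruptive action (deny) sits on
#    the first rule of the chain; the chained rule only adds the IP condition.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:10001,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'Admin path blocked from outside internal network',\
    chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"

# 2a. Startup-time exclusion. Must be placed AFTER the CRS rules are loaded
#     (e.g. in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). Stops rule 942100
#     from inspecting the assumed ARGS:comment parameter on every request,
#     while leaving the rule active for all other parameters.
SecRuleUpdateTargetById 942100 "!ARGS:comment"

# 2b. Runtime exclusion. Must be placed BEFORE the CRS rules are loaded
#     (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). Narrower than 2a:
#     the target is removed from 942100 only for requests to the assumed
#     /api/comments endpoint. ID 10002 is an assumption.
SecRule REQUEST_URI "@beginsWith /api/comments" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:comment"
```

When a legitimate request is blocked, take the rule ID from the [id "..."] field of the error or audit log entry and exclude only the offending target, as in 2a or 2b. Removing the whole rule with SecRuleRemoveById also clears the false positive, but it disables the check for every parameter and every path, which is rarely what is wanted.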
Content overview
- WAF
- Web Application Firewall
- Application Security
- XSS
- SQLInjection
- ModSecurity
- CRS
- Core Rule Set
Content level
Deep-dive
Target audience
People interested in understanding how WAFs work, people eager to deploy a WAF, and people running a commercial WAF who want to understand what is really going on.
Prerequisites
Basic understanding of a Unix shell such as bash, and experience editing files in an editor of your choice.
Technical requirements
Superuser access to an Ubuntu installation, either local, virtual or remote. Other distributions may work too, but will not be covered in the workshop.
Christian Folini
Project Co-Lead, OWASP CRS, OWASP ModSecurity
Expertise: Web application security, Web Application Firewalls (WAF)
Other workshops
Externalizing authorization in a diverse application landscape using OPA
One-day workshop by Michael Boeynaems and Jasper Rots in room Lemaire
Friday June 7th, 09:00 - 17:30
This hands-on, interactive training will teach participants how their applications can benefit from external authorization and how they can implement this using Open Policy Agent (OPA), a modern solution to realize the PIP-PAP-PEP-PDP model and an accessible alternative to XACML-based solutions. OPA is application agnostic and allows writing policies as code in the Rego policy language. Through this policy engine, participants will learn how to manage access away from their applications, which will help them to address the current number one risk of the OWASP Top 10: Broken Access Control.
Learning goal: Participants will understand the benefits of externalizing authorization and will be able to do so in practice, while at the same time understanding the limitations of such an architecture.
Navigating the 2021 OWASP Top Ten for web security
One-day workshop by Jim Manico in room West Wing
Friday June 7th, 09:00 - 17:30
This workshop offers a deep dive into the OWASP Top 10 2021, essential for web developers and security professionals aiming to master secure coding practices. It elucidates the critical web application security risks, fostering a comprehensive understanding and implementation of defensive programming. Attendees will gain insights into the most prevalent security threats and the methodologies to mitigate them, ensuring the development of secure and resilient web applications.
Learning goal: Participants will master the OWASP Top 10 2021, learning to identify, understand, and mitigate the most critical web application security risks, thereby enhancing their secure coding skills.
Bulletproof APIs: Hands-On API Security
One-day workshop by Philippe De Ryck in room West Wing
Thursday June 6th, 09:00 - 17:30
As APIs become a big part of our tech world, making sure they're secure is key. The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs requires developers and architects to really get API security, from the big picture down to the nitty-gritty details.
This workshop will teach you the skills you need! We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With lectures, real-world demos, fun quizzes, and hands-on labs, you'll learn how to secure your APIs.
Learning goal: Gain hands-on security strategies for APIs, understand the root causes of threats, and learn to implement effective solutions. Master best practices and leave with a checklist to enhance your application's security.