The ESAPI Web Application Firewall (ESAPI WAF)

The presentation
This talk will be the official introduction of the ESAPI WAF! We'll present a new way of thinking about WAFs & our tool provides all the usable, up-front security one can get from a WAF without suffering from any of the design flaws and integration patterns that make them a maintenance nightmare. It's a small-footprint technology that can do all the following with ease & and for FREE, BSD licensed! * Virtual patches * Enforce authentication * Enforce access control * Egress filtering/detection * Enforce HTTPS * Canonicalize input * It also has capabilities not yet imagined by today's WAFs because it is deployed much closer to the application. Because of its proximity, the ESAPI WAF can use custom code and session storage to integrate meaningful, complex and customized security into an application. Don't have the source? Not a problem! ESAPI can sit in front without any code changes. Don't have $200k to buy a commercial WAF? Don't feel comfortable with mod_security? ESAPI WAF is your answer! Assuming some knowledge of WAFs, the talk will cover its capabilities (with demonstrations), testing strategy (to provide assurance) and integration strategies.

The speaker
Arshan Dabirsiaghi is the Director of Research of Aspect Security, a company that specializes in application security services. He contributes to many OWASP groups and, as no surprise to Gary McGraw, voted for Nader. Arshan just left PR hack on AOL yesterday and is trying to figure out why document.cookie is so interesting. He spends most of his work time abusing web applications, teaching classes all over the world and doing research into next generation web application attacks and defenses.