The ESAPI Web Application Firewall (ESAPI WAF)
* Virtual patches
* Enforce authentication
* Enforce access control
* Egress filtering/detection
* Enforce HTTPS
The ESAPI WAF also has capabilities not yet imagined by today's WAFs because it is deployed much closer to the application. Because of this proximity, the ESAPI WAF can use custom code and session storage to integrate meaningful, complex and customized security into an application. Don't have the source? Not a problem: ESAPI WAF can sit in front of the application without any code changes. Don't have $200k to buy a commercial WAF? Don't feel comfortable with mod_security? ESAPI WAF is your answer! Assuming some knowledge of WAFs, the talk will cover its capabilities (with demonstrations), its testing strategy (to provide assurance) and integration strategies.
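As an added illustration of two of the capabilities listed above (a virtual patch and HTTPS enforcement) applied from inside the application tier, here is a plain servlet Filter. This is example code written for this page, not the ESAPI WAF's own implementation or its policy format; the path, parameter name and regex are constructed for illustration.

```java
// Added example (not ESAPI WAF code): a servlet Filter that applies a
// "virtual patch" to one request parameter and enforces HTTPS. The rule
// (/account/view?id= must be a 1-10 digit number) is hypothetical.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class VirtualPatchFilter implements Filter {
    private static final String PATCHED_PATH = "/account/view";   // constructed
    private static final String PATCHED_PARAM = "id";              // constructed
    private static final Pattern VALID_ID = Pattern.compile("^[0-9]{1,10}$");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    /** Decision logic kept free of container types so it can be unit-tested. */
    static boolean isAllowed(String path, String paramValue, boolean secure) {
        if (!secure) return false;                     // enforce HTTPS
        if (!PATCHED_PATH.equals(path)) return true;   // rule is scoped to one path
        // Positive validation: only the expected shape passes.
        return paramValue != null && VALID_ID.matcher(paramValue).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Send the client to the same URL over HTTPS instead of serving it in clear.
            String query = request.getQueryString();
            String target = "https://" + request.getServerName() + request.getRequestURI()
                    + (query == null ? "" : "?" + query);
            response.sendRedirect(target);
            return;
        }

        String path = request.getServletPath();
        String value = request.getParameter(PATCHED_PARAM);
        if (!isAllowed(path, value, true)) {
            // Record the block for detection and rule tuning; the client gets a generic 403.
            request.getServletContext().log(
                "virtual patch blocked " + path + " (param " + PATCHED_PARAM + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Mapping the filter to `/*` in web.xml with a `<filter-mapping>` element puts it in front of every servlet, which is what "sit in front without any code changes" amounts to in the servlet model: the application's own handlers are untouched, and the rule can be removed once the underlying bug is fixed. The validation is a whitelist on the expected value shape rather than a blacklist of known-bad strings, which is what keeps a virtual patch from being trivially bypassed.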
Arshan Dabirsiaghi is the Director of Research of Aspect Security, a company that specializes in application security services. He contributes to many OWASP groups and, as no surprise to Gary McGraw, voted for Nader. Arshan just left PR hack on AOL yesterday and is trying to figure out why document.cookie is so interesting. He spends most of his work time abusing web applications, teaching classes all over the world and doing research into next generation web application attacks and defenses.