Don’t use a Web Application Firewall, and when you should, anyway. (Joshua Fox)
February 27th, 2026 | Level: Technical
Abstract:
Your security team has just painted a grim picture of cyber threats, and you’re aware that your web application is full of vulnerabilities. Fixing these seems like it will take between forever and never.
But wait! There’s a solution, a Web Application Firewall, which catches common attacks like script injection and Distributed Denial of Service (DDoS). No coding needed. You just direct all web traffic to the WAF; the WAF terminates TLS, inspects every HTTP request, and blocks the dangerous ones.
In my talk, I will explain how a WAF works, and tell some stories from my experience showing why you probably don’t want one, and when it can provide value anyway.
WAFs often block legitimate users by mistaking normal activity for an attack. When an ecommerce firm saw that a quarter of potential new customers couldn’t even see the web-app, that was good reason to abandon the WAF. But these false positives are accompanied by false negatives: attacks that are let through. There is no way to catch them all: the variety of possible attacks is beyond the imagination of WAF designers and yours, but not of the hackers. I’ll describe a tricky hack aimed at the specific weaknesses of a web-app; there was no way to handle it but thoughtful secure coding. I will also describe some cases in which, with a WAF in place, development teams became more complacent about proper security practices.
Despite these drawbacks, there are situations where using a WAF might be a good idea.
When an audit required my customers to deploy a WAF, they had no choice; but of course, in that case the WAF was there for compliance, not for security. And in rare cases where an enterprise deployed a not-so-secure third-party web-app whose code they couldn’t fix, the WAF added a little security.
That said, there is one good security reason to use a WAF: DDoS protection. Unlike string-matching on request content, DDoS protection is pretty effective, because a flood is recognizable by the rate and shape of the traffic rather than by what any one request contains, particularly with modern machine-learning based pattern detection.
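To make the two points above concrete, here is an added example (mine, not the speaker’s, and not from any real WAF product) in Python. The first part is a toy signature filter of the kind a string-matching WAF applies to request payloads, run over constructed requests that yield both false positives (harmless text that happens to contain a signature) and false negatives (attacks phrased in a way the signature author did not anticipate). The second part is a sliding-window rate check of the kind that makes flood detection work regardless of payload content. The signatures, requests, IP addresses, timestamps and thresholds are all made up for illustration.

```python
"""Toy signature WAF versus a rate-based flood guard (added example, constructed data)."""
import re
from collections import deque
from urllib.parse import unquote_plus

# Constructed signature list, in the style of a string-matching WAF rule set.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"<script",         # reflected XSS
    r"union\s+select",  # SQL injection
    r"\.\./",           # path traversal
)]


def waf_blocks(raw_query: str) -> bool:
    """Return True if any signature matches the URL-decoded query string."""
    decoded = unquote_plus(raw_query)
    return any(sig.search(decoded) for sig in SIGNATURES)


# Constructed requests: (label, raw query string, is it actually malicious?)
REQUESTS = [
    ("job search", "q=javascript+developer", False),
    ("forum post about HTML", "body=use+the+%3Cscript%3E+tag+for+inline+JS", False),
    ("note with a relative path", "note=see+../README+in+the+repo", False),
    ("textbook XSS", "q=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("XSS via an event handler, no <script> at all", "q=%3Csvg+onload%3Dalert(1)%3E", True),
    ("SQLi with a comment splitting the keywords", "id=1+UNION/**/SELECT+password+FROM+users", True),
]


def classify(requests=REQUESTS):
    """Return (false_positive_labels, false_negative_labels) for the constructed traffic."""
    fps, fns = [], []
    for label, query, malicious in requests:
        blocked = waf_blocks(query)
        if blocked and not malicious:
            fps.append(label)        # legitimate user locked out
        elif malicious and not blocked:
            fns.append(label)        # attack waved through
    return fps, fns


def flood_sources(events, window_s=1.0, max_per_window=20):
    """Flag client IPs that exceed max_per_window requests inside any sliding window.

    events: iterable of (timestamp_seconds, client_ip) in time order.
    Only volume and timing are inspected; request content is irrelevant here.
    """
    recent = {}          # ip -> deque of timestamps still inside the window
    flagged = set()
    for ts, ip in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(ip)
    return flagged


# Constructed traffic: 10.0.0.9 fires 50 requests in half a second, while two
# ordinary clients browse at a few requests per second.
EVENTS = sorted(
    [(i * 0.01, "10.0.0.9") for i in range(50)]
    + [(i * 0.3, "192.0.2.10") for i in range(10)]
    + [(0.05 + i * 0.25, "192.0.2.11") for i in range(10)]
)


if __name__ == "__main__":
    fps, fns = classify()
    print("false positives (blocked but harmless):", fps)
    print("false negatives (malicious but allowed):", fns)
    print("flood sources by rate:", flood_sources(EVENTS))
```

The signature list has no answer to the `<svg onload>` payload or to the `UNION/**/SELECT` spacing trick (MySQL treats an inline comment as whitespace), while it happily blocks a forum post that merely mentions the `<script>` tag; tightening the regexes to catch the evasions only widens the false-positive net. The rate check, by contrast, needs no knowledge of the payload at all, which is why the same appliance that is unreliable at content inspection can still be a good fit for flood protection.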
This talk will leave you with the sense that the WAF is a lot less useful than you thought, but also with an understanding of when it’s the right choice to protect your systems.
Bio:
Joshua Fox has been a software architect in innovative technology companies for 20 years. Now he advises tech startups and growth companies about Google Cloud Platform and Amazon Web Services; he also writes open source software and publishes and speaks for cloud engineers.
He has a PhD from Harvard University and a BA in mathematics from Brandeis.