A Web Application Firewall may cause fear that doesn't fit into the DevOps methodology. But what if a WAF is involved in the DevOps process very early and not just at its end?

The problem is that when a WAF is added to production, the impact on the application is tested too late, because application developers get feedback extremely late and the WAF could probably break the application. The referent will show a way how to integrate a WAF and its testing into the deployment pipeline with fast feedback loops.

The referent Franziska Bühler works as a Systems Engineer for Swiss Post, where she builds and enhances the reverse proxy platform in a DevOps manner. Her main areas of responsibility are web server security and everything related to the access layer.
In her spare time Franziska Bühler likes to read technical books about security, DevOps or HTTP. If she is not reading, she disassembles highly optimized regular expressions as described in her blogpost. Also Franziska helps as a developer and committer to enhance the OWASP ModSecurity Core Rule Set. The Core Rule Set is a rule set for the ModSecurity WAF. See https://coreruleset.org

Franziska Bühler