Christian Folini on the strategic role of web application firewalls

Christian Folini is a leading expert in cyber security. As a member of the steering committee of the National Cyber Strategy (NCS) and co-leader of the OWASP CRS project, he makes significant contributions to the development of security technologies. He also has an impressive background in medieval history. Find out how his work with web application firewalls challenges bug bounty hunters and shapes the security landscape. Meet Christian at GOhack24 to benefit from his extensive knowledge.


Christian, with a doctorate in medieval history alongside your career in cyber security, you combine two very different fields of expertise. Which skills from your historical training are particularly valuable for your technical work?

That's an exciting question I could talk about for hours. One skill that has often helped me is in the area of forensics and debugging. I can extract a wealth of information from relatively few log files. I suspect this has to do with my training as a medieval historian, where we often had to work with very scarce and often difficult-to-read sources. In such a situation, you often spend hours pondering a single sentence. And that's exactly how I approach log files, to understand exactly how a single entry was created.

How did you discover your passion for cyber security, especially in the area of web application firewalls?

As a junior employee, I worked on several web servers. During an audit, the corporate audit department of a customer recommended that I take a look at ModSecurity. We agreed that I would invest two days in it. That was almost 20 years ago.


As the author of the ‘ModSecurity Handbook’ and co-leader of the OWASP CRS project (Core Rule Set), which plays a key role in protecting millions of servers worldwide, you have a deep insight into the importance of this technology. Could you explain why this project is so important for the security of web applications and what role it plays in the cybersecurity landscape?

As an open source set of rules for web application firewalls, OWASP CRS is beyond compare. This means that commercial providers either have to develop a WAF with their own rules or integrate CRS into their offering.

Of course, WAFs can be a matter of opinion and operating a WAF is no walk in the park. But if you do it right, it makes a significant contribution to a defence in depth.

Incidentally, in 2008 a machine learning developer told me that AI WAFs would soon be ready to completely replace CRS. No one can remember the name of his company, but CRS is now stronger than ever.

What role does the open-source philosophy play in your work and how does it influence the cyber security community?

The open-source idea has always been very important to me and unconditional sharing is also in line with my own values. But the fact that large corporations make millions a year selling what we give away for free – and do so without at least sponsoring us – is sometimes frustrating.

The ability to copy digital assets for free makes open source a highly successful model. The fact that you can write very good software with it is icing on the cake.


Your talk at GOhack24, "Using a WAF to Make the Life of Bug Bounty Hunters Miserable", looks at how WAFs can be used to control and challenge bug bounty hunters. Can you give us a few insights in advance into how WAFs can be strategically used to effectively protect security devices while keeping bug bounty hunters on their toes?

For conceptual reasons, a WAF cannot provide complete protection. A WAF always has gaps and, with enough time, these gaps can be found and exploited. The game that never ceases to fascinate me is trying to keep attackers busy for as long as possible.

In cybersecurity today, we often see a situation where a single hacker can disable a very large security system single-handedly. With a WAF, however, it is possible for a single security engineer to keep a small army of bug bounty hunters away from the application.

I remember a setup in which a pentester tried to access a WordPress admin console for several days. After checking the log files, I informed him that not a single one of his requests had reached the actual server. He broke off the test.

Without a WAF, he would have certainly destroyed the WordPress installation. Thanks to the WAF, however, I was able to turn the tables completely and suddenly make him squirm.

As a representative of civil society on the steering committee of the national cyber strategy, you play a central role in shaping Switzerland's cybersecurity policy. In your opinion, in which direction is cybersecurity developing in Switzerland?

The country's decentralized structure and heterogeneous society are both a blessing and a curse when it comes to cybersecurity. They hinder the creation of vulnerable centralized systems and lead to inefficient but more resilient redundancies. However, I have the impression that we are in the process of better connecting the various players and systems, learning from mistakes and now – often on the second or third attempt – doing things better. It has never been a lack of know-how that has held us back, but rather the fact that we have not all been pulling in the same direction.

What advice would you give to young security researchers just starting their careers in cybersecurity?

My advice to the next generation: try something new! We have been doing security for 30 years now and the situation is sad to bleak. If anyone can improve the situation, it is the newcomers to the industry.

Hear from exciting speakers on current cybersecurity topics. Meet Florian and other cybersecurity experts at GOhack24.
