The idea is to first catch up with what's currently "state-of-the-art"
and build new features from there. This means that I'm starting with:
SQL injection, XSS, honeypots, IP white/black listing and so on.
The main difference, though, is to have the proxy/filter to communicate
with a "WAF Server" via Web Sockets, so that they can send request data
to the backend for an async analysis and receive new data from the
server, like an updated blacklist of IPs. This way, the filter is only a
thin layer, with minimal impact on the performance of the protected
application. Should the WAF Server become unavailable for some reason,
the last known state is still at the filter.
My first idea for an apiman integration would be to have a component on
apiman's side, communicating directly with the WAF Server via Web
Sockets, like the proxy/filter.
On 08.04.2016 20:57, Eric Wittmann wrote:
Thanks for the question!
I think we have only scratched the surface of what is possible and
relevant for apiman, in terms of the policies we support. We're always
looking to expand our catalog of policies when it makes sense to do so.
Looking at the documenation for ModSecurity, I think there are
definitely some features that would make sense for apiman to have.
Can you perhaps give us some bullet points of features you would like
your Web Application Firewall to support? :)
On 4/8/2016 12:21 PM, Juraci Paixão Kröhling wrote:
> I'm currently working on a Web Application Firewall idea on my free
> time, and I think this might somehow fit within the scope of apiman.
> Web Application Firewall is a proxy or filter that sits in front of an
> application, accepting/rejecting requests. The main idea is to block
> malicious requests before they reach the protected application. One
> example of such component is ModSecurity.
> I see that apiman already has some features around security, but I'm not
> sure how far into this realm the project wants to go. Is there an
> interest in having such a feature? If so, what would make most sense:
> something completely inside apiman, or light integration with an
> external service (in a microservices fashion)?
> 1 - https://www.modsecurity.org/
> - Juca.
> Apiman-dev mailing list