🔒 Security Week Product Discussion: WAF for Everyone - Protecting Against High Severity Vulnerabilities
Presented by: Michael Tremante, Zhiyuan Zheng
Originally aired on March 15, 2022 @ 9:00 AM - 9:30 AM EDT
Join Cloudflare's Product Management team to learn more about the products announced today during Security Week.
Read the blog posts:
- A new WAF experience
- Improving the WAF with Machine Learning
- Security for SaaS providers
- Cloudflare Zaraz supports CSP
- WAF for everyone: protecting the web from high severity vulnerabilities
Tune in daily for more Security Week at Cloudflare!
SecurityWeek
English
Transcript (Beta)
Hello everyone to this Cloudflare TV session. My name is Michael Tremante.
I am one of the product managers here at Cloudflare specializing in our web application firewall and application security.
We've got a great topic today.
Of course, we are at day two of security week, which is a whole week of security related announcements.
I've been at Cloudflare for quite some time and I've got, you know, we've got a lot of really interesting projects to share.
And for the listeners that are just joining us live right now, of course, our blog posts are about to be announced as well.
And there's a few things we're going to talk about today.
Before we jump in, of course, I'm also joined here by one of the product designers that also works on application security day one.
Do you mind just a few sentences about yourself to the people that are our users?
Know what you work on.
Sounds great.
Thanks a lot, Michael, and great to be here. As Michael mentioned, my name is Zhiyuan, one of the product designers working within our application security area, familiar with Michael, actually, I'm pretty new to Cloudflare.
I joined last year and started working in security right away and I've been using myself Cloudflare for already many years before I joined and when I was reading a blog post launch last year, and that's the moment I figured out the great opportunities and that's how I join.
So I would encourage you, if you're listening right now, please check out our blog post.
They're amazing. And also check out our opportunities.
We are hiring a lot in many areas.
So that's briefly about me.
Awesome.
Thank you very much. You one and a few bookkeeping things before we jump in.
If anyone listening today has any questions as usual, please feel free to email [email protected].
If we do receive any questions, we'll make sure to answer them towards the end of the session.
Of course, if you're an enterprise customer or a self-serve customer, also feel free to email support or your account team.
I'm sure they'll be able to do follow ups and answer any questions that we might not answer in the session.
Great.
With that, let's kick it off. We've just published a couple of major announcements on our blog.
If you head over now to blog.cloudflare.com, they should be live or if not it's a matter of seconds.
And one of the big announcements, of course, is we're wanting to essentially help the broader community by providing a managed ruleset to all of our free customers.
Right. Is that is that a good place to start? Yeah, that sounds amazing.
So many blog posts are coming up today, so stay tuned for that.
And I think related to all the announcements that we are making today around Web application, firewall or WAF, in short, how should we define WAF?
How can you help us to recap about what a WAF is?
Yeah, absolutely.
So today is a lot about WAF.
And for those of you who might not be familiar with what a WAF is and what it does, of course, WAF is one of our core security products.
If you're running a website, if you're running, you know, a local shop, an e-commerce business, or maybe you're even a larger, larger enterprise customer offering API endpoints or integrations with third parties is super important that you make sure those systems are protected.
And one common way of doing this, of course, or at least to virtually patch and buy you some time in the event there's a vulnerability discovered on your application is by deploying what we generally refer to as WAF.
A WAF from a technical standpoint is nothing more than a proxy based system.
And as many of you know, Cloudflare is essentially a very large network that runs a very sophisticated reverse proxy on every single request.
And what WAFs do, of course, is every time a user tries to access your application, they may check that request coming from the browser, and they make sure that request essentially is not trying to do anything malicious.
It's very common for hackers or bad actors on the Web to try and compromise applications.
Many of you will be running WordPress sites. WordPress, a good chunk of the internet is made out of WordPress.
And WordPress, of course is an awesome tool.
I use it myself as well.
It's open source and because of that of course there's a lot of development from the community, but very often WordPress sites do tend to go a little out of date and when a visible vulnerability is discovered, maybe an attacker finds out about it or it's a very popular plug in a WAF is there to help you stop those attackers compromising that vulnerability and then taking over your site.
And from an engine perspective, we on our side of Cloudflare have this ability to, as part of the WAF provide what we call manage rules.
And for those of you who are familiar with this concept in computer science, of course regular expressions that allow us to define the syntax of what we're looking for in the request.
If someone's opening a web page, we don't expect anything malicious to be there.
But if someone is trying to post the form and as you name, surname, email and instead of the email address, they put a code snippet.
Of course, that's not legitimate.
Someone's trying to do something fishy and WAFs are of course trying to detect that and then ideally block it.
Or in some cases you may want to challenge it, or at least log to see what's happening for further investigation.
And yeah, that's WAF in a nutshell, of course, there's a lot more topics around WAF, but essentially they help keep your application safe from malicious payloads.
That sounds amazing.
And I myself I also started the journey in the web space, let's say also from WordPress.
And that's one of the first applications I start hosting and designing around and get my myself into the web area.
And over the time, I've been also building a lot more applications.
And also, let's say the tech service has been expanding mostly because the complexity of the applications that have been running myself.
So one of the blog posts today that we're announcing will be called "WAF for everyone." And the name definitely sounds very exciting.
So what do we actually release today to our customers?
Yeah, and that's our headline announcement.
I'm very excited by this one, especially because, you know, Cloudflare started with our self-serve plans.
Most of folks using the platform are on our free plan, which is very good value given it's free and there's no side effect.
We want to actually allow customers and users with small applications to serve a lot of content to the community at large.
Right.
And historically, because of what the WAF does, as we said earlier, it's inspecting every single request for malicious payloads.
And when it finds one that it blocks or does something, it's actually quite an expensive operation to perform.
If you think about we're seeing several million, I believe, a peak, more than 44 million HTTP requests per second.
Running the WAF to protect everyone is not an easy task.
Having said that, and because of that, historically, only our pro business and enterprise customers had access to our web application firewall.
So if you were a free user, you do get some protection.
Of course, our DDOs mitigation has been announced as unmetered and available to everyone.
Just by being on the platform, you're getting some benefits from the bandwidth and size of the platform itself.
But WAF has never been something we have been able to bring down the plan, but that's changing today.
So as part of the headline of the announcement, of course, is we have now built a Cloudflare free manage ruleset.
This is essentially a set of rules developed internally at Cloudflare from our security analysts.
And we've packaged them and we're going to make them available to essentially everyone, including the free plans and the manage rulesets are to some extent the more important part of the WAF because the WAF is an engine that lets you block malicious things and there's several components to it and it also allows you to write your own custom rules.
But not everyone of course is a security expert.
So as part of the cloud for WAF we provide managers and the protections of course are actually already running today across the network.
That's why, you know.
Yeah, that's actually a very important point is that we, we're actually offering already the protection out there, but we want to make sure that our customers, I bet you the listeners can see them, tweak them and feel well protected based on our new free rulesets.
Yeah, absolutely.
And that's that's what's going to be happening over the next couple of months.
Right. So everyone's getting protection today. So the system is running already.
We're just missing to finalize some of the UI components to really expose it in the UI.
But if you were to perform a specific malicious request to any free zone on Cloudflare, it will already be blocked.
I think there was actually two fundamental reasons we're doing this as well.
Our first mission, of course, is to help make the web a better place. And this very much is in that in that line, when there is a high impact and wide impact in vulnerability, it's just the right thing to do.
We don't want to see the Web scattered with millions of compromise WordPress sites or Joomla sites or even custom applications, if we if we could have avoided that.
Secondly, though, I guess from a from a product selfish perspective, we want to always try to disrupt what we're doing today, both internally.
I'm, you know, I've been working on the WAF now for two years and Joanne, you've been joined in helping us on that effort.
But if we, we need to keep making the WAF, WAF better in general.
Right.
And one way to do that of course is the forces out to disrupt yourself. So by doing this we're also making sure we keep on thinking, okay, what's next?
What's the next big feature we can release?
And today actually there's quite a few other additional WAF announcements which we're not discussing in the session.
I think the separate collaborative sessions talking about some of those efforts and we're also sending a message to other WAF providers.
I, to some extent, I don't think we should be the only one providing some protection for free to the Internet of wide.
Right.
So those are definitely the two main drivers. That sounds amazing.
And that's also one of the main reasons why I started using Cloudflare years back and also why I joined is to help make a better Internet.
And I love the statement very much.
So talking about the free rulesets that we're offering to basically everyone, there are definitely some of the vulnerabilities that we are offering to protect in there.
And if you have been reading our blog post last year, you probably have already been reading some of the high profile ones appearing last year.
But Michael, can you help us to understand a little bit more, some high profile ones and why they're important and what are they basically and what are protecting from?
Yeah, good question.
So this cloud for free manager ruleset that has been implemented and it's running it's there even if you don't see it in the UI just yet.
The goal is to add rules that are protecting against what I would consider high impact and wide impacting vulnerabilities and exploits.
What I mean by that is that the vulnerability or exploit causes remote code execution or full takeover of the application server, which is your worst case scenario, right.
Once an attacker has that, they can pretty much do anything they want within ideally within the boundaries of the application.
In the worst case, though, normally when someone gets in and less and less people are implementing the buzzword of zero trust properly, they will be able to jump to other application servers.
But then the other the other aspect of course is we are going we're committing to mostly protect against wide impacting vulnerabilities.
So there's a few vulnerabilities that target that have been discovered in very common software.
And if that software is used by a reasonable percentage of applications on the net, it means that there's a really big impact if applications are compromised.
So it's high impact and wide ranging, then we're we're committing to add manage rules to this cloud for free manage sets so that any application behind cloud is protected.
And I have three examples, I guess, in these categories.
Number one, the recent Log Forge exploit.
This affected, came out in December, just before Christmas, very timely to some extent.
A lot of these things come out over the holidays when security teams and application owners are taking some well-deserved time off.
At least in most of the Western countries.
And and, you know, attackers have more time to try and compromise applications.
Log Forge specifically was affecting a very popular Java based logging library, which is integrated.
Java is everywhere.
It's one of the promises of Java.
You have a runtime environment that can run on any on any device, and specific patterns of payloads could be very easily inserted in customer logs.
Anyone who runs an app is generating logs.
And if Log4j was being used, sorry, Apache Log4j, then of course the vulnerability would would come into play and the application would be compromised with full remote code execution.
They would use actually the payload to fetch a shell from an external party.
The logging system would actually fetch it and then once it's installed, the attacker can do whatever they want.
These are rules that we've deployed.
We actually did this in December.
We actually deployed it for everyone.
This now we're committing to doing this moving forward.
Another example is shellshock.
This is a very old example.
Back in 2014, I had just joined Cloudflare back then.
This was a popular bash vulnerability with a specific payload you could essentially get access to to the shell on any Linux based server.
You can realize how dangerous that is.
As soon as you have that, you have remote code compromised.
The third one, and I think we're going to be expanding on some of this moving forward as well.
Wordpress, as I said earlier, is a good proportion of websites out there.
Anyone who wants to start a blog, chances are they will go to WordPress.com or WordPress.org get going with a WordPress install because of its popularity.
By consequence, any vulnerability affecting a WordPress application is wide impacting.
So because of that, the cloud for free manageable set will also contain a number of rules protecting WordPress applications.
Right.
And we're just going to give that to everyone. So you have WordPress, you have another incentive to be on our on our free plan and deploy some rules to protect your installs.
Yeah, those are definitely very good background information about the protection that we are providing in this free managed process.
And one of the questions definitely that the security is actually very important, but we are talking about the kind of our massive user base and what benefit do we provide to them in this case?
And also what do we want to build on top of later on what our users can expect from us?
Yeah.
And I think the value the problem we're trying to solve here, right, is if you think of the average Workers user or our Free Plan users who have their site, the little e-commerce application or whatever it is, and they don't, you know, myself included, to be honest, don't have the time to follow everything that's going on in the cybersecurity space online.
Right.
There's there's no way, I've had many websites compromised myself. And you always forget to update the WordPress, install the plugin.
I also use Joomla in the past one of my custom PHP apps.
I should probably not be coding coding as much.
It was compromised once.
It's very difficult to keep up to date with these things.
So the the Free manager settings need to be easy to use.
Very low false positive rate if none at all.
In fact, we tested it across all edge network and if you have a deployed you can have a little bit more peace of mind or never promise, you know, 100% security.
That's impossible to achieve.
But it's there's no reason not to have it there.
And it's going to buy you some time when it's going to be important.
And if another Log4j comes along, we'll put rules in place to protect you against against any exploits.
Right.
So and that's of course, we want to provide this to everyone. And actually, to that point, ease of use is very important.
Right?
So we're trying to make sure that you don't have to be a security expert and that anyone can deploy this with a single click.
And when the UI comes up, you'll be able to do this directly.
Actually, some of our newer customers on our business plans already default.
Everyone's already defaulting to our new app engine, which was an announcement we made last year.
And all of this is building upon the new app engine.
And talking about ease of use, I think there's another update today, right, regarding our our user interface and a lot of improvements we did even from a user interaction perspective.
And I think, Zhiyuan, you might be much better place to talk about some of that.
Definitely for sure.
And thanks, Michael, for helping us understand what the value behind the WAF for us, for everyone.
I think one of the challenges that we started reviewing a while back is that they've been looking at all these upcoming vulnerabilities out there, looking at all these threats out there.
We take steps to help you to protect your application while also writing our custom rules that Michael mentioned.
One of the challenge definitely is that how do we make sure that you understand what you are being protected from and also what you can adjust and adapt to to your needs?
So that that would be one of the key goals that we want to achieve is that how do we make sure our whole web application firewall is, first of all, easy to understand?
That's very important.
What things am I being protected from?
Secondly, also very important.
How can I do it in a very efficient way?
As we are saying last year, when Log4j just came up, we basically need to run after the vulnerability and just do things right away.
Either we do it from our point of view.
Or you do it from your point of view.
Easy to employ, easy to deploy, easy to put it out there, it is very important.
So while exploring the opportunities, we are looking at all the rules, all the kind of logics, patterns that we're creating behind the scene, we define three very important guidelines for us in terms of how we can help our users, how we can help you to make sure you have a wonderful experience when using our WAF.
So first of all, first one is that we want to make sure you have a good overview of the full set of rules and patterns that are being protected with.
So being able to oversee everything, being able to have a full overview will help you in the longer term to understand the full spectrum of the protection.
Secondly is that when we dig deeper into different types of rules, for instance, the managed rulesets that we just talk about and also the custom rules and few others, is that how many I am using and how can optimize and how can I tweak and tune to fit the needs?
So we need to have a very easy way for you to have a way to see the usage, but also most importantly, how can adjust, how can our depth because our application is ever growing and the security landscape is changing.
So let's make an example then.
Michael, just talk about the new wealth engine, new metrics engine that we launched last year.
And if you read our blog post from last year, you probably can get a sneak peek about what it looks like and how our approach is.
I can briefly explain it here as well.
So if you look at the new Manage Rules engine, we want to have three layers of, let's say Customizability, but also is simple to use.
So in the interface compare with our existing managers where you need to tweak every detail before you can make it work.
Rather, we provide a single, single button called Deploy.
By clicking the deploy button, Cloudflare offers you the confidence that the rules that we manage for you.
We have very low false positive rate, but also we'll be able to protect you from the vulnerabilities, not just the high profile one, but actually for the payment plans.
You get everything. So you can do that with one click button.
Further, you can also say that I want to deploy a certain type of ruleset, but then I want to have a different type of reaction.
For instance, I just want to see what's happening, so maybe I just want to log it or simulate it and so on.
And the third layer is that when you have a very complicated application where you have a certain need to tweak the little, little details that we have prepared for, you can actually go to each of the ruleset, go to each of the rules and say that for this type of pattern, I want to apply a certain type of action to mitigate the risk.
So we provide three layers. Mostly what you need to care about is the only the first layer deploy and you are well protected.
That's how it go.
Right?
Yeah. No. And I'm very impressed with some of the updates to the UI. Right.
That we're always trying. As we add more and more features, the product becomes more complex, but we need to make sure the experience stays easy.
And the three layers you can decide how deep you want to go.
Most users, especially in our self-serve brands, would only care about deploying the manage ruleset, and 99% of use cases are covered just by doing that.
And to that extent, though, this was also for us a great opportunity, as you said, to redefine a little bit what we mean by buy more broadly.
Right.
We had a lot of conversation with customers and users that are getting a little confused about what to find in different places.
So we had a chance to redefine that a little as well.
Definitely.
And that's basically our topic today about Cloudflare One, Cloudflare Web application firewall.
So internally, we are structuring our internal organization also.
How we approach it in a very efficient manner that at the end that you will benefit from it.
But on the other side is that we also want to understand how our existing users perceive WAF, because WAF, there is no single definition out there in the industry.
Every company is doing it a little bit differently. But we want to understand from you how you want to.
Get it how you want to get protected from Cloudflare.
So we actually run together with our users UK's research department studies last year to get to hundreds of users in our from our dashboard to.
To know how you want to get the love and what you believe that should be part of our offering.
So that's very important because that actually help us a lot in understanding the broader concept of wealth for every one of you.
So if you have chance going forward, looking into the dashboard, definitely keep an eye out for the a lot more opportunities that we want to invite you to give feedback on us for different roadmap and also different features we develop.
So that would be our foundation. We set the research, we ask you how you want to define work and that will help us set the baseline, the foundation work, which is what we're launching today.
If you go into the dashboard, you'll be able to see it instead of seeing a lot different features in the navigation.
Rather, we now offer you a destination called WAF, web application firewall.
Inside there we offer you the three core components that will get you protected.
The first one is the firewall rules, where you can customize it, you can really tweak it to the point that fit your need and your application.
The second one we just talked a lot about is the manage rules that we offer now for everyone and you'll be able to get it.
The third one also very important, is the rate limiting how can best protect the applications that I want to protect based on based on rates.
Besides that, we also offer handy tools that you can also achieve the same effect in file rules.
But we just offer them so that you can do it very simply, for instance, based on IP, based on zones and so on.
So that's our approach.
We want to make sure everything that are related are keeping in one place and you have a full overview and you know what to tweak on.
So you.
Need.
Yeah. Awesome.
And just to recap, so WAF will be custom rules, file rules where you define your own requirements from security access policies, rate limiting rules.
If you want to define thresholds where you block specific traffic patterns, if the request load gets a little too high, for example, if you want to limit the search function.
And then the third component of the WAF is to manage rules.
So the ones that we provide to you to be deployed with a single click to protect the application.
And definitely and we just mentioned about the new WAF experience and also the new manager rules experience that we want to set out there.
I know we're running out of time, but do we have a rough roadmap and plan about when can we launch this to all the customers?
So the NAV and UI, as defined with a new WAF tab, is live right now for everyone.
Now, of course, we referred many times in the conversation about our new engine.
All new customers onboarding onto Cloudflare have been getting the new engine for quite some time and over the next quarter or two we will now be providing the migration experience took longer than expected.
So I'm very sorry about that.
But we're finally, finally in there.
They're all existing Manage Rules customers will slowly receive a little button that says Click here to move over to the new app engine so that you can also get within the WAF navigation the new manager rulesets UI.
Most good chunk of zones will be eligible sometime in Q2.
We're now finalizing the UI component of that or the back end migration is done.
And then beyond that, so this will be several hundred thousand zones across the platform.
And then in Q2, we're going to be working on the second phase of it, which will allow even more complex WAF manage rules those deployments to self serve migrate.
So please stay tuned. Definitely very exciting.
So our journey just started.
We want to build a Cloudflare One, very powerful, very easy to tweak, but also that you can have a good overview and also fit in your needs and a longer journey.
We can do this ourselves. We want to get your feedback.
We want to get your views.
Also, keep an eye out on our dashboard. A lot of times we will definitely invite you in about getting feedback.
So keep an eye in the dashboard and we want to know how you think and help us build a better WAF.
Yeah, that's right.
Do give us feedback.
I always like to remind everyone all of these changes are not forever.
The product is in constant evolution, so we use your feedback to make it better.
Sometimes we even decide to maybe revisit some of our decisions.
With that, thank you for joining us today.
This is one of the many Cloudflare sessions for Security Week.
A lot of, go check out the blog.
There's another couple of days, four days left.
So it was a lot more interesting announcements to come.
Thanks again and goodbye and speak to you soon on another session.
Very shortly.
Thank you. - Bye.
- Bye.