Yesterday at Black Hat Ivan Ristic gave a talk on WAF evasion. Ivan began his talk by correctly noting that WAFs are an essential part of an appsec strategy. With the growth of apps and their increasing complexity, code review and pen testing aren’t sufficient. A WAF is the only appsec technology that is always on. In reality, the talk should have been titled, “ModSecurity Evasion.” Ivan even said early in the presentation, “No commercial products were tested.” This is a key distinction that was missed in many of the press articles that overhyped this talk. More importantly, this is a key distinction...