apt-get Your Way To PCI Compliance!: ModSecurity Web App Firewalls

Ben Feinstein

Many of us working in the security industry regularly deal with issues
related to PCI DSS compliance. In February the PCI Security Standards
Council issued a clarification around its DSS v1.1 requirement to protect
"all web-facing applications ... against known attacks." The Council is
now on the record as stating that this requirement can be met in two very
different ways: through performing application code reviews or by
deploying web application firewalls (WAFs).

This talk will explore the ModSecurity Apache module and how it can be
used as a WAF to cheaply and effectively meet the PCI webapp protection
requirement. Common deployment scenarios will be discussed, including
both in-the-cloud and client-premises deployments. The ModSecurity rules
language will be covered, and several ModSecurity Core Rules that are
representative of its capabilities will be dissected in depth.

Finally, some interesting uses of ModSecurity's content injection
capabilities will be discussed. Anyone up for hacking the hacker via
scripting injected into your webapp's response to an attempted attack?
This talk will show you how!