Zero-Code Data Validation

Tools | November 4, 2021 | 2:00 pm - 2:40 pm


Bernardo Sanchez

It’s 2021, so why are developers still spending so much time writing custom code to validate data? Does that custom code cover all vulnerabilities? Is it secure? This presentation introduces a new open-source framework called Sanitation Web Application Firewall (SanWAF) that uses a declarative approach to validate data on both the client and server tiers. SanWAF provides a standardized mechanism for data validation, with the aim of freeing up developer time and effort.

SanWAF is tasked with providing an application-layer line of defense that addresses the security gaps present in traditional WAFs. Once a request passes through a WAF, it is considered only partially secure. This can give a false sense of protection and lead to the assumption that the WAF is an ultimate security barrier; it is not. Necessary WAF configuration changes can allow unsafe data through, creating a need for additional security around untrusted data. SanWAF provides this layer of security.

The SanWAF framework works by adding custom attributes to HTML form elements. These attributes are processed in the browser (SanWAF-UI) and on the server (SanWAF-Server). They can be configured to validate data types, constraints, formats, relationships between elements, and more. When the server receives data that has passed through SanWAF, it has been validated and sanitized. Unlike WAFs, SanWAF is configured per application or endpoint, providing fine-grained security control that developers can rely on. In this presentation you will see how you can use the SanWAF framework to manage nearly all of your input validation without having to write any custom code.
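To make the declarative idea concrete, here is an added illustrative example (not SanWAF's own code, and not taken from the talk): a small attribute-driven validator that compiles rules from the attributes on HTML form elements and applies the same rules on the browser tier and again on the server tier. The `data-sw-*` attribute names, the rule keywords and the sample form are assumptions constructed for this example; SanWAF's real attribute vocabulary is not described on this page. The point it demonstrates is the one the abstract makes: the server re-runs the declared rules on whatever it receives, so a submission that skipped the client-side checks is still rejected, and fields with no declared rule are refused rather than passed through.

```javascript
// Added example: declarative, attribute-driven validation shared by client and server.
// The data-sw-* attribute names below are hypothetical, chosen for this illustration.

// Constructed sample markup, as the server would serve it to the browser.
const FORM_HTML = `
<form>
  <input name="age"      data-sw-type="int"   data-sw-min="18" data-sw-max="120" data-sw-required="true">
  <input name="email"    data-sw-type="email" data-sw-required="true">
  <input name="password" data-sw-type="text"  data-sw-min-length="12" data-sw-required="true">
  <input name="confirm"  data-sw-type="text"  data-sw-matches="password">
  <input name="zip"      data-sw-type="text"  data-sw-pattern="^[0-9]{5}$">
</form>`;

// Pull the declarative attributes out of every <input> tag into a rule table keyed by
// field name. A real implementation would walk the DOM on the client and a template
// tree on the server; a regex over the markup is enough to show the idea.
function compileRules(html) {
  const rules = {};
  const inputRe = /<input\s+([^>]*)>/g;
  let tag;
  while ((tag = inputRe.exec(html)) !== null) {
    const attrRe = /([\w-]+)="([^"]*)"/g;
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1]] = a[2];
    if (attrs.name) rules[attrs.name] = attrs;
  }
  return rules;
}

// Type checks are an allow-list: an unknown type is an error, not a pass.
const TYPE_CHECKS = {
  int:   v => /^-?\d+$/.test(v),
  email: v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  text:  () => true,
};

// Apply the compiled rules to a submitted key/value map. Returns every violation so the
// caller can report them all; ok === true only when the list is empty.
function validate(rules, values) {
  const errors = [];
  // Positive validation: anything the form did not declare is refused outright.
  for (const name of Object.keys(values)) {
    if (!rules[name]) errors.push(`${name}: undeclared field`);
  }
  for (const [name, r] of Object.entries(rules)) {
    const raw = values[name];
    const present = raw !== undefined && raw !== null && String(raw) !== '';
    if (r['data-sw-required'] === 'true' && !present) { errors.push(`${name}: required`); continue; }
    if (!present) continue;
    const s = String(raw);
    const type = r['data-sw-type'] || 'text';
    const check = TYPE_CHECKS[type];
    if (!check) { errors.push(`${name}: unknown type ${type}`); continue; }
    if (!check(s)) { errors.push(`${name}: not a valid ${type}`); continue; }
    if (type === 'int') {
      const n = Number(s);
      if (r['data-sw-min'] !== undefined && n < Number(r['data-sw-min'])) errors.push(`${name}: below min ${r['data-sw-min']}`);
      if (r['data-sw-max'] !== undefined && n > Number(r['data-sw-max'])) errors.push(`${name}: above max ${r['data-sw-max']}`);
    }
    if (r['data-sw-min-length'] !== undefined && s.length < Number(r['data-sw-min-length'])) errors.push(`${name}: shorter than ${r['data-sw-min-length']}`);
    if (r['data-sw-pattern'] !== undefined && !new RegExp(r['data-sw-pattern']).test(s)) errors.push(`${name}: does not match pattern`);
    // Relationship between elements: this field must equal the named sibling field.
    if (r['data-sw-matches'] !== undefined && s !== String(values[r['data-sw-matches']] ?? '')) errors.push(`${name}: must match ${r['data-sw-matches']}`);
  }
  return { ok: errors.length === 0, errors };
}

// Browser tier: validate before submitting, purely for user feedback.
function clientSubmit(body) {
  return validate(compileRules(FORM_HTML), body);
}

// Server tier: re-run the identical rules on the received body, regardless of what the
// browser did. This is the check that actually matters for security.
function serverAccept(body) {
  return validate(compileRules(FORM_HTML), body);
}

// Constructed submissions: one well-formed, one that bypassed the browser tier entirely.
const GOOD = { age: '34', email: 'a@example.com', password: 'correct-horse-battery', confirm: 'correct-horse-battery', zip: '90210' };
const TAMPERED = { age: '5', email: 'not-an-email', password: 'short', confirm: 'other', zip: '1234', isAdmin: 'true' };

console.log('client:', JSON.stringify(clientSubmit(GOOD)));
console.log('server (tampered):', JSON.stringify(serverAccept(TAMPERED)));
```

Because both tiers compile the same rule table from the same markup, the validation logic exists in one place, which is the developer-time saving the abstract describes; the security property comes from the server calling it unconditionally on the raw body. Refusing undeclared fields is a deliberate design choice here (assumed, not attributed to SanWAF): it turns the form declaration into a positive allow-list rather than a set of spot checks.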