The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. In this post, I will show you which AWS Managed Rule Group addresses which web application security risk from the OWASP Top 10.
Managed rule groups are collections of predefined rules that AWS and AWS Marketplace sellers maintain for you. There is one difference between AWS and Marketplace rule groups: AWS managed rule groups are mostly available for free (only the AWS WAF Bot Control and AWS WAF Fraud Control account takeover prevention rule groups carry additional fees), whereas Marketplace managed rule groups are available by subscription through AWS Marketplace.
🚨 Just as a side note: Amazon Managed Rules should be considered the first layer of an application defense strategy. You still need to consider custom rules that cover the specific vulnerabilities of your applications, or partner managed rules that are more relevant to your particular setup.
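To make the "managed rule groups first, custom rules on top" layering concrete, here is an added example (written for this post, not code from AWS or from any project mentioned here) that builds a WAFv2 Web ACL rule list in the shape `wafv2:CreateWebACL` / boto3 expects and runs a few pre-deployment checks over it. The managed rule group names are real AWS-vended identifiers; the custom rule name, the `/admin` path prefix and the metric names are made-up placeholders.

```python
"""Layer AWS managed rule groups with a custom rule, then lint the result.

Added example, not AWS code. Managed rule group names (AWSManagedRulesCommonRuleSet,
AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesSQLiRuleSet) are real AWS
identifiers; the custom rule and the /admin prefix are constructed placeholders.
"""
import json


def _visibility(metric_name: str) -> dict:
    """Every rule needs a VisibilityConfig; sampled requests make tuning easier."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def managed_rule_group(name: str, priority: int, count_only: bool = False,
                       vendor: str = "AWS") -> dict:
    """Reference a managed rule group as a Web ACL rule.

    Managed groups take OverrideAction, not Action. "None" keeps the group's own
    block/count decisions; "Count" downgrades every rule in the group to
    count-only, which is fine for staging but means the group blocks nothing.
    """
    override = {"Count": {}} if count_only else {"None": {}}
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
        "OverrideAction": override,
        "VisibilityConfig": _visibility(name),
    }


def custom_block_rule(name: str, priority: int, uri_prefix: str) -> dict:
    """A custom rule (the second layer) blocking requests whose path starts with uri_prefix.

    SearchString is a blob in the API, hence bytes for boto3. Constructed example rule.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": uri_prefix.encode(),
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                "PositionalConstraint": "STARTS_WITH",
            }
        },
        "Action": {"Block": {}},  # custom rules use Action, never OverrideAction
        "VisibilityConfig": _visibility(name),
    }


def build_rules() -> list:
    """Managed groups first (lower priority number = evaluated first), custom rule last.
    The SQLi group is deliberately left in Count mode to show what the linter flags."""
    return [
        managed_rule_group("AWSManagedRulesCommonRuleSet", 0),
        managed_rule_group("AWSManagedRulesKnownBadInputsRuleSet", 1),
        managed_rule_group("AWSManagedRulesSQLiRuleSet", 2, count_only=True),
        custom_block_rule("BlockAdminPathExample", 3, "/admin"),
    ]


def lint_rules(rules: list) -> list:
    """Return human-readable findings for mistakes that AWS either rejects at
    CreateWebACL time (duplicate priorities, Action on a managed group) or
    silently accepts but that leave you unprotected (Count-mode managed groups)."""
    findings = []
    seen_priorities = {}
    for rule in rules:
        name, prio = rule["Name"], rule["Priority"]
        if prio in seen_priorities:
            findings.append(f"{name}: priority {prio} already used by {seen_priorities[prio]}")
        seen_priorities.setdefault(prio, name)

        managed = "ManagedRuleGroupStatement" in rule["Statement"]
        if managed:
            if "Action" in rule or "OverrideAction" not in rule:
                findings.append(f"{name}: managed rule groups take OverrideAction, not Action")
            elif "Count" in rule["OverrideAction"]:
                findings.append(f"{name}: OverrideAction Count only logs matches, it does not block")
        elif "Action" not in rule or "OverrideAction" in rule:
            findings.append(f"{name}: custom rules take Action, not OverrideAction")

        if not rule.get("VisibilityConfig", {}).get("SampledRequestsEnabled"):
            findings.append(f"{name}: sampled requests disabled, tuning will be blind")
    return findings


if __name__ == "__main__":
    rules = build_rules()
    print(json.dumps(rules, indent=2, default=lambda b: b.decode()))
    for finding in lint_rules(rules):
        print("FINDING:", finding)
```

Run it as-is and the only finding is the SQLi group left in Count mode; flip `count_only` to `False` once you have reviewed the sampled requests and the list comes back clean. The `rules` list is what you would pass as the `Rules` argument to boto3's `create_web_acl`, together with a `DefaultAction` and the ACL's own `VisibilityConfig`.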
If you are looking for a solution to deploy, update, and stage your Web Application Firewalls while managing them centrally via AWS Firewall Manager, take a look at the AWS Firewall Factory tool. AWS Firewall Factory can test your deployed firewall using GoTestWAF. GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols, including REST, GraphQL, gRPC, WebSockets, SOAP, XML-RPC and many more. It was designed to evaluate web application security solutions such as API security proxies, Web Application Firewalls, IPS, API gateways, etc.