Edge Insights from Re:Inforce 2024


I am sharing with you some insights from sessions at Re:Inforce that focused on protecting web applications using AWS Edge services like AWS WAF.

How Catch Group uses AWS WAF Bot Control on their ecommerce platform (NIS306)

The first confirmed trend is the evolution of DDoS attacks towards application-level vectors, away from layer 3 and layer 4 volumetric attacks, which cloud providers have become very efficient at blocking. For example, the biggest HTTP flood seen on AWS in 2022 was at 8.4M RPS, while in 2023 it reached 155M RPS. On one hand, this is pushing customers to pay more attention to application-level security controls, such as hardening their WAF rules. On the other hand, it is driving internal efforts at AWS to add more native protections to public-facing services like CloudFront and ALB, placed as early as possible in the networking stack so that they are faster and cheaper to operate.

In the testimony of Catch Group, I noted two important points to be considered by customers looking for web application protection solutions:

  • Such turnkey solutions are quite expensive. AWS provides building blocks that require an initial investment ($50K worth of engineering time for Catch Group) to build a solution, but this reduces total costs by 4 times in the future.

  • Catch Group partnered with AWS by providing continuous feedback about the Bot Control product. This feedback helped AWS to quickly iterate and improve the product, allowing Catch Group to consolidate its bot management solutions into a single one centered on AWS WAF Bot Control.

Protect your internet-facing web applications hosted on AWS (NIS304)

I love the way the presenters gamified the key messages they wanted to send to their audience, and I will most likely steal it for my next presentations. The first presenter played the role of the bad guy trying to attack an internet-facing application, and our famous Tom Adamski played the role of the good guy, protecting the application from the attacks. One of the key messages, which I often repeat to my customers, is the importance of defense in depth using multiple security controls on different layers.

One notable trend across the sessions is the focus on bot management techniques, knowing that 47% of internet traffic is generated by automated bots, according to a study that was mentioned. The following lightning talks focus on this topic:

Other relevant sessions:

Build, deploy, and manage your applications securely with AWS (NIS225)

Secure your APIs the Well-Architected way from foundation to perimeter (NIS305)



