All the WAF power to the devs - why it reduces friction… and where it backfires (god2025)

Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps approach, reducing late surprises during deployment. In this talk, we demonstrate the application-centric approach with Envoy Proxy, OWASP Coraza, and the OWASP Core Rule Set (components are examples and interchangeable; focus is on principles and selection criteria), and take you along our real-world journey - highlighting the challenges and lessons learned. What you'll take away: We show where this reusable reference design reduces friction and where it backfires, and we outline the governance and guardrails needed to make it work in practice. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de