█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Web Application Firewalls and Security Testing
35 minIntermediate

Web Application Firewalls and Security Testing

After this lesson, you will be able to: Distinguish SAST/DAST/IAST tools, know when WAFs help, and analyze HTTP traffic with browser DevTools.

Tools and infrastructure round out AppSec, they catch bugs at scale and block attacks at runtime. Knowing which tool to apply where saves time and budget.

Prerequisites:Secure Coding Practices

SAST, DAST, IAST

SAST (Static Application Security Testing), reads source code looking for bug patterns. Fast, false-positive-prone, runs at code-commit. DAST (Dynamic), attacks a running app, observes responses. Slower, fewer false positives, runs against staging. IAST (Interactive), instruments the running app, watches data flow. Most accurate, requires deployment overhead.

SAST
source code
  • ·Scans code, no running app
  • ·Finds bugs early
  • ·Can be noisy (false positives)
DAST
runtime
  • ·Tests the running app
  • ·Finds real exploitable issues
  • ·Misses code it never reaches
IAST
instrumented runtime
  • ·Agent inside the running app
  • ·Combines code + runtime view
  • ·Needs instrumentation
Three testing styles that overlap. Mature programs run more than one, because each catches what the others miss.

Web Application Firewalls (WAFs)

A WAF inspects HTTP traffic and blocks known attack patterns before they reach the app. Cloud WAFs (Cloudflare, AWS WAF) sit at the edge; software WAFs (ModSecurity) sit in front of the app. Pros: stops 90% of automated attacks instantly. Cons: clever attackers bypass WAFs, and WAFs cause false positives that block real users.

💡 WAFs are insurance, not armor

Never rely on a WAF to fix a vulnerable app. Code is still the source of truth. Treat the WAF as a delay tactic that buys you time during incidents, not a permanent fix.

Inspect HTTP with browser DevTools

DevTools is free, built-in, and enough for many investigations.

  1. 1

    Open the site you're testing

  2. 2

    F12 to open DevTools, switch to the Network tab

  3. 3

    Reload the page

  4. 4

    Click any request, look at Headers, Cookies, Timing

  5. 5

    Look at Request payload (POST data) and Response

  6. 6

    Use Edit and Resend (right-click on a request) to test small modifications

Putting it together

A mature program runs SAST + SCA on every commit, DAST against staging weekly, has a WAF in production, runs a bug bounty, and trains developers continuously. Each layer catches bugs the others miss.

Quick Check

Best tool to find a logic bug like 'I can buy items for negative dollars'?

SAST, DAST, manual pen test, or WAF?

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Secure Coding Practices
Back to Application Security
Hands-on: OWASP Top 10 in DVWA and WebGoat→