The ESAPI Web Application Firewall (ESAPI WAF)


Presented at OWASP AppSec 2009 by

This talk will be the official introduction of the ESAPI WAF! We'll present a new way of thinking about WAFs: our tool provides all the usable, up-front security one can get from a WAF without suffering from any of the design flaws and integration patterns that make them a maintenance nightmare. It's a small-footprint technology that can do all of the following with ease, and for FREE, BSD licensed!

* Virtual patches
* Enforce authentication
* Enforce access control
* Egress filtering/detection
* Enforce HTTPS

It also has capabilities not yet imagined by today's WAFs because it is deployed much closer to the application. Because of its proximity, the ESAPI WAF can use custom code and session storage to integrate meaningful, complex and customized security into an application. Don't have the source? Not a problem! ESAPI can sit in front without any code changes. Don't have $200k to buy a commercial WAF? Don't feel comfortable with mod_security? ESAPI WAF is your answer!

Assuming some knowledge of WAFs, the talk will cover its capabilities (with demonstrations), testing strategy (to provide assurance) and integration strategies.
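The five capabilities listed above map onto a handful of rule families that any filter running inside the application process can implement, and the "proximity" argument is that such a filter can read the application's own session state when deciding. The following Python WSGI middleware is an added example written for this page to make that concrete; it is not ESAPI WAF code (ESAPI is a Java library with its own policy format), and the policy, paths, parameter names, session layout and sample application responses are all constructed for illustration.

```python
"""Toy in-process WAF as WSGI middleware (illustrative; not ESAPI code).

Implements the rule families from the abstract: enforce HTTPS, virtual
patch, enforce authentication, enforce access control, egress filtering.
Running inside the app process, it reads the app's session object (here the
constructed environ["waf.session"] dict) instead of re-deriving identity.
"""
import re
from urllib.parse import parse_qs

# Constructed sample policy; every path, parameter and pattern is hypothetical.
POLICY = {
    "require_https": True,
    "virtual_patches": [
        # Reject angle brackets in /search?q= until the application's own fix ships.
        {"path": re.compile(r"^/search$"), "param": "q", "deny": re.compile(r"[<>]")},
    ],
    "authenticated_paths": [re.compile(r"^/account(/|$)")],
    "access_control": [{"path": re.compile(r"^/admin(/|$)"), "role": "admin"}],
    "egress_deny": [
        re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-shaped field leaking out
        re.compile(rb"^\s+at [\w.$]+\(.*\)$", re.M),    # Java stack-trace frame
    ],
}


class WafMiddleware:
    def __init__(self, app, policy):
        self.app = app
        self.policy = policy

    def check_request(self, environ):
        """Return (status, reason) to block the request, or None to let it through."""
        path = environ.get("PATH_INFO", "/")
        session = environ.get("waf.session", {})
        if self.policy["require_https"] and environ.get("wsgi.url_scheme") != "https":
            return "302 Found", "redirecting to https"
        params = parse_qs(environ.get("QUERY_STRING", ""))
        for patch in self.policy["virtual_patches"]:
            if patch["path"].search(path):
                for value in params.get(patch["param"], []):
                    if patch["deny"].search(value):
                        return "403 Forbidden", "virtual patch"
        if any(p.search(path) for p in self.policy["authenticated_paths"]) and "user" not in session:
            return "401 Unauthorized", "authentication required"
        for rule in self.policy["access_control"]:
            if rule["path"].search(path) and rule["role"] not in session.get("roles", ()):
                return "403 Forbidden", "access control"
        return None

    def violates_egress(self, body):
        return any(p.search(body) for p in self.policy["egress_deny"])

    def __call__(self, environ, start_response):
        verdict = self.check_request(environ)
        if verdict is not None:
            status, reason = verdict
            headers = [("Content-Type", "text/plain")]
            if status.startswith("302"):
                qs = environ.get("QUERY_STRING", "")
                location = f"https://{environ.get('HTTP_HOST', 'localhost')}{environ.get('PATH_INFO', '/')}"
                headers.append(("Location", location + (f"?{qs}" if qs else "")))
            start_response(status, headers)
            return [f"blocked: {reason}".encode()]
        # Buffer the application's response so it can be inspected before it leaves.
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
            return lambda data: None

        body = b"".join(self.app(environ, capture))
        if self.violates_egress(body):
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"blocked: response withheld by egress rule"]
        start_response(captured["status"], captured["headers"])
        return [body]


def demo_app(environ, start_response):
    """Constructed stand-in application; /report simulates a data-leaking defect."""
    path = environ.get("PATH_INFO", "/")
    start_response("200 OK", [("Content-Type", "text/plain")])
    if path == "/report":
        return [b"customer 42 ssn 123-45-6789"]
    return [f"ok {path}".encode()]


def make_environ(path, query="", scheme="https", session=None):
    """Build a minimal WSGI environ for offline testing (constructed values)."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
            "wsgi.url_scheme": scheme, "HTTP_HOST": "app.example.test",
            "waf.session": session or {}}


def invoke(app, environ):
    """Call a WSGI app and return (status, decoded body)."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return out["status"], body.decode()


protected = WafMiddleware(demo_app, POLICY)

if __name__ == "__main__":
    for env in (make_environ("/search", "q=hello", scheme="http"),
                make_environ("/search", "q=%3Cscript%3E"),
                make_environ("/account"),
                make_environ("/admin", session={"user": "bob", "roles": ["user"]}),
                make_environ("/report"),
                make_environ("/search", "q=hello")):
        print(env["PATH_INFO"], env["QUERY_STRING"], "->", invoke(protected, env))
```

The order of checks matters: transport enforcement runs first so that nothing else is evaluated over plaintext, the virtual patch runs before the application ever sees the parameter, and egress inspection buffers the whole response, which is the trade-off such a filter accepts in exchange for being able to stop a leak rather than merely log it.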