CRS #3: WAF Performance Testing Framework
- Mentors: Christian Folini, fzipitria
- Organization: OWASP Foundation
- Technologies: docker, Python3
- Topics: security, testing, WAF
Performance evaluation is one of the concerns about using ModSecurity and the Core Rule Set. People take different approaches to examining performance, such as stability tests (e.g., peak I/O, reconnection speed) and capacity tests (e.g., disk usage). However, they often omit the comparison that matters for a WAF: measuring the same workload before and after enabling the firewall.
Secondly, although many open-source load-testing utilities exist (e.g., Apache JMeter, httperf), none is designed specifically to evaluate the performance impact of a firewall.
To address the issue, I suggest creating a CLI tool to benchmark the performance with CRS.
A list of deliverables includes:
1) Define a framework for testing the performance of a generic WAF.
2) Research existing utilities for performance testing of a WAF.
3) Create a CLI tool that implements the framework and define the different types of tests the tool performs.
4) Implement different types of performance testing.
5) Integrate the CLI tool with pipelines (e.g., GitHub pipeline).
6) Based on the existing Docker images, perform different evaluations with different configurations/versions.
7) Documentation.
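As an added example, not code from the CRS project or from the original proposal, here is a minimal Python 3 sketch of the before/after measurement the deliverables describe: the same benign workload is sent to the application without the WAF and to the same application behind the WAF, and latency percentiles, throughput and error counts are compared. The target URLs, request count and concurrency defaults are hypothetical command-line inputs; percentiles use the nearest-rank method, and only the standard library is used so it runs without extra dependencies.

```python
"""Before/after WAF benchmark sketch (added example, not CRS project code)."""
import argparse
import math
import statistics
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class RunStats:
    """Summary of one benchmark run; latencies are in milliseconds."""
    samples: int
    errors: int
    p50_ms: float
    p95_ms: float
    p99_ms: float
    mean_ms: float
    requests_per_sec: float


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile: the value at rank ceil(pct/100 * N)."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100.0))
    return ordered[rank - 1]


def summarize(latencies_ms: List[float], errors: int, elapsed_s: float) -> RunStats:
    """Build RunStats; a run with no successful requests yields NaN percentiles."""
    ok = len(latencies_ms)
    nan = float("nan")
    return RunStats(
        samples=ok + errors,
        errors=errors,
        p50_ms=percentile(latencies_ms, 50) if ok else nan,
        p95_ms=percentile(latencies_ms, 95) if ok else nan,
        p99_ms=percentile(latencies_ms, 99) if ok else nan,
        mean_ms=statistics.fmean(latencies_ms) if ok else nan,
        requests_per_sec=(ok + errors) / elapsed_s if elapsed_s > 0 else nan,
    )


def run_benchmark(send: Callable[[], bool], requests: int, concurrency: int) -> RunStats:
    """Issue `requests` calls of `send` from `concurrency` workers and time each one.

    `send` returns True on success; a False result or an exception counts as an
    error. Injecting the callable lets the same harness drive a real HTTP
    endpoint or a constructed stand-in used for testing.
    """
    def one(_: int) -> Optional[float]:
        start = time.perf_counter()
        try:
            ok = send()
        except Exception:  # any transport error is an error sample
            ok = False
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        return elapsed_ms if ok else None

    latencies: List[float] = []
    errors = 0
    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        for result in pool.map(one, range(requests)):
            if result is None:
                errors += 1
            else:
                latencies.append(result)
    return summarize(latencies, errors, time.perf_counter() - wall_start)


def http_get(url: str, timeout: float = 5.0) -> bool:
    """One GET; urllib raises on 4xx/5xx, so a WAF block (403) becomes an error sample."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
        return 200 <= resp.status < 400


def compare(baseline: RunStats, with_waf: RunStats) -> Dict[str, float]:
    """Overhead introduced by the WAF run relative to the baseline run."""
    ratio = (with_waf.requests_per_sec / baseline.requests_per_sec
             if baseline.requests_per_sec else float("nan"))
    return {
        "p50_overhead_ms": with_waf.p50_ms - baseline.p50_ms,
        "p95_overhead_ms": with_waf.p95_ms - baseline.p95_ms,
        "p99_overhead_ms": with_waf.p99_ms - baseline.p99_ms,
        "throughput_ratio": ratio,
        "error_delta": float(with_waf.errors - baseline.errors),
    }


def main() -> None:
    parser = argparse.ArgumentParser(description="Before/after WAF latency benchmark")
    parser.add_argument("--baseline", required=True, help="URL of the app without the WAF")
    parser.add_argument("--waf", required=True, help="URL of the same app behind the WAF")
    parser.add_argument("-n", "--requests", type=int, default=200)
    parser.add_argument("-c", "--concurrency", type=int, default=8)
    args = parser.parse_args()
    base = run_benchmark(lambda: http_get(args.baseline), args.requests, args.concurrency)
    waf = run_benchmark(lambda: http_get(args.waf), args.requests, args.concurrency)
    for label, st in (("baseline", base), ("with WAF", waf)):
        print(f"{label:9s} n={st.samples} err={st.errors} p50={st.p50_ms:.1f}ms "
              f"p95={st.p95_ms:.1f}ms p99={st.p99_ms:.1f}ms rps={st.requests_per_sec:.1f}")
    for key, value in compare(base, waf).items():
        print(f"{key:18s} {value:.3f}")


if __name__ == "__main__":
    main()
```

Run it as `python3 wafbench.py --baseline http://app:8080/ --waf http://waf:8080/ -n 500 -c 16` against two Docker containers serving the same application; the error delta is worth watching as much as the latency overhead, since a rise in errors under the WAF usually means the benign workload is tripping rules (false positives) rather than a genuine capacity problem.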