diff --git a/ddtrace/appsec/_ddwaf.pyx b/ddtrace/appsec/_ddwaf.pyx
index 17d99026fb0..35c5a2f31ea 100644
--- a/ddtrace/appsec/_ddwaf.pyx
+++ b/ddtrace/appsec/_ddwaf.pyx
@@ -56,6 +56,7 @@ def version():
 
 
 cdef inline object _string_to_bytes(object string, const char **ptr, ssize_t *length):
+    ptr[0] = NULL
     if isinstance(string, six.binary_type):
         ptr[0] = PyBytes_AsString(string)
         length[0] = PyBytes_Size(string)
diff --git a/releasenotes/notes/asm-fix-python-2-error-reading-ddwaf-rules-d3653031f2ba84ba.yaml b/releasenotes/notes/asm-fix-python-2-error-reading-ddwaf-rules-d3653031f2ba84ba.yaml
new file mode 100644
index 00000000000..8b3d33b3ef0
--- /dev/null
+++ b/releasenotes/notes/asm-fix-python-2-error-reading-ddwaf-rules-d3653031f2ba84ba.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    ASM: fix Python 2 error reading WAF rules.
\ No newline at end of file
diff --git a/tests/appsec/test_processor.py b/tests/appsec/test_processor.py
index f7eef041591..ed243b0a235 100644
--- a/tests/appsec/test_processor.py
+++ b/tests/appsec/test_processor.py
@@ -3,7 +3,15 @@
 
 import pytest
 
+from ddtrace.appsec._ddwaf import DDWaf
 from ddtrace.appsec.processor import AppSecSpanProcessor
+<<<<<<< HEAD
+=======
+from ddtrace.appsec.processor import DEFAULT_RULES
+from ddtrace.appsec.processor import _transform_headers
+from ddtrace.constants import USER_KEEP
+from ddtrace.contrib.trace_utils import set_http_meta
+>>>>>>> 399940a8 (feat(asm): fix segmentation fault parsing JSON in Python2 (#4082))
 from ddtrace.ext import SpanTypes
 from ddtrace.ext import priority
 from tests.utils import override_env
@@ -75,3 +83,36 @@ def test_appsec_span_tags_snapshot(tracer):
         span.set_tag("http.status_code", "404")
 
     assert "triggers" in json.loads(span.get_tag("_dd.appsec.json"))
+<<<<<<< HEAD
+=======
+
+
+def test_appsec_span_rate_limit(tracer):
+    with override_env(dict(DD_APPSEC_TRACE_RATE_LIMIT="1")):
+        _enable_appsec(tracer)
+
+        # we have 2 spans going through with a rate limit of 1: this is because the first span will update the rate
+        # limiter last update timestamp. In other words, we need a first call to reset the rate limiter's clock
+        # DEV: aligning rate limiter clock with this span (this
+        #      span will go through as it is linked to the init window)
+        with tracer.trace("test", span_type=SpanTypes.WEB) as span1:
+            set_http_meta(span1, {}, raw_uri="http://example.com/.git", status_code="404")
+
+        with tracer.trace("test", span_type=SpanTypes.WEB) as span2:
+            set_http_meta(span2, {}, raw_uri="http://example.com/.git", status_code="404")
+            span2.start_ns = span1.start_ns + 1
+
+        with tracer.trace("test", span_type=SpanTypes.WEB) as span3:
+            set_http_meta(span3, {}, raw_uri="http://example.com/.git", status_code="404")
+            span2.start_ns = span1.start_ns + 2
+
+        assert span1.get_tag("_dd.appsec.json") is not None
+        assert span2.get_tag("_dd.appsec.json") is not None
+        assert span3.get_tag("_dd.appsec.json") is None
+
+
+def test_ddwaf_not_raises_exception():
+    with open(DEFAULT_RULES) as rules:
+        rules_json = json.loads(rules.read())
+        DDWaf(rules_json)
+>>>>>>> 399940a8 (feat(asm): fix segmentation fault parsing JSON in Python2 (#4082))