The OWASP ModSecurity Core Rule Set Project is very excited about winning one of the OSBAR awards of the German Open Source Business Alliance. The prize is awarded to projects, start-ups and outstanding ideas from the open source environment. The increased attention should make it easier for the award winners to attract users, developers and supporters.
CRS hackers Christian Folini and Franziska Bühler with the OSBAR award trophy (photo Fridolin Zurlinden)
ModSecurity is a Web Application Firewall (WAF) with open source code that is also widely used in commercial products. The award-winning CRS project develops a set of about 150 generic rules for use with ModSecurity and related solutions. The CRS project was founded more than ten years ago and is now run as a flagship project by the Foundation Open Web Application Security Project (OWASP). The rules are available under license from the Apache Foundation and are also used in several commercial WAF solutions (where that is not always advertised).
WAFs protect web applications from attacks like those outlined by the OWASP Top Ten project. The CRS claims to be the 1st line of defense to protect against malign payloads such as SQL injections, cross site scripting, remote command execution, and violations of the HTTP protocol. In the default installation, the rule set successfully defends against over 80 percent of all attacks (as measured by several million requests by the popular BURP security scanner), while tightening the screws increases protection to over 95 percent.
ModSecurity was able to establish itself globally as the only open source offering among a large number of commercial WAF solutions. The OSBAR award for the standard ModSecurity rule set, CRS, therefore underlines the relevance of Open Source Software in a highly contested commercial market such as Web Application Firewalls.
People interested in getting their feet wet with CRS will find documentation and videos here on the site, as well as an extensive set of tutorials and also public courses (February in Zurich and Frankfurt in March).
Christian Folini / [@ChrFolini]