We are proud to present Swiss Post as new silver sponsor for the OWASP ModSecurity Core Rule Set. Swiss Post is one of the longest-standing and best-known brands in Switzerland since its establishment in 1849. The company uses many open-source solutions for development and operation and in turn supports the community where possible. Ties between Swiss Post and the CRS project team have traditionally been strong with different core team members having worked for the premier Swiss provider of mail and logistics services.
Swiss Post uses CRS as its primary web application firewall in a dedicated platform since 2012, when – in order to reduce operating costs and establish a lean infrastructure – a heterogeneous landscape was replaced with a landmark SecDevOps setup with ModSecurity and CRS at its heart. Since 2016, the Core Rule Set is also an important part of Swiss Post’s emerging online voting (e-voting) solution. Here, CRS is used in conjunction with ModSecurity for all four production and seven non-production environments.
The use of CRS has proven itself for Swiss Post in recent years, including several public intrusion tests with the e-voting system. The final report on the public intrusion test in 2022 states: “Access to the e-voting system is protected by the web application firewall (WAF) OWASP ModSecurity Core Rule Set 3 (CRS). The CRS is configured to paranoia level 4, the highest level of protection available in the rule set. Swiss Post has been fine-tuning the CRS installation and the rule set for several years. As a result, there were very few false positives.” You can read more about Swiss Post’s e-voting architecture here and here.
In an interview published on Swiss Post’s e-government blog, CISO Marcel Zumbühl gives more insight into the reasons for the sponsoring of CRS. You can find more about information security at Swiss Post here.