Christian Folini

CRS Project News May 2019

We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go. What has happened in recent weeks: Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well …


Regular Expression DoS weaknesses in CRS

Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs: CVE-2019-11387, CVE-2019-11388, CVE-2019-11389, CVE-2019-11390, CVE-2019-11391. The fact that CRS is affected by ReDoS is not particularly surprising and, truth be told, we knew that was the case. We …


Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last. A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection. Key features include: * A new set of rules defending against Java injections * Initial …


Some Thoughts on why Web Application Firewalls Really Make a Difference

This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010 – and other kinds of computer-wrangling for much, much longer. Having been a systems engineer, a coder and now a pen-tester, I’d like to take a brief moment of your …


AppSec Podcast Interviewing CRS Project Co-Lead Christian Folini

Chris Romeo from the AppSec Podcast interviewed our own Christian Folini during the AppSecEU conference in July. The 25-minute interview was published recently. It discusses the project itself, the upcoming 3.1 release, plans to expand beyond ModSecurity, and how CRS fits into agile development. Here is the link to the interview: …
