We're excited to announce a new partnership with Edgio, a leading provider of edge security solutions, that was formed by the combination of Limelight and Edgecast. Edgio is a trusted partner for organizations looking to protect their digital assets. Its holistic suite of security solutions protects the confidentiality, integrity and availability of web applications and …
On February 14, the CRS community will meet at the Dublin Convention Center for the 2023 CRS Community Summit, the first summit after the pandemic. REGISTRATION It has been a while since last we met and many things have happened since. So, there is a lot to talk about. We start at 9 am local …
Registration for the OWASP CRS Community Summit 2023 – Dublin, Feb 14 Read More »
The OWASP ModSecurity Core Rule Set project is very happy to announce Microsoft as new GOLD sponsor. There have been sporadic contacts with the Azure WAF engineering team for several years and we are now taking the next step. Microsoft and OWASP CRS are establishing a formalized partnership in the form of a sponsoring agreement. …
The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role. Felipe Zipitría holds a master of computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for …
Early Blocking is a feature that CRS will deliver with the next major release, probably Spring 2022. You can use it immediately when deploying the latest dev / nightly build. This blog post will explain the feature, how to enable it and why it is very useful. What is Early Blocking? ModSecurity, the engine below …
In one of my previous blog posts, I introduced the CRS plugin mechanism that we are rolling out for the next major release. Check out the blog post to learn how you can start using plugins immediately, without waiting for the next release (hint: really simple). Several plugins are already available. One of them is …
The log4j mess allowed everybody to see security shortcomings of the IT industry on a big scale. It also shed light on the shortcomings of the WAF market, a highly contested field with a myriad of commercial players and - well - us, the OWASP ModSecurity Core Rule Set (CRS), the only general purpose open …
Comprehensive View of the WAF Market From an Open Source Perspective Read More »
Plugins are not part of the CRS 3.3.x release line. They will be released officially with the next major CRS release 4.x. In the meantime, you can use them with one of the stable releases by following the instructions below. What are Plugins? Plugins are sets of additional rules that you can plug in to …
It's time to talk about the ModSecurity engine and to introduce you to Coraza, a new contender on the WAF front. Any rule set is nothing without a WAF engine to run it, so even if our project is focused on the rules, we need to look at the underlying engine(s) from time to time. …
Talking about ModSecurity and the new Coraza WAF Read More »
We have been updating our detection for the infamous CVE-2021-44228 vulnerability and its siblings for several days now. With the new experimental rule 1005, we think we really have decent detection capabilities now. Read up on this development in the separate blog post CRS and Log4j / Log4Shell / CVE-2021-44228. Right before the log4j CVE …
Public Hunt for log4j / log4shell Evasions / WAF Bypasses Read More »