Chris Romeo from the AppSec Podcast did an interview with our own Christian Folini during the AppSecEU conference in July. The 25min interview has been published lately.
The interview discusses the project itself, the upcoming 3.1 release, plans to expand beyond ModSecurity and CRS fits into agile development.
Here is the link to the interview: https://www.securityjourney.com/blog/crs-and-an-abstraction-layer-s04e02/
We are launching the monthly news anew. The idea is to look beyond the pure CRS development again and to bring you additional information that touch on our project. As the editor, I (-> Christian Folini) am planning to release this in the first half of the month. This did not work in July, though, but I have a very cute excuse: She’s called Giovanna and she is only a couple of days old. We’re going to be a bit earlier in August, but also less news apparently.
This is a brief coverage of the CRS Community Summit during AppSecEU in London last week.
Over 25 people followed our call for this first face to face meeting of the CRS developer team (6 of 10 developers with commit rights in the same room!) and the community. We have been very happy to have several end users, Trustwave representing the ModSecurity development, but also some of the big integrators in the room. There was AviNetworks, BitSensor, cPanel, Fastly, Kemp, Microsoft, NGINX, Verizon, etc. Finally also researchers and a representative from KISA, the Korean Internet Security Agency, and Ivan Ristić, original developer of ModSecurity for old times sake.
The very first meetup of the CRS community is only one week away now and it’s time to announce our program. As stated here on the blog before, this is meant as an opportunity to build ties, to get inspiration from the community and to understand what people are doing with CRS. So there are going to be talks, but there is a lot of room for talking and discussion.
So we are going to do a networking / poster session that lives on your contributions. You are invited to bring along a poster, put it up on the wall in our room and we will give you time to present it to our audience. We are interested in use cases, success stories or unique approaches to integrating CRS3. Also ideas and pitches for new projects within our community are welcome. Standard flipchart format. Please be aware you should bring it along in physical form: we can’t print it on site. But we will have tape available for you.
A Web Application Firewall (WAF) raises concerns that it does not fit into the DevOps methodology. The problem is that when a WAF is added to production, the impact on the application is tested too late. The application developer gets extremely late feedback and the WAF could break the application. This can lead to production issues.
But what if a WAF is involved in the DevOps process very early on and not just at the end, at production?
The organisation of the CRS community summit at the OWASP AppSecEU conference is coming along nicely.
Remember, we are going to meet in London on Wednesday, July 4 at 4pm, to talk about CRS, and about the way our users, our integrators and their users work with CRS. The program will include information about CRS 3.1, a recent proposal for a rule meta language above CRS (to give the rule set a wider audience) and the most important thing: Time to meet and talk to fellow users!
The OWASP ModSecurity Core Rule Set project will meet on Wednesday July 4, at 4pm in London to hold it’s first community summit. We scheduled this for the night before the AppSecEU conference in London on Thursday and Friday so people would have a real incentive to make the trip.
{{ figure src=“images/2018/03/16367769605_dec3772aa8_k.jpg” caption=“London Tower Bridge by night (Photo by Arijit_Roy; flickr)” >}}
Truth be told, the three project leads, Chaim, Walter and me have never met in person and physical contact is similarly rare between the committers, let alone the commercial suppliers or the thousands of users worldwide.
This is the CRS newsletter covering the period from Early February until today.
We held our monthly community chat. We had quite a few people stop by.
Our agenda from before the chat is available here. During the chat we discussed the following:
We added support for ModSecurity-v3/Apache and Modsecurity-v2/Nginx to the CRS Support ModSecurity Docker Repos. These will be used when testing before a release. Additionally, we will be adding testing with Nginx+FTW in addition to Apache+FTW.
So many technologies in one title!
Recently I’ve been spending quite a bit of time investigating ModSecurity as a potential replacement Web Application Firewall, and I’ve had some really positive results. The purpose of this post is to share with you how I’ve set this up, so you can do something similar yourself. After all, who wouldn’t want to be alerted to suspicious behaviour on their site in slack:
To help our customers secure their sites and applications — while continuing to give their users reliable online experiences — we’ve built a performant, highly configurable, and comprehensive Web Application Firewall (WAF). In our last post, we shared some of the tech behind our WAF, including how we chose our ruleset and leverage our findings. In order to provide a fully comprehensive solution for securing your infrastructure, it’s critical to continuously test that solution. Because technology and threats are constantly evolving, the rulesets also need to evolve to ensure proper visibility and mitigation into emerging attacks methods.