Blogs

Testing WAFs, FTW Version 1.0 released

The OWASP Project maintains an open source set of rules known as the OWASP Core Rule Set (CRS). The CRS implements protections for the well-known, broad classes of web application vulnerabilities identified by OWASP. Over time, this set of rules has become the most popular ruleset for ModSecurity and also found its way into many other popular WAFs. During this same timeframe, we have seen Quality Assurance (QA)/DevOps techniques adjust to new Agile development methodologies.

ModSecurity version 2.9.2 released

Trustwave has released ModSecurity version 2.9.2. This is an important update for users of the Core Rule Set. To detect SQL and XSS injections, CRS relies in part on the libinjection library by Nick Galbreath. This library is bundled with ModSecurity. It is regularly updated to address new types of injections. Therefore, to have optimal protection against SQL and XSS injections, you should always keep ModSecurity updated. The update also fixes two security vulnerabilities and contains various other improvements.

CRS3 presentation at OWASP London

OWASP London informed me that my CRS3 presentation will be live-streamed on the OWASP London Facebook page. My talk will begin around 8pm UK time. The presentation will be very similar to the one I held at AppSecEU in Belfast, but this time, we have a backup plan for the installation demo which failed due to beamer issues back in May. A record of the stream will be available on YouTube afterwards, likely the OWASP London channel.