Last week, we have released CRS v4.1.0. The new release is the first according to the new monthly release schedule and brings a couple of new features and fixes.
It includes quality improvements via better rule linting and fixes for false positives across a handful of rules.
And: new developer Esad Cetiner has joined the team intime for the 4.1 release.
Read the changelog here.
One of the new features added in CRS 4 is Early Blocking. This optional new setting allows blocking decisions to be made earlier than usual.
CRS request detection rules take place in two phases. The rules of the first phase are executed after the server has received the HTTP request line and the request headers. The rules of the second phase are executed once the request body has been received and parsed.
Walter died last week and we are at a loss of words. For CRS, he has been a wonderful friend, a strong colleague, a developer with an impressive knowledge of PHP and WordPress in particular, a very smart thinker and one of very few regex wizards. He was also a dedicated Pokemon Go player and I remember how he would go for walks in the afterhours of IT conferences to hunt for some rare beasts. He enjoyed nature that way and the occasional catch in remote places.
What a Valentine’s Day present we have got for you: today, the Core Rule Set project is releasing CRS 4!
Finally, you may say – and would be absolutely right: it took us a long time to get there. But we wanted to do it right, especially after the bug bounty program we took part in left us with over 500 individual findings in roughly 180 reports. Fixing all these needed more time than we originally thought. But the result is a CRS that has never been more secure.
With the new year comes good news: last week, Trustwave and the OWASP Foundation have announced the agreement to transfer ModSecurity to OWASP. The transition will commence on January 25. The incubation phase of the new OWASP ModSecurity project will focus on the establishment of a development community to lay the basis for a successful continuation of the project under the new stewardship. This entails the three areas: communication, administration and development. OWASP calls all interested parties to join hands and help with the future development of ModSecurity.
We are proud to present Swiss Post as new silver sponsor for the OWASP ModSecurity Core Rule Set. Swiss Post is one of the longest-standing and best-known brands in Switzerland since its establishment in 1849. The company uses many open-source solutions for development and operation and in turn supports the community where possible. Ties between Swiss Post and the CRS project team have traditionally been strong with different core team members having worked for the premier Swiss provider of mail and logistics services.
Our man in South America: Felipe Zipitría enjoys the views of Budpest at the CRS Developer Retreat 2023
After the lofty ideas of Sunday (keyword: universe domination), things got a little more down-to-earth on Monday. After the participants had split up into the four projects, work began on them. Things got more exciting again in the afternoon when the next steps and the project roadmap were discussed.
Two results from the intensive discussion about the long-term development of the project should be mentioned here in particular: Firstly, in order to not being restricted by the SecRule language the project decided to slowly start preparing an alternative structured format for a rule language. Secondly, as a lesson from the delayed release of version 4 as a result of the bug bunty program, we agreed on a new and faster serial release – without getting rid of the LTS releases. There were many other points to discuss, which we will report on in due course when things are ready.
Full steam ahead: CRS core team member Andrew Howe lives in the same place where the Titanic started
It’s hard to believe that it’s already been another year since the last OWASP ModSecurity Core Rule Set Developer Retreat in Varese near Milan in northern Italy. This year, the core team is meeting in the Hungarian capital Budapest from November 5th to 12th. The team members travelled from all directions – some got up inhumanly early, others flew across the Atlantic and still others had been travelling by train for two days … but not even the Deutsche Bahn could prevent all registered participants from arriving at the Hotel Nádas Pihenőpark by late afternoon on Sunday.