Let the CRS project be your Valentine: The OWASP ModSecurity Core Rule Set project will hold the first post-pandemic Community Summit at the Dublin Convention Center in Ireland on Tuesday, February 14, 2023.
We invite the whole CRS community, users, developers, integrators, and sponsors to meet with us for an exchange of thoughts, technical talks, and networking. After the “official” part of the meeting we will go out for dinner and drinks.
The OWASP ModSecurity Core Rule Set (CRS) project is proud to announce a new sponsoring partner: Bug Bounty Switzerland – a startup that has pioneered collaboration with ethical hackers in Switzerland and is today Switzerland’s leading provider of bug bounty programs and public trust initiatives. Since 2022, they have been the strategic partner of the National Cyber Security Centre NCSC and help to establish bug bounty programs for the whole Federal Administration. Their customer base includes Swiss and international clients from various fields, as well as regulated industries like banking, insurance, healthcare and providers of critical infrastructure.
Pizza, pasta, pesto … pineapple? This was one of the many important topics (and one of the most controversial) discussed at the CRS developer retreat 2022 in Italy. The annual CRS developer team retreat is always a highlight of the year, finally meeting face-to-face again and not just via chat.
This time, the backdrop for the meeting from October 29 to November 5 was the southern foothills of the Alps near Lake Varese, close to the Swiss border. Here, in Villa Cagnola, there was not only good food and drink – there was also a lot of work. The focus was on two items: preparing the rule set for the CRS v4 release and defining a strategy for the future of the project.
Astronaut? Garbage truck driver? Electrical engineer? Metalsmith? In the end, Hungarian Ervin Hegedüs became a software developer. Within the Core Rule Set project, he contributes primarily to tool development and packaging. “New team members should above all be team players,” says Ervin.
Ervin Hegedüs has had no shortage of interesting career ideas in his 51-year life. While the usual childhood dreams of becoming an astronaut or a garbage truck driver vanished as he grew older, Ervin still today sometimes wonders what would have become of him if he hadn’t found his way to IT. He thinks he might have become an electrical engineer since he is a HAM radio operator in his spare time (callsign: HA2OS). More about that later.
He likes to play board games and the guitar, and he loves to fix bypasses to CRS rules: Italian Andrea Menin joined the Core Rule Set team in 2018. The most important requirement for anybody joining the project, he says, is to enjoy it.
Unfortunately, backporting the fixes from our development branch 4.0 introduced a regression which was only found after publication. As a result, some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. This did not harm security, but it may have introduced false alarms for those running in Paranoia Level 1. We have fixed this in two new releases:
Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes, and the security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8.
The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of two new CRS versions. Edit: The download links have been updated to refer to the fixed versions.
A few months ago we happily announced the first Release Candidate for Core Rule Set 4.0.
Our original plan was to finish the 4.0 release as fast as possible. However, we found ourselves in a unique situation for our project.
After the Release Candidate, a large CRS user organized a CRS Bug Bounty event, where advanced WAF hackers were tasked with bypassing our rule set to earn prizes. Since a similar earlier event had not uncovered any findings, we were expecting only a small number of bug reports. But the hackers turned out to be amazing and created more than 100 malicious payloads that bypassed our detection!
The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page.
CRS 4 contains many important changes, such as:
A plugin architecture for extending CRS and minimizing attack surface. Application exclusion sets and less-used functionality have been migrated from the CRS core to plugins. (See our plugin registry for the full list of existing plugins.)
The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role.
Felipe Zipitría holds a master’s degree in computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for the Faculty of Engineering for several years and also lectures on security at the university.