
ModSecurity Blog: January 2006

Threat Modelling Resources

I will be at the Institute of Directors tomorrow, giving a talk on threat modelling for the White Hats user group (full title of the talk: "Threat Modelling for Web Application Deployment"). As I was preparing for the talk I thought it would be a good idea to post the list of threat modelling resources online, for myself and for the others.

Web application firewalls primer

(IN)SECURE Magazine Issue 1.5 has just been published. I wrote the cover story, titled "Web application firewalls primer". There are two sides to the article. In the first half I deal with the name web application firewall itself, and with the functionality behind the name. The second half is more straightforward; it lists the most important features present in today's web application firewalls. Check it out!

Web Application Firewall Evaluation Criteria v1 Released

The Web Application Firewall Evaluation Criteria (WAFEC) v1.0 was released over the weekend. You can get it from here. WAFEC is a well-rounded effort to enumerate the features of web application firewalls (WAFs). I managed the project, but the work is a result of collaboration between many WAF vendors, WAF users, and security professionals. With WAFs being a very diverse subject, getting a diverse group of people together was key to producing a good document. I am very happy v1.0 is out; we've been working on it for the largest part of 2005.

This document is a *must-read* if you intend to incorporate a WAF into your architecture (or are considering it). It will not only help you decide between the available offerings but it will also help you understand how these devices are protecting you. For more information go and fetch the document itself. You can also read through this NetworkWorld article. Or the press release.

ModSecurity Rules subproject added

If you are a ModSecurity user you may have noticed that I am distributing ModSecurity without any rules. This may seem strange at first glance, but there is a good reason for it. ModSecurity did, in fact, come with some rules back in the early days. There were some rules that were meant to serve as an example, and I also included a bunch of rules that I used for regression testing. I thought people would look at the included rules to learn how to write their own.

I was very wrong. Many people simply decided to use *all* of the rules included in the distribution *and* deploy ModSecurity configured to block everything that's suspicious. Unsurprisingly, this created a lot of false positives. The regression testing rules, in particular, were tightly coupled to a specific test configuration. To cut a long story short: I removed all but a handful of rules from ModSecurity in order to save my mailbox from overflowing.

The situation is about to change again. As time went on I began to see the lack of "standard" rules as a bottleneck, a roadblock to further ModSecurity growth. People *do* need to have examples in order to learn how to write their own rules. To deal with this I started a new subproject called ModSecurity Rules. This is where I will keep the rules. The rules that are in the subproject right now are already in pretty good shape by the way, as I've been using them myself for some time. They are officially in beta, but this is only because there's still some polishing left to do (for example, assigning each rule a unique ID).

Starting with ModSecurity 2.0, a snapshot of the rules will be included with the distribution. There, I've decided to bite the bullet again.
