ModSecurity Blog: January 2006

I will be at the Institute of Directors tomorrow, giving a talk on threat modelling for the White Hats user group (full title of the talk: "Threat Modelling for Web Application Deployment"). As I was preparing for the talk I thought it would be a good idea to post the list of threat modelling resources online, for myself and for the others.

• Part I of Improving Web Application Security, Threats and Countermeasures, from Microsoft:

• Attack Modeling for Information Security and Survivability (PDF)
  
  
• OCTAVE (risk-based
  strategic assessment and planning technique for security)

• Collaborative Attack Modeling
  
  
• Attack Trees
  
  
• Systematic Network Vulnerability Analysis based on Attack Graphs (PDF)

• Book Managing Information Security Risks: The OCTAVE Approach
  
  
• Chapter 4 in Writing Secure Code

• Book Threat Modeling, also from Microsoft

• Free Threat Modelling Tool from Microsoft

• Threat Modeling Portal @ MSDN
  

(IN)SECURE Magazine Issue 1.5 has just been published. I wrote the cover story, titled "Web application firewalls primer". There are two sides to the article. In the first half I deal with the name web application firewall itself, and with the functionality behind the name. The second half is more straight-forward; it lists the most important features present in today's web application firewalls. Check it out!

The Web Application Firewall Evaluation Criteria (WAFEC) v1.0 has been released over the weekend. You can get it from here. WAFEC is a well-rounded effort to enumerate the features of web application firewalls (WAFs). I managed the project, but the work is a result of collaboration between many WAF vendors, WAF users, and security professionals. With WAFs being a very diverse subject getting a diverse group of people together was key to producing a good document. I am very happy v1.0 is out; we've been working on it for the largest part of 2005.

This document is a *must-read* if your intend to incorporate a WAF into your architecture (or consider it). It will not only help decide between the available offerings but it will also help you understand how is that these devices are protecting you. For more information go and fetch the document itself. You can also read through this NetworkWorld article. Or the press release.

If you are a ModSecurity user you may have noticed that I am distributing ModSecurity without any rules. This may seem strange at a first glance, but there is a good reason for it. ModSecurity did, in fact, come with some rules back in the early days. There were some rules that were meant to serve as an example, and I also included a bunch of rules that I used for regression testing. I thought people would look at the included rules to learn how to write their own.

I was very wrong. Many people simply decided to use *all* of the rules included in the distribution *and* deploy ModSecurity configured to block everything that's suspicious. Unsurprisingly, this created a lot of false positives. The regression testing rules, in particular, were tightly coupled to a specific test configuration. To cut the long story short - I removed all but a handful of rules from ModSecurity in order to save my mailbox from overflowing.

The situation is about to change again. As time went on I began to see the lack of "standard" rules as a bottleneck, a road block to further ModSecurity growth. People *do* need to have examples in order to learn how to write their own rules. To deal with this I started a new subproject called ModSecurity Rules. This is where I will keep the rules. The rules that are in the subproject right now are already in a pretty good shape by the way, as I've been using them myself for some time. They are officially in beta, but this is only because there's still some polishing left to do (for example, assigning each rule an unique ID).

Starting with ModSecurity 2.0, a snapshot of the rules will be included with the distribution. There, I've decided to bite the bullet again.