ModSecurity's Source Code Repository Is Now Open
I spent the last week importing ModSecurity's source code repository into Subversion at SourceForge. I am proud to announce that a read-only version of ModSecurity's Subversion repository is now publicly available. In addition to this, Atlassian has graciously given the ModSecurity project a license to use their software. We are currently using Jira to track reported issues and FishEye to track and analyze the code repository, and we plan to add Confluence (a wiki) in the near future. Together, these tools allow users to test and apply fixes immediately, and to monitor the progress of reported issues and of ModSecurity as a whole.
This is a big step forward for the ModSecurity project. The project is becoming much more open and feels more like an Open Source project should. Please take some time to look at the new tools. Comments are always welcome.
Securing WebGoat using ModSecurity
This year, OWASP's Summer of Code event contains one project that's of particular interest to me (and possibly to you, considering that you're following this blog): Securing WebGoat Using ModSecurity. If you've ever seen WebGoat (a learning sandbox that contains samples of many application security issues) then you know how difficult it might be to secure. It's true: it's probably the worst-case scenario for ModSecurity, because it's not your typical application, and it contains a number of problems that require an understanding of application state to exploit (and thus to protect against too). So we should all congratulate Stephen Evans for pulling through and reaching the end of the project.
I find the project interesting because it stretches the boundaries of what ModSecurity can do. For example, one of the features Stephen relied heavily on is the Lua scripting language, which is currently marked as experimental. As we are currently working on the design for ModSecurity 3, Stephen's feedback is going to be very useful to us.
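As an added illustration of the kind of state-aware rule the Lua scripting support makes possible (example code written for this post, not Stephen's or the WebGoat project's own), here is a SecRuleScript rule that only allows the second step of a hypothetical two-step workflow once the first step has been seen in the same session; the paths, the cookie name, the file locations and the two-step workflow itself are assumptions:

```lua
-- Added example, not part of the WebGoat project or the ModSecurity sources.
-- Enforces a hypothetical workflow: a request for /app/confirm is allowed
-- only after /app/review was seen in the same session. Paths, cookie name
-- and file locations are assumptions.
--
-- Apache wiring assumed alongside this file (ModSecurity 2.5 directives):
--   SecDataDir /var/cache/modsecurity
--   SecAction "phase:1,nolog,pass,setsid:%{REQUEST_COOKIES.JSESSIONID}"
--   SecRule REQUEST_URI "@streq /app/review" \
--       "phase:2,nolog,pass,setvar:session.review_seen=1"
--   SecRuleScript /etc/modsecurity/workflow.lua "phase:2,deny,status:403,log"

-- Returning a string from main() makes the rule match (the string becomes
-- the log message); returning nil means "no match" and the request proceeds.
function main()
    -- Read the request URI with the "lowercase" transformation applied.
    local uri = m.getvar("REQUEST_URI", "lowercase")
    if uri == nil then
        return nil
    end

    -- Only the second step of the workflow is state-dependent.
    if uri ~= "/app/confirm" then
        return nil
    end

    -- No session or no recorded first step: treat the review as not done.
    local reviewed = m.getvar("SESSION.review_seen")
    if reviewed ~= "1" then
        m.log(4, "workflow: /app/confirm without prior /app/review in session")
        return "Workflow step skipped: confirm requested before review"
    end

    return nil
end
```

The persistent SESSION collection is what carries state between requests; without the setsid step the script sees no recorded state and denies the second step.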
If this sort of thing interests you, note that Stephen will be sharing his experiences during the OWASP Summit in Portugal next week. If you'll be attending the summit (or even if you can schedule a trip on short notice), do consider attending.
ModSecurity at ApacheCon US 2008
In a few weeks' time I will present my favourite talk, Web Intrusion Detection with ModSecurity, at the ApacheCon US 2008 in New Orleans:
Intrusion detection is a well-known network security technique: it introduces monitoring and correlation devices to networks, enabling administrators to monitor events and detect attacks and anomalies in real time. Web intrusion detection does the same, but it works at the HTTP level, making it suitable for dealing with security issues in web applications. This session will start with an overview of web intrusion detection and web application firewalls, discussing where they belong in the overall protection strategy. The second part of the talk will discuss ModSecurity and its capabilities. ModSecurity is an open source web application firewall that can be deployed either embedded (in the Apache HTTP server) or as a network gateway (as part of a reverse proxy deployment). Now in its sixth year of development, ModSecurity is mature, robust and flexible. Due to its popularity and wide usage it is now positioned as a de facto standard in the web intrusion detection
This is the same talk I presented at ApacheCon Europe 2008 in Amsterdam and the OWASP AppSec US 2008 conference in New York, and it's getting better every time I do it. This is going to be my first ApacheCon in the US and I am really looking forward to it. It's the place to be if you are involved in any way with the projects of the Apache Software Foundation.