What’s new in CRS4? An Update from the OWASP CRS project
@ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Christian Folini / @ChrFolini
2. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Plan for Today
⚫ Intro to the OWASP ModSecurity Core Rule Set
⚫ News from planet CRS
⚫ New features of upcoming major release CRS v4
7. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Paranoia Levels
● Paranoia Level 1: Minimal number of false positives (baseline protection)
● Paranoia Level 2: More rules, some false positives (real data in the service)
● Paranoia Level 3: Specialized rules, more false positives (online banking level security)
● Paranoia Level 4: Crazy rules, many false positives (nuclear power plant level security)
8. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Numbers by Tuomo Makkonen
https://blog.fraktal.fi/cloud-waf-comparison-part-2-e6e2d25f558c
9. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Article in Dark Reading:
Transforming SQL Queries Bypasses WAF Security
https://www.darkreading.com/cloud/transforming-sql-queries-bypasses-waf-security
10. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
11. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
12. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
● Complete overhaul of CRS documentation
13. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
● Complete overhaul of CRS documentation
● Launch of CRS Sandbox
14. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
● Complete overhaul of CRS documentation
● Launch of CRS Sandbox
● Private Bug Bounty Program
15. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
● Complete overhaul of CRS documentation
● Launch of CRS Sandbox
● Private Bug Bounty Program
16. @ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Trustwave
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
● Complete overhaul of CRS documentation
● Launch of CRS Sandbox
● Private Bug Bounty Program
● Dev-on-duty program
Major Changes for CRS v4
● Plugins architecture 🆕
● Early blocking 🆕
● Scoring vars and paranoia levels renaming
● Configurable reporting levels 🆕
● No longer dependent on PCRE, ready for Re2 / Hyperscan
● Quality: all rules have positive and negative tests!
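The paranoia levels described earlier and the renamed scoring variables, early blocking and configurable reporting level listed here are all set in crs-setup.conf. The following minimal CRS 4 setup fragment is an added example and not part of the slides; the rule IDs and tx variable names are assumed to match the released CRS 4 crs-setup.conf.example, which postdates this talk, so pre-release builds may have used other names.

```apache
# Paranoia levels (CRS 4 names; CRS 3 called them tx.paranoia_level and
# tx.executing_paranoia_level). Rules up to the blocking level add to the
# blocking score; rules up to the detection level are evaluated and logged
# but only feed the separate detection score, so PL2 rules can be trialled
# here without causing blocks.
SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=1"
SecAction "id:900001,phase:1,pass,t:none,nolog,setvar:tx.detection_paranoia_level=2"

# Anomaly thresholds. Rule severities score critical=5, error=4, warning=3,
# notice=2, so one critical match already reaches the default inbound
# threshold of 5 and the request is denied.
SecAction "id:900110,phase:1,pass,t:none,nolog,setvar:tx.inbound_anomaly_score_threshold=5,setvar:tx.outbound_anomaly_score_threshold=4"

# Reporting level: 4 is the CRS 4 default; lower values keep the summary
# alert for a blocked request but suppress more of the per-rule alerts,
# which is the knob for reducing error-log noise (assumed semantics).
SecAction "id:900115,phase:1,pass,t:none,nolog,setvar:tx.reporting_level=4"

# Early blocking: with this set, the inbound threshold is also evaluated at
# the end of phase 1 (request headers) and the outbound threshold at the end
# of phase 3 (response headers), so a request that already exceeds the
# score in its headers is denied before the body is read and parsed.
SecAction "id:900120,phase:1,pass,t:none,nolog,setvar:tx.early_blocking=1"
```

Verify the effect in the audit log: with early blocking on, a header-only hit is reported by the phase 1 blocking rule rather than the usual phase 2 one.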
Existing Plugins
● All rule exclusions are now plugins
● Antivirus plugin 🆕
● auto-decoding 🆕
● body decompress 🆕
● fake bot 🆕
● google-oauth2 🆕
Plugins in the making for v4
● GeoIP plugin
● IP reputation
New Rules
● SSRF
● Email protocols (SMTP, POP3, IMAP)
● Log4J / Log4Shell, Spring4Shell
● Common Webshell detection
● Improved the detection across the board for RCE and SQLi and many more
CRS v4 Release Plan
● Originally planned for May / June 2022
● Shot to pieces by private Bug Bounty
● Need to fix literally dozens of findings first
● Expect backports of findings for existing release lines
● New release plan after Summer
CRS GOLD Sponsors
CRS SILVER Sponsors
Questions and Answers, Contact
Contact: @ChrFolini
christian.folini@owasp.org