Folini Extended Introduction to ModSecurity and CRS3

•

2 likes•549 views

This document provides an introduction to ModSecurity and the OWASP Core Rule Set (CRS) presented by Christian Folini. The presentation covers what a web application firewall (WAF) and ModSecurity are, an overview of the CRS including rule groups and paranoia levels, how to install and configure ModSecurity with the CRS, and handling false positives. The goal of ModSecurity and CRS is to provide a first line of defense against web application attacks and block around 80% of attacks with minimal false positives in the default installation.

Technology

@ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27
An Introduction to
ModSecurity and the OWASP
Core Rule Set
(BCS DevSecOps SG)
Christian Folini / @ChrFolini

Baseline / 1st
Line of Defense
Safety Belts

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Boring Bio
●
Christian Folini / ChrFolini
●
Security Engineer at netnea
in Switzerland
●
Author, teacher and speaker
●
OWASP CRS project Co-Lead

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Plan for Today
●
What is a WAF?
●
What is ModSecurity?
●
What is Core Rule Set?
●
Demo
●
Key concepts
●
Rules
●
False Positives

Web Application Firewalls
Complex • Overwhelming • Rarely Functional

ModSecurity
Embedded • Rule oriented • Granular Control

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Include in server config (depending on path):
Include /path-to-owasp-crs/crs-setup.conf
Include /path-to-owasp-crs/rules/*.conf
Clone the repository (or download latest release):
$> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
Copy the example config:
$> cp crs-setup.conf.example crs-setup.conf
Demo Time (Installation)

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Research based on
4.5M Burp requests.
CRS3
Default Install
Redir.:
RFI:
LFI:
XSS:
SQLi:
0%
0%
-100%
-82%
-100%

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Paranoia Level 1: Minimal number of false positives
Baseline protection
Paranoia Level 2: More rules, some false positives
Real data in the service
Paranoia Level 3: Specialized rules, more FPs
Online banking level security
Paranoia Level 4: Crazy rules, many FPs
Nuclear power plant level security
Paranoia Levels

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Important Groups of Rules
Request Rules
REQUEST-910-IP-REPUTATION.conf
REQUEST-911-METHOD-ENFORCEMENT.conf
REQUEST-912-DOS-PROTECTION.conf
REQUEST-913-SCANNER-DETECTION.conf
REQUEST-920-PROTOCOL-ENFORCEMENT.conf
REQUEST-921-PROTOCOL-ATTACK.conf
REQUEST-930-APPLICATION-ATTACK-LFI.conf
REQUEST-931-APPLICATION-ATTACK-RFI.conf
REQUEST-932-APPLICATION-ATTACK-RCE.conf
REQUEST-933-APPLICATION-ATTACK-PHP.conf
REQUEST-941-APPLICATION-ATTACK-XSS.conf
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf
REQUEST-944-APPLICATION-ATTACK-JAVA.conf
REQUEST-949-BLOCKING-EVALUATION.conf

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Important Groups of Rules
Response Rules
RESPONSE-950-DATA-LEAKAGES.conf
RESPONSE-951-DATA-LEAKAGES-SQL.conf
RESPONSE-952-DATA-LEAKAGES-JAVA.conf
RESPONSE-953-DATA-LEAKAGES-PHP.conf
RESPONSE-954-DATA-LEAKAGES-IIS.conf
RESPONSE-959-BLOCKING-EVALUATION.conf

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Paranoia Level
Example: Protocol Enforcement Rules
Paranoia Level 1: 31 Rules
Paranoia Level 2: 7 Rules
Paranoia Level 3: 1 Rules
Paranoia Level 4: 4 Rules

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Stricter Siblings
Example: Byte Range Enforcement
Paranoia Level 1:
Rule 920270: Full ASCII range without null character
Paranoia Level 2:
Rule 920271: Full visible ASCII range, tab, newline
Paranoia Level 3:
Rule 920272: Visible lower ASCII range without %
Paranoia Level 4:
Rule 920273: A-Z a-z 0-9 = - _ . , : &

Anomaly Scoring
Adjustable Limit • Blocking Mode • Iterative Tuning

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Sampling Mode
Easing into CRS adoption / limit the impact
• Define a sampling rate of n
• Only n% of the requests are being funneled into CRS3
• 100% - n% of requests bypass CRS3
• Monitor performance and fix problems
• Slowly raise n in an iterative way until it reaches 100%

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
False Positives
False Positives are expected from PL2
• FPs are fought with rule exclusions
• Tutorials at https://www.netnea.com
• Get cheatsheet from Netnea
• Please report FPs at PL1 (github)

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Apache / ModSecurity / CRS Tutorials
https://www.netnea.com/cms/apache-tutorials/

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Summary ModSecurity & CRS3
• 1st
Line of Defense against web application attacks
• Generic set of blacklisting rules for WAFs
• Blocks 80% of web application attacks in the default
installation (with a minimal number of FPs)
• Granular control over the behaviour down to the
parameter level
More information at https://coreruleset.org

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Questions and Answers, Contact
Contact: christian.folini@netnea.com
@ChrFolini

This document discusses three zero-day vulnerabilities found by Alex Hernandez aka alt3kx: a CSRF and session hijacking vulnerability in Aruba Networks WiFi routers, an SQL injection and local file inclusion vulnerability in the Trixbox VoIP system, and a local denial of service vulnerability in Cisco's VPN client software. Details are provided on the affected software versions, descriptions of the vulnerabilities, and proof of concept videos. Responses are included from Aruba Networks, Trixbox/Dan Austin, and Cisco acknowledging the issues and providing bug IDs.

TechWiseTV Workshop: Programmable ASICs

Robb Boyd

Why trade performance for flexibility when you can program your network with new protocols and capabilities at wire speed? In this workshop learn how ASICs are made, why flexible silicon is critical to the future of networking and what you can do with Cisco’s next-generation UADP 2.0. Resources: Watch the related TechWiseTV episode: http://bit.ly/2fiqH1f Watch the TechWiseTV: New Era in Networking playlist: http://bit.ly/2jpoRjB

What is a blockchain api how can you integrate in your website

Blockchain Council

Introduction to ModSecurity and the OWASP Core Rule Set

Christian Folini

This document discusses ModSecurity and the OWASP Core Rule Set (CRS). ModSecurity is an open source web application firewall that can be embedded into servers. It uses rules to provide granular control over requests and responses. The CRS is a set of generic rules that can block 80% of common web attacks in its default configuration with minimal false positives. It is organized into different rule groups and has different paranoia levels to control security and false positives. The presentation demonstrates how to install and configure ModSecurity and CRS to provide a first line of defense against web application attacks.

Extensive Introduction to ModSecurity and the OWASP Core Rule Set

Christian Folini

This document outlines an introduction to ModSecurity and the OWASP Core Rule Set (CRS) presented at a security conference. It discusses what a web application firewall (WAF) and ModSecurity are and how the CRS works. The presentation covers key concepts like rule groups, paranoia levels to control false positives, and anomaly scoring. It also demonstrates installing and configuring ModSecurity and the CRS. The document promotes the CRS as a first line of defense against web attacks and provides resources for additional tutorials, courses, and support.

What’s new in CRS4? An Update from the OWASP CRS project

Christian Folini

Christian Folini presented news and updates about the OWASP ModSecurity Core Rule Set (CRS) project. Some key points included: - Trustwave announced end of life for their ModSecurity product and a new open source WAF engine called Coraza. - The CRS documentation was overhauled and a sandbox and private bug bounty program were launched. - Major changes in CRS v4 include a plugins architecture, early blocking, configurable reporting levels and removing PCRE dependency. - New rules are being added around SSRF, email protocols, Log4Shell, webshell detection and improved RCE and SQLi detection. - The CRS v4 release was delayed to fix issues

ACI Hands-on Lab

Cisco Canada

Cisco® Application Centric Infrastructure (ACI) is an innovative architecture that radically simplifies, optimizes, and accelerates the entire application deployment lifecycle. Cloud, mobility, and big data applications are causing a shift in the data center model. Cisco ACI redefines the power of IT, enabling IT to be more responsive to changing business and application needs, enhancing agility, and adding business value. Cisco ACI delivers a transformational operating model for next-generation data center and cloud applications. This Cisco ACI hands lab will step you through from the ACI Fabric concepts to deployment. • Cisco ACI Overview • ACI Fabric Discovery • ACI Building Basic Network Constructs • ACI Building Policy Filters and Contracts • : Deploying a 3-Tier Application Network Profile • ACI Integrating with VMware • Deploying a Service Graph with Application Network Profile • Exploring Monitoring and Troubleshooting

As our applications transform to cloud-native-first architectures, policy replaces configuration files to define infrastructure at all layers; networking, compute, storage, and of course application. Developers now have almost unlimited choices in how to solve their architecture, agility and scale challenges using the software defined infrastructure that powers our cloud-native world. Prescriptive topologies for networks are too rigid to support the needed agile iterations of today’s application. The software development lifecycle (SDLC) evolved to support multiple iterations for innovation and has some lessons for all of us. This session describes SDLC evolutions to help network and infrastructure experts as they strive to connect business value to applications to infrastructure while constructing the networks of the future.

Amazon CloudFront Best Practices and Anti-patterns

Abhishek Tiwari

This document outlines best practices and anti-patterns for using Amazon CloudFront. It begins with an overview of CloudFront and its key capabilities as a content delivery network. It then discusses important CloudFront concepts and provides details on best practices for caching, object invalidation, versioning, compression, expiration settings, domain sharding, and origin server configurations. Anti-patterns around expensive and unmanageable cache invalidation approaches are also presented. The document aims to help users optimize CloudFront performance and manageability.

Brksec 2048-demystifying aci-security

Cisco

The document discusses demystifying security in Application Centric Infrastructure (ACI). It provides an overview of ACI and how it helps tackle data center security challenges by integrating security into applications, accelerating security deployment, and automating security insertion. ACI leverages Cisco security technologies to better protect the data center by providing leading security capabilities and integrating smoothly with the ACI architecture.

Building Up Network Security: Intrusion Prevention and Sourcefire

Global Knowledge Training

Network security specialist Catherine Paquetl fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire. ABOUT THE PRESENTER Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.

BRKSEC-2494.pdf

JacksonGonzalez14

FPR4115 - Clean install of FTD 6.6.0 - No policies configured - Default interface configuration - Default logging settings Test Setup - Ixia BreakingPoint as traffic generator - IMIX traffic profile with varying packet sizes - Short lived connections (1 packet per connection) - Ramp up rate of 100,000 CPS Expected Result - FPR4115 should handle ~800,000 new connections per second - CPU and memory utilization should remain under 80% with no packet drops This test aims to validate the maximum new connections per second claim from the Cisco datasheet. By using recommended test practices like a clean install, default configuration, short lived connections,

Security and Virtualization in the Data Center

Cisco Canada

The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the data center environment. This session will focus on recommendations for securing next-generation data center architectures. Areas of focus include security services integration, leveraging device virtualization, and considerations and recommendations for server virtualization. The target audience are security and data center administrators.

Securing Micro Services in Cloud Foundry

PLUMgrid

This document discusses securing microservices in CloudFoundry. It begins by noting the need for microsegmentation as applications move to the cloud and become more elastic. Traditionally defining firewall rules by IP address becomes unmanageable in this environment. The document then proposes defining policies based on application roles and grouping endpoints into policy-defined segments. It provides examples of defining policies by application groups rather than individual IP addresses, avoiding state explosion. This group-based policy approach allows for secure, scalable and intent-based policy definition.

Brkcld 2215

JuanCarlosMuruchi

1) The document discusses how to build a hybrid cloud-ready IT department, including defining the hybrid cloud, building a private cloud, consuming public clouds, and using Cisco's multicloud portfolio. 2) Building a private cloud involves utilizing existing resources, implementing IT as a service, automating provisioning, and using software-defined networking and orchestration tools. 3) Consuming public clouds requires meeting user expectations for simplified portals, delivery times, costs, security and access models or enabling users directly. Factors like costs, security, connectivity and compliance must be considered for workloads. 4) Cisco's multicloud portfolio aims to provide connectivity between clouds with tools for protection, advisory services,

Hosted Security as a Service - Solution Architecture Design

Cisco Canada

he Hosted Security as a Service session provides in depth discussion on cloud based security services leveraging Cisco security solutions. This session is appropriate for service providers who are interested in delivering managed security services to their customer from their cloud infrastructure. We will provide detailed designs and guidance on: - cloud security services including FW, VPN, web and email services - architecture layers through influence of NfV and SDN - KVM and VMware based solutions - orchestration flexibility and options - Day 0 and Day 1 provisioning - Day 2 monitoring and reporting.

Cisco Live: Containers on Enterprise Compute and Networks

Michael Duarte

Containers are the next evolutionary step in how applications are managed and consumed. Allowing application teams to control and optimize their application deployment process. Along with the advantages provided to application teams, it's also a dynamic shift for data center design. Allowing for better resource utilization, and management resulting in both cost savings and faster IT. This session will explain how Cisco IT has delivered this new paradigm in Cloud Technology by using Cisco ACI, Cisco UCS and open-source solutions like Kubernetes.

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

DevSecCon

Jan Harrie Security Analyst at ERNW GmbH OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood. Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem. In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...

IO Visor Project

As microservices grow, traditional firewall rules based on network ACLs are no longer scalable and fall short of providing fine-grained enforcement. Group Based Policy (GBP) is a flexible policy language that allows users to specify policy enforcement based on intent, independent of network infrastructure and IP addressing. Using micro-segmented virtual domains, administrators can define policies at a centralized location and use IO Visor technology for distributed enforcement. This provides infrastructure independent rules, template-based policy definitions, and scale-out policy enforcement for a solution that secures and scales with microservices. This session will be presented by members of the IO Visor community and will cover how IO Visor technology can be used to define and enforce GBP. The discussion will also cover using GBP for cloud foundry application spaces where microservices are deployed and need scalable, efficient security policies.

Cisco Strategic Profile

sezzzwho

The document provides an overview of Cisco Systems including: 1) Cisco's history developing networking products and acquiring over 300 companies, achieving $34.9 billion in revenue in 2007. 2) Cisco's product portfolio including routers, switches, security solutions, WebEx, and TelePresence as well as professional services. 3) An analysis of Cisco's financial performance, competitors, geographic markets, and strategies for future growth in areas like unified communications and emerging markets.

IBOSEC-3000-2.pdf

Andrew Benhase

The presentation discusses critical network defenses and strategies for airgapping networks in emergency situations. It notes that most networks are not designed to disconnect from the internet quickly when needed. A scenario is presented where data exfiltration is actively occurring and must be stopped immediately. However, finding the right person to disconnect all networks could take over an hour, allowing significant damage. This highlights the need to design networks so that internet disconnection can occur in just a few minutes through automated and centralized controls.

OpenChain Monthly Meeting 2023-02-21 (North America and Asia)

Shane Coughlan

The document summarizes the agenda and discussions from an OpenChain monthly meeting on February 21, 2023. Key discussion points included: - Reminders about anti-trust policies for the meeting. - Updates on adoption of OpenChain specifications, security assurance certification programs, and free online training courses. - Discussion of definitions in the specifications to harmonize licensing and security definitions. - Proposed changes to the security assurance specification in response to issues raised on GitHub, including adding definitions for "remediate" and "mitigate", adding requirements under the "Competence" category, and including references to relevant ISO standards.

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...

Cisco Canada

Building The Right Network

Cisco Canada

TFI2014 Session II - Requirements for SDN - Brian Field

Colorado Internet Society (CO ISOC)

The document discusses software-defined networking (SDN) and an alternative paradigm called hybrid open (HOpen) architecture. HOpen architecture separates the control plane from the forwarding plane, like in SDN, but also leverages existing vendor code while allowing operators to develop new features independently. The author provides examples of how Comcast has added new protocols and capabilities to the HOpen platform to innovate more quickly without relying solely on vendors or standards bodies. HOpen represents a middle ground between traditional vendor-controlled networks and pure open SDN and could change how new protocols are developed and adopted.

Application Policy Enforcement Using APIC

Cisco Canada

This document provides an overview of Cisco Application Centric Infrastructure (ACI) and the Application Policy Infrastructure Controller (APIC). It discusses how ACI solves problems with overloaded network constructs and language barriers between developers and infrastructure teams. It defines key ACI concepts like tenants, endpoint groups, contracts, filters, and actions. It also describes how ACI uses a centralized policy model to define application connectivity and control network traffic in application-centric terms through provider-consumer relationships between endpoint groups. The document concludes by reserving time for attendees to complete hands-on labs demonstrating ACI concepts.

Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...

Primend

OWASP ModSecurity - A few plot twists and what feels like a happy end

Christian Folini

Crazy incentives and how they drive security into no man's land

Christian Folini

Everybody, Blueteam and Redteam players alike, are driven by incentives. Good incentives persuade us to do the right thing and patch our servers. Bad incentives make us eat unhealthy food and follow stupid security practices. There is a huge resource problem in the IT industry and especially in the security industry. So you would expect people to pay attention to the existing incentives and th incentives they create with their documentation, their awareness trainings, their security reports, etc. But reality paints a different picture: Bad incentives all around! We see insane security practices eating valuable time and online trainings annoying users, slowly teaching them to become a brainless zombie whenever they hear the keyword "security". But it's even worse. I've come across incentives that lure companies into creating bad products and I've seen companies create products that incentivize their customers to waste their time and money. Sometimes the mechanisms are too strong to fight. But sometimes it takes people like you and me to say NO and stand up for real security! Follow me on a journey and security will never look the same to you again!

Similar to Folini Extended Introduction to ModSecurity and CRS3

What network architects need to know about the evolving software lifecycle (S...

Marco Coulter

Amazon CloudFront Best Practices and Anti-patterns

Abhishek Tiwari

Brksec 2048-demystifying aci-security

Cisco

Building Up Network Security: Intrusion Prevention and Sourcefire

Global Knowledge Training

BRKSEC-2494.pdf

JacksonGonzalez14

Security and Virtualization in the Data Center

Cisco Canada

Securing Micro Services in Cloud Foundry

PLUMgrid

Brkcld 2215

JuanCarlosMuruchi

Hosted Security as a Service - Solution Architecture Design

Cisco Canada

Cisco Live: Containers on Enterprise Compute and Networks

Michael Duarte

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

DevSecCon

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...

IO Visor Project

Cisco Strategic Profile

sezzzwho

IBOSEC-3000-2.pdf

Andrew Benhase

OpenChain Monthly Meeting 2023-02-21 (North America and Asia)

Shane Coughlan

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...

Cisco Canada

Building The Right Network

Cisco Canada

TFI2014 Session II - Requirements for SDN - Brian Field

Colorado Internet Society (CO ISOC)

Application Policy Enforcement Using APIC

Cisco Canada

Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...

Primend

Similar to Folini Extended Introduction to ModSecurity and CRS3 (20)

What network architects need to know about the evolving software lifecycle (S...

Amazon CloudFront Best Practices and Anti-patterns

Brksec 2048-demystifying aci-security

Building Up Network Security: Intrusion Prevention and Sourcefire

BRKSEC-2494.pdf

Security and Virtualization in the Data Center

Securing Micro Services in Cloud Foundry

Brkcld 2215

Hosted Security as a Service - Solution Architecture Design

Cisco Live: Containers on Enterprise Compute and Networks

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...

Cisco Strategic Profile

IBOSEC-3000-2.pdf

OpenChain Monthly Meeting 2023-02-21 (North America and Asia)

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...

Building The Right Network

TFI2014 Session II - Requirements for SDN - Brian Field

Application Policy Enforcement Using APIC

Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...

More from Christian Folini

OWASP ModSecurity - A few plot twists and what feels like a happy end

Christian Folini

Crazy incentives and how they drive security into no man's land

Christian Folini

Never Walk Alone - Inspirations from a Growing OWASP Project

Christian Folini

The OWASP ModSecurity Core Rule Set (CRS) was a dormant project, when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD and the rules run on over 100Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example how you can grow and mature your project too.

The Adventurous Tale of Online Voting in Switzerland

Christian Folini

EVoting in der Schweiz - Ein Fortsetzungsroman

Christian Folini

Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set

Christian Folini

The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...

Christian Folini

The Swiss tale with online voting serves as a typical example of the iterative development of highly critical IT systems and the growing involvement of scientists as a necessary step for a government that is willing to learn from past mistakes. Switzerland has been experimenting with online voting for over 15 years. Several generations of electronic voting systems have been implemented and almost all of them died along the way because of their profound security problems or when the money ran out. In 2019, Swiss Post published the source code of its online voting system, the last system that was still in the race. Several highly critical findings were discovered in a matter of weeks and the system was stopped right before the national elections. In 2020, the government rebooted the process and invited two dozen international researchers into an intense dialogue that lasted several months. The resulting report is the base for the renewed regulation that will pave the way forward in 2021.

Gedanken zur elektronischen Stimmabgabe für Datenschützer

Christian Folini

Medieval Castles and Modern Servers

Christian Folini

We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day. Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels. Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.

E-Voting, die Sicherheit und die Rolle der Experten

Christian Folini

Black alps 2018-folini-d-dos

Christian Folini

- Trend I: DDoS attacks are increasing in size over time - Trend II: More attacks are targeting applications instead of just bandwidth or servers - Trend III: Increased encryption makes defense against DDoS attacks more difficult - CDNs like Cloudflare play a large role in defending against DDoS attacks and their infrastructure controls much of the internet - Using local route announcements could guarantee better geographic blocking of attacks but risks balkanizing the internet - Nation states may fail to protect internet traffic that moves outside their jurisdictions

Optimizing ModSecurity on NGINX and NGINX Plus

Christian Folini

Christian Folini gave a presentation on optimizing ModSecurity on NGINX and NGINX Plus. Some key points: - ModSecurity is an open source web application firewall that provides a rule-based system. The OWASP ModSecurity Core Rule Set (CRS) is the default rule set that blocks over 80% of attacks. - To use ModSecurity with NGINX, one must compile ModSecurity 3.0 and the ModSecurity NGINX connector module, then compile NGINX with the connector. Alternatively, precompiled binaries are available with NGINX Plus. - Initial optimization steps include adjusting the anomaly threshold, learning to read logs using aliases, and handling false positives by

A General Look at the State of Security - AFCEA 2017

Christian Folini

Introducing the OWASP ModSecurity Core Rule Set

Christian Folini

The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that saw a new major release in November 2016 (3.0 -> CRS3). CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode. The important handling of false positives is also covered as well as pre-defined lists of rule exclusions for popular web applications helping to avoid false positives. This presentation was delivered at AppSecEU 2017 in Belfast.

OWASP ModSecurity Core Rules Paranoia Mode

Christian Folini

Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straight forward ModSecurity setup which is not threatening an existing productive service. Instead you start with a limited set of rules and then you raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels

More from Christian Folini (15)

OWASP ModSecurity - A few plot twists and what feels like a happy end

Crazy incentives and how they drive security into no man's land

Never Walk Alone - Inspirations from a Growing OWASP Project

The Adventurous Tale of Online Voting in Switzerland

EVoting in der Schweiz - Ein Fortsetzungsroman

Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set

The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...

Gedanken zur elektronischen Stimmabgabe für Datenschützer

Medieval Castles and Modern Servers

E-Voting, die Sicherheit und die Rolle der Experten

Black alps 2018-folini-d-dos

Optimizing ModSecurity on NGINX and NGINX Plus

A General Look at the State of Security - AFCEA 2017

Introducing the OWASP ModSecurity Core Rule Set

OWASP ModSecurity Core Rules Paranoia Mode

Recently uploaded

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Alex Pruden

Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security. Paper Link: https://eprint.iacr.org/2024/257

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Wask

https://www.wask.co/ebooks/digital-marketing-trends-in-2024 Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency

ScyllaDB

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe

Precisely

Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market. Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

Serial Arm Control in Real Time Presentation

tolgahangng

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike

Hiike

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Public CyberSecurity Awareness Presentation 2024.pptx

marufrahmanstratejm

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

Azure API Management to expose backend services securely

Dinusha Kumarasiri

dbms calicut university B. sc Cs 4th sem.pdf

Shinana2

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

Recently uploaded (20)

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Main news related to the CCS TSI 2023 (2023/1695)

Skybuffer SAM4U tool for SAP license adoption

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Columbus Data & Analytics Wednesdays - June 2024

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

Serial Arm Control in Real Time Presentation

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike

Driving Business Innovation: Latest Generative AI Advancements & Success Story

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Public CyberSecurity Awareness Presentation 2024.pptx

Presentation of the OECD Artificial Intelligence Review of Germany

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Azure API Management to expose backend services securely

dbms calicut university B. sc Cs 4th sem.pdf

Best 20 SEO Techniques To Improve Website Visibility In SERP

Introduction of Cybersecurity with OSS at Code Europe 2024

Folini Extended Introduction to ModSecurity and CRS3

1. @ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27 An Introduction to ModSecurity and the OWASP Core Rule Set (BCS DevSecOps SG) Christian Folini / @ChrFolini

2. Baseline / 1st Line of Defense Safety Belts

3. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead

4. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives

5. Web Application Firewalls Complex • Overwhelming • Rarely Functional

6. ModSecurity Embedded • Rule oriented • Granular Control

9. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)

10. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%

11. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels

12. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf

13. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf

14. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules

15. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &

16. Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning

17. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%

18. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

19. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

20. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

21. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

22. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

23. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

24. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)

25. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/

26. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org

27. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini

Folini Extended Introduction to ModSecurity and CRS3

Recommended

Recommended

More Related Content

Similar to Folini Extended Introduction to ModSecurity and CRS3

Similar to Folini Extended Introduction to ModSecurity and CRS3 (20)

More from Christian Folini

More from Christian Folini (15)

Recently uploaded

Recently uploaded (20)

Folini Extended Introduction to ModSecurity and CRS3