@ChrFolini – Securing Internet Voting – #RomHack2021– 2021-09-25
Christian Folini / @ChrFolini
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Plan for Today
⚫ Intro to the OWASP ModSecurity Core Rule Set
⚫ History of Internet Voting in Switzerland
⚫ Applying ModSec & CRS for maximum security
Baseline • 1st Line of Defense • Safety Belts
ModSecurity: Embedded • Rule oriented • Granular Control
Figure: comparison of bare ModSecurity against a CRS3 default install for the attack categories Redirect, RFI, LFI, XSS and SQLi; the percentages shown on the slide, in that order, are 0%, 0%, -100%, -82%, -100%.
Research based on 4.5M Burp requests.
Numbers by Tuomo Makkonen
https://blog.fraktal.fi/cloud-waf-comparison-part-2-e6e2d25f558c
Why Open Source Beats Commercial!
• true positive
• false positive
• false negative
• $$$
Paranoia Levels
Paranoia Level 1: Minimal number of false positives. Baseline protection.
Paranoia Level 2: More rules, some false positives. Real data in the service.
Paranoia Level 3: Specialized rules, more false positives. Online banking level security.
Paranoia Level 4: Crazy rules, many false positives. Nuclear power plant level security, or, for this talk, Internet Voting level security.
False Positives (FPs)
• FPs are expected from PL2 upward
• FPs are fought with rule exclusions
• Rule exclusion tutorials at netnea.com
• Rule exclusion software c-rex.netnea.com
• Attend one of my courses via netnea.com
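What the Paranoia Level and false-positive slides describe, written out as ModSecurity configuration. This is an added example, not taken from the talk, the CRS distribution or the Swiss Post documentation. It assumes ModSecurity 2.9 on Apache with CRS 3.x, the include paths shown, and a hypothetical endpoint /vote/cast whose parameter "ballot" carries an encrypted blob that trips two CRS rules. The rule IDs 900000, 900001, 900110, 920273 and 942100 exist in CRS 3; rule id 10001, the paths and the parameter name are assumptions.

```apache
# ---------- crs-setup.conf (excerpt): CRS 3.x at Paranoia Level 4 ----------
# 900000/900001/900110 are the CRS 3 setup rule IDs; the values are ours.
SecAction \
  "id:900000,phase:1,pass,t:none,nolog,\
  setvar:tx.paranoia_level=4"

# While tuning, tx.executing_paranoia_level may be set higher than
# tx.paranoia_level: rules of the higher PLs then run and log, but their
# scores are not counted, so you see the false positives without blocking.
SecAction \
  "id:900001,phase:1,pass,t:none,nolog,\
  setvar:tx.executing_paranoia_level=4"

# One critical rule match (score 5) reaches the inbound threshold.
SecAction \
  "id:900110,phase:1,pass,t:none,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# ---------- Apache vhost: include order matters ----------
# SecRuleEngine DetectionOnly   # while tuning: log only, never block
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log   # assumed path

Include /etc/modsecurity/crs-setup.conf
# Runtime exclusions (ctl:...) must be evaluated BEFORE the CRS rules.
Include /etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/modsecurity/rules/*.conf
# Startup-time exclusions (SecRuleRemove*/SecRuleUpdate*) come AFTER.
Include /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# ---------- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ----------
# Runtime rule exclusion scoped to one endpoint: the encrypted ballot blob
# (hypothetical parameter "ballot") legitimately contains characters that
# trip 942100 (libinjection SQLi) and 920273 (PL4 strict character set).
# Only that parameter on that path is excluded; both rules stay active
# for every other parameter and every other path.
SecRule REQUEST_URI "@beginsWith /vote/cast" \
  "id:10001,phase:1,pass,t:none,nolog,\
  ctl:ruleRemoveTargetById=942100;ARGS:ballot,\
  ctl:ruleRemoveTargetById=920273;ARGS:ballot"

# ---------- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ----------
# Startup-time alternative with the same effect, but for every request
# rather than one path. Use one form or the other, not both; prefer the
# runtime form above whenever a path scope is possible.
SecRuleUpdateTargetById 942100 "!ARGS:ballot"
SecRuleUpdateTargetById 920273 "!ARGS:ballot"
```

Tune with SecRuleEngine DetectionOnly first and read the audit log: at that stage every alert is either a false positive to be excluded like the two above or a real finding. Switch to On only once legitimate traffic no longer produces alerts; an exclusion should always be the narrowest one that removes the false positive, never a SecRuleRemoveById for a rule that fires on one parameter.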
Summary OWASP Core Rule Set
• 1st Line of Defense against web application attacks
• Generic set of deny-rules for WAFs
• Blocks >80% of web application attacks by default
• Paranoia Levels can push this into the >95% region
• Granular control over the behavior of the WAF down to the parameter level
Voting in Switzerland
Photo: Gian Ehrensberger
Process Around Swiss Mail-in Ballots
Killer / Stiller : The Swiss Postal Voting Process and its System and Security Analysis
Typical Swiss Election Ballot
Bonus points for spotting the content manager from Butt-ville.
Key Argument against Internet Voting
"We simply can’t build an Internet voting system that is secure against hacking because of the requirement for a secret ballot."
Bruce Schneier, Online Voting Won’t Save Democracy, The Atlantic, May 2017
Arguments in Favor of Internet Voting
The Swiss Perspective
• Citizens living abroad
• Visually impaired and quadriplegic voters
• Formally invalid ballots
• Security issues of physical voting
The Cantons of Switzerland
Graphic: Wikipedia
Timeline Internet Voting in Switzerland
2000: 1st project. The first Swiss internet voting project is launched with three pilot cantons.
2004: 1st Geneva trial. Canton Geneva runs the first Swiss internet voting trial.
2008: Entering Scytl. Swiss expats are allowed to vote via the Scytl internet voting system in canton Neuchâtel.
2009: Consortium. Eight Swiss cantons form a consortium and commission the Swiss branch of American Unisys with the creation of an internet voting system.
2011: Steering Board. Federal administration and cantons establish a joint steering committee.
Timeline Internet Voting in Switzerland (continued)
2015: Consortium dies. The eight consortium cantons throw in the towel after the federal administration bars their system from use in national elections.
2016: Scytl/Swiss Post join. Spanish Scytl and Swiss Post form a joint venture and go into production.
2017: Mainstreaming attempt. The federal chancellor calls for 2/3 of the cantons to offer internet voting for national elections in 2019.
Geneva Quits
Source: Twitter: @GE_chancellerie (1141332323025195009)
2018: Development stopped
2019: System terminated
Timeline Internet Voting in Switzerland (continued)
2018: Geneva quits. Political quarrels lead to Geneva stopping all further development. A year later, the system is terminated.
2019: Source Code Publication / Bug Bounty. Scytl / Swiss Post publish the source code of their system and run a 4-week bug bounty.
Swiss Post Bug Bounty: We got this!
Swiss Post / Scytl Source Code: Not so good
to be continued ...
Timeline Internet Voting in Switzerland (continued)
2019: Source Code Publication. Scytl / Swiss Post publish the source code of their system. Researchers identify three critical vulnerabilities within weeks. The system is put on hold.
2020: Rebooting. The steering board establishes a dialog with 25 scientists to assess the viability of internet voting and to support the writing of new regulation.
https://www.bk.admin.ch/bk/en/home/politische-rechte/e-voting.html
Scientific report
Timeline Internet Voting in Switzerland: the expert dialogue
2020.2: Survey. The dialogue starts with a survey of 62 questions sent to 25 scientists.
2020.3: Covid-19 hits. When the on-site workshops were slowly taking shape, Switzerland entered a lockdown and the on-site gatherings had to be called off.
2020.4: Online dialogue. The workshops are replaced with a 12-week online dialogue on a dedicated GitLab platform.
2020.7: Additional research. Several separate research articles are commissioned from individual scientists to bring up more information on individual questions.
2020.11: Scientific report. The steering board publishes the 70-page report with the recommendations of the scientists.
2021.12: New regulation. Following the public hearing on a draft new law, the federal chancellery is meant to put the new regulation on internet voting into practice. Swiss Post has announced that it will return to production in 2022.
Summary Internet Voting in Switzerland
• Switzerland is a useful test bed for online voting
• Iterative process with strict supervision on the federal level
• Expert dialogue with recommendations in 2020
• New regulation 2021
• New online voting trials scheduled for 2022
Download the English version of the scientific report / expert dialogue from
https://www.bk.admin.ch/bk/en/home/politische-rechte/e-voting.html
How do you pull this off?
Swiss Post Documentation
• Transparency Initiative (clear advice by the scientific report)
• Guidelines on how to deploy and tune the OWASP Core Rule Set
• https://gitlab.com/swisspost-evoting/e-voting/e-voting-documentation/-/blob/master/Operations/ModSecurity-CRS-Tuning-Concept.md
Tune Down to Zero: Absence of False Positives • Trust in Alerts • A Liberating Moment
Positive Security Rule Set: Default Deny • List of Allowed Resources • Reduce Attack Surface
Divide and Rule: Zero tolerance • Ban attackers • fail2ban
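The two rule sets named on this slide, a default-deny allow-list of resources and banning attackers, as an added example in ModSecurity 2.x syntax. It is not the talk's or Swiss Post's configuration: the paths, methods, parameter names, rule ids in the 20000 range and the one-hour ban are assumptions, and the ban is kept inside ModSecurity's persistent IP collection instead of the fail2ban the slide mentions. The anomaly-score variable is the CRS 3.x name.

```apache
# Persistent collections need SecDataDir (main server config, ModSecurity 2.x).
SecDataDir /var/cache/modsecurity

# ---------- Divide and rule: banned clients are dropped first ----------
SecAction "id:20030,phase:1,pass,t:none,nolog,initcol:ip=%{REMOTE_ADDR}"

# A rule on a variable that does not exist never runs, so an IP without
# ip.blocked simply passes this rule, which is what we want.
SecRule IP:blocked "@eq 1" \
  "id:20031,phase:1,deny,status:403,log,t:none,\
  msg:'Client %{REMOTE_ADDR} is banned',tag:'ban'"

# ---------- Positive security rule set: default deny ----------
# Placed BEFORE the CRS includes so unknown resources never reach the
# negative rules. Initialise the flag explicitly: without this line,
# "!@eq 1" below would never run for a missing variable and allow everything.
SecAction "id:20000,phase:1,pass,t:none,nolog,setvar:tx.allowed=0"

# Allowed resources. Each match sets tx.allowed=1; nothing else does.
SecRule REQUEST_METHOD "@streq GET" \
  "id:20001,phase:1,pass,t:none,nolog,chain"
  SecRule REQUEST_URI "@rx ^/vote/(login|ballot|confirm)$" \
    "setvar:tx.allowed=1"

SecRule REQUEST_METHOD "@streq POST" \
  "id:20002,phase:1,pass,t:none,nolog,chain"
  SecRule REQUEST_URI "@rx ^/vote/(login|cast)$" \
    "setvar:tx.allowed=1"

# Static assets: every path segment must start with an alphanumeric
# character, which keeps ".." segments out of the allowed pattern.
SecRule REQUEST_METHOD "@streq GET" \
  "id:20003,phase:1,pass,t:none,nolog,chain"
  SecRule REQUEST_URI "@rx ^/static(/[A-Za-z0-9][A-Za-z0-9_.-]*)+\.(css|js|png|svg)$" \
    "setvar:tx.allowed=1"

# Default deny for everything else, including unknown methods.
SecRule TX:allowed "!@eq 1" \
  "id:20010,phase:1,deny,status:403,log,t:none,\
  msg:'Positive security: %{REQUEST_METHOD} %{REQUEST_URI} is not an allowed resource',\
  tag:'positive-security'"

# Parameter allow-list for the cast endpoint: any argument name outside
# the list is rejected in phase 2, once the request body has been parsed.
SecRule REQUEST_URI "@streq /vote/cast" \
  "id:20020,phase:2,deny,status:403,log,t:none,\
  msg:'Positive security: unexpected parameter on /vote/cast',\
  tag:'positive-security',chain"
  SecRule ARGS_NAMES "!@rx ^(ballot|csrf_token)$" "t:none"

# ---------- Divide and rule: zero tolerance ----------
# In phase 5 (logging) the CRS has already evaluated the inbound anomaly
# score (tx.anomaly_score in CRS 3.x). Any request that reached the
# blocking threshold bans the client IP for one hour (3600 s).
SecRule TX:anomaly_score "@ge %{tx.inbound_anomaly_score_threshold}" \
  "id:20032,phase:5,pass,t:none,log,\
  msg:'Anomaly threshold reached, banning %{REMOTE_ADDR} for 3600s',\
  tag:'ban',setvar:ip.blocked=1,expirevar:ip.blocked=3600"
```

Two things to check before enabling this on real voters. First, the allow-list must be complete: browsers request things like /favicon.ico on their own, and every such miss is a 403 for a legitimate client, so run the positive rules in DetectionOnly until the log shows no misses. Second, extending the ban to the positive-security deny (adding the same setvar/expirevar to rule 20010) is the "zero tolerance" the slide names, but it turns any gap in the allow-list into a one-hour lockout of a voter, so it belongs only behind an allow-list that has already been tuned down to zero.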
Additional Rule Sets Worth Considering
• Monitoring the flow of the application
• Timing and rhythm
• Client Fingerprinting
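The first two rule sets on this slide, application flow and timing, as an added example in ModSecurity 2.x syntax; it is not from the talk or from Swiss Post, and client fingerprinting is not covered. It assumes a SecDataDir, an application session cookie named VOTESESSION, a login at POST /vote/login followed by the ballot at POST /vote/cast, and a limit of 30 requests per minute; all of these and the rule ids are assumptions.

```apache
# Persistent collections need SecDataDir (main server config, ModSecurity 2.x).
SecDataDir /var/cache/modsecurity

# ---------- Monitoring the flow of the application ----------
# Bind the persistent SESSION collection to the application's own cookie.
# The format check keeps attacker-chosen junk out of the collection key.
SecRule REQUEST_COOKIES:VOTESESSION "@rx ^[A-Za-z0-9_-]{32,128}$" \
  "id:30001,phase:1,pass,t:none,nolog,\
  setsid:%{REQUEST_COOKIES.VOTESESSION}"

# A login answered with 200 or 302 marks the session as authenticated for
# 15 minutes. Phase 3 runs once the response status is known.
SecRule REQUEST_METHOD "@streq POST" \
  "id:30002,phase:3,pass,t:none,nolog,chain"
  SecRule REQUEST_URI "@streq /vote/login" "chain"
    SecRule RESPONSE_STATUS "@rx ^(200|302)$" \
      "setvar:session.authenticated=1,expirevar:session.authenticated=900"

# Casting a ballot in a session that never passed the login step is a
# flow violation. "&SESSION:authenticated" is the variable count, so this
# also rejects requests that carry no session cookie at all.
SecRule REQUEST_URI "@streq /vote/cast" \
  "id:30003,phase:2,deny,status:403,log,t:none,\
  msg:'Flow violation: ballot cast without prior login in this session',\
  tag:'app-flow',chain"
  SecRule &SESSION:authenticated "@eq 0"

# ---------- Timing and rhythm ----------
# Count requests per client IP in fixed 60-second windows and reject a
# client that sends more than 30 in one window. The limit is an assumption:
# a voter clicks a handful of times per minute, a scanner sends hundreds.
SecAction "id:30010,phase:1,pass,t:none,nolog,initcol:ip=%{REMOTE_ADDR}"

# Open a new window only when no counter exists (first request, or the
# previous window expired). The expiry is set once per window; later hits
# only increment the counter, so the window does not slide.
SecRule &IP:req_count "@eq 0" \
  "id:30011,phase:1,pass,t:none,nolog,\
  setvar:ip.req_count=0,expirevar:ip.req_count=60"

SecAction "id:30012,phase:1,pass,t:none,nolog,setvar:ip.req_count=+1"

SecRule IP:req_count "@gt 30" \
  "id:30013,phase:1,deny,status:429,log,t:none,\
  msg:'Rhythm violation: %{ip.req_count} requests within 60s from %{REMOTE_ADDR}',\
  tag:'rhythm'"
```

The flow rule keys on the application's own session cookie, so it only works if the application does not rotate that cookie between login and cast; if it does, bind the collection to whatever identifier survives the rotation. The per-IP counter is coarse by design: behind a carrier-grade NAT many voters share one address, so the limit has to be set from observed traffic, not guessed.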
Defenses Beyond ModSecurity
• Application Layer DDoS
• Quality of Service (QoS)
• IP Reputation / DNS Blacklisting
• GeoIP
Key Elements of a High Security WAF
• OWASP ModSecurity CRS at Paranoia Level 4
• Complementary Positive Security Rule Set
• Application Level DDoS Defense
• QoS
• IP Reputation / DNS Blacklisting
• GeoIP
Questions and Answers, Contact
Contact: @ChrFolini
christian.folini@netnea.com

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 

Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set

  • 1. @ChrFolini – Securing Internet Voting – #RomHack2021– 2021-09-25 Christian Folini / @ChrFolini Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
  • 2. Plan for Today ⚫ Intro to the OWASP ModSecurity Core Rule Set ⚫ History of Internet Voting in Switzerland ⚫ Applying ModSec & CRS for maximum security
  • 3. Baseline / 1st Line of Defense • Safety Belts
  • 4. ModSecurity: Embedded • Rule oriented • Granular Control
  • 5.
  • 7. Numbers by Tuomo Makkonen, https://blog.fraktal.fi/cloud-waf-comparison-part-2-e6e2d25f558c
  • 8.–14. Why Open Source Beats Commercial! (built up over seven slides) • true positive • false positive • false negative • $$$
  • 15. Paranoia Levels • Paranoia Level 1: Minimal number of false positives. Baseline protection. • Paranoia Level 2: More rules, some false positives. Real data in the service. • Paranoia Level 3: Specialized rules, more false positives. Online banking level security. • Paranoia Level 4: Crazy rules, many false positives. Nuclear power plant level security.
  • 16. Paranoia Levels • Paranoia Level 1: Minimal number of false positives. Baseline protection. • Paranoia Level 2: More rules, some false positives. Real data in the service. • Paranoia Level 3: Specialized rules, more false positives. Online banking level security. • Paranoia Level 4: Crazy rules, many false positives. Internet Voting level security.
  • 17. False Positives (FPs) • FPs are expected from PL2 • FPs are fought with rule exclusions • Rule exclusion tutorials at netnea.com • Rule exclusion software: c-rex.netnea.com • Attend one of my courses via netnea.com
  • 18. Summary OWASP Core Rule Set • 1st Line of Defense against web application attacks • Generic set of deny-rules for WAFs • Blocks >80% of web application attacks by default • Paranoia Levels can push this into the >95% region • Granular control over the behavior of the WAF down to the parameter level
  • 19. Voting in Switzerland (Photo: Gian Ehrensberger)
  • 20. Process Around Swiss Mail-in Ballots (Killer / Stiller: The Swiss Postal Voting Process and its System and Security Analysis)
  • 21. Typical Swiss Election Ballot
  • 22. Typical Swiss Election Ballot. Bonus points for spotting the content manager from Butt-ville.
  • 23. Key Argument against Internet Voting: "We simply can’t build an Internet voting system that is secure against hacking because of the requirement for a secret ballot." (Bruce Schneier, Online Voting Won’t Save Democracy, The Atlantic, May 2017)
  • 24.–28. Arguments in Favor of Internet Voting: The Swiss Perspective (built up one bullet per slide) • Citizens living abroad • Visually impaired and quadriplegic voters • Formally invalid ballots • Security issues of physical voting
  • 29. The Cantons of Switzerland (Graphic: Wikipedia)
  • 30. Timeline Internet Voting in Switzerland • 2000, 1st project: 1st Swiss internet voting project is launched with three pilot cantons. • 2004, 1st Geneva trial: Canton Geneva runs the first Swiss internet voting trial. • 2008, Entering Scytl: Swiss expats are allowed to vote via the Scytl internet voting system in canton Neuchâtel. • 2009, Consortium: Eight Swiss cantons form a consortium and commission the Swiss branch of American Unisys with the creation of an internet voting system. • 2011, Steering Board: Federal administration and cantons establish a joint steering committee.
  • 31. Timeline Internet Voting in Switzerland • 2011, Steering Board: Federal administration and cantons establish a joint steering committee. • 2015, Consortium dies: The eight consortium cantons throw in the towel after the federal administration bars their system from use in national elections. • 2016, Scytl/Swiss Post join: Spanish Scytl and Swiss Post form a joint venture and go into production. • 2017, Mainstreaming attempt: The federal chancellor calls for 2/3 of the cantons to offer internet voting for national elections in 2019.
  • 32. Geneva Quits (Source: Twitter, @GE_chancellerie, 1141332323025195009) • 2018: Development stopped • 2019: System terminated
  • 33. Timeline Internet Voting in Switzerland • 2016, Scytl/Swiss Post join: Spanish Scytl and Swiss Post form a joint venture and go into production. • 2017, Mainstreaming attempt: The federal chancellor calls for 2/3 of the cantons to offer internet voting for national elections in 2019. • 2018, Geneva quits: Political quarrels lead to Geneva stopping all further development. A year later, the system is terminated. • 2019, Source Code Publication / Bug Bounty: Scytl / Swiss Post publish the source code of their system and run a 4 week bug bounty.
  • 34. Swiss Post Bug Bounty: We got this!
  • 35. Swiss Post / Scytl Source Code: Not so good ... to be continued ...
  • 36. Timeline Internet Voting in Switzerland • 2016, Scytl/Swiss Post join: Spanish Scytl and Swiss Post form a joint venture and go into production. • 2017, Mainstreaming attempt: The federal chancellor calls on 2/3 of the cantons to offer internet voting for national elections in 2019. • 2018, Geneva quits: Political quarrels lead to Geneva stopping all further development. A year later, the system is terminated. • 2019, Source Code Publication: Scytl / Swiss Post publish the source code of their system. Researchers identify three critical vulnerabilities within weeks. The system is put on hold. • 2020, Rebooting: The steering board establishes a dialog with 25 scientists to assess the viability of internet voting and to support the writing of new regulation.
  • 37. Scientific report: https://www.bk.admin.ch/bk/en/home/politische-rechte/e-voting.html
  • 38. Timeline Internet Voting in Switzerland • 2020.2, Survey: The dialogue starts with a survey of 62 questions sent to 25 scientists. • 2020.3, Covid-19 hits: When the on-site workshops were slowly taking shape, Switzerland entered a lockdown and the on-site gatherings had to be called off. • 2020.4, Online dialogue: The workshops are replaced with a 12-week online dialogue on a dedicated GitLab platform. • 2020.7, Additional research: Several separate research articles are commissioned from individual scientists to bring up more information on individual questions. • 2020.11, Scientific report: The steering board publishes the 70-page report with the recommendations of the scientists. • 2021.12, New regulation: Following the public hearing on a draft new law, the federal chancellery is meant to put the new regulation on internet voting into practice. Swiss Post has announced a return to production in 2022.
  • 39. Summary Internet Voting in Switzerland • Switzerland is a useful test bed for online voting • Iterative process with strict supervision on the federal level • Expert dialogue with recommendations in 2020 • New regulation 2021 • New online voting trials scheduled for 2022 • Download the English version of the scientific report / expert dialogue from https://www.bk.admin.ch/bk/en/home/politische-rechte/e-voting.html
  • 40. How do you pull this off?
  • 41. Swiss Post Documentation • Transparency Initiative (clear advice by the scientific report) • Guidelines on how to deploy and tune the OWASP Core Rule Set • https://gitlab.com/swisspost-evoting/e-voting/e-voting-documentation/-/blob/master/Operations/ModSecurity-CRS-Tuning-Concept.md
  • 42. Tune Down to Zero • Absence of False Positives • Trust in Alerts • A Liberating Moment
  • 43. Positive Security Rule Set • Default Deny • List of Allowed Resources • Reduce Attack Surface
  • 44. Divide and Rule • Zero tolerance • Ban attackers • fail2ban
  • 45. Additional Rule Sets Worth Considering • Monitoring the flow of the application • Timing and rhythm • Client Fingerprinting
  • 46. Defenses Beyond ModSecurity • Application Layer DDoS • Quality of Service (QoS) • IP Reputation / DNS Blacklisting • GeoIP
  • 47. Key Elements of a High Security WAF • OWASP ModSecurity CRS at Paranoia Level 4 • Complementary Positive Security Rule Set • Application Level DDoS Defense • QoS • IP Reputation / DNS Blacklisting • GeoIP
  • 48. Questions and Answers, Contact • Contact: @ChrFolini, christian.folini@netnea.com
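As an added example that is not part of the slides or of Swiss Post's tuning concept, the script below mines ModSecurity error-log lines to support two of the steps in the talk: fighting false positives with rule exclusions until the alert count is down to zero (slides 17 and 42), and banning clients that keep getting blocked, fail2ban-style (slide 44). The log lines are constructed samples in the Apache error-log shape; rule 949110 is the CRS rule that enforces the inbound anomaly threshold, and SecRuleUpdateTargetById is ModSecurity's directive for removing one target from one rule.

```python
"""Added example (not Swiss Post's or the CRS project's code): mine ModSecurity
error-log lines for rule-exclusion candidates and for clients worth banning.
The log lines are constructed samples in the Apache error-log shape."""
import re
from collections import Counter

ANOMALY_BLOCKING_RULE = "949110"  # CRS rule that enforces the inbound anomaly threshold
# Constructed sample log: rule 942100 fires twice on the legitimate comment
# field, 941100 once on a search term, and one client is blocked three times.
SAMPLE_LOG = """\
[Sat Sep 25 10:00:01.000000 2021] [:error] [pid 11] [client 198.51.100.7:40001] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/vote/comment"]
[Sat Sep 25 10:00:02.000000 2021] [:error] [pid 11] [client 198.51.100.8:40002] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/vote/comment"]
[Sat Sep 25 10:00:03.000000 2021] [:error] [pid 11] [client 198.51.100.9:40003] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/search"]
[Sat Sep 25 10:01:00.000000 2021] [:error] [pid 12] [client 203.0.113.5:50001] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [uri "/login"]
[Sat Sep 25 10:01:01.000000 2021] [:error] [pid 12] [client 203.0.113.5:50002] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [uri "/login"]
[Sat Sep 25 10:01:02.000000 2021] [:error] [pid 12] [client 203.0.113.5:50003] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [uri "/login"]
[Sat Sep 25 10:01:03.000000 2021] [:error] [pid 12] [client 198.51.100.9:40004] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"]
[Sat Sep 25 10:01:04.000000 2021] [core:notice] [pid 10] AH00094: Command line: '/usr/sbin/apache2'
"""

def parse_alert(line):
    """Return (client_ip, rule_id, target) for a ModSecurity alert line, else None.
    target is the variable the operator matched, e.g. ARGS:comment (None if absent)."""
    ip = re.search(r"\[client ([\d.]+):\d+\]", line)
    rid = re.search(r'\[id "(\d+)"\]', line)
    if "ModSecurity:" not in line or not (ip and rid):
        return None
    tgt = re.search(r" at ([A-Z_]+:[^. ]+)\.", line)
    return ip.group(1), rid.group(1), tgt.group(1) if tgt else None

def exclusion_candidates(lines, min_hits=2):
    """(rule_id, target) pairs that fired at least min_hits times, ignoring the
    blocking rule itself. Candidates only: check each one against the application
    before excluding it, because repeated alerts can also be a real attack."""
    hits = Counter()
    for parsed in map(parse_alert, lines):
        if parsed and parsed[1] != ANOMALY_BLOCKING_RULE and parsed[2]:
            hits[(parsed[1], parsed[2])] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}

def render_exclusions(candidates):
    """Narrowest CRS exclusion: drop one parameter from one rule, nothing more."""
    return [f'SecRuleUpdateTargetById {rid} "!{tgt}"' for rid, tgt in sorted(candidates)]

def ban_candidates(lines, max_blocks=3):
    """Clients blocked by the anomaly rule at least max_blocks times; these are the
    ones to hand to a fail2ban-style action rather than letting them keep probing."""
    blocks = Counter(p[0] for p in map(parse_alert, lines)
                     if p and p[1] == ANOMALY_BLOCKING_RULE)
    return sorted(ip for ip, n in blocks.items() if n >= max_blocks)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("\n".join(render_exclusions(exclusion_candidates(lines))))
    print("ban:", ban_candidates(lines))
```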