@ChrFolini – What’s new in CRS4? – OWASP AppSec EU 2022-06-09
Christian Folini / @ChrFolini
What’s new in CRS4?
An Update from the
OWASP CRS project
Plan for Today
⚫ Intro to the OWASP ModSecurity Core Rule Set
⚫ News from planet CRS
⚫ New features of upcoming major release CRS v4
Baseline / 1st Line of Defense
Safety Belts
ModSecurity
Embedded • Rule oriented • Granular Control
[Chart: Redir., RFI, LFI, XSS and SQLi bypasses before vs. with a CRS3 default install; changes shown: 0%, 0%, -100%, -82%, -100%. Research based on 4.5M Burp requests.]
Paranoia Levels
Paranoia Level 1: Minimal number of false positives (baseline protection)
Paranoia Level 2: More rules, some false positives (real data in the service)
Paranoia Level 3: Specialized rules, more false positives (online banking level security)
Paranoia Level 4: Crazy rules, many false positives (nuclear power plant level security)
Numbers by Tuomo Makkonen
https://blog.fraktal.fi/cloud-waf-comparison-part-2-e6e2d25f558c
Article in Dark Reading:
Transforming SQL Queries Bypasses WAF Security
https://www.darkreading.com/cloud/transforming-sql-queries-bypasses-waf-security
News from Planet CRS
● Trustwave announces EOL for their ModSecurity
● New open source WAF engine: Coraza
● Complete overhaul of CRS documentation
● Launch of CRS Sandbox
● Private Bug Bounty Program
● Dev-on-duty program
Major Changes for CRS v4
● Plugins architecture 🆕
● Early blocking 🆕
● Scoring vars and paranoia levels renaming
● Configurable reporting levels 🆕
● No longer dependent on PCRE, ready for Re2 / Hyperscan
● Quality: all rules have positive and negative tests!
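As an added illustration (not code from the OWASP CRS project), a small Python model of how the anomaly scoring, the paranoia levels described earlier and the early-blocking option listed above fit together: each rule carries a paranoia level and a severity score, only rules at or below the configured level run, and with early blocking on, a request whose headers alone push the score over the threshold is rejected before its body is inspected. Rule IDs, patterns and sample requests are constructed; the setting names are modelled on CRS 4's tx variables as I understand them and are an assumption, not a copy of the project's configuration.

```python
"""Toy model of CRS-style anomaly scoring with paranoia levels and early
blocking. Added illustration, not OWASP CRS code; everything is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# CRS severity to anomaly-score contribution.
CRITICAL, ERROR, WARNING, NOTICE = 5, 4, 3, 2


@dataclass(frozen=True)
class Rule:
    rule_id: int          # hypothetical IDs, not real CRS rule IDs
    paranoia_level: int   # PL1..PL4; the rule only runs if the configured PL allows
    phase: int            # 1 = request headers available, 2 = request body available
    target: str           # "uri", "user_agent" or "body"
    pattern: str          # regex applied to the target
    score: int


@dataclass(frozen=True)
class Config:
    # Field names mirror the CRS 4 settings (assumption): tx.blocking_paranoia_level,
    # tx.detection_paranoia_level, tx.inbound_anomaly_score_threshold, tx.early_blocking.
    blocking_paranoia_level: int = 1
    detection_paranoia_level: int = 1
    inbound_anomaly_score_threshold: int = 5
    early_blocking: bool = False


@dataclass(frozen=True)
class Request:
    uri: str
    user_agent: str
    body: str


@dataclass
class Verdict:
    blocked: bool = False
    blocked_in_phase: Optional[int] = None
    blocking_score: int = 0                           # only rules at PL <= blocking PL count
    matched: List[int] = field(default_factory=list)  # every rule that fired up to detection PL
    body_inspected: bool = False


# Constructed rule set: PL1 rules aim at near-zero false positives, PL2 rules are
# stricter and noisier (an empty User-Agent or a bare SQL keyword is often legitimate).
RULES = [
    Rule(1001, 1, 1, "uri", r"\.\./", CRITICAL),
    Rule(1002, 1, 2, "body", r"(?i)\bunion\b.+\bselect\b", CRITICAL),
    Rule(1003, 2, 1, "user_agent", r"^$", WARNING),
    Rule(1004, 2, 2, "body", r"(?i)\bselect\b", WARNING),
]


def run_phase(phase: int, req: Request, cfg: Config, verdict: Verdict) -> bool:
    """Evaluate the rules of one phase; return True once the threshold is reached."""
    values = {"uri": req.uri, "user_agent": req.user_agent, "body": req.body}
    for rule in RULES:
        if rule.phase != phase or rule.paranoia_level > cfg.detection_paranoia_level:
            continue  # rules above the active paranoia level are not executed at all
        if re.search(rule.pattern, values[rule.target]):
            verdict.matched.append(rule.rule_id)
            if rule.paranoia_level <= cfg.blocking_paranoia_level:
                verdict.blocking_score += rule.score  # PLs above blocking PL only report
    return verdict.blocking_score >= cfg.inbound_anomaly_score_threshold


def evaluate(req: Request, cfg: Config) -> Verdict:
    """Run phase 1 (headers) then phase 2 (body) and decide, as the CRS anomaly mode does."""
    verdict = Verdict()
    over = run_phase(1, req, cfg, verdict)
    if cfg.early_blocking and over:
        # Early blocking: the headers alone crossed the threshold, so the request
        # is rejected before its body is read or inspected.
        verdict.blocked, verdict.blocked_in_phase = True, 1
        return verdict
    verdict.body_inspected = True
    if run_phase(2, req, cfg, verdict):
        verdict.blocked, verdict.blocked_in_phase = True, 2
    return verdict


if __name__ == "__main__":
    traversal = Request("/app/../../etc/passwd", "", "")   # constructed sample request
    print(evaluate(traversal, Config()))                     # blocked, but only in phase 2
    print(evaluate(traversal, Config(early_blocking=True)))  # blocked in phase 1, body never read
```

Raising only the detection level shows the reporting side of the split: PL2 rules fire and are recorded, but they do not add to the blocking score until the blocking level is raised too.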
Existing Plugins
● All rule exclusions are now plugins
● Antivirus plugin 🆕
● auto-decoding 🆕
● body decompress 🆕
● fake bot 🆕
● google-oauth2 🆕
Plugins in the making for v4
● GeoIP plugin
● IP reputation
New Rules
● SSRF
● Email protocols (SMTP, POP3, IMAP)
● Log4J / Log4Shell, Spring4Shell
● Common Webshell detection
● Improved detection across the board for RCE, SQLi and many more
CRS v4 Release Plan
● Originally planned for May / June 2022
● Shot to pieces by private Bug Bounty
● Need to fix literally dozens of findings first
● Expect backports of findings for existing release lines
● New release plan after Summer
CRS GOLD Sponsors
CRS SILVER Sponsors
Questions and Answers, Contact
Contact: @ChrFolini
christian.folini@owasp.org
