dune73 - Slashdot User

Comment Re:Naive hueristic proxies are dangerous (Score 2) 17

by dune73 on Sunday November 13, 2016 @02:39AM (#53274707) Attached to: OWASP ModSecurity Core Rule Set Version 3.0 Released

Several components of the application stack used by this system have had known serious security vulnerabilities in the past.

Could you elaborate, please?

The stack I see Apache/NginX/IIS + ModSecurity + Libinjection + Core Rule Set. What am I missing? Apache has certainly had it's share of weaknesses, but with ModSec the track records seems quite clean; as is the case of Libinjection and the CRS.

Comment False Positives mostly gone in CRS3 (Score 4, Informative) 17

by dune73 on Sunday November 13, 2016 @12:34AM (#53274329) Attached to: OWASP ModSecurity Core Rule Set Version 3.0 Released

[project committer here]

The ModSec Core Rule Set 3.0 (CRS3) comes with a reduction of at least 90% of false positives (more like 99% on my servers). The base setups of Wordpress and Drupal can be run without any FPs.

If you see FPs with a default install of the Core Rules, please report. The idea is to have next to no FPs in the standard deployment mode.

There is a series of tutorials, which explains the installation of ModSec, the inclusion of the Core Rule Set and the handling of False Positives (still important at higher Paranoia Levels).

Comment Re:Correct me if I'm wrong... (Score 1) 17

by dune73 on Sunday November 13, 2016 @12:22AM (#53274299) Attached to: OWASP ModSecurity Core Rule Set Version 3.0 Released

The ModSec Core Rule Set 3.0 (CRS3) comes with a reduction of at least 90% of false positives (more like 99% on my servers). Time to give it another go.

Submission + - OWASP ModSecurity Core Rule Set v3.0 released

Submitted by dune73 on Thursday November 10, 2016 @04:26PM

dune73 writes: The OWASP ModSecurity Core Rule Set v3.0.0 release is now available. The OWASP CRS is a widely used Open Source set of generic rules designed to protect users against threats like the OWASP Top 10. The rule set is most often deployed in conjunction with an existing Web Application Firewall (WAF) like ModSecurity. Four years into the making, this release comes with dozens of new features including: reduced false positives (by over 90% in the default setup), improved detection of SQLi, XSS, RCE and PHP injections, the introduction of a Paranoia Mode which allows to assign a certain security level to a site, and better documentation that takes the pain out of ModSecurity. We are so excited about this, we want to make it into movie. In fact, we have already started the project with a poster.

Slashdot Top Deals