Friday, December 22, 2017

Google Summer of Code 2018 (GSOC) - Deadline January 21st

The OWASP Foundation will be applying as a Mentor Organization for Google Summer of Code 2018 (GSOC)!  GSOC is an international grant program that promotes open source projects by providing a stipend for university students to code for open source projects. During the Google Summer of Code your project can choose a student to mentor from a wide range of applicants. The student will complete a project defined by an OWASP Project leader aimed at improving an OWASP Project.  Each student will be assigned a volunteer mentor (who does not need to be an OWASP Project Leader) to help guide and evaluate the student throughout the process.  

We need your help in a making this program a success and the more mentors the more slots for OWASP!

GSOC for Project Leaders:
  • Add your idea on our GSOC 2018 Ideas wiki page ASAP; Deadline January 21st! 
  • Students will start applying for projects on March 12, 2018 but many are already exploring ideas on our wiki page.
  • You may submit multiple ideas (but each accepted idea will need its own mentor)
  • Leaders are welcome but not required to also be mentors
Become a Mentor: 
  • Do you want to become a mentor for a student?
  • Choose a participating OWASP Project Idea from the wiki page listed below preferably the one you are most familiar with on the GSOC 2018 Ideas page
  • If you have an idea for mentoring a student that is not listed, reach out the the Project Leader to pitch your idea.
Help OWASP Invite Students: 
  • Are you somehow affiliated with a university? Share this opportunity in the classroom, with instructors, and with the appropriate department secretary. 
  • Invite students who already volunteer with OWASP and Students associated with your chapter.

Interested but need more information?

Touch base with Claudia claudia.aviles-casanovas at, Kostas konstantinos at or Fabio  fcerullo at to get started today.  Thank you in advance for your time; we look forward to your participation. 

Wednesday, December 20, 2017

Core Rule Set: The evolution of an OWASP Project
Let me put one thing straight: there are two things when we talk about ModSecurity. There is the naked ModSecurity engine running inside NGINX or Apache and there is the rule set that instructs the engine what to do. Many different rule sets exist. But the rule set with the largest user base (and longest name) is the OWASP ModSecurity Core Rule Set or CRS for short.

CRS started in 2006 and moved under the OWASP umbrella in 2009. While widely used, it was essentially run as a one man show until late 2015 when Chaim Sanders took over and asked Walter Hop and me to join the project. We formed a three person leadership team with Chaim having the final say. Our new team undertook an informal review of CRS and identified four areas where the CRS sucked:
  • usability
  • documentation
  • ugly code
  • non-existent community

Additionally, there were also - and still are - blind spots in the rule base. Despite this CRS has always been very good at detecting attacks - easily catching 80% - 90% of the attacks aimed at web applications. If we could solve the four pressing issues, we were sure the project would flourish, so we worked tirelessly throughout 2016 to release CRS v3.0 in November 2016.

False positives really kill the experience when running a web application firewall. The CRS3 release brought a painless out-of-the-box installation that has very few false positives due to our new Paranoia Level. This value lets you decide how aggressive you want the rule set to behave. The default Paranoia Level means you are satisfied with detecting 80% of the attacks - as long as you do not get any false positives. You can raise the level to reach 95% or even 99% of the attacks. But this comes at the expense of a substantial number of false positives and you need to tune away these alerts in order to run your service seamlessly again.

With CRS3, we heard users exclaim that the new CRS just works without much tuning by default. People do a default install on their existing sites and they hardly notice it's there until they try out sql injections on the login screen. As if to underline this, in the year since we released CRS3 we received roughly 20 github issues due to false positives. Having run the old Core Rule Set for many years, 20 false positives used to be what I would eat for breakfast in the old days.

Still, we knew there was room for improvement and so I wrote a series of tutorials in the form of several guides and accompanying scripts to help people streamline the tuning process.

As expected, the CRS3 release brought an increased interest in the project. In order to foster this interest and to build our community we timed the release with a new movie poster style graphic and I began to run ModSecurity / CRS courses in several cities. All these efforts paid off as in October we saw almost 1600 people visit the CRS integration tutorial. On top of that, almost 1000 people visited the tutorial covering false positives. That's a doubling within 12 months. My CRS classes have attracted the interest of internet service providers, appliance manufacturers, big banks, university services and even IT teachers. New developers started to show up with @victorhora leading the way. In early November, we promoted three members of our growing community to active developers and we are now the ten of us. Ten developers is an ass-kicking number and we were able to address the ugly rule base. Developer @fgsch championed a cleanup project in summer. He received immediate supported by @fzipi and @spartantri. This has greatly improved the readability of the rules and spurred a set of coding guidelines that will guide future development.
The new CRS project logo with the OWASP wasp protected by an additional layer of defense.

In late Summer 2017, @franbuehler announced that our legacy of dozens of machine optimized regular expressions were a mess. She proved that the project had lost the readable sources to these patterns a long time ago. So she disassembled the regexes of over 1000 characters width into a list of human readable source patterns. Her solutions were merged to much acclaim in early November. This had the further benefit of galvanizing our community. The monthly CRS community chat evolved into a monthly planning session. We use it to talk about the project and sort out controversial pull requests or issues. This has been very beneficial. It allows us to give positive feedback to new community members. And it lets everybody feel much more like being part of a real community where their input is valued and where they receive guidance with contributing of their own.

This new momentum of the project has not gone unnoticed. The 2017 edition of the OWASP Top Ten includes a reference to the CRS project under A10 Insufficient Monitoring and Logging. And when attending a Hacknight in Berne, Switzerland, one of the board members of the German Open Source Business Alliance approached me and asked to submit our project for the German Open Source Business Awards OSBAR. I gladly complied and on December 6, 2018, CRS 3.0 was invited to receive an OSBAR award together with a handful of other projects including the RUST language. I have never won an award for anything I have done ever, so this felt extremely cool!

With the code base cleanup nearing completion, we are now using our larger developer base to add better coverage and close existing gaps. A hot area in this regard are attacks on Java services. CRS would have detected the Equifax hack, but only at a high paranoia setting. Walter Hop (@lifeforms) and @emphazer are working on a new group of rules to expand the rule coverage for this attack class and include it into the upcoming CRS 3.1 release. Parallel to this, we are also adding unit tests to all our rules. This should protect us from ruining the existing rules with a stupid mistake and from adding false positives when we commit changes. In fact, there is a separate project, FTW, created to support our unit testing process. This is done by providing a Framework for Testing WAFs (hence FTW). It's a great tool and I hope other projects can profit from it's simplicity too. With hundreds of tests merged into OWASP CRS, we are seeing good progress there.

What's next for the project:

  • Release 3.1.0, possibly also 3.0.3, is on the list for the next few months.
  • We aim for a CRS summit at one of the European OWASP conferences in 2018. The idea is to meet with various parties using CRS in their setups or as part of their services or products.
  • We hope to achieve mainstream adoption of CRS with online offerings. Let's encrypt is included with your hosting plan and we think an OWASP ModSecurity Core Rule Set installation should also be added to the package.
  • Now that CRS is being featured in the OWASP Top Ten (2017), we need to open up to the people looking at OWASP Top Ten. They are looking for guidance on how they can take the best out of CRS with their existing setups. Here is a first blog post with this goal.
If you feel like supporting our project read through our blog post aimed for new project members and check out the CRS website.

Or why don't you join our monthly chat. We meet on the first Monday of a month on freenode IRC, channel ModSecurity at 20:30 CET, and we are very open to newcomers. We’re all newcomers, actually.

Christian Folini (Follow him on twitter @ChrFolini)

[EDIT: Typos and formatting]

Labels: , , ,

Monday, December 18, 2017

September - December 2017 Corporate Members

September - December 2017 
Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed over the past couple months by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.

Premier Corporate Members

Netsparker develops an industry leading automated web application security scanner. Available as Windows desktop software and as a Cloud service, the Netsparker scanner is very easy to use and its proof-based vulnerability scanning technology enables you to easily and automatically detect SQL Injection, Cross-site scripting and other vulnerabilities in your websites, web applications and web services. Netsparker’s unique scanning, detection and auto exploitation techniques allow it to be dead accurate. Therefore you do not have to waste time manually verifying the scanner’s findings and instead can focus on fixing the identified vulnerabilities. Netsparker is trusted and used by world renowned companies such as Samsung, Ernst & Young, Skype, NASA, ISACA and ING Bank. To learn more, please visit:

Since 2002, organizations have relied on Security Innovation for their unique software and application security expertise to help secure and protect sensitive data in the most challenging environments - automobiles, desktops, web applications, mobile devices and in the cloud. Recognized as a Leader in the Gartner Magic Quadrant for Security Awareness for the third year in a row, Security Innovation is dedicated to making the world (and your organization) a safer place, one employee and one application at a time. Security Innovation is privately held and headquartered in Wilmington, MA USA. For more information, visit

Signal Sciences is the industry’s first Web Protection Platform using both Next Generation WAF as well as RASP technologies. Signal Sciences WPP was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and CI/CD. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic. Please visit for more information.

Contributor Corporate Members

Acunetix logo 200.png
Acunetix’s team of experienced engineers developed a lead in website, web application, and Internet-facing server analysis and vulnerability detection. Available both on-premise and online, Acunetix uses deep crawling techniques to detect exploitable vulnerabilities such as SQL injection, and all forms of Cross-Site scripting – while providing concise vulnerability reports and information on how to fix them allowing you to protect your business against impending hacker attacks. Acunetix customers include Cisco, NASA, American Express, Sony, HSBC, The Pentagon, Skype, and many more. You can find us online at

Checkmarx is an Application Security software company, whose mission is to provide enterprise organizations with application security testing products and services that empower developers to deliver secure applications. Amongst the company's 1,000 customers are 5 of the world's top 10 software vendors and many Fortune 500 and government organizations. Checkmarx CxSAST is a highly accurate and flexible Source Code Analysis product that allows organizations to automatically scan un-compiled/un-built code and identify hundreds of security vulnerabilities in the most prevalent coding languages. Learn more at

Distil Networks, the global leader in bot detection and mitigation, is the only easy and accurate way to protect web applications from bad bots, API abuse, and fraud. With Distil, you automatically block 99.9% of malicious traffic without impacting legitimate users. Distil Web Security defends websites against web scraping, brute force attacks, competitive data mining, account takeovers, online fraud, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and downtime. Distil API Security protects all types of APIs including those serving web browsers, mobile applications, and Internet of Things (IoT) connected devices. Distil API Security defends APIs against developer errors, integration bugs, automated scraping, and web and mobile hijacking. For more information on Distil Networks, visit us at http://www.distilnetworks.comor follow @DISTIL on Twitter.

Gosecure word red.jpg
At GoSecure, our reason for being is to protect your IT assets and allow you to focus on business. As a cybersecurity services provider, our offering is focused on increased security operations ROI, cutting-edge security testing for IT and facilitating integrated security in new or existing software and hardware systems. Strengthened by over a decade of experience dedicated exclusively to cybersecurity, our team has had to deal with a wide gamut of security breaches and threats and stands today as a group of leaders in technologically complex security mandates in the industry. We continue to invest in advanced security research with our private and public partners. For us, security only makes sense when it serves the best interest of your organization and helps you reach your goals. You can count on us as your long-term partner in assessing and developing all the elements of your technical security for current and future threats. Our clients recognize us as the partner of choice for operationalization of their security strategy as we excel at making security work “where the rubber meets the road”. We offer a full range of managed security services from our two security operations centers. For more information, visit

IMMUNIO LOGO 150x45.png
Please visit for more information

For more information, please visit:
Johnson Controls is a global diversified technology and industrial leader serving customers in more than 150 countries. Our 130,000 employees create quality products, services and solutions to optimize energy and operational efficiencies of buildings; lead-acid automotive batteries and advanced batteries for hybrid and electric vehicles; and seating components and systems for automobiles. Our commitment to sustainability dates back to our roots in 1885, with the invention of the first electric room thermostat. Through our growth strategies and by increasing market share we are committed to delivering value to shareholders and making our customers successful. In 2015, Corporate Responsibility Magazine recognized Johnson Controls as the #14 company in its annual “100 Best Corporate Citizens” list.” Please visit

To learn more, please visit:

Security Compass focuses on helping you deliver secure software through deliberate practice while maintaining the speed of your business. Our goal is to help you build secure software by seamlessly unifying your application security needs through eLearning, Security Requirements and Verification. Visit to learn more!

For more information visit:

To learn more, please visit:

WhiteSource helps software security teams manage open source components used in their products, automatically and continuously. It becomes part of your SDLC and automates the entire process of open source components selection, approval, and management, including finding and fixing vulnerable components. To learn more, please visit:

Want your company name here? 
Find out how by visiting our Corporate Member page, or contact Kelly Santalucia, our Membership & Business Liaison today!  

Thank you to all of our Premier and Contributor Corporate Members for your support!