Thursday, November 29, 2018

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last.
A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection.
Key features include:
* A new set of rules defending against Java injections
* Initial set of file upload checks
* Add built-in exceptions for Dokuwiki, Owncloud, Nextcloud and CPanel
* Easier handling of the paranoia mode
* Many false positives fixed
* Successful source code archaeology with regular expressions
* Detailed rule cleanup for easier maintenance
* Speed improvements via the removal of unneeded regex capture groups
* Regression tests for rules, Travis support
* CRS docker image based on Ubuntu
For a complete list of new features and the changes in this release, see the CHANGES document:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/CHANGES
CRS 3.1 is the latest stable release of the OWASP ModSecurity Core Rule Set. We advise all users and providers of boxed CRS versions to update their setups. CRS 3.0 won't see any further updates and we recommend migrating to the new release.
CRS 3.1 requires an Apache/IIS/NGINX web server with ModSecurity 2.8.0 or higher. CRS 3.1 will run on libModSecurity 3.0 on NGINX.
Our GitHub repository is the preferred way to download and update CRS:
$> wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.1.0.tar.gz
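Added here as an illustration, not as code from the announcement or from the CRS repository: a minimal Apache httpd / ModSecurity 2.x configuration that wires in CRS 3.1 after the tarball above has been unpacked. The install path /etc/modsecurity/crs, the exclusion-file renames and the rule id 900000 for the paranoia level are assumptions based on the crs-setup.conf.example shipped with CRS 3.x; verify them against the INSTALL document and the crs-setup.conf.example in the archive before use.

```apache
# Added example (not from the announcement or the CRS repository).
# Assumed layout: the v3.1.0 tarball unpacked to /etc/modsecurity/crs,
# crs-setup.conf.example copied to crs-setup.conf, and the two exclusion
# files under rules/ (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS) renamed from .conf.example to
# .conf, as the INSTALL document describes.
<IfModule security2_module>
    # Start in DetectionOnly, review the audit log for false positives
    # against your own traffic, then switch to On.
    SecRuleEngine DetectionOnly
    # Request body access is required for the file-upload checks.
    SecRequestBodyAccess On

    # Paranoia level 1 is the CRS default (fewest false positives); raising
    # it enables stricter rules. Setting tx.paranoia_level here, before the
    # CRS includes, takes effect as long as crs-setup.conf leaves its own
    # rule 900000 commented out (assumption: that is how the shipped
    # crs-setup.conf.example looks; an uncommented 900000 there would clash
    # on the rule id, in which case set the level in that file instead).
    SecAction \
        "id:900000,\
        phase:1,\
        nolog,\
        pass,\
        t:none,\
        setvar:tx.paranoia_level=1"

    # Setup file first, then the rule files in their numbered order.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</IfModule>
```

Keep local tuning (rule exclusions for a specific application) in the BEFORE-CRS and AFTER-CRS exclusion files rather than editing the numbered rule files, so that updating to a later CRS release is a matter of replacing the rules/ directory.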
For detailed installation instructions, see the INSTALL document:
Our desire is to see the Core Rules project as a simple baseline security feature, effectively fighting OWASP Top 10 weaknesses with few side effects. We are committed to cutting down on false positives as much as possible in the default install. We welcome reports of false positives on GitHub.
Sincerely,
Chaim Sanders, Walter Hop and Christian Folini on behalf of the Core Rule Set development team

Friday, November 16, 2018

On Monday, 11/12/18, we were notified by our Executive Director, Karen, that she will be taking a new role, closer to her experience in the entertainment industry.
The board wants to thank Karen for her efforts and contribution over the last year and wishes her all the best in her future role.

Monday, November 12, 2018

The 2019 OWASP Board has been elected


Your 2019 Board has been elected

Thank you to everyone who voted in the Board of Directors election!

The OWASP Board consists of seven volunteers elected in alternating years to serve a two-year term. These unpaid volunteers dedicate themselves to the organizational mission and play a pivotal role in the software security community. Members of the Global Board of Directors are responsible for setting the strategic direction of the organization and ensuring the financial integrity of the Foundation.

Our thanks to everyone who stood for the board this year; your willingness to take on time-consuming duties to further OWASP's mission is greatly appreciated. OWASP is fortunate to have such talented and active volunteers, and we look forward to continuing to work with you.

Please help me in welcoming your new board members:
Martin Knobloch    
Richard Greenberg    
Gary Robinson


Interviews with the newly elected board members are available on our Election page.

Come January 1, 2019 these three new board members will begin their two year term. 

Full Election results:


Friday, November 2, 2018

Serverless Top 10 added to the Project Inventory


Included among the recent projects added to the OWASP Projects inventory is the Incubator project Serverless Top 10, headed by Tal Melamed. Please read on to find out more about the project from Tal himself.




The Serverless Top 10 project has launched a report, designed to be a first look into the leading risks in serverless security and to serve as a baseline for the project. We would like to thank everyone who participated in the project and made it possible with special thanks to our project sponsor, Protego Labs.

Shedding Light on Serverless
The aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Serverless Top 10 report examines the differences in attack vectors, security weaknesses, and business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. This report will evaluate the famous OWASP Top 10 project risk listing by “running” them through a serverless environment, shedding light on serverless by demonstrating them from both the attacker’s and the defender’s points of view.

Changing AppSec with Changing App Design
“The OWASP Top 10 2017 report focused on traditional application security. Since applications on serverless architectures are vastly different, security risks have changed,” said Tal Melamed, Serverless Top 10 project lead. “With serverless, hackers must try different vectors and approaches for attacks; developers cannot employ traditional perimeter protections and need to change their way of thinking, as almost none of the mitigations suggested for traditional systems would fit in the serverless world, which is why we’re working on the serverless Top 10 project.”

The Serverless Top 10 will also be based on data collected from real industry input through an open call, and it is scheduled for a first official release in Q2 2019.

Visit our official project page for more information about the roadmap and how to get involved.


Tal Melamed,
OWASP Serverless Top 10 Project Lead