The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Thursday, November 29, 2018
Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0
The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last.
A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection.
Key features include:
* A new set of rules defending against Java injections
* An initial set of file upload checks
* Built-in exceptions (rule exclusion packages) for Dokuwiki, Owncloud, Nextcloud and CPanel
* Easier handling of the paranoia mode
* Many false positives fixed
* Successful source code archaeology with regular expressions
* Detailed rule cleanup for easier maintenance
* Speed improvements via the removal of unneeded regex capture groups
* Regression tests for rules, Travis CI support
* CRS Docker image based on Ubuntu
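As an added illustration of the paranoia-mode handling and the application exclusion packages listed above (this is example configuration written for this page, not a file shipped with the release), the following shows how these settings are switched on in crs-setup.conf and how the rule set is then loaded by the web server. The rule IDs 900000, 900001, 900110 and 900130 and the tx.* variable names are those used by the CRS 3.1 crs-setup.conf.example; the file paths under /etc/modsecurity are assumptions for this example.

```apache
# --- crs-setup.conf (CRS 3.1 settings) ---

# Paranoia level 1 is the default: only rules with few false positives
# contribute to the anomaly score. PL2 to PL4 add stricter rules and
# correspondingly more false positives.
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

# New in 3.1: also evaluate PL2 rules, but do not let them raise the
# anomaly score. Their matches are still logged, so a higher level can
# be trialled on live traffic before paranoia_level itself is raised.
# This value must not be lower than tx.paranoia_level.
SecAction \
 "id:900001,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.executing_paranoia_level=2"

# Anomaly scoring thresholds: with an inbound threshold of 5, a single
# critical-severity match is enough to block the request.
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# Enable the built-in exclusion packages only for the applications that
# actually run behind this WAF; each package disables rules known to
# false-positive on that application's legitimate traffic, so enabling
# one for an application you do not run only weakens the rule set.
SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1,\
  setvar:tx.crs_exclusions_dokuwiki=1"

# --- httpd.conf (mod_security section; paths are assumptions) ---

# Start in DetectionOnly and read the audit log for a while; switch
# to On once the false positives it reports have been excluded.
SecRuleEngine DetectionOnly
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

Apache does not accept trailing comments on a directive line, which is why every comment above sits on its own line. The crs-setup.conf settings must be loaded before the rules/*.conf files, since the rules read the tx.* variables at the start of each request.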
CRS 3.1 is the latest stable release of the OWASP ModSecurity Core Rule Set. We advise all users, and all providers of packaged CRS versions, to update their setups. CRS 3.0 will not receive any further updates, and we recommend migrating to the new release.
CRS 3.1 requires an Apache, IIS or NGINX web server with ModSecurity 2.8.0 or higher. CRS 3.1 also runs on libModSecurity 3.0 on NGINX.
Our GitHub repository is the preferred way to download and update CRS:
Our desire is to see the Core Rule Set project as a simple baseline security feature that effectively fights the OWASP Top 10 weaknesses with few side effects. We are committed to cutting down on false positives as much as possible in the default install, and we welcome reports of false positives on GitHub.
Chaim Sanders, Walter Hop and Christian Folini on behalf of the Core Rule Set development team