I have a very warm place reserved for the ModSecurity Core Rule Set (CRS). I created it a decade ago. Actually the first release in the readme file, labeled 1.1, is dated to October 2006, so this is an anniversary. And what a great present I got for the Anniversary from Chaim Sanders, Walter Hop and my dear friend Christian Folini: a brand new major release!

If you don’t know what the CRS is, a short introduction is due. Continue reading →

Simply put, Web Application Firewalls are security controls designed to provide the best automated operational protection for HTTP applications, whether web based on mobile. What is “the best” protection, or even “sufficient protection” is not a simple question.  As a result there is a spectrum of solutions for protecting web applications with varying quality and functionality. Which one can call itself a web application firewall is not an easy question to answer.

Probably the only way to define a web application firewall is to list the key features common to web application firewalls uniquely suited for protecting web and mobile applications and which would differentiate than other operational security controls such as intrusion prevention systems and network firewalls. The following sections touch on those key features of WAFs. A fuller discussion of the features will follow in later posts. Continue reading →

(This is the first chapter of a Web Application Firewall Guidebook to be published in the next few posts)

Before getting into web application firewalls let’s review the problem they solve and alternative solutions. As web application security is essentially a software quality problem, resolving it require fixing the way we develop, deploy and operate software. This process is usually referred to as the software development life cycle, or SDLC for short. The security aspects of the SDLC process are called Secure Development Life Cycle, which confusingly has the same abbreviation: SDLC.

Ideally, fixing the security of web applications should be done at all SDLC stages as vulnerabilities are introduced in all stage. While it is better and potentially cheaper to fix issues early on, no quality assurance is perfect and bugs are carried on to following SDLC stages.

Since there is a cost for implementing security in any stage of the SDLC, when allocating resources we need to make a choice as to where to invest and how much. If any of the solutions outlined below was a silver bullet, the decisions would have been easier, however this is not the case. Is it better to invest a lot in educating developers and having a more secure code but neglect to test or protect the code in the operational environment? probably not, after all no code is vulnerability free no matter how good the developers were. On the other hand, should we only deploy a real time operational control such as a web application firewall? It would be unnerving to release buggy software no matter what automated solutions are there to protect it.

Let’s review the available application security solutions at every stage of the SDLC: Continue reading →