I have a very warm place reserved for the ModSecurity Core Rule Set (CRS). I created it a decade ago. Actually the first release in the readme file, labeled 1.1, is dated October 2006, so this is an anniversary. And what a great present I got for the anniversary from Chaim Sanders, Walter Hop and my dear friend Christian Folini: a brand new major release!
If you don’t know what the CRS is, a short introduction is due. If you read my recent post defining web application firewalls and tried to place ModSecurity within it, you probably had a hard time. ModSecurity is both everything and nothing, or more precisely, you can morph it into anything you like using its rich rules language. Without such rules, it does nothing at all. So on the one hand the open source community created a potent open source web application firewall (and one cannot mention ModSecurity without mentioning Ivan Ristić, who created it!), but on the other hand without rules it does not deliver a workable application protection solution.
The core rule set fills this gap. It enables many applications, web sites and even commercial products to incorporate functioning web application protection. ModSecurity and the Core Rule Set just make the world a safer place.
Apart from providing an open source web application security option, the Core Rule Set is also a unique piece of research into web application protection. Since it is an open source project, it is open to scrutiny and refinement and can serve as a baseline for assessing application security protection. Being open source, you are all welcome to contribute to this research!
And for the more nostalgic, to commemorate the anniversary, here is my 2007 OWASP EU presentation about the CRS and (drums, drums, drums…) the first version I found of the CRS, version 1.5.1. I leave it to you as a challenge to find the delta: not a hard one, as the CRS has leapfrogged so much since.