[Owasp-modsecurity-core-rule-set] Core Rule Set Project April 2018

Chaim Sanders chaim at chaimsanders.com
Wed May 16 05:10:35 UTC 2018

This is the CRS newsletter covering the period from early April until May.

We held our monthly community chat. It is a busy time so we had quite a few
people unavailable. Thanks to all those who attended:

   - csanders
   - Oladon_work
   - lifeforms
   - emphazer
   - franbuehler
   - squared

Our agenda from before the chat is available here
<https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1077>. During
the chat we discussed the following:

   - *Travis fails due to docker issues*. This was an issue which csanders
   worked to resolve before the meeting. It was due to a change in the
   underlying CRS-maintained ModSecurity Docker image (modsecurity-docker #7
   <https://github.com/CRS-support/modsecurity-docker/pull/7>). While this
   reduced the size of the underlying image, it removed certificates needed
   to query GitHub, which ended up causing builds to fail.
   - *Review of PR #1076
   <https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1076> for
   inclusion in 3.1*: franbuehler and lifeforms had looked at the PR and
   agreed it added features needed for 3.1. They both said they would test
   more in the coming weeks to ensure it made it into 3.1 with minimal
   impact. squared said he would test this to ensure it worked with
   libmodsecurity.
   - *Release of 3.1*: It was suggested previously that we'd have a hard
   code stop on 3.1 features on May 7th if we were ready. We decided that the
   features we were preparing should make it into 3.1, but nothing after
   that. These features included PR #1076
   (additional monitoring or hybrid paranoia level settings), #1045
   (malicious file upload detection) and CPanel rule exclusions. emphazer said
   he would work on the CPanel rules within the next two weeks. It was agreed
   that PR 1076 could likely be completed within two weeks. At this time we'd
   generate an RC1 of CRS 3.1.
   - *Other open PRs*: csanders had closed a number of the lingering test
   related issues that were blocking 3.1 release. He also committed to fixing
   the NGINX docker image before the 3.1 release. Franbuehler had reviewed
   #1045 <https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1045>,
   she had found some issues that were acknowledged by spartantri that
   needed to be addressed before a merge.
   - *Community Summit on July 4*: Dune73 has been working in the backend
   to coordinate this event. It is coming along nicely with a dozen confirmed
   participants from various companies. CPanel has committed to sponsor the
   dinner (thanks CPanel). Official registration will be open soon via
   the AppSecEU website.


   - *Franbuehler gave a talk about ModSec CRS in DevOps last week at the
   DevOpsDays ZH (Zurich), slides forthcoming, an associated git repo can be
   found here <https://github.com/franbuehler/modsecurity-crs-rp>.*

*The next community chats will be held on the following dates:*

   - June 4, 2018 20:30 CET
   - Live at AppSecEU and Online July 4th, 2018 14:30 CET **Time Change**
   - Aug 6, 2018 20:30 CET

Chaim Sanders