[GPC] Seeking Java Dev help for ModSecurity Port

Paulo Coimbra paulo.coimbra at owasp.org
Fri Apr 1 09:28:30 EDT 2011


If you all agree, I will be waiting for the 'formal project proposal'.

Thanks,
- Paulo


Paulo Coimbra,
OWASP Project Manager

> >-----Original Message-----
> >From: global-projects-committee-bounces at lists.owasp.org
> >[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
> >Of Jim Manico
> >Sent: Thursday, 31 March 2011 20:28
> >To: Jason Li
> >Cc: Ryan Barnett; Calderon, Juan Carlos (GE, Corporate, consultant);
> >Arshan Dabirsiaghi; Global Projects Committee
> >Subject: Re: [GPC] Seeking Java Dev help for ModSecurity Port
> >
> >Jason,
> >
> >First steps - we are stating our intention and placed the code in a
> >formal repo at Google Code. We also got permission from Arshan (the
> >original coder) to run with it.
> >
> >Next step - formal project proposal. One of us will get to it soon.
> >
> >We do not want this under the "java project". As Ryan stated, we want
> >this under the ModSecurity core ruleset project.
> >
> >Aloha,
> >Jim
> >
> >
> >> This is a very long thread between Ryan/Juan/Arshan/Jim and I
> >> apologize that I haven't read through the whole thing - one reason
> >> why a project proposal would be good so that these threads can be
> >> rolled up succinctly for OWASP consumers :)
> >>
> >> But from my very quick skim, it sounds like you guys want to create
> >> a Java WAF based on ModSecurity?
> >>
> >> For the record, I for one do *not* think that the project should be
> >> placed under the OWASP Java project. The OWASP Java project (to me)
> >> is about getting a knowledge base of proper application security
> >> principles for developers using Java as their programming language.
> >> The proposed project is just a tool/code project that happens to be
> >> written in Java. Therefore, I think they need to be separate
> >> projects.
> >>
> >> -Jason
> >>
> >> On Thu, Mar 31, 2011 at 3:15 PM, Jim Manico <jim.manico at owasp.org>
> >> wrote:
> >>
> >>> I just got off the phone with Arshan - and he said "guys, run with
> >>> it"
> >>>
> >>> So I still think we need to put Arshan's name on the project - he
> >>> is our "Java WAF Founding Father" - but it is now our baby to do as
> >>> we wish with it.
> >>>
> >>> Rock on Juan Carlos + Ryan!
> >>>
> >>> Never in my wildest AppSec dreams did I ever expect to be mixed up
> >>> in WAF development. Forgive me if I get overly defensive about it
> >>> at times.
> >>>
> >>> *insert rim shot here*
> >>>
> >>> - Jim
> >>>
> >>>
> >>>> Speaking selfishly, I would love for this to be hosted under the
> >>>> ModSecurity Project link as I want to bill this as a "port" of
> >>>> ModSecurity to Java. :)
> >>>>
> >>>> I will defer to Juan Carlos and Jim however as they are the leads.
> >>>>
> >>>> -Ryan
> >>>>
> >>>> From:  Paulo Coimbra <paulo.coimbra at owasp.org>
> >>>> Date:  Thu, 31 Mar 2011 18:46:12 +0100
> >>>> To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos
> >>>> (GE, Corporate, consultant)'" <juan.calderon at ge.com>
> >>>> Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects
> >>>> Committee' <global-projects-committee at lists.owasp.org>
> >>>> Subject:  RE: Seeking Java Dev help for ModSecurity Port
> >>>>
> >>>>> Jim, Juan & Ryan,
> >>>>>
> >>>>> It's always a pleasure setting up a project for any of you
> >>>>> distinguished OWASP contributors and leaders. I propose though
> >>>>> that you first send us a couple of lines defining the project's
> >>>>> purpose and a roadmap. If you agree with doing so, it will allow
> >>>>> the GPC to act in accordance with its mission, i.e. "(...) the
> >>>>> GPC shall provide support and direction for new projects. (...)".
> >>>>> Additionally, from what I've understood from the thread below, I
> >>>>> was unsure whether or not this new project could be placed under
> >>>>> a broader Java Project hat or if it could be hosted in a common
> >>>>> root link also shared by the ModSecurity Core Rule Set Project -
> >>>>> does my question make any sense?
> >>>>>
> >>>>> http://www.owasp.org/index.php/OWASP_Java_Project
> >>>>>
> >>>>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> >>>>>
> >>>>> Please note that my above path proposal doesn't intend at all to
> >>>>> impose any kind of constraint on OWASP contributors' initiative,
> >>>>> and therefore if you think it is best that I set the templates
> >>>>> right now, before further input is made available, as long as the
> >>>>> GPC also agrees, it will be done. Truly I am just looking for an
> >>>>> approach to allow us a shared effort to create as much value and
> >>>>> synergies as possible.
> >>>>>
> >>>>> PS. Pablo is fine and, happy to be in people's minds, sends
> >>>>> regards :)
> >>>>>
> >>>>>
> >>>>> Thanks,
> >>>>> - Paulo
> >>>>>
> >>>>>
> >>>>> Paulo Coimbra,
> >>>>> OWASP Project Manager
> >>>>> <http://www.owasp.org/index.php/User:Paulo_Coimbra>
> >>>>>
> >>>>>
> >>>>> From: Jim Manico [mailto:jim.manico at owasp.org]
> >>>>> Sent: Wednesday, 30 March 2011 21:31
> >>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
> >>>>> Cc: Ryan Barnett; Paulo Coimbra
> >>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>
> >>>>> Paulo,
> >>>>>
> >>>>> We would like to start a new project -
> >>>>>
> >>>>> "The OWASP Java Web Application Firewall"
> >>>>>
> >>>>> Could you send us a project template please? And could you tell
> >>>>> Pablo hello for us? (joking ;)
> >>>>>
> >>>>> Thanks all.
> >>>>> - Jim
> >>>>>
> >>>>> PS: Juan Carlos - I'm so very grateful someone of your skill is
> >>>>> jumping in to help us!!!
> >>>>>
> >>>>>>> Not yet, there is not even a project page so far, as this is
> >>>>>>> very new.
> >>>>>>>
> >>>>>>> We should let Pablo know about this "new" project. Would you do
> >>>>>>> it Jim or should I do it?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Juan C Calderon
> >>>>>>> Softtek GDC Aguascalientes
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>> Sent: Wednesday, March 30, 2011 1:20 PM
> >>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim
> >>>>>>> Manico
> >>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>
> >>>>>>> Should I CC Arshan on this topic?  Or is there an
> >>>>>>> owasp-java-waf mail-list?
> >>>>>>>
> >>>>>>> -Ryan
> >>>>>>>
> >>>>>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate,
> >>>>>>> consultant)" <juan.calderon at ge.com> wrote:
> >>>>>>>
> >>>>>>>>> It's OK for me, the more visibility I get on the OWASP WAF
> >>>>>>>>> the better, I expect some people get interested and test it
> >>>>>>>>> in the real world.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Juan C Calderon
> >>>>>>>>>
> >>>>>>>>> -----Original Message-----
> >>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>>> Sent: Wednesday, March 30, 2011 9:51 AM
> >>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim
> >>>>>>>>> Manico
> >>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>>
> >>>>>>>>> Awesome news Juan Carlos!  We are putting together a minimum
> >>>>>>>>> spec for porting/supporting the rules language.  I will let
> >>>>>>>>> you know as soon as we have it.  You are right though that it
> >>>>>>>>> will be a subset of variables and operators.
> >>>>>>>>>
> >>>>>>>>> Is it OK with you both if I announce this to the leaders
> >>>>>>>>> list?
> >>>>>>>>>
> >>>>>>>>> Cheers,
> >>>>>>>>> Ryan
> >>>>>>>>>
> >>>>>>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate,
> >>>>>>>>> consultant)" <juan.calderon at ge.com> wrote:
> >>>>>>>>>
> >>>>>>>>>>> It makes sense to me and I agree, adding support for a
> >>>>>>>>>>> basic set of ModSecurity rules will also make it easier to
> >>>>>>>>>>> maintain that compatibility.
> >>>>>>>>>>>
> >>>>>>>>>>> Ok I will plan to add support in the next release for
> >>>>>>>>>>> SecRule with a limited number of variables and operators
> >>>>>>>>>>> (to begin with), and maybe include the rule updater as
> >>>>>>>>>>> well.
> >>>>>>>>>>>
> >>>>>>>>>>> Do you have any BNF of the Rules grammar? I could use that
> >>>>>>>>>>> to create a rule parser.
> >>>>>>>>>>>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>> Juan C Calderon
> >>>>>>>>>>>
> >>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
> >>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim
> >>>>>>>>>>> Manico
> >>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>>>>
> >>>>>>>>>>> I agree with you that creating similar OWASP WAF policies
> >>>>>>>>>>> to match what is in the OWASP ModSec CRS would be faster,
> >>>>>>>>>>> however that is not my goal :)  I am looking for "ports" of
> >>>>>>>>>>> ModSecurity to different platforms.  The way it stands
> >>>>>>>>>>> today, if someone is running a Java server (Tomcat, etc...)
> >>>>>>>>>>> and they want to use ModSecurity, they have to set up a
> >>>>>>>>>>> local Apache reverse proxy with ModSec on it and then set
> >>>>>>>>>>> up Tomcat on a different port and proxy to it.  This is
> >>>>>>>>>>> kludgy...  While I agree that you could get similar
> >>>>>>>>>>> coverage by expanding the OWASP WAF policies to detect
> >>>>>>>>>>> similar attacks, the key to an actual "port" is using the
> >>>>>>>>>>> ModSecurity rule language.  This would allow Java app
> >>>>>>>>>>> server users to use the OWASP ModSec CRS rules.
> >>>>>>>>>>>
> >>>>>>>>>>> One thing to keep in mind - you don't have to implement all
> >>>>>>>>>>> ModSec functionality for a v1 port.  We are working on
> >>>>>>>>>>> documenting a "Core" spec that outlines what base
> >>>>>>>>>>> capabilities you would need.  The main ones are use of
> >>>>>>>>>>> SecRule -
> >>>>>>>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
> >>>>>>>>>>>
> >>>>>>>>>>> Does this make sense?
> >>>>>>>>>>>
> >>>>>>>>>>> -Ryan
> >>>>>>>>>>>
> >>>>>>>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate,
> >>>>>>>>>>> consultant)" <juan.calderon at ge.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>>> Ok I just checked the documentation, I think the best
> >>>>>>>>>>>>> approach to get the fastest result is to create a
> >>>>>>>>>>>>> ModSecurity WAF policy containing equivalent OWASP WAF
> >>>>>>>>>>>>> rules. Creating a parser for ModSecurity Rules will be
> >>>>>>>>>>>>> much harder.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> What do you think?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>> Juan C Calderon
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
> >>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant);
> >>>>>>>>>>>>> Jim Manico
> >>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Outstanding!  Thanks Juan Carlos.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> FYI - check out the "Ports" section of our Projects page
> >>>>>>>>>>>>> to see what other ports are in progress/on the roadmap -
> >>>>>>>>>>>>> http://www.modsecurity.org/projects/
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> We have a really old Java Servlet Filter version of
> >>>>>>>>>>>>> ModSecurity that may be of some help.  I think that
> >>>>>>>>>>>>> updating the current owasp-java-waf code would probably
> >>>>>>>>>>>>> be better though as the version we had uses the old
> >>>>>>>>>>>>> ModSecurity v.1 rules language syntax.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> If you look at the link for "Sun Java Web Server Version
> >>>>>>>>>>>>> 7.0 Update 2" -
> >>>>>>>>>>>>> http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
> >>>>>>>>>>>>> - you can see the ModSecurity rules language components
> >>>>>>>>>>>>> they have implemented thus far.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Let me know if you need any help!
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks again,
> >>>>>>>>>>>>> Ryan
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE,
> >>>>>>>>>>>>> Corporate, consultant)" <juan.calderon at ge.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>> @Ryan, hello again villa-mate :)
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> @Jim, Yes I do have interest in continuing with this
> >>>>>>>>>>>>>>> effort at least to make the WAF reach release level.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Let me give the rules a look to see what it would take
> >>>>>>>>>>>>>>> to implement them in the OWASP Java WAF.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>> Juan C Calderon
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
> >>>>>>>>>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate,
> >>>>>>>>>>>>>>> consultant)
> >>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Juan Carlos - let me know what you think about the idea
> >>>>>>>>>>>>>>> of updating the owasp-java-waf code to be able to use
> >>>>>>>>>>>>>>> the ModSecurity Rules Language syntax (SecRules,
> >>>>>>>>>>>>>>> etc...).
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>>>> Ryan
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 3/29/11 12:56 PM, "Jim Manico"
> >>>>>>>>>>>>>>> <jim.manico at owasp.org> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
> >>>>>>>>>>>>>>>>>>> Yeah,
> >>>>>>>>>>>>>>>>>>> Let's see if we can move forward with the idea of
> >>>>>>>>>>>>>>>>>>> migrating ESAPI WAF to be a stand-alone project.
> >>>>>>>>>>>>>>>>>>> Then the Java lead (whoever that is) can implement
> >>>>>>>>>>>>>>>>>>> the ModSecurity rules language and redub it
> >>>>>>>>>>>>>>>>>>> "ModSecurity Java Servlet WAF".
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> The migration to a standalone project is already
> >>>>>>>>>>>>>>>>> done, Ryan - meet Juan Carlos Calderon; he is "by
> >>>>>>>>>>>>>>>>> default" the current owner of the owasp-java-waf
> >>>>>>>>>>>>>>>>> project :)
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> http://code.google.com/p/owasp-java-waf/
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> As you can see, we have work to do :)
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the
> >>>>>>>>>>>>>>>>> most respected WAF'ers on the planet. He is currently
> >>>>>>>>>>>>>>>>> the leader of the OWASP ModSecurity Core Ruleset.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Juan Carlos, do you have any interest in continuing
> >>>>>>>>>>>>>>>>> to work on this project sir?
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Aloha!
> >>>>>>>>>>>>>>>>> - Jim
> >>>>>>>>>>>>>>>>>
> >>>
> >>> _______________________________________________
> >>> Global-projects-committee mailing list
> >>> Global-projects-committee at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
> >>>
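Added editor's example, placed after the thread: the messages above describe porting ModSecurity's rule language to a Java servlet WAF, starting with SecRule over a limited set of variables and operators, and Juan Carlos asks for a grammar he could build a parser from. The class below is illustration only; it is not code from owasp-java-waf, ESAPI WAF, ModSecurity or anyone on this list. It parses and evaluates an assumed subset of the SecRule directive (variables ARGS, ARGS_NAMES, REQUEST_URI and REQUEST_HEADERS with an optional :selector; operators @rx, @contains and @beginsWith, with a leading ! for negation; actions id, phase, deny, pass and msg). That subset is one plausible reading of the "Core" spec Ryan mentions, not the spec itself. The rules and request in main() are constructed for the demonstration, the rule ids are arbitrary rather than CRS ids, and the code uses records and switch expressions, so it needs Java 16 or later.

```java
import java.util.*;
import java.util.regex.*;

/** Added example (Java 16+): parser and evaluator for an assumed SUBSET of ModSecurity's SecRule directive. */
public final class SecRuleSubset {

    /** One request: URI, parameter name -> values, header name -> value. */
    public record Request(String uri, Map<String, List<String>> args, Map<String, String> headers) {}

    /** A parsed rule: SecRule VARIABLES "OPERATOR ARGUMENT" "ACTIONS"; 'compiled' is set only for @rx. */
    public record Rule(List<String> variables, boolean negated, String operator, String argument,
                       Map<String, String> actions, Pattern compiled) {}

    // SecRule <vars> "<operator field>" "<actions>". Escaped quotes (\") inside a field are not
    // supported in this subset; other backslashes (regex escapes such as \s) pass through untouched.
    private static final Pattern RULE = Pattern.compile(
        "^\\s*SecRule\\s+(\\S+)\\s+\"([^\"]*)\"\\s+\"([^\"]*)\"\\s*$");

    public static Rule parse(String line) {
        Matcher m = RULE.matcher(line);
        if (!m.matches()) throw new IllegalArgumentException("unsupported SecRule form: " + line);
        String opField = m.group(2);
        boolean negated = opField.startsWith("!");          // "!@rx ..." inverts the operator
        if (negated) opField = opField.substring(1);
        String op = "rx", arg = opField;                     // with no "@name", ModSecurity defaults to @rx
        if (opField.startsWith("@")) {                       // "@name argument" -> name, argument
            int sp = opField.indexOf(' ');
            op = opField.substring(1, sp < 0 ? opField.length() : sp);
            arg = sp < 0 ? "" : opField.substring(sp + 1);
        }
        Pattern compiled = op.equals("rx") ? Pattern.compile(arg) : null;
        return new Rule(Arrays.asList(m.group(1).split("\\|")), negated, op, arg, parseActions(m.group(3)), compiled);
    }

    /** Splits "id:1,msg:'a, b',deny" on commas outside single quotes; flag actions map to "". */
    static Map<String, String> parseActions(String s) {
        Map<String, String> out = new LinkedHashMap<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (char c : (s + ",").toCharArray()) {             // trailing ',' flushes the last token
            if (c == '\'') { quoted = !quoted; continue; }
            if (c != ',' || quoted) { cur.append(c); continue; }
            String token = cur.toString().trim();
            cur.setLength(0);
            if (token.isEmpty()) continue;
            int i = token.indexOf(':');
            out.put(i < 0 ? token : token.substring(0, i), i < 0 ? "" : token.substring(i + 1));
        }
        return out;
    }

    /** Resolves a variable, "NAME" or "NAME:selector", to the request values it covers. */
    static List<String> targets(Request r, String var) {
        String[] nv = var.split(":", 2);
        String sel = nv.length == 2 ? nv[1] : null;
        List<String> out = new ArrayList<>();
        switch (nv[0]) {
            case "ARGS" -> r.args().forEach((k, v) -> { if (sel == null || sel.equalsIgnoreCase(k)) out.addAll(v); });
            case "ARGS_NAMES" -> out.addAll(r.args().keySet());
            case "REQUEST_URI" -> out.add(r.uri());
            case "REQUEST_HEADERS" -> r.headers().forEach((k, v) -> { if (sel == null || sel.equalsIgnoreCase(k)) out.add(v); });
            default -> throw new IllegalArgumentException("variable outside this subset: " + nv[0]);
        }
        return out;
    }

    static boolean matches(Rule rule, String value) {
        boolean hit = switch (rule.operator()) {
            case "rx" -> rule.compiled().matcher(value).find();
            case "contains" -> value.contains(rule.argument());
            case "beginsWith" -> value.startsWith(rule.argument());
            default -> throw new IllegalArgumentException("operator outside this subset: @" + rule.operator());
        };
        return rule.negated() != hit;                        // '!' inverts the operator's result
    }

    /** Id of the first 'deny' rule that matches any of its targets, or null if none does. */
    public static String firstDeny(List<Rule> rules, Request r) {
        for (Rule rule : rules) {
            if (!rule.actions().containsKey("deny")) continue;   // 'pass' rules never block, so skip them here
            for (String var : rule.variables())
                for (String value : targets(r, var))
                    if (matches(rule, value)) return rule.actions().get("id");
        }
        return null;
    }

    public static void main(String[] argv) {
        // Constructed sample rules and request for the demonstration; the ids are arbitrary, not CRS ids.
        List<Rule> rules = List.of(
            parse("SecRule ARGS|ARGS_NAMES \"@rx (?i)<\\s*script\" \"id:900101,phase:2,deny,msg:'XSS probe, script tag'\""),
            parse("SecRule REQUEST_URI \"@beginsWith /admin\" \"id:900102,phase:1,deny,msg:'admin path'\""),
            parse("SecRule REQUEST_HEADERS:User-Agent \"!@rx ^Mozilla\" \"id:900103,phase:1,pass,msg:'non-browser UA'\""));
        Request req = new Request("/search", Map.of("q", List.of("<script>alert(1)</script>")),
                                  Map.of("User-Agent", "Mozilla/5.0"));
        System.out.println("blocked by rule " + firstDeny(rules, req));
    }
}
```

Compile and run with `javac SecRuleSubset.java && java SecRuleSubset`. Two things the real engine does that this subset leaves out are worth keeping in mind when sizing a port: transformations (t:lowercase, t:urlDecode and friends) are applied to every target before the operator runs, and phases decide which request data exists at all (request headers are available in phase 1, body parameters only from phase 2), so the grammar and parser are the small part and the evaluation model is where most of the effort goes.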