[GPC] Seeking Java Dev help for ModSecurity Port

Jason Li jason.li at owasp.org
Fri Apr 1 09:43:50 EDT 2011


Based on Jim's last email, that seems to be the appropriate action.

-Jason

On Apr 1, 2011, at 9:28 AM, "Paulo Coimbra" <paulo.coimbra at owasp.org> wrote:

> If you all agree, I will be waiting for the 'formal project proposal'.
> 
> Thanks,
> - Paulo
> 
> 
> Paulo Coimbra,
> OWASP Project Manager
> 
>>> -----Original Message-----
>>> From: global-projects-committee-bounces at lists.owasp.org
>>> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of Jim Manico
>>> Sent: Thursday, 31 March 2011 20:28
>>> To: Jason Li
>>> Cc: Ryan Barnett; Calderon, Juan Carlos (GE, Corporate, consultant); Arshan Dabirsiaghi; Global Projects Committee
>>> Subject: Re: [GPC] Seeking Java Dev help for ModSecurity Port
>>> 
>>> Jason,
>>> 
>>> First steps - we have stated our intention and placed the code in a
>>> formal repo at Google Code. We also got permission from Arshan (the
>>> original coder) to run with it.
>>> 
>>> Next step - formal project proposal. One of us will get to it soon.
>>> 
>>> We do not want this under the "java project". As Ryan stated, we want
>>> this under the ModSecurity core ruleset project.
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>> 
>>>> This is a very long thread between Ryan/Juan/Arshan/Jim and I
>>>> apologize that I haven't read through the whole thing - one reason
>>>> why a project proposal would be good so that these threads can be
>>>> rolled up succinctly for OWASP consumers :)
>>>> 
>>>> But from my very quick skim, it sounds like you guys want to create
>>>> a Java WAF based on ModSecurity?
>>>> 
>>>> For the record, I for one do *not* think that the project should be
>>>> placed under the OWASP Java project. The OWASP Java project (to me)
>>>> is about getting a knowledge base of proper application security
>>>> principles for developers using Java as their programming language.
>>>> The proposed project is just a tool/code project that happens to be
>>>> written in Java. Therefore, I think they need to be separate
>>>> projects.
>>>> 
>>>> -Jason
>>>> 
>>>> On Thu, Mar 31, 2011 at 3:15 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> 
>>>>> I just got off the phone with Arshan - and he said "guys, run with
>>>>> it"
>>>>> 
>>>>> So I still think we need to put Arshan's name on the project - he
>>>>> is our "Java WAF Founding Father" - but it is now our baby to do as
>>>>> we wish with it.
>>>>> 
>>>>> Rock on Juan Carlos + Ryan!
>>>>> 
>>>>> Never in my wildest AppSec dreams did I ever expect to be mixed up
>>>>> in WAF development. Forgive me if I get overly defensive about it
>>>>> at times.
>>>>> 
>>>>> *insert rim shot here*
>>>>> 
>>>>> - Jim
>>>>> 
>>>>> 
>>>>>> Speaking selfishly, I would love for this to be hosted under the
>>>>>> ModSecurity Project link as I want to bill this as a "port" of
>>>>>> ModSecurity to Java. :)
>>>>>> 
>>>>>> I will defer to Juan Carlos and Jim however as they are the leads.
>>>>>> 
>>>>>> -Ryan
>>>>>> 
>>>>>> From:  Paulo Coimbra <paulo.coimbra at owasp.org>
>>>>>> Date:  Thu, 31 Mar 2011 18:46:12 +0100
>>>>>> To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE, Corporate, consultant)'" <juan.calderon at ge.com>
>>>>>> Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee' <global-projects-committee at lists.owasp.org>
>>>>>> Subject:  RE: Seeking Java Dev help for ModSecurity Port
>>>>>> 
>>>>>>> Jim, Juan & Ryan,
>>>>>>> 
>>>>>>> It's always a pleasure setting up a project for any of you
>>>>>>> distinguished OWASP contributors and leaders. I propose though that
>>>>>>> you firstly send us off a couple of lines defining the project's
>>>>>>> purpose and a roadmap. If you agree with doing so it will allow the
>>>>>>> GPC to act in accordance with its mission, i.e. "(...) the GPC
>>>>>>> shall provide support and direction for new projects. (...)".
>>>>>>> Additionally, from what I've understood from the thread below, I
>>>>>>> was unsure whether or not this new project could be placed under a
>>>>>>> broader Java Project hat or if it could be hosted in a common root
>>>>>>> link also shared by the ModSecurity Core Rule Set Project - does my
>>>>>>> interrogation make any sense?
>>>>>>> 
>>>>>>> http://www.owasp.org/index.php/OWASP_Java_Project
>>>>>>> 
>>>>>>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>>>>> 
>>>>>>> Please note that my above path proposal doesn't intend at all to
>>>>>>> impose any kind of constraint on OWASP contributors' initiative and
>>>>>>> therefore if you think it is best that I set the templates right
>>>>>>> now before further input is made available, as long as the GPC
>>>>>>> also agrees, it will be done. Truly I am just looking for an
>>>>>>> approach to allow us a shared effort to create as much value and
>>>>>>> synergies as possible.
>>>>>>> 
>>>>>>> PS. Pablo is fine and, happy for being in people's minds, sends
>>>>>>> regards :)
>>>>>>> 
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> - Paulo
>>>>>>> 
>>>>>>> 
>>>>>>> Paulo Coimbra,
>>>>>>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>>>>>> 
>>>>>>> 
>>>>>>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>>>>>> Sent: Wednesday, 30 March 2011 21:31
>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>> Cc: Ryan Barnett; Paulo Coimbra
>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>> 
>>>>>>> Paulo,
>>>>>>> 
>>>>>>> We would like to start a new project -
>>>>>>> 
>>>>>>> "The OWASP Java Web Application Firewall"
>>>>>>> 
>>>>>>> Could you send us a project template please? And could you tell
>>>>>>> Pablo hello for us? (joking ;)
>>>>>>> 
>>>>>>> Thanks all.
>>>>>>> - Jim
>>>>>>> 
>>>>>>> PS: Juan Carlos - I'm so very grateful someone of your skill is
>>>>>>> jumping in to help us!!!
>>>>>>> 
>>>>>>>>> Not yet, there is not even a project page so far, as this is
>>>>>>>>> very new.
>>>>>>>>> 
>>>>>>>>> We should let Pablo know about this "new" project. Would you do
>>>>>>>>> it Jim or should I do it?
>>>>>>>>> 
>>>>>>>>> Regards,
>>>>>>>>> Juan C Calderon
>>>>>>>>> Softtek GDC Aguascalientes
>>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>> Sent: Wednesday, March 30, 2011 1:20 PM
>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>> 
>>>>>>>>> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
>>>>>>>>> mail-list?
>>>>>>>>> 
>>>>>>>>> -Ryan
>>>>>>>>> 
>>>>>>>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>> 
>>>>>>>>>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>>>>>>>>>> better, I expect some people get interested and test it in the
>>>>>>>>>>> real world.
>>>>>>>>>>> 
>>>>>>>>>>> Regards,
>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>> 
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>> 
>>>>>>>>>>> Awesome news Juan Carlos!  We are putting together a minimum
>>>>>>>>>>> spec for porting/supporting the rules language.  I will let you
>>>>>>>>>>> know as soon as we have it.  You are right though that it will
>>>>>>>>>>> be a subset of variables and operators.
>>>>>>>>>>> 
>>>>>>>>>>> Is it OK with you both if I announce this to the leaders
>>>>>>>>>>> list?
>>>>>>>>>>> 
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Ryan
>>>>>>>>>>> 
>>>>>>>>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>>> It makes sense to me and I agree, adding support for a basic
>>>>>>>>>>>>> set of ModSecurity rules will also make it easier to maintain
>>>>>>>>>>>>> that compatibility.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Ok I will plan to add support in the next release for SecRule
>>>>>>>>>>>>> with a limited number of variables and operators (to begin
>>>>>>>>>>>>> with), and maybe include the rule updater as well.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Do you have any BNF of the Rules grammar? I could use that to
>>>>>>>>>>>>> create a rule parser.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>> 
>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I agree with you that creating similar OWASP WAF policies to
>>>>>>>>>>>>> match what is in the OWASP ModSec CRS would be faster, however
>>>>>>>>>>>>> that is not my goal :)  I am looking for "ports" of ModSecurity
>>>>>>>>>>>>> to different platforms.  The way it stands today, if someone is
>>>>>>>>>>>>> running a Java server (Tomcat, etc...) and they want to use
>>>>>>>>>>>>> ModSecurity, they have to set up a local Apache reverse proxy
>>>>>>>>>>>>> with ModSec on it and then set up Tomcat on a different port
>>>>>>>>>>>>> and proxy to it.  This is kludgy...  While I agree that you
>>>>>>>>>>>>> could get similar coverage by expanding the OWASP WAF policies
>>>>>>>>>>>>> to detect similar attacks, the key to an actual "port" is using
>>>>>>>>>>>>> the ModSecurity rule language.  This would allow Java app
>>>>>>>>>>>>> server users to use the OWASP ModSec CRS rules.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> One thing to keep in mind - you don't have to implement all
>>>>>>>>>>>>> ModSec functionality for a v1 port.  We are working on
>>>>>>>>>>>>> documenting a "Core" spec that outlines what base capabilities
>>>>>>>>>>>>> you would need.  The main ones are use of SecRule -
>>>>>>>>>>>>> 
>>>>>>>>>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Does this make sense?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> -Ryan
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Ok I just checked the documentation, I think the best
>>>>>>>>>>>>>>> approach to get the fastest result is to create a
>>>>>>>>>>>>>>> ModSecurity WAF policy containing equivalent OWASP WAF
>>>>>>>>>>>>>>> rules. Creating a parser for ModSecurity Rules will be much
>>>>>>>>>>>>>>> harder.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> What do you think?
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Outstanding!  Thanks Juan Carlos.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> FYI - check out the "Ports" section of our Projects page
>>>>>>>>>>>>>>> to see what other ports are in progress/on the roadmap -
>>>>>>>>>>>>>>> http://www.modsecurity.org/projects/
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> We have a really old Java Servlet Filter version of
>>>>>>>>>>>>>>> ModSecurity that may be of some help.  I think that updating
>>>>>>>>>>>>>>> the current owasp-java-waf code would probably be better
>>>>>>>>>>>>>>> though as the version we had uses the old ModSecurity v.1
>>>>>>>>>>>>>>> rules language syntax.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> If you look at the link for "Sun Java Web Server Version 7.0
>>>>>>>>>>>>>>> Update 2" -
>>>>>>>>>>>>>>> http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>>>>>>>>>>>> - you can see the ModSecurity rules language components they
>>>>>>>>>>>>>>> have implemented thus far.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Let me know if you need any help!
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Thanks again,
>>>>>>>>>>>>>>> Ryan
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> @Ryan, hello again villa-mate :)
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> @Jim, Yes I do have interest in continuing with this effort
>>>>>>>>>>>>>>>>> at least to make the WAF reach release level.
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Let me give the rules a look to see what it would take to
>>>>>>>>>>>>>>>>> implement them in the OWASP Java WAF.
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>>>>>>>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>>>>>>>>>>>>> updating the owasp-java-waf code to be able to use the
>>>>>>>>>>>>>>>>> ModSecurity Rules Language syntax (SecRules, etc...).
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>> Ryan
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>>>>>>>>>>>>>>> Yeah,
>>>>>>>>>>>>>>>>>>>>> Let's see if we can move forward with the idea of
>>>>>>>>>>>>>>>>>>>>> migrating ESAPI WAF to be a stand-alone project.  Then
>>>>>>>>>>>>>>>>>>>>> the Java lead (whoever that is) can implement the
>>>>>>>>>>>>>>>>>>>>> ModSecurity rules language and redub it "ModSecurity
>>>>>>>>>>>>>>>>>>>>> Java Servlet WAF".
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> The migration to a standalone project is already done,
>>>>>>>>>>>>>>>>>>> Ryan - meet Juan Carlos Calderon; he is "by default" the
>>>>>>>>>>>>>>>>>>> current owner of the owasp-java-waf project :)
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> As you can see, we have work to do :)
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>>>>>>>>>>>>>> respected WAF'ers on the planet. He is currently the
>>>>>>>>>>>>>>>>>>> leader of the OWASP ModSecurity Core Ruleset.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Juan Carlos, do you have any interest in continuing to
>>>>>>>>>>>>>>>>>>> work on this project sir?
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Aloha!
>>>>>>>>>>>>>>>>>>> - Jim
>>>>> 
>>>>> _______________________________________________
>>>>> Global-projects-committee mailing list
>>>>> Global-projects-committee at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>>>> 
>>>> 
> 
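The technical thread running through the quoted messages is porting a limited subset of the ModSecurity rules language (SecRule with "a limited number of variables and operators") to a Java servlet WAF so that CRS-style rules can run without an Apache reverse proxy. As an added illustration that is not part of the thread, owasp-java-waf or ModSecurity itself, the following Java 16+ program parses and evaluates such a subset; the `Rule` and `Request` types, the set of supported variables (ARGS, REQUEST_URI, REQUEST_HEADERS:Name) and operators (@rx, @contains), and the sample rule and request are all assumptions constructed for the example.

```java
import java.util.*;
import java.util.regex.*;

// Added example (not owasp-java-waf or ModSecurity code): parse and evaluate a small SecRule subset.
public class MiniSecRule {
    record Rule(List<String> vars, String op, String opArg, Map<String, String> actions) {} // SecRule VARS "OP ARG" "ACTIONS"
    record Request(String uri, Map<String, String> args, Map<String, String> headers) {}   // constructed request model
    static final Pattern LINE = Pattern.compile("^SecRule\\s+(\\S+)\\s+\"([^\"]*)\"\\s+\"([^\"]*)\"$");
    static Rule parse(String line) {
        Matcher m = LINE.matcher(line.trim());
        if (!m.matches()) throw new IllegalArgumentException("unsupported SecRule syntax: " + line);
        String spec = m.group(2);                                               // "@op argument" or a bare regex
        String op = spec.startsWith("@") ? spec.split("\\s+", 2)[0] : "@rx";   // ModSecurity's default operator is @rx
        String arg = spec.startsWith("@") ? spec.substring(op.length()).trim() : spec;
        Map<String, String> actions = new LinkedHashMap<>();                    // e.g. id:1001,phase:2,deny,msg:'...'
        for (String a : m.group(3).split(",")) {
            String[] kv = a.trim().split(":", 2);
            actions.put(kv[0], kv.length > 1 ? kv[1].replaceAll("^'|'$", "") : "");
        }
        return new Rule(Arrays.asList(m.group(1).split("\\|")), op, arg, actions);
    }
    // Values a variable selects from the request; anything outside the subset is rejected, not silently ignored
    static List<String> select(String name, Request req) {
        if (name.equals("ARGS")) return new ArrayList<>(req.args().values());
        if (name.equals("REQUEST_URI")) return List.of(req.uri());
        if (name.startsWith("REQUEST_HEADERS:")) {                              // one named header
            String h = req.headers().get(name.substring("REQUEST_HEADERS:".length()));
            return h == null ? List.of() : List.of(h);
        }
        throw new IllegalArgumentException("unsupported variable: " + name);
    }
    // A rule fires when any selected value satisfies its operator (@rx or @contains in this subset)
    static boolean matches(Rule r, Request req) {
        for (String v : r.vars()) for (String val : select(v, req)) {
            boolean hit = switch (r.op()) {
                case "@rx" -> Pattern.compile(r.opArg()).matcher(val).find();
                case "@contains" -> val.contains(r.opArg());
                default -> throw new IllegalArgumentException("unsupported operator: " + r.op());
            };
            if (hit) return true;
        }
        return false;
    }

    public static void main(String[] argv) {
        Rule r = parse("SecRule ARGS|REQUEST_URI \"@rx (?i)<script\" \"id:1001,phase:2,deny,msg:'XSS attempt'\"");
        Request req = new Request("/search", Map.of("q", "<SCRIPT>alert(1)</script>"), Map.of("Host", "example.test"));
        System.out.println(matches(r, req) ? "deny: " + r.actions().get("msg") : "pass");
    }
}
```

Rejecting unknown variables and operators explicitly, rather than skipping them, is what keeps a partial port honest: a CRS rule the port cannot yet evaluate fails loudly at load time instead of silently providing no coverage.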

