[GPC] Seeking Java Dev help for ModSecurity Port

Ryan Barnett ryan.barnett at owasp.org
Mon Apr 4 11:42:43 EDT 2011


My $.02 -

A combination of 1 and 2.  We can host the official OWASP pages off the
existing ModSecurity CRS Project page.  As for #2 - I was thinking that
you can just piggy-back off our existing infrastructure for the CRS.  We
host the CRS code on SourceForge, etc... So we can easily create a new SVN
repo for the Java WAF code.  As for a mailing list, we can easily create
that as well, however I know that OWASP likes for each project to have its
own on the owasp list domain.

Not a big deal either way, just let me know what you would like to do.

-Ryan

On 4/4/11 11:23 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
<juan.calderon at ge.com> wrote:

>Excuse me, I am still confused, can Project committee please clarify to
>me, where is the project going to be hosted?
>
>1. As part of OWASP ModSecurity CRS
>2. As a port of ModSecurity at ModSecurity.org (Ryan offered hosting,
>code repository and mailing lists)
>3. New OWASP project
>
>Juan C Calderon
>
>-----Original Message-----
>From: Jason Li [mailto:jason.li at owasp.org]
>Sent: Friday, April 01, 2011 7:44 AM
>To: Paulo Coimbra
>Cc: Jim Manico; Ryan Barnett; Calderon, Juan Carlos (GE, Corporate,
>consultant); Arshan Dabirsiaghi; Global Projects Committee
>Subject: Re: [GPC] Seeking Java Dev help for ModSecurity Port
>
>Based on Jim's last email, that seems to be the appropriate action.
>
>-Jason
>
>On Apr 1, 2011, at 9:28 AM, "Paulo Coimbra" <paulo.coimbra at owasp.org>
>wrote:
>
>> If you all agree, I will be waiting for the 'formal project proposal'.
>> 
>> Thanks,
>> - Paulo
>> 
>> 
>> Paulo Coimbra,
>> OWASP Project Manager
>> 
>>>> -----Original Message-----
>>>> From: global-projects-committee-bounces at lists.owasp.org
>>>> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
>>>> Of Jim Manico
>>>> Sent: Thursday, March 31, 2011 20:28
>>>> To: Jason Li
>>>> Cc: Ryan Barnett; Calderon, Juan Carlos (GE, Corporate, consultant);
>>>> Arshan Dabirsiaghi; Global Projects Committee
>>>> Subject: Re: [GPC] Seeking Java Dev help for ModSecurity Port
>>>> 
>>>> Jason,
>>>> 
>>>> First steps - we are stating our intention and placed the code in a
>>>> formal repo at Google code. We also got permission from Arshan (the
>>>> original coder) to run with it.
>>>> 
>>>> Next step - formal project proposal. One of us will get to it soon.
>>>> 
>>>> We do not want this under the "java project". As Ryan stated, we
>>>> want this under the ModSecurity core ruleset project.
>>>> 
>>>> Aloha,
>>>> Jim
>>>> 
>>>> 
>>>> 
>>>>> This is a very long thread between Ryan/Juan/Arshan/Jim and I apologize that
>>>>> I haven't read through the whole thing - one reason why a project proposal
>>>>> would be good so that these threads can be rolled up succinctly for OWASP
>>>>> consumers :)
>>>>> 
>>>>> But from my very quick skim, it sounds like you guys want to create a Java
>>>>> WAF based on ModSecurity?
>>>>> 
>>>>> For the record, I for one do *not* think that the project should be placed
>>>>> under the OWASP Java project. The OWASP Java project (to me) is about
>>>>> getting a knowledge base of proper application security principles for
>>>>> developers using Java as their programming language. The proposed project is
>>>>> just a tool/code project that happens to be written in Java. Therefore, I
>>>>> think they need to be separate projects.
>>>>> 
>>>>> -Jason
>>>>> 
>>>>> On Thu, Mar 31, 2011 at 3:15 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> 
>>>>>> I just got off the phone with Arshan - and he said "guys, run with it"
>>>>>> 
>>>>>> So I still think we need to put Arshan's name on the project - he is our
>>>>>> "Java WAF Founding Father" - but it is now our baby to do as we wish
>>>>>> with it.
>>>>>> 
>>>>>> Rock on Juan Carlos + Ryan!
>>>>>> 
>>>>>> Never in my wildest AppSec dreams did I ever expect to be mixed up in
>>>>>> WAF development. Forgive me if I get overly defensive about it at times.
>>>>>> 
>>>>>> *insert rim shot here*
>>>>>> 
>>>>>> - Jim
>>>>>> 
>>>>>> 
>>>>>>> Speaking selfishly, I would love for this to be hosted under the ModSecurity
>>>>>>> Project link as I want to bill this as a "port" of ModSecurity to Java. :)
>>>>>>> 
>>>>>>> I will defer to Juan Carlos and Jim however as they are the leads.
>>>>>>> 
>>>>>>> -Ryan
>>>>>>> 
>>>>>>> From:  Paulo Coimbra <paulo.coimbra at owasp.org>
>>>>>>> Date:  Thu, 31 Mar 2011 18:46:12 +0100
>>>>>>> To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
>>>>>>> Corporate, consultant)'" <juan.calderon at ge.com>
>>>>>>> Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
>>>>>>> <global-projects-committee at lists.owasp.org>
>>>>>>> Subject:  RE: Seeking Java Dev help for ModSecurity Port
>>>>>>> 
>>>>>>>> Jim, Juan & Ryan,
>>>>>>>> 
>>>>>>>> It's always a pleasure setting up a project for any of you distinguished OWASP
>>>>>>>> contributors and leaders. I propose though you firstly send us off a couple of
>>>>>>>> lines defining the project's purpose and a roadmap. If you agree with doing so
>>>>>>>> it will allow the GPC acting in accordance with its mission i.e. "(...) the
>>>>>>>> GPC shall provide support and direction for new projects. (...)". Additionally
>>>>>>>> from what I've understood from the thread below, I was unsure whether or not
>>>>>>>> this new project could be placed under a broaden Java Project hat or if it
>>>>>>>> could be hosted in a common root link also shared by the ModSecurity Core Rule
>>>>>>>> Set Project - does my interrogation make any sense?
>>>>>>>> 
>>>>>>>> http://www.owasp.org/index.php/OWASP_Java_Project
>>>>>>>> 
>>>>>>>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>>>>>> 
>>>>>>>> Please note that my above path proposal doesn't intend at all to impose any
>>>>>>>> kind of constraint to OWASP contributors' initiative and therefore if you
>>>>>>>> think is best that I set the templates right now before further input being
>>>>>>>> put available, as long as GPC also agrees, it will be done. Truly I am just
>>>>>>>> looking for an approach to allow us a shared effort to create as much value
>>>>>>>> and synergies as possible.
>>>>>>>> 
>>>>>>>> PS. Pablo is fine and, happy for being in people's minds, sends regards :)
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> - Paulo
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Paulo Coimbra,
>>>>>>>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>>>>>>> Sent: Wednesday, March 30, 2011 21:31
>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>>> Cc: Ryan Barnett; Paulo Coimbra
>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>> 
>>>>>>>> Paulo,
>>>>>>>> 
>>>>>>>> We would like to start a new project -
>>>>>>>> 
>>>>>>>> "The OWASP Java Web Application Firewall"
>>>>>>>> 
>>>>>>>> Could you send us a project template please? And could you tell Pablo hello
>>>>>>>> for us? (joking ;)
>>>>>>>> 
>>>>>>>> Thanks all.
>>>>>>>> - Jim
>>>>>>>> 
>>>>>>>> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in to
>>>>>>>> help us!!!
>>>>>>>> 
>>>>>>>>>> Not yet, there is not even a project page so far, as this is very new.
>>>>>>>>>> 
>>>>>>>>>> We should let Pablo know about this "new" project. Would you do it Jim
>>>>>>>>>> or should I do it?
>>>>>>>>>> 
>>>>>>>>>> Regards,
>>>>>>>>>> Juan C Calderon
>>>>>>>>>> Softtek GDC Aguascalientes
>>>>>>>>>> 
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>> Sent: Wednesday, March 30, 2011 1:20 PM
>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>> 
>>>>>>>>>> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
>>>>>>>>>> mail-list?
>>>>>>>>>> 
>>>>>>>>>> -Ryan
>>>>>>>>>> 
>>>>>>>>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>>>>>>>>>>> better, I expect some people get interested and test it on real world.
>>>>>>>>>>>> 
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>> 
>>>>>>>>>>>> Awesome news Juan Carlos!  We are putting together a minimum spec for
>>>>>>>>>>>> porting/supporting the rules language.  I will let you know as soon
>>>>>>>>>>>> as we have it.  You are right though that it will be a subset of
>>>>>>>>>>>> variables and operators.
>>>>>>>>>>>> 
>>>>>>>>>>>> Is it OK with you both if I announce this to the leaders list?
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Ryan
>>>>>>>>>>>> 
>>>>>>>>>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>>> It makes sense to me and I agree, adding support for a basic set of
>>>>>>>>>>>>>> ModSecurity rules will also make it easier to maintain
>>>>>>>>>>>>>> that compatibility.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Ok I will plan to add support in the next release for SecRule with a
>>>>>>>>>>>>>> limited number of variables and operators (to begin with), and maybe
>>>>>>>>>>>>>> include the rule updater as well.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Do you have any BNF of Rules grammar? I could use that to create a
>>>>>>>>>>>>>> rule parser.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I agree with you that creating similar OWASP WAF policies to match what
>>>>>>>>>>>>>> is in the OWASP ModSec CRS would be faster, however that is not my goal
>>>>>>>>>>>>>> :)  I am looking for "ports" of ModSecurity to different platforms.
>>>>>>>>>>>>>> The way it stands today, if someone is running a Java server (Tomcat,
>>>>>>>>>>>>>> etc...) and they want to use ModSecurity, they have to setup a local
>>>>>>>>>>>>>> Apache reverse proxy with ModSec on it and then setup Tomcat on a
>>>>>>>>>>>>>> different port and proxy to it.  This is kludgy...  While I agree that
>>>>>>>>>>>>>> you could get similar coverage by expanding the OWASP WAF policies
>>>>>>>>>>>>>> to detect similar attacks, the key to an actual "port" is using the
>>>>>>>>>>>>>> ModSecurity rule language.  This would allow Java app server users
>>>>>>>>>>>>>> to use the OWASP ModSec CRS rules.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> One thing to keep in mind - you don't have to implement all ModSec
>>>>>>>>>>>>>> functionality for a v1 port.  We are working on documenting a "Core"
>>>>>>>>>>>>>> spec that outlines what base capabilities you would need.  The main
>>>>>>>>>>>>>> ones are use of SecRule -
>>>>>>>>>>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Does this make sense?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -Ryan
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Ok I just checked the documentation, I think the best approach to get
>>>>>>>>>>>>>>>> the faster result is to create a ModSecurity WAF policy containing
>>>>>>>>>>>>>>>> equivalent OWASP WAF rules. Creating a parser for ModSecurity Rules
>>>>>>>>>>>>>>>> will be much harder.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> What do you think?
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Outstanding!  Thanks Juan Carlos.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> FYI - check out the "Ports" section of our Projects page to see
>>>>>>>>>>>>>>>> what other ports are in progress/on the roadmap -
>>>>>>>>>>>>>>>> http://www.modsecurity.org/projects/
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>>>>>>>>>>>>>> that may be of some help.  I think that updating the current
>>>>>>>>>>>>>>>> owasp-java-waf code would probably be better though as the version we
>>>>>>>>>>>>>>>> had uses the old ModSecurity v.1 rules language syntax.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> If you look at the link for "Sun Java Web Server Version 7.0 Update 2
>>>>>>>>>>>>>>>> link -
>>>>>>>>>>>>>>>> http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>>>>>>>>>>>>> - you can see the ModSecurity rules language components they have
>>>>>>>>>>>>>>>> implemented thus far.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Let me know if you need any help!
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Thanks again,
>>>>>>>>>>>>>>>> Ryan
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> @Ryan, hello again villa-mate :)
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> @Jim, Yes I do have interest in continuing with this effort at least to
>>>>>>>>>>>>>>>>>> make the WAF reach release level.
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Let me give the rules a look to see what would it take to
>>>>>>>>>>>>>>>>>> implement them in the OWASP Java WAF.
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>>>>>>>>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>>>>>>>>>>>>>> updating the owasp-java-waf code to be able to use the ModSecurity Rules
>>>>>>>>>>>>>>>>>> Language syntax (SecRules, etc...).
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>> Ryan
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>>>>>>>>>>>>>>>> Yeah,
>>>>>>>>>>>>>>>>>>>>>> Let's see if we can move forward with the idea of migrating ESAPI WAF
>>>>>>>>>>>>>>>>>>>>>> to be a stand-alone project.  Then the Java lead (whoever that is)
>>>>>>>>>>>>>>>>>>>>>> can implement the ModSecurity rules language and redub it
>>>>>>>>>>>>>>>>>>>>>> "ModSecurity Java Servlet WAF".
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>>>>>>>>>>>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner of the
>>>>>>>>>>>>>>>>>>>> owasp-java-waf project :)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> As you can see, we have work to do :)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>>>>>>>>>>>>>>> respected WAF'ers on the planet. He is currently the leader of
>>>>>>>>>>>>>>>>>>>> the OWASP ModSecurity Core Ruleset.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Juan Carlos, do you have any interest in continuing to work on this
>>>>>>>>>>>>>>>>>>>> project sir?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Aloha!
>>>>>>>>>>>>>>>>>>>> - Jim
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Global-projects-committee mailing list
>>>>>> Global-projects-committee at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>>>>> 
>>>>> 
>>>> 
>> 
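
Added example, not part of the thread and not code from owasp-java-waf or ModSecurity: the quoted 3/30 messages plan SecRule support "with a limited number of variables and operators", and this Java sketch parses and evaluates one such subset. The class name, the two supported variables, the three operators, and the sample rule and request are assumptions chosen for illustration.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration (Java 14+), not owasp-java-waf code; the supported subset is an assumption.
public class SecRuleSubset {
    // Grammar handled: SecRule VARIABLES "OPERATOR" ["ACTIONS"]
    private static final Pattern LINE = Pattern.compile(
        "^SecRule\\s+(\\S+)\\s+\"((?:[^\"\\\\]|\\\\.)*)\"(?:\\s+\"((?:[^\"\\\\]|\\\\.)*)\")?\\s*$");
    static final Set<String> VARS = Set.of("ARGS", "REQUEST_URI");
    static final Set<String> OPS = Set.of("rx", "contains", "streq");
    final List<String> variables, actions;
    final boolean negated;
    final String operator, argument;

    SecRuleSubset(String line) {
        Matcher m = LINE.matcher(line.trim());
        if (!m.matches()) throw new IllegalArgumentException("not a SecRule: " + line);
        variables = Arrays.asList(m.group(1).split("\\|"));
        String op = m.group(2).replace("\\\"", "\"");
        negated = op.startsWith("!");
        if (negated) op = op.substring(1);
        if (op.startsWith("@")) {
            int sp = op.indexOf(' ');
            operator = sp < 0 ? op.substring(1) : op.substring(1, sp);
            argument = sp < 0 ? "" : op.substring(sp + 1);
        } else { // no @name given: ModSecurity treats the string as an @rx pattern
            operator = "rx";
            argument = op;
        }
        // Fail closed on anything outside the subset instead of silently skipping the rule.
        if (!OPS.contains(operator) || !VARS.containsAll(variables))
            throw new IllegalArgumentException("outside supported subset: " + line);
        // Naive split: a quoted action value that contains a comma is not handled.
        actions = m.group(3) == null ? List.of() : Arrays.asList(m.group(3).split("\\s*,\\s*"));
    }

    // request maps a variable name to the values it holds for one request
    boolean matches(Map<String, List<String>> request) {
        for (String v : variables)
            for (String value : request.getOrDefault(v, List.of())) {
                boolean hit = switch (operator) {
                    case "rx" -> Pattern.compile(argument).matcher(value).find();
                    case "contains" -> value.contains(argument);
                    default -> value.equals(argument); // streq
                };
                if (hit != negated) return true;
            }
        return false;
    }

    public static void main(String[] args) {
        SecRuleSubset r = new SecRuleSubset( // constructed sample rule
            "SecRule ARGS|REQUEST_URI \"@contains <script\" \"id:1001,phase:2,deny,status:403\"");
        Map<String, List<String>> req = Map.of("ARGS", List.of("<script>x</script>")); // constructed
        System.out.println(r.operator + " " + r.actions + " match=" + r.matches(req));
    }
}
```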



