[GPC] Seeking Java Dev help for ModSecurity Port

Paulo Coimbra paulo.coimbra at owasp.org
Thu Mar 31 13:46:12 EDT 2011


Jim, Juan & Ryan,

It's always a pleasure setting up a project for any of you distinguished
OWASP contributors and leaders. I propose, though, that you first send us a
couple of lines defining the project's purpose and a roadmap. If you agree
to do so, it will allow the GPC to act in accordance with its mission,
i.e. "(...) the GPC shall provide support and direction for new projects.
(...)". Additionally, from what I've understood from the thread below, I was
unsure whether this new project could be placed under a broader Java
Project hat or whether it could be hosted at a common root link also shared by
the ModSecurity Core Rule Set Project. Does my question make sense?

http://www.owasp.org/index.php/OWASP_Java_Project

http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Please note that my path proposal above doesn't intend at all to impose any
kind of constraint on OWASP contributors' initiative, and therefore if you
think it is best that I set up the templates right now, before further input is
made available, as long as the GPC also agrees, it will be done. Truly, I am just
looking for an approach that allows us a shared effort to create as much value
and synergy as possible.

PS. Pablo is fine and, happy to be in people's minds, sends regards :)

Thanks,

- Paulo

Paulo Coimbra,
OWASP Project Manager
<http://www.owasp.org/index.php/User:Paulo_Coimbra>


From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Wednesday, 30 March 2011 21:31
To: Calderon, Juan Carlos (GE, Corporate, consultant)
Cc: Ryan Barnett; Paulo Coimbra
Subject: Re: Seeking Java Dev help for ModSecurity Port


Paulo,

We would like to start a new project -

"The OWASP Java Web Application Firewall"

Could you send us a project template please? And could you tell Pablo hello
for us? (joking ;)

Thanks all.

- Jim

PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in
to help us!!!

> Not yet, there is not even a project page so far, as this is very new.
>
> We should let Pablo know about this "new" project. Would you do it Jim
> or should I do it?
>
> Regards,
> Juan C Calderon
> Softtek GDC Aguascalientes
>
> -----Original Message-----
> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> Sent: Wednesday, March 30, 2011 1:20 PM
> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
> Subject: Re: Seeking Java Dev help for ModSecurity Port
>
> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
> mail-list?
>
> -Ryan
>
> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
> <juan.calderon at ge.com> wrote:
>
>> It's OK for me, the more visibility I get on the OWASP WAF the
>> better, I expect some people get interested and test it in the real world.
>>
>> Regards,
>> Juan C Calderon
>>
>> -----Original Message-----
>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>> Sent: Wednesday, March 30, 2011 9:51 AM
>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>
>> Awesome news Juan Carlos!  We are putting together a minimum spec for
>> porting/supporting the rules language.  I will let you know as soon
>> as we have it.  You are right though that it will be a subset of
>> variables and operators.
>>
>> Is it OK with you both if I announce this to the leaders list?
>>
>> Cheers,
>> Ryan
>>

>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>> <juan.calderon at ge.com> wrote:
>>
>>> It makes sense to me and I agree, adding support for a basic set of
>>> ModSecurity rules will also make it easier to maintain that
>>> compatibility.
>>>
>>> Ok I will plan to add support in the next release for SecRule with a
>>> limited number of variables and operators (to begin with), and maybe
>>> include the rule updater as well.
>>>
>>> Do you have any BNF of the Rules grammar? I could use that to create a
>>> rule parser.
>>>
>>> Regards,
>>> Juan C Calderon
>>>
>>> -----Original Message-----
>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>
>>> I agree with you that creating similar OWASP WAF policies to match what
>>> is in the OWASP ModSec CRS would be faster, however that is not my goal
>>> :)  I am looking for "ports" of ModSecurity to different platforms.
>>> The way it stands today, if someone is running a Java server (Tomcat,
>>> etc...) and they want to use ModSecurity, they have to set up a local
>>> Apache reverse proxy with ModSec on it and then set up Tomcat on a
>>> different port and proxy to it.  This is kludgy...  While I agree that
>>> you could get similar coverage by expanding the OWASP WAF policies
>>> to detect similar attacks, the key to an actual "port" is using the
>>> ModSecurity rule language.  This would allow Java app server users
>>> to use the OWASP ModSec CRS rules.
>>>
>>> One thing to keep in mind - you don't have to implement all ModSec
>>> functionality for a v1 port.  We are working on documenting a "Core"
>>> spec that outlines what base capabilities you would need.  The main
>>> ones are use of SecRule -
>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>
>>> Does this make sense?
>>>
>>> -Ryan
>>>

>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>> <juan.calderon at ge.com> wrote:
>>>
>>>> Ok I just checked the documentation, I think the best approach to get
>>>> the fastest result is to create a ModSecurity WAF policy containing
>>>> equivalent OWASP WAF rules. Creating a parser for ModSecurity Rules
>>>> will be much harder.
>>>>
>>>> What do you think?
>>>>
>>>> Regards,
>>>> Juan C Calderon
>>>>
>>>> -----Original Message-----
>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>
>>>> Outstanding!  Thanks Juan Carlos.
>>>>
>>>> FYI - check out the "Ports" section of our Projects page to see
>>>> what other ports are in progress/on the roadmap -
>>>> http://www.modsecurity.org/projects/
>>>>
>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>> that may be of some help.  I think that updating the current
>>>> owasp-java-waf code would probably be better though, as the version we
>>>> had uses the old ModSecurity v.1 rules language syntax.
>>>>
>>>> If you look at the "Sun Java Web Server Version 7.0 Update 2" link
>>>> - http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>> - you can see the ModSecurity rules language components they have
>>>> implemented thus far.
>>>>
>>>> Let me know if you need any help!
>>>>
>>>> Thanks again,
>>>> Ryan
>>>>

>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>> <juan.calderon at ge.com> wrote:
>>>>
>>>>> @Ryan, hello again villa-mate :)
>>>>>
>>>>> @Jim, Yes I do have interest in continuing with this effort, at least to
>>>>> make the WAF reach release level.
>>>>>
>>>>> Let me give the rules a look to see what it would take to
>>>>> implement them in the OWASP Java WAF.
>>>>>
>>>>> Regards,
>>>>> Juan C Calderon
>>>>>
>>>>> -----Original Message-----
>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>
>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>
>>>>> Juan Carlos - let me know what you think about the idea of updating the
>>>>> owasp-java-waf code to be able to use the ModSecurity Rules Language
>>>>> syntax (SecRules, etc...).
>>>>>
>>>>> Thanks,
>>>>> Ryan
>>>>>
>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>
>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>> Yeah,
>>>>>>> Let's see if we can move forward with the idea of migrating ESAPI WAF
>>>>>>> to be a stand-alone project.  Then the Java lead (whoever that is)
>>>>>>> can implement the ModSecurity rules language and redub it
>>>>>>> "ModSecurity Java Servlet WAF".
>>>>>>
>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner of the
>>>>>> owasp-java-waf project :)
>>>>>>
>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>
>>>>>> As you can see, we have work to do :)
>>>>>>
>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>> respected WAF'ers on the planet. He is currently the leader of
>>>>>> the OWASP ModSecurity Core Ruleset.
>>>>>>
>>>>>> Juan Carlos, do you have any interest in continuing to work on this
>>>>>> project sir?
>>>>>>
>>>>>> Aloha!
>>>>>> - Jim
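
The subset Ryan and Juan Carlos discuss in the thread above (SecRule with a limited set of variables and operators, so that CRS rules can be loaded as-is instead of being rewritten into native OWASP WAF policy) is what a v1 port has to parse and evaluate. The following is an added example written for this page; it is not code from owasp-java-waf, ModSecurity or the Core Rule Set. It assumes a small subset of the rule language (variables ARGS[:name], REQUEST_URI and REQUEST_HEADERS[:name]; operators @rx, @contains and @beginsWith, with "!" negation and @rx as the default when no operator is named; the t:lowercase transformation; and the id, msg, deny, pass and status actions), a hypothetical Request class standing in for HttpServletRequest, and Java 8 or later. Phases, chained rules, the full transformation pipeline, setvar and the collection syntax of real ModSecurity are deliberately absent, and a rule that uses them is refused at parse time rather than silently loaded as a weaker rule, which is the behaviour a partial port should have. The rules and requests in main are constructed for the example, not taken from the CRS.

```java
import java.util.*;
import java.util.regex.*;

public class MiniSecRule {

    // One parsed SecRule directive: variables, operator and its argument, actions.
    static final class Rule {
        final List<String> variables; final boolean negate; final String op; final String arg;
        final Pattern rx; final boolean lowercase; final Map<String, String> actions;
        Rule(List<String> variables, boolean negate, String op, String arg, boolean lowercase, Map<String, String> actions) {
            this.variables = variables; this.negate = negate; this.op = op; this.arg = arg;
            this.lowercase = lowercase; this.actions = actions;
            this.rx = op.equals("@rx") ? Pattern.compile(arg) : null;   // compile once, not per request
        }
    }

    // Splits a directive into SecRule / VARIABLES / OPERATOR / ACTIONS, honouring
    // double quotes and backslash escapes inside them (ModSecurity's quoting rules).
    static List<String> tokens(String line) {
        List<String> out = new ArrayList<>(); StringBuilder cur = new StringBuilder(); boolean quoted = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (quoted && c == '\\' && i + 1 < line.length()) cur.append(line.charAt(++i));
            else if (c == '"') quoted = !quoted;
            else if (!quoted && Character.isWhitespace(c)) { if (cur.length() > 0) { out.add(cur.toString()); cur.setLength(0); } }
            else cur.append(c);
        }
        if (cur.length() > 0) out.add(cur.toString());
        return out;
    }

    // Parses one SecRule line; anything outside the supported subset is refused, not ignored.
    static Rule parse(String line) {
        List<String> t = tokens(line.trim());
        if (t.size() < 3 || !t.get(0).equals("SecRule")) throw new IllegalArgumentException("not a SecRule: " + line);
        List<String> vars = new ArrayList<>();
        for (String v : t.get(1).split("\\|")) {
            if (!v.matches("(ARGS|REQUEST_HEADERS)(:[A-Za-z0-9_-]+)?|REQUEST_URI")) throw new IllegalArgumentException("unsupported variable: " + v);
            vars.add(v);
        }
        String spec = t.get(2); boolean negate = spec.startsWith("!");
        if (negate) spec = spec.substring(1);
        String op = "@rx", arg = spec;                                    // ModSecurity's default operator is @rx
        if (spec.startsWith("@")) { int sp = spec.indexOf(' '); op = sp < 0 ? spec : spec.substring(0, sp); arg = sp < 0 ? "" : spec.substring(sp + 1); }
        if (!Arrays.asList("@rx", "@contains", "@beginsWith").contains(op)) throw new IllegalArgumentException("unsupported operator: " + op);
        boolean lowercase = false; Map<String, String> actions = new LinkedHashMap<>();
        if (t.size() > 3) for (String a : t.get(3).split(",")) {          // simplification: action values may not contain commas
            a = a.trim(); int c = a.indexOf(':');
            String k = c < 0 ? a : a.substring(0, c), v = c < 0 ? "" : a.substring(c + 1).replaceAll("^'|'$", "");
            if (k.equals("t")) { if (v.equals("lowercase")) lowercase = true; else if (!v.equals("none")) throw new IllegalArgumentException("unsupported transformation: " + v); }
            else actions.put(k, v);
        }
        return new Rule(vars, negate, op, arg, lowercase, actions);
    }

    // Hypothetical request model: what a servlet filter would pull out of HttpServletRequest.
    static final class Request {
        final String uri; final Map<String, List<String>> args; final Map<String, String> headers;
        Request(String uri, Map<String, List<String>> args, Map<String, String> headers) { this.uri = uri; this.args = args; this.headers = headers; }
    }

    // Expands a variable spec into the concrete values to test; bare ARGS means every parameter value.
    static List<String> expand(String var, Request r) {
        int c = var.indexOf(':'); String coll = c < 0 ? var : var.substring(0, c); String key = c < 0 ? null : var.substring(c + 1);
        List<String> out = new ArrayList<>();
        if (coll.equals("REQUEST_URI")) out.add(r.uri);
        else if (coll.equals("ARGS")) { for (Map.Entry<String, List<String>> e : r.args.entrySet()) if (key == null || key.equals(e.getKey())) out.addAll(e.getValue()); }
        else for (Map.Entry<String, String> e : r.headers.entrySet()) if (key == null || key.equalsIgnoreCase(e.getKey())) out.add(e.getValue());
        return out;
    }

    static boolean matches(Rule rule, String value) {
        if (rule.lowercase) value = value.toLowerCase(Locale.ROOT);       // transformation runs before the operator
        boolean hit = rule.op.equals("@rx") ? rule.rx.matcher(value).find()
                    : rule.op.equals("@contains") ? value.contains(rule.arg) : value.startsWith(rule.arg);
        return hit != rule.negate;                                        // "!" inverts the operator result
    }

    // Returns the id of the first rule with a deny action that matches, or null if the request passes.
    static String evaluate(List<Rule> rules, Request r) {
        for (Rule rule : rules)
            for (String var : rule.variables)
                for (String value : expand(var, r))
                    if (matches(rule, value) && rule.actions.containsKey("deny")) return rule.actions.get("id");
        return null;
    }

    public static void main(String[] a) {
        // Constructed rules in CRS style; illustrations only, not rules taken from the real CRS.
        List<Rule> rules = Arrays.asList(
            parse("SecRule ARGS|REQUEST_URI \"@rx <script\" \"id:900001,phase:2,t:lowercase,deny,status:403,msg:'XSS probe'\""),
            parse("SecRule ARGS:file \"@contains ../\" \"id:900002,phase:2,deny,status:403,msg:'Path traversal'\""),
            parse("SecRule REQUEST_HEADERS:User-Agent \"!@beginsWith Mozilla\" \"id:900003,phase:1,pass,msg:'Non-browser client'\""));
        // Constructed requests: one carrying a mixed-case script tag, one benign.
        Request attack = new Request("/search", Collections.singletonMap("q", Arrays.asList("<SCRIPT>alert(1)</SCRIPT>")), Collections.singletonMap("User-Agent", "curl/7.0"));
        Request benign = new Request("/search", Collections.singletonMap("q", Arrays.asList("script kiddie")), Collections.singletonMap("User-Agent", "Mozilla/5.0"));
        System.out.println("attack -> blocked by rule " + evaluate(rules, attack));
        System.out.println("benign -> " + (evaluate(rules, benign) == null ? "passed" : "blocked"));
    }
}
```

Compile and run with `javac MiniSecRule.java && java MiniSecRule`. Two design points matter more than the size of the subset: the tokenizer has to reproduce ModSecurity's quoting and default-operator conventions exactly, because a CRS rule that parses "almost" correctly gives a false sense of coverage, and unsupported variables, operators or transformations must fail loudly at load time, since a rule whose t:urlDecode was silently dropped still looks enabled in the log while matching nothing.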
