[GPC] Seeking Java Dev help for ModSecurity Port

Ryan Barnett ryan.barnett at owasp.org
Thu Mar 31 13:59:55 EDT 2011


Speaking selfishly, I would love for this to be hosted under the ModSecurity
Project link as I want to bill this as a "port" of ModSecurity to Java. :)

I will defer to Juan Carlos and Jim however as they are the leads.

-Ryan

From:  Paulo Coimbra <paulo.coimbra at owasp.org>
Date:  Thu, 31 Mar 2011 18:46:12 +0100
To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
Corporate, consultant)'" <juan.calderon at ge.com>
Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
<global-projects-committee at lists.owasp.org>
Subject:  RE: Seeking Java Dev help for ModSecurity Port

> Jim, Juan & Ryan,
> 
> It's always a pleasure setting up a project for any of you distinguished OWASP
> contributors and leaders. I propose though you firstly send us off a couple of
> lines defining the project's purpose and a roadmap. If you agree with doing so
> it will allow the GPC to act in accordance with its mission, i.e. "(...) the
> GPC shall provide support and direction for new projects. (...)". Additionally,
> from what I've understood from the thread below, I was unsure whether or not
> this new project could be placed under a broader Java Project hat or if it
> could be hosted in a common root link also shared by the ModSecurity Core Rule
> Set Project - does my interrogation make any sense?
> 
> http://www.owasp.org/index.php/OWASP_Java_Project
> 
> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> 
> Please note that my above path proposal doesn't intend at all to impose any
> kind of constraint on OWASP contributors' initiative and therefore if you
> think it is best that I set the templates right now before further input is
> made available, as long as GPC also agrees, it will be done. Truly I am just
> looking for an approach to allow us a shared effort to create as much value
> and synergies as possible.
> 
> PS. Pablo is fine and, happy for being in people's minds, sends regards :)
> 
> Thanks,
> - Paulo
> 
> Paulo Coimbra,
> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
> 
> From: Jim Manico [mailto:jim.manico at owasp.org]
> Sent: Wednesday, 30 March 2011 21:31
> To: Calderon, Juan Carlos (GE, Corporate, consultant)
> Cc: Ryan Barnett; Paulo Coimbra
> Subject: Re: Seeking Java Dev help for ModSecurity Port
>  
> Paulo,
>  
> We would like to start a new project -
>  
> "The OWASP Java Web Application Firewall"
>  
> Could you send us a project template please? And could you tell Pablo hello
> for us? (joking ;)
>  
> Thanks all.
> - Jim
>  
> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in to
> help us!!!
>  
>> Not yet, there is not even a project page so far, as this is very new.
>> 
>> We should let Pablo know about this "new" project. Would you do it Jim
>> or should I do it?
>> 
>> Regards,
>> Juan C Calderon
>> Softtek GDC Aguascalientes
>> 
>> -----Original Message-----
>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>> Sent: Wednesday, March 30, 2011 1:20 PM
>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>> 
>> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
>> mail-list?
>> 
>> -Ryan
>> 
>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>> <juan.calderon at ge.com> wrote:
>> 
>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>> better, I expect some people get interested and test it in the real world.
>>> 
>>> Regards,
>>> Juan C Calderon
>>> 
>>> -----Original Message-----
>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>> 
>>> Awesome news Juan Carlos!  We are putting together a minimum spec for
>>> porting/supporting the rules language.  I will let you know as soon
>>> as we have it.  You are right though that it will be a subset of
>>> variables and operators.
>>> 
>>> Is it OK with you both if I announce this to the leaders list?
>>> 
>>> Cheers,
>>> Ryan
>>> 
>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>> <juan.calderon at ge.com> wrote:
>>> 
>>>> It makes sense to me and I agree, adding support for a basic set of
>>>> ModSecurity rules will also make it easier to maintain that
>>>> compatibility.
>>>> 
>>>> Ok I will plan to add support in the next release for SecRule with a
>>>> limited number of variables and operators (to begin with), and maybe
>>>> include the rule updater as well.
>>>> 
>>>> Do you have any BNF of Rules grammar? I could use that to create a
>>>> rule parser.
>>>> 
>>>> Regards,
>>>> Juan C Calderon
>>>> 
>>>> -----Original Message-----
>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>> 
>>>> I agree with you that creating similar OWASP WAF policies to match
>>>> what is in the OWASP ModSec CRS would be faster, however that is not my
>>>> goal :)  I am looking for "ports" of ModSecurity to different platforms.
>>>> The way it stands today, if someone is running a Java server (Tomcat,
>>>> etc...) and they want to use ModSecurity, they have to setup a local
>>>> Apache reverse proxy with ModSec on it and then setup Tomcat on a
>>>> different port and proxy to it.  This is kludgy...  While I agree that
>>>> you could get similar coverage by expanding the OWASP WAF policies
>>>> to detect similar attacks, the key to an actual "port" is using the
>>>> ModSecurity rule language.  This would allow Java app server users
>>>> to use the OWASP ModSec CRS rules.
>>>> 
>>>> One thing to keep in mind - you don't have to implement all ModSec
>>>> functionality for a v1 port.  We are working on documenting a "Core"
>>>> spec that outlines what base capabilities you would need.  The main
>>>> ones are use of SecRule -
>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>> 
>>>> Does this make sense?
>>>> 
>>>> -Ryan
>>>> 
>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>> <juan.calderon at ge.com> wrote:
>>>> 
>>>>> Ok I just checked the documentation, I think the best approach to
>>>>> get the faster result is to create a ModSecurity WAF policy containing
>>>>> equivalent OWASP WAF rules. Creating a parser for ModSecurity Rules
>>>>> will be much harder.
>>>>> 
>>>>> What do you think?
>>>>> 
>>>>> Regards,
>>>>> Juan C Calderon
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>> 
>>>>> Outstanding!  Thanks Juan Carlos.
>>>>> 
>>>>> FYI - check out the "Ports" section of our Projects page to see
>>>>> what other ports are in progress/on the roadmap -
>>>>> http://www.modsecurity.org/projects/
>>>>> 
>>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>>> that may be of some help.  I think that updating the current
>>>>> owasp-java-waf code would probably be better though as the version we
>>>>> had uses the old ModSecurity v.1 rules language syntax.
>>>>> 
>>>>> If you look at the link for "Sun Java Web Server Version 7.0 Update 2"
>>>>> link - http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>> - you can see the ModSecurity rules language components they have
>>>>> implemented thus far.
>>>>> 
>>>>> Let me know if you need any help!
>>>>> 
>>>>> Thanks again,
>>>>> Ryan
>>>>> 
>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>> <juan.calderon at ge.com> wrote:
>>>>> 
>>>>>> @Ryan, hello again villa-mate :)
>>>>>> 
>>>>>> @Jim, Yes I do have interest in continuing with this effort at
>>>>>> least to make the WAF reach release level.
>>>>>> 
>>>>>> Let me give the rules a look to see what it would take to
>>>>>> implement them in the OWASP Java WAF.
>>>>>> 
>>>>>> Regards,
>>>>>> Juan C Calderon
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>> 
>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>> 
>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>> updating the owasp-java-waf code to be able to use the ModSecurity
>>>>>> Rules Language syntax (SecRules, etc...).
>>>>>> 
>>>>>> Thanks,
>>>>>> Ryan
>>>>>> 
>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>> 
>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>> Yeah,
>>>>>>>> Let's see if we can move forward with the idea of migrating
>>>>>>>> ESAPI WAF to be a stand-alone project.  Then the Java lead
>>>>>>>> (whoever that is) can implement the ModSecurity rules language
>>>>>>>> and redub it "ModSecurity Java Servlet WAF".
>>>>>>> 
>>>>>>> 
>>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner
>>>>>>> of the owasp-java-waf project :)
>>>>>>> 
>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>> 
>>>>>>> As you can see, we have work to do :)
>>>>>>> 
>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>> respected WAF'ers on the planet. He is currently the leader of
>>>>>>> the OWASP ModSecurity Core Ruleset.
>>>>>>> 
>>>>>>> Juan Carlos, do you have any interest in continuing to work on
>>>>>>> this project sir?
>>>>>>> 
>>>>>>> Aloha!
>>>>>>> - Jim
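To make concrete what a SecRule port with "a limited number of variables and operators" involves, here is a small Java sketch added to this page. It is not code from owasp-java-waf, ModSecurity, or the "Core" spec the thread mentions. The subset it accepts (variables ARGS, ARGS:name, !ARGS:name, REQUEST_HEADERS:name; operators @rx and @contains, with a leading "!" for negation; comma-separated actions) and the rule ids and requests in the sample are assumptions chosen for the illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

// Toy parser/evaluator for a small SecRule subset, added to this page as an illustration; it is NOT code
// from owasp-java-waf or ModSecurity. The accepted subset is an assumption made here: variables ARGS, ARGS:name,
// !ARGS:name (exclusion), REQUEST_HEADERS:name; operators @rx (the default) and @contains, with '!' negation.
public class MiniSecRule {
    /** One parsed SecRule directive. Bare action flags (deny, log, pass) map to "". */
    public static final class Rule {
        final List<String> variables; final String operator, operand; final boolean negated;
        final Map<String, String> actions = new LinkedHashMap<>();
        Rule(List<String> v, String op, String operand, boolean neg) { variables = v; operator = op; this.operand = operand; negated = neg; }
    }
    /** Minimal request model: the values a WAF would inspect. Header names are stored lower-cased. */
    public static final class Request {
        final String uri; final Map<String, List<String>> args = new LinkedHashMap<>(); final Map<String, String> headers = new LinkedHashMap<>();
        Request(String uri) { this.uri = uri; }
        Request arg(String k, String v) { args.computeIfAbsent(k, x -> new ArrayList<>()).add(v); return this; }
        Request header(String k, String v) { headers.put(k.toLowerCase(), v); return this; }
    }

    /** Whitespace split that keeps double-quoted strings whole: \" is an escaped quote, other backslashes stay for the regex. */
    static List<String> tokenize(String line) {
        List<String> out = new ArrayList<>(); StringBuilder cur = new StringBuilder(); boolean inQuote = false, pending = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (inQuote) {
                if (c == '\\' && i + 1 < line.length() && line.charAt(i + 1) == '"') { cur.append('"'); i++; }
                else if (c == '"') inQuote = false;
                else cur.append(c);
            } else if (c == '"') { inQuote = true; pending = true; }
            else if (Character.isWhitespace(c)) { if (pending) { out.add(cur.toString()); cur.setLength(0); pending = false; } }
            else { cur.append(c); pending = true; }
        }
        if (inQuote) throw new IllegalArgumentException("unterminated quoted string");
        if (pending) out.add(cur.toString());
        return out;
    }

    /** Parse `SecRule VARIABLES "OPERATOR" "ACTIONS"`; malformed input is rejected rather than guessed at. */
    public static Rule parse(String directive) {
        List<String> t = tokenize(directive.trim());
        if (t.size() < 3 || !t.get(0).equals("SecRule")) throw new IllegalArgumentException("expected: SecRule VARIABLES \"OPERATOR\" \"ACTIONS\"");
        String op = t.get(2); boolean neg = op.startsWith("!"); if (neg) op = op.substring(1);
        String name = "@rx", operand = op;                 // no '@' prefix means @rx, as in ModSecurity
        if (op.startsWith("@")) { int sp = op.indexOf(' '); name = sp < 0 ? op : op.substring(0, sp); operand = sp < 0 ? "" : op.substring(sp + 1); }
        Rule r = new Rule(Arrays.asList(t.get(1).split("\\|")), name, operand, neg);
        if (t.size() > 3) for (String a : t.get(3).split(",")) {   // this toy does not allow commas inside msg:'...'
            int colon = a.indexOf(':');
            String k = (colon < 0 ? a : a.substring(0, colon)).trim(), v = colon < 0 ? "" : a.substring(colon + 1).trim();
            if (v.length() >= 2 && v.startsWith("'") && v.endsWith("'")) v = v.substring(1, v.length() - 1);
            r.actions.put(k, v);
        }
        return r;
    }

    /** Expand the variable list into concrete values, applying !COLLECTION:name exclusions in order. */
    static List<String> targets(Rule r, Request req) {
        Map<String, String> picked = new LinkedHashMap<>();
        for (String v : r.variables) {
            boolean exclude = v.startsWith("!"); String spec = exclude ? v.substring(1) : v; int c = spec.indexOf(':');
            String coll = c < 0 ? spec : spec.substring(0, c), sel = c < 0 ? null : spec.substring(c + 1);
            Map<String, String> found = new LinkedHashMap<>();   // key = variable name; "#i" keeps repeated parameters distinct
            switch (coll) {
                case "ARGS": req.args.forEach((k, vals) -> { if (sel == null || sel.equals(k))
                    for (int i = 0; i < vals.size(); i++) found.put("ARGS:" + k + "#" + i, vals.get(i)); }); break;
                case "REQUEST_HEADERS": req.headers.forEach((k, val) -> { if (sel == null || sel.equalsIgnoreCase(k)) found.put("REQUEST_HEADERS:" + k, val); }); break;
                default: throw new IllegalArgumentException("unsupported variable: " + coll);
            }
            if (exclude) picked.keySet().removeAll(found.keySet()); else picked.putAll(found);
        }
        return new ArrayList<>(picked.values());
    }

    /** Apply the operator to one value; a '!' on the operator flips the result per target. */
    static boolean test(Rule r, String value) {
        boolean hit; switch (r.operator) {
            case "@rx":       hit = Pattern.compile(r.operand).matcher(value).find(); break;
            case "@contains": hit = value.contains(r.operand); break;
            default: throw new IllegalArgumentException("unsupported operator: " + r.operator);
        }
        return hit != r.negated;
    }
    /** A rule matches when any of its targets matches (ModSecurity semantics). */
    public static boolean matches(Rule r, Request req) { for (String v : targets(r, req)) if (test(r, v)) return true; return false; }

    public static void main(String[] argv) {
        // Constructed rules in CRS style; the ids are placeholders, not real CRS ids.
        List<Rule> rules = Arrays.asList(
            parse("SecRule ARGS \"@rx (?i)union\\s+select\" \"id:900001,phase:2,deny,log,msg:'SQLi union select'\""),
            parse("SecRule REQUEST_HEADERS:User-Agent \"!@rx .\" \"id:900002,phase:1,pass,log,msg:'Empty User-Agent'\""),
            parse("SecRule ARGS|!ARGS:comment \"<script\" \"id:900003,phase:2,deny,log,msg:'Script tag outside comment field'\""));
        // Constructed requests: a SQL injection probe, then an empty UA with markup only in the excluded field.
        Request[] reqs = { new Request("/search").arg("q", "1 UNION  SELECT password FROM users").header("User-Agent", "curl/7"),
                           new Request("/post").arg("comment", "<script>alert(1)</script>").header("User-Agent", "") };
        for (Request req : reqs) for (Rule r : rules) if (matches(r, req))
            System.out.println((r.actions.containsKey("deny") ? "DENY " : "LOG  ") + r.actions.get("id") + " on " + req.uri + ": " + r.actions.get("msg"));
    }
}
```

Compile and run with `javac MiniSecRule.java && java MiniSecRule`. Two ModSecurity behaviours that even a first-cut port has to get right are kept here: a variable list is a union in which a later `!ARGS:name` entry removes targets already collected, and a `!` on the operator negates the result per target, which is why `!@rx .` fires on an empty User-Agent but not on a populated one. A real port would compile each @rx pattern once at load time rather than on every request, and would take the full variable, operator and action set from the reference manual linked above rather than from this sketch.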

