[GPC] Seeking Java Dev help for ModSecurity Port

Jim Manico jim.manico at owasp.org
Thu Mar 31 14:43:35 EDT 2011


I'm ok with this. Juan Carlos? Arshan?

- Jim

> Speaking selfishly, I would love for this to be hosted under the ModSecurity
> Project link as I want to bill this as a "port" of ModSecurity to Java. :)
> 
> I will defer to Juan Carlos and Jim however as they are the leads.
> 
> -Ryan
> 
> From:  Paulo Coimbra <paulo.coimbra at owasp.org>
> Date:  Thu, 31 Mar 2011 18:46:12 +0100
> To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
> Corporate, consultant)'" <juan.calderon at ge.com>
> Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
> <global-projects-committee at lists.owasp.org>
> Subject:  RE: Seeking Java Dev help for ModSecurity Port
> 
>> Jim, Juan & Ryan,
>>  
>> It's always a pleasure setting up a project for any of you distinguished OWASP
>> contributors and leaders. I propose, though, that you first send us a couple of
>> lines defining the project's purpose and a roadmap. If you agree to do so,
>> it will allow the GPC to act in accordance with its mission, i.e. "(...) the
>> GPC shall provide support and direction for new projects. (...)". Additionally,
>> from what I've understood from the thread below, I was unsure whether or not
>> this new project could be placed under a broader Java Project hat or if it
>> could be hosted in a common root link also shared by the ModSecurity Core Rule
>> Set Project - does my interrogation make any sense?
>>  
>> http://www.owasp.org/index.php/OWASP_Java_Project
>>  
>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>  
>> Please note that my above path proposal doesn't intend at all to impose any
>> kind of constraint on OWASP contributors' initiative, and therefore if you
>> think it is best that I set up the templates right now, before further input is
>> made available, as long as the GPC also agrees, it will be done. Truly I am just
>> looking for an approach that allows us a shared effort to create as much value
>> and synergy as possible.
>>  
>> PS. Pablo is fine and, happy to be in people's minds, sends regards :)
>>
>>  
>> Thanks,
>> - Paulo
>>  
>>  
>> Paulo Coimbra,
>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>  
>>
>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> Sent: Wednesday, 30 March 2011 21:31
>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
>> Cc: Ryan Barnett; Paulo Coimbra
>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>  
>> Paulo,
>>  
>> We would like to start a new project -
>>  
>> "The OWASP Java Web Application Firewall"
>>  
>> Could you send us a project template please? And could you tell Pablo hello
>> for us? (joking ;)
>>  
>> Thanks all.
>> - Jim
>>  
>> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in to
>> help us!!!
>>  
>>>> Not yet, there is not even a project page so far, as this is very new.
>>>>
>>>> We should let Pablo know about this "new" project. Would you do it Jim
>>>> or should I do it?
>>>>
>>>> Regards,
>>>> Juan C Calderon
>>>> Softtek GDC Aguascalientes
>>>>
>>>> -----Original Message-----
>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>> Sent: Wednesday, March 30, 2011 1:20 PM
>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>
>>>> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
>>>> mail-list?
>>>>
>>>> -Ryan
>>>>
>>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>> <juan.calderon at ge.com> wrote:
>>>>
>>>>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>>>>> better; I expect some people will get interested and test it in the real world.
>>>>>>
>>>>>> Regards,
>>>>>> Juan C Calderon
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>
>>>>>> Awesome news Juan Carlos!  We are putting together a minimum spec for
>>>>>> porting/supporting the rules language.  I will let you know as soon
>>>>>> as we have it.  You are right though that it will be a subset of
>>>>>> variables and operators.
>>>>>>
>>>>>> Is it OK with you both if I announce this to the leaders list?
>>>>>>
>>>>>> Cheers,
>>>>>> Ryan
>>>>>>
>>>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>
>>>>>>>> It makes sense to me and I agree, adding support for a basic set of
>>>>>>>> ModSecurity rules will also make it easier to maintain that
>>>>>>>> compatibility.
>>>>>>>>
>>>>>>>> Ok I will plan to add support in the next release for SecRule with a
>>>>>>>> limited number of variables and operators (to begin with), and maybe
>>>>>>>> include the rule updater as well.
>>>>>>>>
>>>>>>>> Do you have any BNF of the Rules grammar? I could use that to create a
>>>>>>>> rule parser.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Juan C Calderon
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>
>>>>>>>> I agree with you that creating similar OWASP WAF policies to match
>>>>>>>> what is in the OWASP ModSec CRS would be faster, however that is not my
>>>>>>>> goal :)  I am looking for "ports" of ModSecurity to different platforms.
>>>>>>>> The way it stands today, if someone is running a Java server (Tomcat,
>>>>>>>> etc...) and they want to use ModSecurity, they have to set up a local
>>>>>>>> Apache reverse proxy with ModSec on it and then set up Tomcat on a
>>>>>>>> different port and proxy to it.  This is kludgy...  While I agree that
>>>>>>>> you could get similar coverage by expanding the OWASP WAF policies
>>>>>>>> to detect similar attacks, the key to an actual "port" is using the
>>>>>>>> ModSecurity rule language.  This would allow Java app server users
>>>>>>>> to use the OWASP ModSec CRS rules.
>>>>>>>>
>>>>>>>> One thing to keep in mind - you don't have to implement all ModSec
>>>>>>>> functionality for a v1 port.  We are working on documenting a "Core"
>>>>>>>> spec that outlines what base capabilities you would need.  The main
>>>>>>>> ones are use of SecRule -
>>>>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>>>>>>
>>>>>>>> Does this make sense?
>>>>>>>>
>>>>>>>> -Ryan
>>>>>>>>
>>>>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>
>>>>>>>>>> Ok I just checked the documentation, I think the best approach to
>>>>>>>>>> get the fastest result is to create a ModSecurity WAF policy containing
>>>>>>>>>> equivalent OWASP WAF rules. Creating a parser for ModSecurity Rules
>>>>>>>>>> will be much harder.
>>>>>>>>>>
>>>>>>>>>> What do you think?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Juan C Calderon
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>
>>>>>>>>>> Outstanding!  Thanks Juan Carlos.
>>>>>>>>>>
>>>>>>>>>> FYI - check out the "Ports" section of our Projects page to see
>>>>>>>>>> what other ports are in progress/on the roadmap -
>>>>>>>>>> http://www.modsecurity.org/projects/
>>>>>>>>>>
>>>>>>>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>>>>>>>> that may be of some help.  I think that updating the current
>>>>>>>>>> owasp-java-waf code would probably be better though as the version we
>>>>>>>>>> had uses the old ModSecurity v.1 rules language syntax.
>>>>>>>>>>
>>>>>>>>>> If you look at the "Sun Java Web Server Version 7.0 Update 2" link
>>>>>>>>>> - http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>>>>>>> - you can see the ModSecurity rules language components they have
>>>>>>>>>> implemented thus far.
>>>>>>>>>>
>>>>>>>>>> Let me know if you need any help!
>>>>>>>>>>
>>>>>>>>>> Thanks again,
>>>>>>>>>> Ryan
>>>>>>>>>>
>>>>>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>>>>>> <juan.calderon at ge.com> wrote:
>>>>>>>>>>
>>>>>>>>>>>> @Ryan, hello again villa-mate :)
>>>>>>>>>>>>
>>>>>>>>>>>> @Jim, Yes I do have interest in continuing with this effort, at
>>>>>>>>>>>> least to make the WAF reach release level.
>>>>>>>>>>>>
>>>>>>>>>>>> Let me give the rules a look to see what would it take to
>>>>>>>>>>>> implement them in the OWASP Java WAF.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>
>>>>>>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>>>>>>>>
>>>>>>>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>>>>>>>> updating the owasp-java-waf code to be able to use the ModSecurity
>>>>>>>>>>>> Rules Language syntax (SecRules, etc...).
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Ryan
>>>>>>>>>>>>
>>>>>>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>>>>>>>>>> Yeah,
>>>>>>>>>>>>>>>> Let's see if we can move forward with the idea of migrating
>>>>>>>>>>>>>>>> ESAPI WAF to be a stand-alone project.  Then the Java lead
>>>>>>>>>>>>>>>> (whoever that is) can implement the ModSecurity rules language
>>>>>>>>>>>>>>>> and redub it "ModSecurity Java Servlet WAF".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>>>>>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner
>>>>>>>>>>>>>> of the owasp-java-waf project :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As you can see, we have work to do :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>>>>>>>>> respected WAF'ers on the planet. He is currently the leader of
>>>>>>>>>>>>>> the OWASP ModSecurity Core Ruleset.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Juan Carlos, do you have any interest in continuing to work on
>>>>>>>>>>>>>> this project sir?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Aloha!
>>>>>>>>>>>>>> - Jim
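The thread above proposes adding SecRule support to the Java WAF with "a limited number of variables and operators" to begin with, and asks for a grammar to build a rule parser from. As an added example that is not part of the original thread, and is not code from owasp-java-waf, ModSecurity or the "Core" spec Ryan mentions, here is the kind of minimal parser and evaluator such a subset implies. The supported variables, operators and transforms are an assumed subset chosen for illustration; the rule ids and the sample request are constructed, not real CRS rules or real traffic.

```java
import java.net.URLDecoder;
import java.util.*;
import java.util.regex.*;

/** Added example, not owasp-java-waf or ModSecurity code: a parser/evaluator for an assumed
 *  SecRule subset. Variables: ARGS, REQUEST_URI, REQUEST_HEADERS, each with an optional ":name"
 *  selector. Operators: @rx (default), @contains, @beginsWith, negatable with "!". Transforms:
 *  t:lowercase, t:urlDecode. Actions: id, msg, deny, t; others (phase, log, ...) are ignored. */
public class MiniSecRule {

    /** Parsed form of: SecRule VARIABLES "OPERATOR" "ACTIONS". */
    public static final class Rule {
        public final List<String> variables = new ArrayList<>(), transforms = new ArrayList<>();
        public String operator = "rx", operand = "", id = "", msg = "";
        public boolean negated, deny;
        Pattern compiled; // cached regex for @rx
    }

    /** Constructed stand-in for the servlet request; header names are stored lowercased. */
    public static final class Request {
        public String uri = "/";
        public final Map<String, String> args = new HashMap<>(), headers = new HashMap<>();
    }

    // SecRule <vars> "<operator>" "<actions>"; the quoted parts may contain \" escapes.
    private static final Pattern LINE = Pattern.compile(
        "^\\s*SecRule\\s+(\\S+)\\s+\"((?:[^\"\\\\]|\\\\.)*)\"\\s+\"((?:[^\"\\\\]|\\\\.)*)\"\\s*$");

    public static Rule parse(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.matches()) throw new IllegalArgumentException("Unsupported SecRule syntax: " + line);
        Rule r = new Rule();
        r.variables.addAll(Arrays.asList(m.group(1).split("\\|")));
        String op = m.group(2).replace("\\\"", "\"");
        if (op.startsWith("!")) { r.negated = true; op = op.substring(1); }
        int sp = op.indexOf(' ');
        if (op.startsWith("@")) {   // explicit operator, e.g. "@contains sqlmap"
            r.operator = sp < 0 ? op.substring(1) : op.substring(1, sp);
            r.operand = sp < 0 ? "" : op.substring(sp + 1);
        } else r.operand = op;      // a bare pattern means @rx, as in ModSecurity
        if (r.operator.equals("rx")) r.compiled = Pattern.compile(r.operand);
        // Split actions on commas that are not inside single quotes (msg:'a, b' stays whole).
        for (String a : m.group(3).split(",(?=(?:[^']*'[^']*')*[^']*$)")) {
            a = a.trim();
            int c = a.indexOf(':');
            String name = c < 0 ? a : a.substring(0, c), val = c < 0 ? "" : a.substring(c + 1);
            if (name.equals("id")) r.id = val;
            else if (name.equals("msg")) r.msg = val.replaceAll("^'|'$", "");
            else if (name.equals("deny")) r.deny = true;
            else if (name.equals("t")) r.transforms.add(val);
        }
        return r;
    }

    // Expand one variable spec ("ARGS", "ARGS:q", "REQUEST_HEADERS:User-Agent", ...) to its values.
    static List<String> values(String var, Request req) {
        int c = var.indexOf(':');
        String coll = c < 0 ? var : var.substring(0, c), key = c < 0 ? null : var.substring(c + 1);
        Map<String, String> src;
        if (coll.equals("REQUEST_URI")) return Collections.singletonList(req.uri);
        else if (coll.equals("ARGS")) src = req.args;
        else if (coll.equals("REQUEST_HEADERS")) { src = req.headers; if (key != null) key = key.toLowerCase(Locale.ROOT); }
        else throw new IllegalArgumentException("Unsupported variable: " + var);
        if (key == null) return new ArrayList<>(src.values());
        return src.containsKey(key) ? Collections.singletonList(src.get(key)) : Collections.<String>emptyList();
    }

    static String transform(String v, List<String> ts) {
        for (String t : ts) {
            if (t.equals("lowercase")) v = v.toLowerCase(Locale.ROOT);
            else if (t.equals("urlDecode")) { try { v = URLDecoder.decode(v, "UTF-8"); } catch (Exception e) { /* keep raw on bad %xx */ } }
            else throw new IllegalArgumentException("Unsupported transform: " + t);
        }
        return v;
    }

    static boolean test(Rule r, String v) {
        boolean hit;
        if (r.operator.equals("rx")) hit = r.compiled.matcher(v).find();
        else if (r.operator.equals("contains")) hit = v.contains(r.operand);
        else if (r.operator.equals("beginsWith")) hit = v.startsWith(r.operand);
        else throw new IllegalArgumentException("Unsupported operator: @" + r.operator);
        return hit != r.negated;    // a leading "!" flips the result
    }

    /** Returns the transformed value that fired the rule, or null when it did not match. */
    public static String evaluate(Rule r, Request req) {
        for (String var : r.variables)
            for (String raw : values(var, req)) {
                String v = transform(raw, r.transforms);
                if (test(r, v)) return v;
            }
        return null;
    }

    public static void main(String[] argv) {
        // Constructed rules in CRS style; the ids are illustrative, not real CRS ids.
        List<Rule> rules = Arrays.asList(
            parse("SecRule ARGS \"@rx union\\s+select\" \"id:900001,phase:2,deny,t:urlDecode,t:lowercase,msg:'SQL injection, UNION SELECT'\""),
            parse("SecRule REQUEST_HEADERS:User-Agent \"@contains sqlmap\" \"id:900002,phase:1,deny,t:lowercase,msg:'Scanner UA'\""),
            parse("SecRule REQUEST_URI \"!@beginsWith /app/\" \"id:900003,phase:1,deny,msg:'Path outside app'\""));
        Request req = new Request();    // constructed request: rules 900001 and 900002 should fire, 900003 should not
        req.uri = "/app/search";
        req.args.put("q", "1%27%20UNION%20SELECT%20password%20FROM%20users");
        req.headers.put("user-agent", "Mozilla/5.0 SQLMap/1.5");
        for (Rule r : rules) {
            String hit = evaluate(r, req);
            System.out.println("rule " + r.id + (hit == null ? ": pass" : ": " + (r.deny ? "DENY" : "match") + " '" + r.msg + "' on [" + hit + "]"));
        }
    }
}
```

Two points a port has to get right even at this size, and which the subset above keeps visible: transformations run in the order listed on the rule, before the operator is applied (here `t:urlDecode` has to precede `t:lowercase` for the `union\s+select` pattern to see decoded, lowercased input), and negation applies to the operator result per value, not to the rule as a whole. Everything the real rule language adds on top of this skeleton (phases, chained rules, macro expansion in operands, the full set of transformations, and the `@pm`/`@pmFromFile` set-matching operators the CRS relies on) is exactly what the "Core" spec discussed above would have to enumerate before the CRS rules can be loaded unchanged.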



More information about the Global-projects-committee mailing list