[GPC] Seeking Java Dev help for ModSecurity Port

Jason Li jason.li at owasp.org
Thu Mar 31 15:24:20 EDT 2011


This is a very long thread between Ryan/Juan/Arshan/Jim and I apologize that
I haven't read through the whole thing - one reason why a project proposal
would be good so that these threads can be rolled up succinctly for OWASP
consumers :)

But from my very quick skim, it sounds like you guys want to create a Java
WAF based on ModSecurity?

For the record, I for one do *not* think that the project should be placed
under the OWASP Java project. The OWASP Java project (to me) is about
getting a knowledge base of proper application security principles for
developers using Java as their programming language. The proposed project is
just a tool/code project that happens to be written in Java. Therefore, I
think they need to be separate projects.

-Jason

On Thu, Mar 31, 2011 at 3:15 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I just got off the phone with Arshan - and he said "guys, run with it"
>
> So I still think we need to put Arshan's name on the project - he is our
> "Java WAF Founding Father" - but it is now our baby to do as we wish
> with it.
>
> Rock on Juan Carlos + Ryan!
>
> Never in my wildest AppSec dreams did I ever expect to be mixed up in
> WAF development. Forgive me if I get overly defensive about it at times.
>
> *insert rim shot here*
>
> - Jim
>
>
> > Speaking selfishly, I would love for this to be hosted under the ModSecurity
> > Project link as I want to bill this as a "port" of ModSecurity to Java. :)
> >
> > I will defer to Juan Carlos and Jim however as they are the leads.
> >
> > -Ryan
> >
> > From:  Paulo Coimbra <paulo.coimbra at owasp.org>
> > Date:  Thu, 31 Mar 2011 18:46:12 +0100
> > To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
> > Corporate, consultant)'" <juan.calderon at ge.com>
> > Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
> > <global-projects-committee at lists.owasp.org>
> > Subject:  RE: Seeking Java Dev help for ModSecurity Port
> >
> >> Jim, Juan & Ryan,
> >>
> >> It's always a pleasure setting up a project for any of you distinguished OWASP
> >> contributors and leaders. I propose though that you first send us a couple of
> >> lines defining the project's purpose and a roadmap. If you agree with doing so
> >> it will allow the GPC to act in accordance with its mission, i.e. "(...) the
> >> GPC shall provide support and direction for new projects. (...)". Additionally,
> >> from what I've understood from the thread below, I was unsure whether or not
> >> this new project could be placed under a broader Java Project hat or if it
> >> could be hosted in a common root link also shared by the ModSecurity Core Rule
> >> Set Project - does my interrogation make any sense?
> >>
> >> http://www.owasp.org/index.php/OWASP_Java_Project
> >>
> >> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> >>
> >> Please note that my above path proposal doesn't intend at all to impose any
> >> kind of constraint on OWASP contributors' initiative and therefore if you
> >> think it is best that I set the templates right now, before further input is
> >> made available, as long as GPC also agrees, it will be done. Truly I am just
> >> looking for an approach to allow us a shared effort to create as much value
> >> and synergies as possible.
> >>
> >> PS. Pablo is fine and, happy for being in people's minds, sends regards :)
> >>
> >>
> >> Thanks,
> >> - Paulo
> >>
> >>
> >> Paulo Coimbra,
> >> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
> >>
> >>
> >> From: Jim Manico [mailto:jim.manico at owasp.org]
> >> Sent: quarta-feira, 30 de Março de 2011 21:31
> >> To: Calderon, Juan Carlos (GE, Corporate, consultant)
> >> Cc: Ryan Barnett; Paulo Coimbra
> >> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>
> >> Paulo,
> >>
> >> We would like to start a new project -
> >>
> >> "The OWASP Java Web Application Firewall"
> >>
> >> Could you send us a project template please? And could you tell Pablo hello
> >> for us? (joking ;)
> >>
> >> Thanks all.
> >> - Jim
> >>
> >> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in to
> >> help us!!!
> >>
> >>>> Not yet, there is not even a project page so far, as this is very new.
> >>>>
> >>>> We should let Pablo know about this "new" project. Would you do it Jim
> >>>> or should I do it?
> >>>>
> >>>> Regards,
> >>>> Juan C Calderon
> >>>> Softtek GDC Aguascalientes
> >>>>
> >>>> -----Original Message-----
> >>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>> Sent: Wednesday, March 30, 2011 1:20 PM
> >>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
> >>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>
> >>>> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
> >>>> mail-list?
> >>>>
> >>>> -Ryan
> >>>>
> >>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate,
> consultant)"
> >>>> <juan.calderon at ge.com> wrote:
> >>>>
> >>>>>> It's OK for me, the more visibility I get on the OWASP WAF the
> >>>>>> better, I expect some people get interested and test it in the real world.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Juan C Calderon
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>> Sent: Wednesday, March 30, 2011 9:51 AM
> >>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
> >>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>
> >>>>>> Awesome news Juan Carlos!  We are putting together a minimum spec for
> >>>>>> porting/supporting the rules language.  I will let you know as soon
> >>>>>> as we have it.  You are right though that it will be a subset of
> >>>>>> variables and operators.
> >>>>>>
> >>>>>> Is it OK with you both if I announce this to the leaders list?
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Ryan
> >>>>>>
> >>>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
> >>>>>> <juan.calderon at ge.com> wrote:
> >>>>>>
> >>>>>>>> It makes sense to me and I agree, adding support for a basic set of
> >>>>>>>> ModSecurity rules will also make it easier to maintain that
> >>>>>>>> compatibility.
> >>>>>>>>
> >>>>>>>> Ok I will plan to add support in the next release for SecRule with a
> >>>>>>>> limited number of variables and operators (to begin with), and maybe
> >>>>>>>> include the rule updater as well.
> >>>>>>>>
> >>>>>>>> Do you have any BNF of the Rules grammar? I could use that to create a
> >>>>>>>> rule parser.
> >>>>>>>> Regards,
> >>>>>>>> Juan C Calderon
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
> >>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
> >>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>
> >>>>>>>> I agree with you that creating similar OWASP WAF policies to match what
> >>>>>>>> is in the OWASP ModSec CRS would be faster, however that is not my goal
> >>>>>>>> :)  I am looking for "ports" of ModSecurity to different platforms.
> >>>>>>>> The way it stands today, if someone is running a Java server (Tomcat,
> >>>>>>>> etc...) and they want to use ModSecurity, they have to setup a local
> >>>>>>>> Apache reverse proxy with ModSec on it and then setup Tomcat on a
> >>>>>>>> different port and proxy to it.  This is kludgy...  While I agree that
> >>>>>>>> you could get similar coverage by expanding the OWASP WAF policies
> >>>>>>>> to detect similar attacks, the key to an actual "port" is using the
> >>>>>>>> ModSecurity rule language.  This would allow Java app server users
> >>>>>>>> to use the OWASP ModSec CRS rules.
> >>>>>>>>
> >>>>>>>> One thing to keep in mind - you don't have to implement all ModSec
> >>>>>>>> functionality for a v1 port.  We are working on documenting a "Core"
> >>>>>>>> spec that outlines what base capabilities you would need.  The main
> >>>>>>>> ones are use of SecRule -
> >>>>>>>>
> >>>>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
> >>>>>>>>
> >>>>>>>> Does this make sense?
> >>>>>>>>
> >>>>>>>> -Ryan
> >>>>>>>>
> >>>>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
> >>>>>>>> <juan.calderon at ge.com> wrote:
> >>>>>>>>
> >>>>>>>>>> Ok I just checked the documentation, I think the best approach to
> >>>>>>>>>> get the fastest result is to create a ModSecurity WAF policy containing
> >>>>>>>>>> equivalent OWASP WAF rules. Creating a parser for ModSecurity Rules
> >>>>>>>>>> will be much harder.
> >>>>>>>>>>
> >>>>>>>>>> What do you think?
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Juan C Calderon
> >>>>>>>>>>
> >>>>>>>>>> -----Original Message-----
> >>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
> >>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
> >>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>>>
> >>>>>>>>>> Outstanding!  Thanks Juan Carlos.
> >>>>>>>>>>
> >>>>>>>>>> FYI - check out the "Ports" section of our Projects page to see
> >>>>>>>>>> what other ports are in progress/on the roadmap -
> >>>>>>>>>> http://www.modsecurity.org/projects/
> >>>>>>>>>>
> >>>>>>>>>> We have a really old Java Servlet Filter version of ModSecurity
> >>>>>>>>>> that may be of some help.  I think that updating the current
> >>>>>>>>>> owasp-java-waf code would probably be better though as the version
> >>>>>>>>>> we had uses the old ModSecurity v.1 rules language syntax.
> >>>>>>>>>>
> >>>>>>>>>> If you look at the link for "Sun Java Web Server Version 7.0 Update 2"
> >>>>>>>>>> - http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
> >>>>>>>>>> - you can see the ModSecurity rules language components they have
> >>>>>>>>>> implemented thus far.
> >>>>>>>>>>
> >>>>>>>>>> Let me know if you need any help!
> >>>>>>>>>>
> >>>>>>>>>> Thanks again,
> >>>>>>>>>> Ryan
> >>>>>>>>>>
> >>>>>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
> >>>>>>>>>> <juan.calderon at ge.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>>> @Ryan, hello again villa-mate :)
> >>>>>>>>>>>>
> >>>>>>>>>>>> @Jim, Yes I do have interest in continuing with this effort, at
> >>>>>>>>>>>> least to make the WAF reach release level.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Let me give the rules a look to see what would it take to
> >>>>>>>>>>>> implement them in the OWASP Java WAF.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Regards,
> >>>>>>>>>>>> Juan C Calderon
> >>>>>>>>>>>>
> >>>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> >>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
> >>>>>>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
> >>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
> >>>>>>>>>>>>
> >>>>>>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
> >>>>>>>>>>>>
> >>>>>>>>>>>> Juan Carlos - let me know what you think about the idea of
> >>>>>>>>>>>> updating the owasp-java-waf code to be able to use the ModSecurity
> >>>>>>>>>>>> Rules Language syntax (SecRules, etc...).
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks,
> >>>>>>>>>>>> Ryan
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
> >>>>>>>>>>>>>>>> Yeah,
> >>>>>>>>>>>>>>>> Let's see if we can move forward with the idea of migrating
> >>>>>>>>>>>>>>>> ESAPI WAF to be a stand-alone project.  Then the Java lead
> >>>>>>>>>>>>>>>> (whoever that is) can implement the ModSecurity rules language
> >>>>>>>>>>>>>>>> and redub it "ModSecurity Java Servlet WAF".
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> The migration to a standalone project is already done, Ryan -
> >>>>>>>>>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner
> >>>>>>>>>>>>>> of the owasp-java-waf project :)
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> http://code.google.com/p/owasp-java-waf/
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> As you can see, we have work to do :)
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
> >>>>>>>>>>>>>> respected WAF'ers on the planet. He is currently the leader of
> >>>>>>>>>>>>>> the OWASP ModSecurity Core Ruleset.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Juan Carlos, do you have any interest in continuing to work on
> >>>>>>>>>>>>>> this project sir?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Aloha!
> >>>>>>>>>>>>>> - Jim
>
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>
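The thread above turns on one technical question: what a "Core" SecRule subset for a Java port has to parse and evaluate before CRS rules can be loaded unchanged (Ryan's minimum spec, Juan Carlos's request for a rule grammar). The following is an added example written for this page; it is not code from the thread, from owasp-java-waf or from ModSecurity itself. It parses the `SecRule VARIABLES "OPERATOR" "ACTIONS"` form for a hypothetical request model that resolves only ARGS, ARGS:name, REQUEST_URI and REQUEST_HEADERS:name, and supports the @rx (also the default when no @operator is given), @contains, @streq and @beginsWith operators with `!` negation. The sample rule and requests in `main` are constructed for illustration and are not CRS rules. It needs Java 9 or later (Set.of/List.of/Map.of).

```java
import java.util.*;
import java.util.regex.Pattern;

/** Added example: parser and evaluator for a small subset of the ModSecurity 2.x SecRule directive. */
public final class SecRuleSubset {
    private static final Set<String> OPERATORS = Set.of("@rx", "@contains", "@streq", "@beginsWith");

    /** A parsed rule. Transformation actions (t:...) are kept in 'actions' but NOT applied here. */
    public static final class Rule {
        final List<String> targets; final String operator; final String argument;
        final boolean negated; final Map<String, String> actions; final Pattern pattern;
        Rule(List<String> t, String op, String arg, boolean neg, Map<String, String> act) {
            targets = t; operator = op; argument = arg; negated = neg; actions = act;
            pattern = op.equals("@rx") ? Pattern.compile(arg) : null; // java.util.regex, not PCRE
        }
    }

    /** Hypothetical request model with only the collections this subset resolves. */
    public static final class Request {
        final String uri; final Map<String, List<String>> args; final Map<String, String> headers;
        Request(String uri, Map<String, List<String>> args, Map<String, String> headers) {
            this.uri = uri; this.args = args; this.headers = headers;
        }
    }

    /** Splits a directive into whitespace-separated fields, honouring double quotes and \" escapes. */
    static List<String> splitFields(String line) {
        List<String> out = new ArrayList<>(); StringBuilder cur = new StringBuilder(); boolean quoted = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (quoted && c == '\\' && i + 1 < line.length() && line.charAt(i + 1) == '"') { cur.append('"'); i++; }
            else if (c == '"') quoted = !quoted;
            else if (!quoted && Character.isWhitespace(c)) { if (cur.length() > 0) { out.add(cur.toString()); cur.setLength(0); } }
            else cur.append(c);
        }
        if (quoted) throw new IllegalArgumentException("unterminated double quote");
        if (cur.length() > 0) out.add(cur.toString());
        return out;
    }

    /** Parses "id:1001,phase:2,deny,msg:'a, b'" into name -> value; single-quoted values may contain commas. */
    static Map<String, String> parseActions(String s) {
        Map<String, String> m = new LinkedHashMap<>(); StringBuilder cur = new StringBuilder(); boolean quoted = false;
        for (int i = 0; i <= s.length(); i++) {
            char c = i < s.length() ? s.charAt(i) : ',';        // sentinel comma flushes the last action
            if (c == '\'') quoted = !quoted;
            else if (c == ',' && !quoted) {
                String a = cur.toString().trim(); int colon = a.indexOf(':');
                if (!a.isEmpty()) m.put(colon < 0 ? a : a.substring(0, colon), colon < 0 ? "" : a.substring(colon + 1));
                cur.setLength(0);
            } else cur.append(c);
        }
        if (quoted) throw new IllegalArgumentException("unterminated single quote in actions");
        return m;
    }

    /** Parses one SecRule line. A second field without an @name is treated as an @rx pattern. */
    public static Rule parse(String line) {
        List<String> f = splitFields(line.trim());
        if (f.size() != 4 || !f.get(0).equals("SecRule"))
            throw new IllegalArgumentException("expected: SecRule VARIABLES \"OPERATOR\" \"ACTIONS\"");
        String op = f.get(2); boolean negated = op.startsWith("!");
        if (negated) op = op.substring(1);
        String name = "@rx", arg = op;
        if (op.startsWith("@")) { int sp = op.indexOf(' '); name = sp < 0 ? op : op.substring(0, sp); arg = sp < 0 ? "" : op.substring(sp + 1); }
        if (!OPERATORS.contains(name)) throw new IllegalArgumentException("unsupported operator: " + name);
        Map<String, String> actions = parseActions(f.get(3));
        if (!actions.containsKey("id")) throw new IllegalArgumentException("rule has no id action");
        return new Rule(Arrays.asList(f.get(1).split("\\|")), name, arg, negated, actions);
    }

    /** Resolves one target such as ARGS, ARGS:q, REQUEST_URI or REQUEST_HEADERS:User-Agent to its values. */
    static List<String> resolve(String target, Request r) {
        int colon = target.indexOf(':');
        String coll = colon < 0 ? target : target.substring(0, colon), sel = colon < 0 ? null : target.substring(colon + 1);
        List<String> vals = new ArrayList<>();
        switch (coll) {
            case "REQUEST_URI": vals.add(r.uri); break;
            case "ARGS": r.args.forEach((k, v) -> { if (sel == null || sel.equalsIgnoreCase(k)) vals.addAll(v); }); break;
            case "REQUEST_HEADERS": r.headers.forEach((k, v) -> { if (sel == null || sel.equalsIgnoreCase(k)) vals.add(v); }); break;
            default: throw new IllegalArgumentException("unsupported variable: " + coll);
        }
        return vals;
    }

    /** Applies the operator to one value; a leading '!' on the operator inverts the result. */
    static boolean operatorMatches(Rule rule, String value) {
        boolean hit;
        switch (rule.operator) {
            case "@rx": hit = rule.pattern.matcher(value).find(); break;
            case "@contains": hit = value.contains(rule.argument); break;
            case "@streq": hit = value.equals(rule.argument); break;
            default: hit = value.startsWith(rule.argument); // @beginsWith, the only remaining validated operator
        }
        return hit != rule.negated;
    }

    /** True if any resolved value matches; like ModSecurity, each target value is evaluated independently. */
    public static boolean matches(Rule rule, Request r) {
        for (String t : rule.targets) for (String v : resolve(t, r)) if (operatorMatches(rule, v)) return true;
        return false;
    }

    public static void main(String[] a) {
        // Constructed sample rule and requests for this example; the rule is illustrative, not a CRS rule.
        Rule rule = parse("SecRule ARGS|REQUEST_URI \"@rx (?i)<script\" \"id:900001,phase:2,deny,msg:'XSS in args, uri'\"");
        Request bad = new Request("/search", Map.of("q", List.of("<ScRiPt>alert(1)</script>")), Map.of("User-Agent", "curl/7.68.0"));
        Request ok = new Request("/search", Map.of("q", List.of("owasp")), Map.of());
        System.out.println("rule " + rule.actions.get("id") + " (" + rule.actions.get("msg") + ")");
        System.out.println("matches bad request: " + matches(rule, bad));
        System.out.println("matches ok request:  " + matches(rule, ok));
    }
}
```

Two caveats a practitioner would check before calling such a subset "CRS compatible". First, this example parses but does not apply transformation actions (t:lowercase, t:urlDecodeUni, t:removeNulls, ...); most CRS rules depend on them, so the sample rule only catches mixed-case `<ScRiPt` because the pattern itself carries `(?i)`, and a percent-encoded payload would pass straight through. Second, the @rx operator here is java.util.regex, whereas ModSecurity compiles its patterns with PCRE; the dialects differ in places, and a pattern that is safe under one engine can backtrack catastrophically under the other, so every CRS regex loaded by a port should be compiled and timed against hostile input rather than assumed to be equivalent.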
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/global-projects-committee/attachments/20110331/73f8c31e/attachment-0001.html