[GPC] Seeking Java Dev help for ModSecurity Port

Jim Manico jim.manico at owasp.org
Thu Mar 31 15:27:42 EDT 2011


Jason,

First steps - we are stating our intention and have placed the code in a
formal repo at Google Code. We also got permission from Arshan (the
original coder) to run with it.

Next step - formal project proposal. One of us will get to it soon.

We do not want this under the "java project". As Ryan stated, we want
this under the ModSecurity core ruleset project.

Aloha,
Jim



> This is a very long thread between Ryan/Juan/Arshan/Jim and I apologize that
> I haven't read through the whole thing - one reason why a project proposal
> would be good so that these threads can be rolled up succinctly for OWASP
> consumers :)
> 
> But from my very quick skim, it sounds like you guys want to create a Java
> WAF based on ModSecurity?
> 
> For the record, I for one do *not* think that the project should be placed
> under the OWASP Java project. The OWASP Java project (to me) is about
> getting a knowledge base of proper application security principles for
> developers using Java as their programming language. The proposed project is
> just a tool/code project that happens to be written in Java. Therefore, I
> think they need to be separate projects.
> 
> -Jason
> 
> On Thu, Mar 31, 2011 at 3:15 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> I just got off the phone with Arshan - and he said "guys, run with it"
>>
>> So I still think we need to put Arshan's name on the project - he is our
>> "Java WAF Founding Father" - but it is now our baby to do as we wish
>> with it.
>>
>> Rock on Juan Carlos + Ryan!
>>
>> Never in my wildest AppSec dreams did I ever expect to be mixed up in
>> WAF development. Forgive me if I get overly defensive about it at times.
>>
>> *insert rim shot here*
>>
>> - Jim
>>
>>
>>> Speaking selfishly, I would love for this to be hosted under the
>>> ModSecurity Project link as I want to bill this as a "port" of
>>> ModSecurity to Java. :)
>>>
>>> I will defer to Juan Carlos and Jim however as they are the leads.
>>>
>>> -Ryan
>>>
>>> From:  Paulo Coimbra <paulo.coimbra at owasp.org>
>>> Date:  Thu, 31 Mar 2011 18:46:12 +0100
>>> To:  'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
>>> Corporate, consultant)'" <juan.calderon at ge.com>
>>> Cc:  Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
>>> <global-projects-committee at lists.owasp.org>
>>> Subject:  RE: Seeking Java Dev help for ModSecurity Port
>>>
>>>> Jim, Juan & Ryan,
>>>>
>>>> It's always a pleasure setting up a project for any of you distinguished
>>>> OWASP contributors and leaders. I propose though you firstly send us off
>>>> a couple of lines defining the project's purpose and a roadmap. If you
>>>> agree with doing so it will allow the GPC acting in accordance with its
>>>> mission i.e. "(...) the GPC shall provide support and direction for new
>>>> projects. (...)". Additionally, from what I've understood from the thread
>>>> below, I was unsure whether or not this new project could be placed under
>>>> a broader Java Project hat or if it could be hosted in a common root link
>>>> also shared by the ModSecurity Core Rule Set Project - does my
>>>> interrogation make any sense?
>>>>
>>>> http://www.owasp.org/index.php/OWASP_Java_Project
>>>>
>>>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>>
>>>> Please note that my above path proposal doesn't intend at all to impose
>>>> any kind of constraint to OWASP contributors' initiative and therefore if
>>>> you think it is best that I set the templates right now before further
>>>> input is made available, as long as GPC also agrees, it will be done.
>>>> Truly I am just looking for an approach to allow us a shared effort to
>>>> create as much value and synergies as possible.
>>>>
>>>> PS. Pablo is fine and, happy for being in people's minds, sends regards :)
>>>>
>>>>
>>>> Thanks,
>>>> - Paulo
>>>>
>>>>
>>>> Paulo Coimbra,
>>>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>>>
>>>>
>>>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>>> Sent: Wednesday, 30 March 2011 21:31
>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
>>>> Cc: Ryan Barnett; Paulo Coimbra
>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>
>>>> Paulo,
>>>>
>>>> We would like to start a new project -
>>>>
>>>> "The OWASP Java Web Application Firewall"
>>>>
>>>> Could you send us a project template please? And could you tell Pablo
>>>> hello for us? (joking ;)
>>>>
>>>> Thanks all.
>>>> - Jim
>>>>
>>>> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping
>>>> in to help us!!!
>>>>
>>>>>> Not yet, there is not even a project page so far, as this is very new.
>>>>>>
>>>>>> We should let Pablo know about this "new" project. Would you do it Jim
>>>>>> or should I do it?
>>>>>>
>>>>>> Regards,
>>>>>> Juan C Calderon
>>>>>> Softtek GDC Aguascalientes
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>> Sent: Wednesday, March 30, 2011 1:20 PM
>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>
>>>>>> Should I CC Arshan on this topic?  Or is there an owasp-java-waf
>>>>>> mail-list?
>>>>>>
>>>>>> -Ryan
>>>>>>
>>>>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate,
>>>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>>>
>>>>>>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>>>>>>> better, I expect some people get interested and test it in the real
>>>>>>>> world.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Juan C Calderon
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>
>>>>>>>> Awesome news Juan Carlos!  We are putting together a minimum spec
>>>>>>>> for porting/supporting the rules language.  I will let you know as
>>>>>>>> soon as we have it.  You are right though that it will be a subset
>>>>>>>> of variables and operators.
>>>>>>>>
>>>>>>>> Is it OK with you both if I announce this to the leaders list?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Ryan
>>>>>>>>
>>>>>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate,
>>>>>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>>>>>
>>>>>>>>>> It makes sense to me and I agree, adding support for a basic set of
>>>>>>>>>> ModSecurity rules will also make it easier to maintain that
>>>>>>>>>> compatibility.
>>>>>>>>>>
>>>>>>>>>> Ok I will plan to add support in the next release for SecRule with
>>>>>>>>>> a limited number of variables and operators (to begin with), and
>>>>>>>>>> maybe include the rule updater as well.
>>>>>>>>>>
>>>>>>>>>> Do you have any BNF of Rules grammar? I could use that to create a
>>>>>>>>>> rule parser.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Juan C Calderon
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>
>>>>>>>>>> I agree with you that creating similar OWASP WAF policies to match
>>>>>>>>>> what is in the OWASP ModSec CRS would be faster, however that is
>>>>>>>>>> not my goal :)  I am looking for "ports" of ModSecurity to
>>>>>>>>>> different platforms.  The way it stands today, if someone is
>>>>>>>>>> running a Java server (Tomcat, etc...) and they want to use
>>>>>>>>>> ModSecurity, they have to set up a local Apache reverse proxy with
>>>>>>>>>> ModSec on it and then set up Tomcat on a different port and proxy
>>>>>>>>>> to it.  This is kludgy...  While I agree that you could get similar
>>>>>>>>>> coverage by expanding the OWASP WAF policies to detect similar
>>>>>>>>>> attacks, the key to an actual "port" is using the ModSecurity rule
>>>>>>>>>> language.  This would allow Java app server users to use the OWASP
>>>>>>>>>> ModSec CRS rules.
>>>>>>>>>>
>>>>>>>>>> One thing to keep in mind - you don't have to implement all ModSec
>>>>>>>>>> functionality for a v1 port.  We are working on documenting a
>>>>>>>>>> "Core" spec that outlines what base capabilities you would need.
>>>>>>>>>> The main ones are use of SecRule -
>>>>>>>>>>
>>>>>>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>>>>>>>>
>>>>>>>>>> Does this make sense?
>>>>>>>>>>
>>>>>>>>>> -Ryan
>>>>>>>>>>
>>>>>>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate,
>>>>>>>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>>>>>>>
>>>>>>>>>>>> Ok I just checked the documentation, I think the best approach
>>>>>>>>>>>> to get the faster result is to create a ModSecurity WAF policy
>>>>>>>>>>>> containing equivalent OWASP WAF rules. Creating a parser for
>>>>>>>>>>>> ModSecurity Rules will be much harder.
>>>>>>>>>>>>
>>>>>>>>>>>> What do you think?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>>>>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>
>>>>>>>>>>>> Outstanding!  Thanks Juan Carlos.
>>>>>>>>>>>>
>>>>>>>>>>>> FYI - check out the "Ports" section of our Projects page to see
>>>>>>>>>>>> what other ports are in progress/on the roadmap -
>>>>>>>>>>>> http://www.modsecurity.org/projects/
>>>>>>>>>>>>
>>>>>>>>>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>>>>>>>>>> that may be of some help.  I think that updating the current
>>>>>>>>>>>> owasp-java-waf code would probably be better though as the
>>>>>>>>>>>> version we had uses the old ModSecurity v.1 rules language syntax.
>>>>>>>>>>>>
>>>>>>>>>>>> If you look at the link for "Sun Java Web Server Version 7.0
>>>>>>>>>>>> Update 2" -
>>>>>>>>>>>> http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>>>>>>>>> - you can see the ModSecurity rules language components they have
>>>>>>>>>>>> implemented thus far.
>>>>>>>>>>>>
>>>>>>>>>>>> Let me know if you need any help!
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks again,
>>>>>>>>>>>> Ryan
>>>>>>>>>>>>
>>>>>>>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate,
>>>>>>>>>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>> @Ryan, hello again villa-mate :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> @Jim, Yes I do have interest in continuing with this effort at
>>>>>>>>>>>>>> least to make the WAF reach release level.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Let me give the rules a look to see what it would take to
>>>>>>>>>>>>>> implement them in the OWASP Java WAF.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Juan C Calderon
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>>>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>>>>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>>>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>>>>>>>>>> updating the owasp-java-waf code to be able to use the
>>>>>>>>>>>>>> ModSecurity Rules Language syntax (SecRules, etc...).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Ryan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>>>>>>>>>>>> Yeah,
>>>>>>>>>>>>>>>>>> Let's see if we can move forward with the idea of
>>>>>>>>>>>>>>>>>> migrating ESAPI WAF to be a stand-alone project.  Then the
>>>>>>>>>>>>>>>>>> Java lead (whoever that is) can implement the ModSecurity
>>>>>>>>>>>>>>>>>> rules language and redub it "ModSecurity Java Servlet WAF".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>>>>>>>>>>>> meet Juan Carlos Calderon; he is "by default" the current
>>>>>>>>>>>>>>>> owner of the owasp-java-waf project :)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> As you can see, we have work to do :)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>>>>>>>>>>> respected WAF'ers on the planet. He is currently the leader
>>>>>>>>>>>>>>>> of the OWASP ModSecurity Core Ruleset.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Juan Carlos, do you have any interest in continuing to work
>>>>>>>>>>>>>>>> on this project sir?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Aloha!
>>>>>>>>>>>>>>>> - Jim
>>
>> _______________________________________________
>> Global-projects-committee mailing list
>> Global-projects-committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>
> 
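The SecRule subset that Ryan and Juan Carlos discuss in the quoted thread above (a parser for the `SecRule VARIABLES "OPERATOR" "ACTIONS"` directive with a limited set of variables and operators), shown as an added Java example. This is not code from the owasp-java-waf project or from ModSecurity: the `MiniSecRule` class, its choice of supported targets (`ARGS` and `REQUEST_HEADERS` collections, an optional `:selector`, and selector-level `!` exclusion), its operators (`@rx`, which is also the implicit default, `@contains`, `@streq`, `@pm`), and the sample rule and request in `main` are all assumptions constructed for this illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

/**
 * Minimal parser and evaluator for a subset of the ModSecurity SecRule directive:
 *   SecRule VARIABLES "OPERATOR" "ACTIONS"
 * Hypothetical example code, not the owasp-java-waf or ModSecurity implementation.
 */
public class MiniSecRule {

    /** One parsed SecRule: targets, operator (default @rx), operator argument, actions. */
    public static final class Rule {
        public final List<String> variables = new ArrayList<>();
        public String operator = "rx";
        public String argument = "";
        public final Map<String, String> actions = new LinkedHashMap<>();
    }

    /** Splits the directive into whitespace-separated tokens; double quotes group, \" escapes a quote. */
    static List<String> tokenize(String line) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (c == '\\' && i + 1 < line.length() && line.charAt(i + 1) == '"') {
                cur.append('"'); i++;            // other backslashes are kept for the regex
            } else if (c == '"') {
                quoted = !quoted;
            } else if (!quoted && Character.isWhitespace(c)) {
                if (cur.length() > 0) { out.add(cur.toString()); cur.setLength(0); }
            } else {
                cur.append(c);
            }
        }
        if (cur.length() > 0) out.add(cur.toString());
        return out;
    }

    public static Rule parse(String line) {
        List<String> t = tokenize(line.trim());
        if (t.size() < 3 || !t.get(0).equals("SecRule"))
            throw new IllegalArgumentException("expected: SecRule VARIABLES OPERATOR [ACTIONS]");
        Rule r = new Rule();
        Collections.addAll(r.variables, t.get(1).split("\\|"));
        String op = t.get(2);
        if (op.startsWith("@")) {                // "@name argument"
            int sp = op.indexOf(' ');
            r.operator = sp < 0 ? op.substring(1) : op.substring(1, sp);
            r.argument = sp < 0 ? "" : op.substring(sp + 1).trim();
        } else {
            r.argument = op;                     // bare pattern means the implicit @rx
        }
        if (t.size() > 3) parseActions(t.get(3), r.actions);
        return r;
    }

    /** Actions are comma-separated "name:value" items; single-quoted values may contain commas. */
    static void parseActions(String s, Map<String, String> into) {
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i <= s.length(); i++) {
            char c = i < s.length() ? s.charAt(i) : ',';   // sentinel flushes the last action
            if (c == '\'') { quoted = !quoted; continue; }
            if (c == ',' && !quoted) {
                String a = cur.toString().trim();
                int colon = a.indexOf(':');
                if (!a.isEmpty())
                    into.put(colon < 0 ? a : a.substring(0, colon), colon < 0 ? "" : a.substring(colon + 1));
                cur.setLength(0);
                continue;
            }
            cur.append(c);
        }
    }

    /** Expands VARIABLES against a request (collection -> name -> value); "!COLL:name" exclusions are applied last. */
    static Map<String, String> expand(Rule r, Map<String, Map<String, String>> req) {
        Map<String, String> targets = new LinkedHashMap<>();
        for (String v : r.variables) {
            if (v.startsWith("!")) continue;
            String[] p = v.split(":", 2);
            for (Map.Entry<String, String> e : req.getOrDefault(p[0], Collections.<String, String>emptyMap()).entrySet())
                if (p.length == 1 || p[1].equalsIgnoreCase(e.getKey()))
                    targets.put(p[0] + ":" + e.getKey(), e.getValue());
        }
        for (String v : r.variables)
            if (v.startsWith("!")) targets.remove(v.substring(1));   // selector-level exclusion only
        return targets;
    }

    static boolean test(Rule r, String value) {
        switch (r.operator) {
            case "rx":       return Pattern.compile(r.argument).matcher(value).find();
            case "contains": return value.contains(r.argument);
            case "streq":    return value.equals(r.argument);
            case "pm":       // phrase match: any listed phrase, case-insensitive as in ModSecurity
                String lower = value.toLowerCase(Locale.ROOT);
                for (String phrase : r.argument.split("\\s+"))
                    if (lower.contains(phrase.toLowerCase(Locale.ROOT))) return true;
                return false;
            default:
                throw new UnsupportedOperationException("@" + r.operator + " is outside the v1 subset");
        }
    }

    /** Returns the first matching target ("COLLECTION:name") or null; acting on "deny" etc. is the caller's job. */
    public static String evaluate(Rule r, Map<String, Map<String, String>> req) {
        for (Map.Entry<String, String> e : expand(r, req).entrySet())
            if (test(r, e.getValue())) return e.getKey();
        return null;
    }

    public static void main(String[] args) {
        // Constructed rule in CRS style; the id and message are made up for this example.
        Rule rule = parse("SecRule ARGS|!ARGS:comment \"@rx (?i:union\\s+select)\" "
                + "\"id:1001,phase:2,deny,status:403,msg:'SQLi probe, example rule'\"");
        Map<String, String> params = new LinkedHashMap<>();       // constructed request parameters
        params.put("comment", "mentioning UNION SELECT here is excluded from the rule");
        params.put("q", "1 UNION SELECT name FROM users");
        Map<String, Map<String, String>> req = new HashMap<>();
        req.put("ARGS", params);
        String hit = evaluate(rule, req);
        System.out.println(hit == null ? "no match" : "matched " + hit + " -> " + rule.actions);
    }
}
```

Compile and run with `javac MiniSecRule.java && java MiniSecRule`. The example keeps the three pieces of a v1 port separate on purpose: tokenizing the directive, expanding the variable list against the request, and applying the operator, so that each can grow independently (more collections, transformations, chained rules, phases and the disruptive actions) without the grammar changing underneath.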


