[Owasp-board] Proposal for a new OWASP Project - ModSecurity Core Rule Set

Paulo Coimbra paulo.coimbra at owasp.org
Fri Feb 6 15:08:08 UTC 2009


Hello Ryan,

I have set up the OWASP ModSecurity Core Rule Set project page
<https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project>.
Please feel free to change it as you find best.

I've also created a mailing list and, by now, the admin password must have
been sent automatically to you.

If I may, I suggest contacting the OWASP project leaders to publicize the
project and seek out ideas and/or contributors.

Should you have any further questions, please do not hesitate to get back
to me.

I wish you good work.

Many thanks, best regards,

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>


From: Ryan Barnett [mailto:Ryan.Barnett at breach.com]
Sent: Thursday, 5 February 2009 21:08
To: paulo.coimbra at owasp.org
Subject: RE: Proposal for a new OWASP Project - ModSecurity Core Rule Set

Data inline below.


From: paulo coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Thursday, February 05, 2009 11:14 AM
To: Ryan Barnett
Cc: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: RE: Proposal for a new OWASP Project - ModSecurity Core Rule Set

 

Dear Ryan,

I am very glad to hear about your proposal, which we undoubtedly welcome.
Thank you for continuously supporting the OWASP Foundation.

Regarding your question, I am carbon copying both the OWASP Board and the
OWASP Project's Committee to find out whether they have suggestions or
recommendations for you.

Meanwhile, for your reference, please read the OWASP Assessment Criteria
<https://www.owasp.org/index.php/Category:OWASP_Project_Assessment>
and take a look at an example of an OWASP Project skeleton/main frame
<https://www.owasp.org/index.php/Project_Information:template_Code_Review_Project>.

In addition, as I am sure no opposition to your proposed project will
arise, so as to set up the project page, I ask you to be kind enough to send
me the following information.


1. Project Name

[Ryan Barnett] ModSecurity Core Rule Set

2. Short Project Description

[Ryan Barnett] The purpose of this project is the documentation and
development of the ModSecurity Core Rule Set. Unlike intrusion detection
and prevention systems, which rely on signatures specific to known
vulnerabilities, the Core Rules are based on generic rules in order to
provide protection from zero-day and unknown vulnerabilities often found in
web applications, which are in most cases custom coded.

3. Main link(s) - if any

[Ryan Barnett] Will complete this soon.

4. Detailed roadmap for future developments

[Ryan Barnett] Will complete this soon.

5. License - see here <http://www.owasp.org/index.php/OWASP_Licenses>

[Ryan Barnett] GNU GENERAL PUBLIC LICENSE

6. Sponsor(s) - if any

[Ryan Barnett] Breach Security Labs
(http://www.breach.com/resources/breach-security-labs/index.html)

7. Project Leader

[Ryan Barnett] Ryan Barnett (wiki account username - rcbarnett)

8. Project Contributors* - if any

[Ryan Barnett] Brian Rectanus

9. First Reviewer

[Ryan Barnett] Ofer Shezaf (contacted - waiting for confirmation)

10. Second Reviewer

[Ryan Barnett] Ivan Ristic (contacted - waiting for confirmation)

 

Please take into account that, as a result of what is established in the OWASP
Assessment Criteria, if possible, the project's lead should suggest two
Project Reviewers. One of them should be an OWASP Project or Chapter Leader.
However, if you find it impossible to track them down, please let me know and I
will try and help.

* For Project Leader, Contributors and Reviewers, please create a wiki
account <https://www.owasp.org/index.php/Special:Userlogin> and send me
the link. See here <https://www.owasp.org/index.php/Tutorial> how to do it,
and here
<https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project>
and here <https://www.owasp.org/index.php/User:Mike.boberski> for an example
of how it will be used.

Should you have any further questions, please do not hesitate to get back
to me.

Please give my best to Ivan Ristic.

Many thanks, best regards,

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>


From: Ryan Barnett [mailto:Ryan.Barnett at Breach.com]
Sent: Monday, 2 February 2009 15:20
To: paulo.coimbra at owasp.org
Subject: Proposal for a new OWASP Project - ModSecurity Core Rule Set


Hello Paulo,

As you may know, Breach Security has been the driving force behind the open
source ModSecurity application and its Core Rule Set (CRS) -
http://www.modsecurity.org/projects/rules/index.html. While the CRS is an
extremely valuable resource for the community, its growth has been hampered
by the fact that it is not truly a "community" project. The ModSecurity
site is a static site and thus does not allow for community collaboration
(wiki, etc.). People can only download the rules and then use the
ModSecurity Users Mail-list to discuss issues. We would like to propose
that the CRS become an OWASP Project so that the community may provide
updates (such as new rules, documentation, false positive fixes).

Please let me know the proper process for getting this up and running.

Cheers.

Ryan Barnett
Director of Application Security Research
Phone: (703) 794-2248
Cell: (703) 269-8998
Breach Security, Inc.
2141 Palomar Airport Road, Suite 200
Carlsbad, CA 92011
www.breach.com <http://www.breach.com/>
BreachSecurityLabs

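The distinction Ryan draws in his project description, between vulnerability-specific signatures and the generic rules the Core Rule Set is built on, is easier to see with a small side-by-side comparison. The Python below is an added illustration for this archive page; it is not code from the thread, from ModSecurity or from the Core Rule Set. The sample query strings, the single "known exploit" signature and the two generic SQL-injection patterns are all constructed for the demonstration, and the rule logic is a deliberately simplified stand-in for a WAF's transformation-then-match pipeline.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings (not from the page), each paired with
# whether a WAF should treat it as an attack.
SAMPLE_REQUESTS = [
    ("id=42", False),                                            # ordinary request
    ("id=42 UNION SELECT username,password FROM users", True),  # the one exploit string we "know"
    ("id=42' OR '1'='1", True),                                  # a different SQLi technique
    ("id=42/**/uNiOn/**/sElEcT/**/1,2", True),                   # comment-obfuscated variant
    ("id=42%20UNION%20SELECT%201,2", True),                      # URL-encoded variant
    ("q=select a book about unions", False),                     # benign text containing keywords
]

# Signature-style rule: exact strings for exploits that are already known.
KNOWN_EXPLOIT_SIGNATURES = [
    "UNION SELECT username,password FROM users",
]

# Generic-style rules: describe the shape of the attack class (SQL syntax
# inside user input) rather than any particular vulnerable application.
GENERIC_SQLI_PATTERNS = [
    # UNION ... SELECT, tolerating whitespace or inline comments between keywords
    re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?\bselect\b", re.IGNORECASE),
    # quote break-out followed by a tautology, e.g. ' OR '1'='1
    re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE),
]


def normalize(raw: str) -> str:
    """Stand-in for the WAF transformation step: URL-decode before inspection."""
    return unquote_plus(raw)


def signature_match(value: str) -> bool:
    """True if the normalized input contains a known exploit string."""
    return any(sig in value for sig in KNOWN_EXPLOIT_SIGNATURES)


def generic_match(value: str) -> bool:
    """True if the normalized input matches a generic attack-class pattern."""
    return any(p.search(value) is not None for p in GENERIC_SQLI_PATTERNS)


def evaluate(rule, samples):
    """Run one rule over labelled samples; count detections, misses and false positives."""
    result = {"detected": 0, "missed": 0, "false_positives": 0}
    for raw, is_attack in samples:
        hit = rule(normalize(raw))
        if is_attack and hit:
            result["detected"] += 1
        elif is_attack:
            result["missed"] += 1
        elif hit:
            result["false_positives"] += 1
    return result


if __name__ == "__main__":
    for name, rule in (("signature", signature_match), ("generic", generic_match)):
        print(f"{name:>9}: {evaluate(rule, SAMPLE_REQUESTS)}")
```

Over these constructed samples the signature rule catches only the one exploit string it was written for and misses the three variants, while the two generic patterns catch all four attacks and still leave the benign sentence containing "select" and "unions" alone. The price of generic rules in a real deployment is the false-positive tuning Ryan mentions as one of the things a community could contribute.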
