[Owasp-board] ModSecurity Core Rule Set Project Status

Paulo Coimbra paulo.coimbra at owasp.org
Thu Aug 26 14:49:55 UTC 2010


Ryan,

 

I thank you for your update and congratulate you on the historic progress! I am
currently updating the ‘Project Details’ page so as to set its newest
version up. If you agree, after having it done I will come back to you to
see whether or not my changes deserve your agreement and to answer you
regarding the project’s promotion question. I am counting on contacting
you again later today.

 

Thanks,

 

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

 

From: Ryan Barnett [mailto:ryan.barnett at owasp.org] 
Sent: Thursday, 26 August 2010 15:43
To: Paulo Coimbra
Cc: mtesauro at gmail.com
Subject: FW: ModSecurity Core Rule Set Project Status

 

Paulo,
Now that we have completed the project review, what are the next steps for
promoting the project to release quality?

http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project_-_ModSecurity_2.0.6_-_Assessment

Thanks,
Ryan


------ Forwarded Message

From: Leonardo Cavallari Militelli <leonardocavallari at gmail.com>
Date: Wed, 25 Aug 2010 06:36:21 -0500
To: Ryan Barnett <RBarnett at trustwave.com>
Cc: "mtesauro at gmail.com" <mtesauro at gmail.com>, Paulo Coimbra
<paulo.coimbra at owasp.org>
Subject: Re: ModSecurity Core Rule Set Project Status

 

Hey,

One of them was an exchange contract application, complex though. The other
one was a CMS application, simple but it caused lots of false positives and
made it unusable.
If I have time to investigate them further, I'll let you know of any progress
or doubts.

Regards,
Leo



On Tue, Aug 24, 2010 at 9:06 PM, Ryan Barnett <RBarnett at trustwave.com>
wrote:

Outstanding!  Thanks for completing this Leo.  For my own reference, what
were the two applications where ModSecurity had issues?

Paulo/Matt – what do I need to do now to promote the CRS to a release
quality project?

-Ryan


On 8/24/10 8:00 PM, "Leonardo Cavallari Militelli"
<leonardocavallari at gmail.com> wrote:

Hello Ryan,

Finally, my review has finished. I tested it under 5 real world
applications, but unfortunately couldn't make ModSecurity coexist with 2
of them.
That is to say, CRS is okay, but ModSecurity got stuck many times during my review.
As the CRS project can't exist without it, I would recommend having free
references to ModSecurity, installation and configuration guidelines,
FAQs, a knowledge base of common problems and fixes.

Sorry for any inconvenience,
Leo Cavallari



On Fri, Aug 20, 2010 at 5:10 PM, Ryan Barnett <RBarnett at trustwave.com>
wrote:
Hey Leo,
Any update on completing the CRS project review?  If you don’t have the time
I understand.  Just let me know and I will try and find someone else.

Thanks,
Ryan


On 8/4/10 9:52 AM, "Leonardo Cavallari Militelli"
<leonardocavallari at gmail.com> wrote:

Hi Ryan,

I started filling in my review weeks ago, but it still needs to be completed.
In short, I missed some documentation regarding install procedures of
mod_security, a prerequisite to use CRS. I did have some problems installing it
on some distros. I should send it to you :) Master of Mod_security!

Yeah, I heard about the Breach acquisition. TW is getting stronger every day;
a couple of friends work for it (Rodrigo Montoro Sp0oker, Bruno Gonçalves (my
company's former employee) and Ronaldo Vasconcelos).
Curiously, I applied for a position early this year, did 2 interviews but
was never contacted again... I was looking for something more solid than
this unstable life of a consultant. But things are getting good for my
company now.
Good luck in your new position!

Well, you are tired of hearing fake promises...  I got some time this week
and I'll finish it. In this "trust wave", trust me :)

Regards,
Leo


On Tue, Aug 3, 2010 at 12:32 PM, Ryan Barnett <rbarnett at trustwave.com>
wrote:
Hey Leo,
Just checking in on the status of the project review.  Congrats on the birth
of your new child and I am sympathetic with your lack of extra time.  I have
a four year old daughter and I remember those early times...

With regards to Darryl, no, he doesn't work with us anymore.  I can't
remember who he is with now.  You may have heard as well that Breach
Security was recently acquired by Trustwave.  I now work on the SpiderLabs
Research Team.

Just let me know if you need anything from me with regards to the CRS
review.

Cheers,
Ryan
________________________________
From: Leonardo Cavallari Militelli [leonardocavallari at gmail.com]
Sent: Tuesday, May 25, 2010 9:19 AM
To: Ryan Barnett

Subject: Re: ModSecurity Core Rule Set Project Status

Hello Ryan,

I'm in debt to your project but I'll finish my review this week, no
excuses. :)
The point is my first kid was born within this period and my time has shrunk
a little bit more.

I'm testing CRS under Debian 5.04 and Ubuntu 9.04. I had implemented some
WAFs before (e.g. Imperva), but never worked with ModSecurity before. Have to
tell you that it's impressive!!

BTW, does Darryl Gordon still work at Breach?

Best,
Leo


On Mon, May 24, 2010 at 12:25 PM, Ryan Barnett <ryan.barnett at breach.com>
wrote:
Hey Leo,
Just checking in on the status.  Any updates?

Thanks.
Ryan

On Wednesday 31 March 2010 11:04:38 you wrote:
> Hello Ryan,
>
> I'll let you know as soon as I finish it.
> Regards,
> Leo
>
> On Wed, Mar 31, 2010 at 11:43 AM, Ryan Barnett
> <ryan.barnett at breach.com> wrote: FYI -
> Ivan has completed his review of the Project -
>
> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project_-_ModSecurity_2.0.4_-_Assessment#tab=First_Reviewer
>
> Leonardo - Please let me know if you have any questions/comments as you
> complete your review.
>
> Thanks.
>
> --Ryan
>
> On Wednesday 25 November 2009 14:46:17 Paulo Coimbra wrote:
> > Ivan,
> >
> > I thank you for keeping us updated. We will be waiting for your notes.
> >
> > Regards,
> >
> > Paulo Coimbra,
> > OWASP Project Manager
> >
> > > >-----Original Message-----
> > > >From: Ivan Ristic [mailto:ivanr at webkreator.com]
> > > >Sent: Wednesday, 25 November 2009 19:42
> > > >To: paulo.coimbra at owasp.org
> > > >Cc: 'Ryan Barnett'; 'Global Projects Committee'; 'Leonardo Cavallari
> > > >Militelli'; ivan.ristic at breach.com
> > > >Subject: Re: ModSecurity Core Rule Set Project Status
> > > >
> > > >Just FYI, I have finished my review, but I will only be able to
> > > >compile my notes next week.
> > > >
> > > >BTW, I no longer receive email sent to ivan.ristic at breach.com.
> > > >
> > > >Ivan
> > > >
> > > >Paulo Coimbra wrote:
> > > >> Hello Ryan,
> > > >>
> > > >>
> > > >>
> > > >> I thank your swift answer.
> > > >>
> > > >>
> > > >>
> > > >> I’ve added the reviewers’ names at the assessment page
> > > >> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project_-_ModSecurity_2.0.3_-_Assessment.
> > > >>
> > > >> Please do not hesitate and get back to me if you think I can be of
> > > >> any help.
> > > >
> > > >> Best regards,
> > > >>
> > > >>
> > > >>
> > > >> Paulo Coimbra,
> > > >>
> > > >> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> > > >>
> > > >>
> > > >>
> > > >> *From:* Ryan Barnett [mailto:ryan.barnett at breach.com]
> > > >> *Sent:* Tuesday, 24 November 2009 18:36
> > > >> *To:* paulo.coimbra at owasp.org
> > > >> *Cc:* 'Global Projects Committee'; 'Leonardo Cavallari Militelli'
> > > >> *Subject:* Re: ModSecurity Core Rule Set Project Status
> > > >>
> > > >>
> > > >>
> > > >> Thanks for getting back to me and thank you Leonardo for offering to
> > > >> help. I did get confirmation from Ivan Ristic that he would be the 1st
> > > >> reviewer however he won't be able to start for a few more weeks.
> > > >>
> > > >> I will get some more stuff updated and after I work with Ivan, I will
> > > >> notify Leonardo to begin his review.
> > > >>
> > > >> Thanks again.
> > > >>
> > > >> Ryan Barnett
> > > >>
> > > >> Director of Application Security Research
> > > >>
> > > >> Phone: (703) 794-2248
> > > >>
> > > >> Cell: (703) 269-8998
> > > >>
> > > >> Breach Security, Inc.
> > > >>
> > > >> 2141 Palomar Airport Road, Suite 200
> > > >>
> > > >> Carlsbad, CA 92011
> > > >>
> > > >> www.breach.com <http://www.breach.com/>
> > > >>
> > > >> On Tuesday 24 November 2009 01:22:52 pm Paulo Coimbra wrote:
> > > >>> Hello Ryan,
> > > >>>
> > > >>>
> > > >>>
> > > >>> The GPC has allocated one of its members to act as ModSecurity’s
> > > >>> reviewer.
> > > >>>
> > > >>> Leonardo Cavallari Militelli
> > > >>> http://www.owasp.org/index.php/User:Leocavallari is the GPC member that
> > > >>> has volunteered to assume the task.
> > > >>>
> > > >>>
> > > >>>
> > > >>> Have you already decided about the first reviewer? Are you still
> > > >>> thinking of inviting either Ivan Ristic or Ofer Shezaf? Have you also
> > > >>> seen the email in which Marc Chisinevski showed his willingness to
> > > >>> assume the task?
> > > >>>
> > > >>>
> > > >>>
> > > >>> Please drop me a line and let me know how you want to proceed.
> > > >>>
> > > >>>
> > > >>>
> > > >>> Many thanks, best regards,
> > > >>>
> > > >>>
> > > >>>
> > > >>> Paulo Coimbra,
> > > >>>
> > > >>> OWASP Project Manager<https://www.owasp.org/index.php/Main_Page>
> > > >>>
> > > >>>
> > > >>>
> > > >>> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> > > >>>
> > > >>> Sent: Thursday, 12 November 2009 18:20
> > > >>>
> > > >>> To: 'Ryan Barnett'
> > > >>>
> > > >>> Cc: 'Global Projects Committee'
> > > >>>
> > > >>> Subject: RE: ModSecurity Core Rule Set Project Status
> > > >>>
> > > >>>
> > > >>>
> > > >>> Hello Ryan,
> > > >>>
> > > >>>
> > > >>>
> > > >>> The missing release wiki page has already been set up
> > > >>> http://www.owasp.org/index.php/OWASP_ModSecurity_Core_Rule_Set_Project_-_ModSecurity_2.0.3.
> > > >>> Please check it out and feel free to change it as you find best.
> > > >>>
> > > >>>
> > > >>>
> > > >>> In my perspective, right now, before the beginning of the assessment
> > > >>> process, we only have a couple of issues to sort:
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>> 1. Project Pamphlet
> > > >>>
> > > >>> http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/,
> > > >>>
> > > >>>
> > > >>>
> > > >>> 2. Brian Rectanus’s wiki account
> > > >>>
> > > >>>
> > > >>>
> > > >>> 3. Project Roadmap
> > > >>>
> > > >>> http://globalprojectscommittee.wordpress.com/2009/09/28/clarification-of-requirements-for-assessment-crirteria-v2/
> > > >>>
> > > >>>
> > > >>>
> > > >>> 4. First reviewer,
> > > >>>
> > > >>>
> > > >>>
> > > >>> 5. Second reviewer,
> > > >>>
> > > >>>
> > > >>>
> > > >>> 6. Release Flyer/Pamphlet,
> > > >>>
> > > >>>
> > > >>>
> > > >>> 7. Release Notes.
> > > >>>
> > > >>>
> > > >>>
> > > >>> Should you have any further questions please do not hesitate to get
> > > >>> back to me.
> > > >>>
> > > >>>
> > > >>>
> > > >>> Many thanks,
> > > >>>
> > > >>>
> > > >>>
> > > >>> Paulo Coimbra,
> > > >>>
> > > >>> OWASP Project Manager<https://www.owasp.org/index.php/Main_Page>
> > > >>>
> > > >>>
> > > >>>
> > > >>> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> > > >>>
> > > >>> Sent: Wednesday, 11 November 2009 18:41
> > > >>>
> > > >>> To: 'Ryan Barnett'
> > > >>>
> > > >>> Cc: 'Global Projects Committee'; 'OWASP Foundation Board List'
> > > >>>
> > > >>> Subject: RE: ModSecurity Core Rule Set Project Status
> > > >>>
> > > >>>
> > > >>>
> > > >>> Hello Ryan,
> > > >>>
> > > >>>
> > > >>>
> > > >>> I thank you for getting back to me and congratulate you on the
> > > >>> progress ModSecurity has already made.
> > > >>>
> > > >>>
> > > >>>
> > > >>> Regarding the release assessment, in accordance with the assessment 2.0
> > > >>> http://www.owasp.org/index.php/Assessing_Project_Releases, a Stable
> > > >>> Release requires 2 reviewers and it is recommended that an OWASP board
> > > >>> member or Global Projects Committee (GPC) member be the second reviewer.
> > > >>> Also, it says that ideally, reviewers should be an existing OWASP project
> > > >>> leader or chapter leader.
> > > >>>
> > > >>>
> > > >>>
> > > >>> That being said, if you agree, I will contact both the GPC and the
> > > >>> Board to find out if any of them can assume the review task.
> > > >>>
> > > >>>
> > > >>>
> > > >>> As for the second reviewer, given that the assessment prerequisites
> > > >>> use the word ‘ideally’, and taking into account the relevant OWASP past
> > > >>> contributions of both Ivan Ristic and Ofer Shezaf, I believe you could
> > > >>> pick one of them without GPC (being carbon copied) opposition. Please let
> > > >>> me know your thoughts on this.
> > > >>>
> > > >>>
> > > >>>
> > > >>> As for the operational process, I have already set up and filled in
> > > >>> the new project details page
> > > >>> http://www.owasp.org/index.php/GPC_Project_Details/OWASP_ModSecurity_Core_Rule_Set_Project
> > > >>> and linked it with your project page. Please let me know if you agree
> > > >>> and, of course, feel free to change it as you find best.
> > > >
> > > >>> To conclude, I have to inform you that currently the GPC is working to
> > > >>> improve the template that supports the assessment process itself (once
> > > >>> done it will be set up under the link ‘Release details: Main links,
> > > >>> release roadmap and
> > > >>> assessment<http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Web_Application_Firewalls_-_Release_1.0.4>’).
> > > >>> I believe this process will be completed very soon and thereafter we
> > > >>> can re-trigger the evaluation process. I apologise for any
> > > >>> inconvenience this may cause.
> > > >>>
> > > >>>
> > > >>>
> > > >>> Many thanks, best regards,
> > > >>>
> > > >>>
> > > >>>
> > > >>> Paulo Coimbra,
> > > >>>
> > > >>> OWASP Project Manager<https://www.owasp.org/index.php/Main_Page>
> > > >>>
> > > >>>
> > > >>>
> > > >>> From: Ryan Barnett [mailto:Ryan.Barnett at breach.com]
> > > >>>
> > > >>> Sent: Wednesday, 11 November 2009 16:11
> > > >>>
> > > >>> To: paulo.coimbra at owasp.org
> > > >>>
> > > >>> Subject: ModSecurity Core Rule Set Project Status
> > > >>>
> > > >>>
> > > >>>
> > > >>> Hey Paulo,
> > > >>>
> > > >>> I just wanted to touch base with you to get some guidance on next
> > > >>> steps for promoting the CRS project from Alpha onto Beta or Release
> > > >>> Quality.
> > > >>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> > > >>>
> > > >>>
> > > >>>
> > > >>> Our project already has stable releases and I have just uploaded the
> > > >>> project overview PPT (same one I will be presenting tomorrow at
> > > >>> AppSec DC) but I know that I need to get some Project Reviewers. I
> > > >>> originally had both Ivan Ristic and Ofer Shezaf slated for these
> > > >>> purposes but they have both stepped down as OWASP Local Chapter
> > > >>> Leaders...
> > > >>>
> > > >>>
> > > >>>
> > > >>> Should I put a call out to the OWASP leaders list asking for help?
> > > >>>
> > > >>>
> > > >>>
> > > >>> Thanks,
> > > >>>
> > > >>> Ryan








--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs
Email: rbarnett at trustwave.com
Phone: (703) 794-2248
Cell: (571) 382-0476
www.trustwave.com <http://www.trustwave.com>


 


------ End of Forwarded Message
