[OWASP-Security101] ModSecurity vs Commercial Products

Tom Mackenzie tom.mackenzie at owasp.org
Tue Aug 21 07:32:58 UTC 2012


Hi,

In answer to your questions:

1. There are a number of rule-sets that you can look into all around the
internet, but the two that come to mind are the Core Rule Set - which is
actually an OWASP project and can be found at the following URL:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Or you can look into the Commercial Rule Set that is created by the sponsor
of ModSecurity, Trustwave (the company I happen to work for):
http://www.modsecurity.org/projects/commercial/rules/. You can also pay for
support via Trustwave too. I think it's something like $200 & $2000
respectively.

Both rulesets are updated regularly.

2. The project has been around since 2002, so it isn't actually that new.
According to Forrester Research it is the most widely used WAF around (I am
taking this from an old presentation by Ivan Ristic, before
Trustwave acquired Breach, but to my knowledge this is still the case).

3. That kind of answers your question here too - although I can't give you
specific clients of mine that use it, I can tell you that
clients definitely do use it. Some without realising, because they just use
the Apache mod.

Any more questions, just ask - I can get you in touch with the ModSecurity team
at Trustwave and they can help you out, and I am sure everyone on this list
will tell you exactly the same thing when I say it is a great WAF.

Thanks,



On Mon, Aug 20, 2012 at 11:13 AM, Campbell, Dominic <dominic.campbell at logica.com> wrote:

> Hi All,
>
> I've been tasked with protecting XML content and am looking at 3 options:
>
> 1. ModSecurity
>
> 2. Vordel
>
> 3. Layer7
>
> I want to choose ModSecurity as it ticks all the boxes in terms of the
> features I need (as do the others, but they cost a lot of money).
> However, I need to convince my customer (believe it or not), who is
> worried about:
>
> 1. Supportability and long-term life (specifically of the
> supportability of rule-sets)
>
> 2. It's "quite new" so not necessarily heavily used (i.e. no
> pedigree)
>
> 3. Where is it used/who uses it (i.e. looking for some "big names")
>
> So, any help to bolster my case for ModSecurity over the others would be
> massively appreciated.
>
> If this isn't the right forum for such a question, then being pointed in
> the right direction would be helpful.
>
> Many Thanks,
> Dominic.
>
>
>
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>

