This is about the history and the future of OWASP ModSecurity. The venerable WAF engine was transferred for OWASP in January 2024. This presentation looks back and presents a project plan moving forward.

1. OWASP ModSecurity
A Few Plot Twists and
What Feels Like a Happy End
By Christian Folini for OWASP NL, 2024-02-15

2. Hello OWASP NL
I am Christian Folini
Find me at @ChrFolini / christian.folini@owasp.org
Swiss Security Engineer
OWASP ModSecurity Co-Lead
Wearer of Many Helmets

3. 1.
Backstory
This is the slow starts where
we lay our scene

4. ModSecurity

5. ModSecurity
◎ Started in 2002 by Ivan Ristić

6. ModSecurity
◎ Started in 2002 by Ivan Ristić
◎ Presented at the very first OWASP London Meeting
in February 2004

7. ModSecurity
◎ Started in 2002 by Ivan Ristić
◎ Presented at the very first OWASP London Meeting
in February 2004
◎ Came out on top of Forrester WAF review in 2006

8. ModSecurity
◎ Started in 2002 by Ivan Ristić
◎ Presented at the very first OWASP London Meeting
in February 2004
◎ Came out on top of Forrester WAF review in 2006
◎ Sold to Israeli Breach Inc. the same year

9. ModSecurity at Breach

10. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006

11. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too

12. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too
◎ CTO Ofer Shezaf launched Core Rule Set in 2007

13. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too
◎ CTO Ofer Shezaf launched Core Rule Set in 2007
◎ Donation of Core Rule Set to OWASP in 2009

14. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too
◎ CTO Ofer Shezaf launched Core Rule Set in 2007
◎ Donation of Core Rule Set to OWASP in 2009
◎ Ivan Ristić left Breach in 2009

15. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too
◎ CTO Ofer Shezaf launched Core Rule Set in 2007
◎ Donation of Core Rule Set to OWASP in 2009
◎ Ivan Ristić left Breach in 2009
◎ Ryan Barnett succeeded Ivan as ModSecurity lead

16. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too
◎ CTO Ofer Shezaf launched Core Rule Set in 2007
◎ Donation of Core Rule Set to OWASP in 2009
◎ Ivan Ristić left Breach in 2009
◎ Ryan Barnett succeeded Ivan as ModSecurity lead
◎ Trustwave acquired Breach in 2010

17. Ryan
Barnett

18. Ryan
Barnett
Managed to donate CRS to OWASP

19. Ryan
Barnett
Managed to donate CRS to OWASP
Introduced the CRS Scoring
Mechanism

20. Ryan
Barnett
Managed to donate CRS to OWASP
Introduced the CRS Scoring
Mechanism
Set the roadmap to develop
standalone ModSecurity3

21. The split

22. The split
◎ Ryan Barnett left Trustwave to join Akamai in 2015

23. The split
◎ Ryan Barnett left Trustwave to join Akamai in 2015
◎ Chaim Sanders took his role and revived dormant CRS

24. The split
◎ Ryan Barnett left Trustwave to join Akamai in 2015
◎ Chaim Sanders took his role and revived dormant CRS
◎ CRS3 is released and Chaim Sanders quits Trustwave

25. The split
◎ Ryan Barnett left Trustwave to join Akamai in 2015
◎ Chaim Sanders took his role and revived dormant CRS
◎ CRS3 is released and Chaim Sanders quit
◎ Taking CRS with him (it was an OWASP project after all)

26. The split
◎ Ryan Barnett left Trustwave to join Akamai in 2015
◎ Chaim Sanders took his role and revived dormant CRS
◎ CRS3 is released and Chaim Sanders quit
◎ Taking CRS with him (it was an OWASP project after all)
◎ Meanwhile Felipe «Zimmerle» Costa rewrote ModSecurity
from scratch as a standalone ModSecurity3 in C++,
released in 2017

27. Decisions with
a long shadow ?

28. Decisions with
a long shadow
Rewrite in C++
?

29. Decisions with
a long shadow
Rewrite in C++
Failure to cut away the fat
?

30. Decisions with
a long shadow
Rewrite in C++
Failure to cut away the fat
Limited investment in product(s)
?

31. Decisions with
a long shadow
Rewrite in C++
Failure to cut away the fat
Limited investment in product(s)
Failure to create a developer community
?

32. «Zimmerle» quits in Autumn 2021

33. «Zimmerle» quits in Autumn 2021
and Trustwave revamps their website
33

34. 2.
The Transition
The mess, the panic and the drama

35. Kudos to
Trustwave
They could have let ModSecurity die.
But they gave it to a team that was not always friendly.
The transition came late, but while there was still life.
“

36. “

37. CVE-2024-1019
Illustration by Andrea «theMiddle» Menin
Published at https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/

38. Preliminary owasp.org website
https://owasp.org/www-project-modsecurity/#endorsements

39. An OWASP «Production Level» project

40. ModSecurity 3.0.12

41. 3.
The Project Plan
Adding sense and reason

42. “
Communication Administration Development

43. Project Plan: Communication

44. Project Plan: Administration

45. Project Plan: Development

46. 4.
The OWASP Perspective
A dominant position in the industry

47. The OWASP Perspective

48. Thanks!
Any questions?
You can find me at:
@ChrFolini & christian.folini@owasp.org
and of course on the
OWASP Slack #project-modsecurity
48