This is about the history and the future of OWASP ModSecurity. The venerable WAF engine was transferred to OWASP in January 2024. This presentation looks back and presents a project plan moving forward.
OWASP ModSecurity - A few plot twists and what feels like a happy end
1. OWASP ModSecurity
A Few Plot Twists and
What Feels Like a Happy End
By Christian Folini for OWASP NL, 2024-02-15
2. Hello OWASP NL
I am Christian Folini
Find me at @ChrFolini / christian.folini@owasp.org
Swiss Security Engineer
OWASP ModSecurity Co-Lead
Wearer of Many Helmets
8. ModSecurity
◎ Started in 2002 by Ivan Ristić
◎ Presented at the very first OWASP London Meeting
in February 2004
◎ Came out on top of Forrester WAF review in 2006
◎ Sold to Israeli Breach Inc. the same year
16. ModSecurity at Breach
◎ ModSecurity 2 released in late 2006
◎ Ryan Barnett joined Breach in late 2006 too
◎ CTO Ofer Shezaf launched Core Rule Set in 2007
◎ Donation of Core Rule Set to OWASP in 2009
◎ Ivan Ristić left Breach in 2009
◎ Ryan Barnett succeeded Ivan as ModSecurity lead
◎ Trustwave acquired Breach in 2010
26. The split
◎ Ryan Barnett left Trustwave to join Akamai in 2015
◎ Chaim Sanders took his role and revived dormant CRS
◎ CRS3 is released and Chaim Sanders quit
◎ Taking CRS with him (it was an OWASP project after all)
◎ Meanwhile Felipe «Zimmerle» Costa rewrote ModSecurity
from scratch as the standalone ModSecurity 3 in C++,
released in 2017
35. Kudos to
Trustwave
They could have let ModSecurity die.
But they gave it to a team that was not always friendly.
The transition came late, but while there was still life.