Never Walk Alone - Inspirations from a Growing OWASP Project

•

0 gostou•11 visualizações

The OWASP ModSecurity Core Rule Set (CRS) was a dormant project, when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD and the rules run on over 100Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example how you can grow and mature your project too.

Tecnologia

Inspirations from a Growing OWASP Project
Never Walk Alone
By @ChrFolini, OWASP CRS Co-Lead

Complementary WAF Rule Set • Business Need
Origins of CRS

Experiment • Promising • Essential
The New Idea

Usability • Documentation • Power
Vision

Corporate Ties • Freedom • Alternative
Disentanglement

Developers • Choice • Competition
Market

Backgrounds • Resilience • European
Diversity

Experience • Pain • Satisfaction
Knowledge

Round Table • Innovation • Online Chats
Formalize – But Don’t Formalize

Refactoring • Polishing • Aesthetics
Luxury of Perfection

Moderating Role • Generosity • Perfectionism
Leadership

Serious Money • Partnership • Plannable
Sponsors

Wandering off • Knowledge • Personal Ties
Retention

Review • Remove • Researchers
Quality Assurance

Open • Accessible • Attractive
Transparency

Equality • Discussion • Patience
Consensus

Sources of Photos
● https://unsplash.com/photos/HIKcSp6F3gg
● https://unsplash.com/photos/yxwBJjtgtUs
● https://www.flickr.com/photos/modesrodriguez/51331707503/
● https://unsplash.com/photos/ypyLtW8W1NI
● https://www.flickr.com/photos/realcoolchris/23812863983/
● https://www.flickr.com/photos/saint_george/30015352438/
● https://www.flickr.com/photos/arnaldomedeiros/30490179915
● https://unsplash.com/photos/yUJVHiYZCGQ
https://unsplash.com/photos/BEEyeib-am8
●
● https://www.flickr.com/photos/skosoris/9418117579/
● https://www.flickr.com/photos/omnious100/37166661306/
● https://unsplash.com/photos/kSSC6i5Bnxw
● https://unsplash.com/photos/DAWnMmUSMdU
● https://unsplash.com/photos/UmV2wr-Vbq8
● https://unsplash.com/photos/E4bn9ScilAA
● https://unsplash.com/photos/X45VKpWV7hw

Mais conteúdo relacionado

Mais de Christian Folini

Introduction to ModSecurity and the OWASP Core Rule Set

Christian Folini

Folini Extended Introduction to ModSecurity and CRS3

Christian Folini

Gedanken zur elektronischen Stimmabgabe für Datenschützer

Christian Folini

We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day. Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels. Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.

Medieval Castles and Modern Servers

Christian Folini

E-Voting, die Sicherheit und die Rolle der Experten

Christian Folini

Black alps 2018-folini-d-dos

Christian Folini

Slides for an O'Reilly Media Webcast on Januar 9, 2018. In this webcast, we introduce the open source ModSecurity Web Application Firewall. ModSecurity allows you to thwart web attacks by inspecting the incoming HTTP requests a selection of granular rules. The standard ruleset accompanying ModSecurity, the OWASP ModSecurity Core Rule Set, will be presented by one of its authors. You will learn how to set it all up with NGINX open source and NGINX Plus, how to begin addressing common security threats, and where to find additional information.

Optimizing ModSecurity on NGINX and NGINX Plus

Christian Folini

A General Look at the State of Security - AFCEA 2017

Christian Folini

The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that saw a new major release in November 2016 (3.0 -> CRS3). CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode. The important handling of false positives is also covered as well as pre-defined lists of rule exclusions for popular web applications helping to avoid false positives. This presentation was delivered at AppSecEU 2017 in Belfast.

Introducing the OWASP ModSecurity Core Rule Set

Christian Folini

Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straight forward ModSecurity setup which is not threatening an existing productive service. Instead you start with a limited set of rules and then you raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels

OWASP ModSecurity Core Rules Paranoia Mode

Christian Folini

Mais de Christian Folini (10)

Introduction to ModSecurity and the OWASP Core Rule Set

Folini Extended Introduction to ModSecurity and CRS3

Gedanken zur elektronischen Stimmabgabe für Datenschützer

Medieval Castles and Modern Servers

E-Voting, die Sicherheit und die Rolle der Experten

Black alps 2018-folini-d-dos

Optimizing ModSecurity on NGINX and NGINX Plus

A General Look at the State of Security - AFCEA 2017

Introducing the OWASP ModSecurity Core Rule Set

OWASP ModSecurity Core Rules Paranoia Mode

Último

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

DBX First Quarter 2024 Investor Presentation

Dropbox

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

MINDCTI Revenue Release Quarter One 2024

MIND CTI

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Architecting Cloud Native Applications

WSO2

Never Walk Alone - Inspirations from a Growing OWASP Project

1. Inspirations from a Growing OWASP Project Never Walk Alone By @ChrFolini, OWASP CRS Co-Lead

2. Source: XKCD #2347: Dependency

3. Complementary WAF Rule Set • Business Need Origins of CRS

4. Foundation • Strong Brand • Pain OWASP Umbrella

5. Experiment • Promising • Essential The New Idea

6. Usability • Documentation • Power Vision

7. Corporate Ties • Freedom • Alternative Disentanglement

9. Developers • Choice • Competition Market

10. Backgrounds • Resilience • European Diversity

11. Experience • Pain • Satisfaction Knowledge

12. Round Table • Innovation • Online Chats Formalize – But Don’t Formalize

13. Refactoring • Polishing • Aesthetics Luxury of Perfection

14. Moderating Role • Generosity • Perfectionism Leadership

15. Cheap • Distracting • Irrelevant Swag

16. Serious Money • Partnership • Plannable Sponsors

17. Wandering off • Knowledge • Personal Ties Retention

18. Review • Remove • Researchers Quality Assurance

19. Safe Space • Adventure • Friendship Fun

20. Open • Accessible • Attractive Transparency

21. Equality • Discussion • Patience Consensus

22. Developers • Code • Community Beauty

23. Sources of Photos ● https://unsplash.com/photos/HIKcSp6F3gg ● https://unsplash.com/photos/yxwBJjtgtUs ● https://www.flickr.com/photos/modesrodriguez/51331707503/ ● https://unsplash.com/photos/ypyLtW8W1NI ● https://www.flickr.com/photos/realcoolchris/23812863983/ ● https://www.flickr.com/photos/saint_george/30015352438/ ● https://www.flickr.com/photos/arnaldomedeiros/30490179915 ● https://unsplash.com/photos/yUJVHiYZCGQ https://unsplash.com/photos/BEEyeib-am8 ● ● https://www.flickr.com/photos/skosoris/9418117579/ ● https://www.flickr.com/photos/omnious100/37166661306/ ● https://unsplash.com/photos/kSSC6i5Bnxw ● https://unsplash.com/photos/DAWnMmUSMdU ● https://unsplash.com/photos/UmV2wr-Vbq8 ● https://unsplash.com/photos/E4bn9ScilAA ● https://unsplash.com/photos/X45VKpWV7hw

Never Walk Alone - Inspirations from a Growing OWASP Project

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Christian Folini

Mais de Christian Folini (10)

Último

Último (20)

Never Walk Alone - Inspirations from a Growing OWASP Project