Core Rule Set for the Masses

Presented at AppSec USA 2017, Sept. 22, 2017, 11:30 a.m. (45 minutes)

Everyone who has used, or attempted to use, OWASP ModSecurity Web Application Firewall knows something about fine-tuning rules. ModSecurity Core Rule Set (CRS) was designed to catch more, show more and let you decide what to do with security alerts. It is a time consuming -- and often frustrating -- exercise to analyze alerts, separating the wheat from the chaff, and determine which are candidates for blocking.   With thousands of servers at more than 100 locations, Verizon Edgecast CDN is one of the world's largest deployment of OWASP Core Rule Set. We will share our experience in fine-tuning the CRS for a large number of customers, adjusting to their taste in risk and attitude toward false positives. We will discuss lesser used features of ModSecurity to cut down noise levels in alerts, sometimes as much as 90%. We will also discuss our experience in moving from CRS 2.2.9 to 3.0 which was released in late 2016.   We hope that the audience will walk away with understanding benefits of using the venerable web application firewall with the latest enhancements and issues to consider to get the most out of it. Ultimately, we hope that our experience will make your task of fine-tuning the CRS a little easier.

Presenters:

• Robert Whitley - Security Solutions Architect - Verizon Digital Media Services
  Robert Whitley started out his career as a customer facing SOC analyst that allowed him to explore the breadth of the information security field. After working closely on incident response and threat intel, Robert now spends his day to day on consulting users on WAF and rate limiting modules and their configs.
• Tin Zaw - Volunteer - OWASP
  Tin Zaw currently co-leads the OWASP project on Automated Threats to Web Applications, along with Colin Watson. At his day job, he leads a global practice to help Verizon customers secure web properties at Verizon Digital Media.  He started his career programming network protocols at QUALCOMM, participated in early days of the web infrastructure at Inktomi, made security products for 100+ million users at Symantec, and led web and product security teams at AT&T and Intuit, until settling in at Verizon.  He holds an MS degree in computer science and an MBA from University of Southern California, as well as an undergraduate degree in computer science from Pittsburg State University, Kansas. A long-time volunteer of OWASP, he is a former president of its Los Angeles chapter.

Links:

• https://appsecusa2017.sched.com/event/BN29/core-rule-set-for-the-masses
• https://infocon.org/cons/OWASP/AppSecUSA 2017/Core Rule Set for the Masses.mp4
• https://www.youtube.com/watch?v=nyEuyF64vb8

Similar Presentations:

• Black Hat USA 2012 / ModSecurity as Universal Cross-platform Web Protection Tool
• AppSec USA 2017 / WAFs FTW! A modern devops approach to security testing your WAF
• AppSec USA 2013 / Big Data Intelligence (Harnessing Petabytes of WAF statistics to Analyze & Improve Web Protection in the Cloud)