Breach Security has announced a new release of its ModSecurity plug-in and the open sourcing of its associated Core Rule Set (CRS). ModSecurity is an Apache web server plug-in with extensive logging and auditing capabilities that lets you track all inbound and outbound traffic for your web application. Logging, and the level of detail it records, can be turned on or off at runtime as needed, and can be triggered by certain conditions (such as suspected attacks) according to rules you create. When breaches are detected, request blocking can be turned on automatically to prevent further attack. ModSecurity lets you define these conditions. The output of the web site traffic auditing is designed to help you refine existing rule sets, or build new ones, to make your application more secure.
I recently spoke with Ryan Barnett, Director of Application Security Research at Breach Security, who told me more about ModSecurity. The rules that power ModSecurity are written in an event-based scripting language that's easy to extend and enhance. Barnett said that Breach Security believes that better security audit data leads to better attack detection and blocking. With this in mind, Breach Security has released the Core Rule Set as open source under the GPL v2 license as part of the OWASP ModSecurity Core Rule Set Project. The goal is to leverage the community to improve and extend the CRS more quickly, benefiting the community as a whole.
OWASP, short for the "Open Web Application Security Project", is a worldwide community of professionals focused on software security. More information on CRS is available at OWASP.org. The available free CRS scripts, written in a language similar to Snort's, are estimated to be about 80% of what most organizations need to be secure. The remaining 20% comes from modifying the existing scripts and developing new ones specific to the application you're securing. Along with the CRS, Breach Security has added detailed documentation on how each rule works, and how to change it.