Christian,
You bring up many valid points and I thank you for pushing on these.  Here are 
some responses -
First and foremost – both ModSecurity itself and the OWASP ModSecurity Core 
Rule Set (CRS) are open source projects.  Trustwave does not own either of 
them.  The only thing that Trustwave owns is the “ModSecurity” trademark name.  
The projects are Apache ASLv2 licensed.  These projects will live and 
(hopefully not) die depending on community support.  The support that 
Trustwave gave to these projects over the years has been a double-edged sword 
in some respects.  Yes, we were allocated commercial work time to invest in 
these projects as they have commercial ModSecurity offerings to support 
ModSecurity.  This support, however, gave the appearance to the community that 
Trustwave would do all the work and that the community could basically just 
send emails or open issue tickets and wait for things to get fixed by 
SpiderLabs.  This misconception, I feel, has truly limited ModSecurity from 
fully blossoming into a vibrant open source community.
Speaking of me personally, as many of you know, I moved on from Trustwave 
SpiderLabs and joined the Akamai Threat Research Team where I now provide 
research for our cloud security products (including Kona WAF).  Referring to my 
previous point – just because I switched jobs/companies does not preclude me 
from still working on these projects.  I am still the OWASP ModSecurity CRS 
Project Leader.  Not having Chaim listed on the OWASP Project page was an 
oversight and is now corrected (thanks for pointing that out).  The issue we 
have had in releasing these updates has mainly been because we have all been 
swamped with work from our day jobs.  This is where having a real community 
driven project helps as there aren’t any bottlenecks to slow things down.  
Community members can fork the CRS repo, update and initiate PULL requests and 
we can all move on.  To date, however, this workflow has not really blossomed.
As for security researchers responsibly reporting issues – we have a number of 
places that list how to contact the team -
http://www.modsecurity.org/help.html
Security: We take security very seriously! If you need to report a security 
problem please write to security/modsecurity.org
Hope this info helps.

Ryan



From:  <[email protected]> on behalf of 
Christian Folini
Date:  Thursday, September 17, 2015 at 4:35 AM
To:  Chaim Sanders
Cc:  "[email protected]"
Subject:  Re: [Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and 
some thoughts why ModSec Core Rules users were hit on day 0)

Chaim,

Having read your report, I got in touch with the author of the said
report, [email protected], myself. He replied immediately.

I do not want to quote him, but his message boils down to Trustwave
responding to him with the information that Ryan has left Trustwave 
and that his successor will work on the findings.

We'll have to take this with a grain of salt, but honestly, 
transparency and responsibilities in ModSec and the Core Rules
project are a bit lacking from my point of view. I have no doubt things 
are very clear for you guys working at Trustwave; and it is likely all
the information is somewhere to be found. But what I would appreciate
is more moderation and an easier way to find the things you need.

Examples:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
seems to be the website of the Core Rules. At least it is the number one
hit I get on Google and DuckDuckGo.

It lists:
Project Leader: Ryan Barnett
Contributors:
    Josh Zlatin
    Roberto Salgado
    Ashar Javed (@soaj1664ashar)

But _you_ are not mentioned. Still, you seem to handle things like this.
Do you have any authority to speak on behalf of the project? Is Ryan
still around in the project? Why was there no farewell message?

What is dearly missing is an email address to report security issues with the
Core Rules. I mean that would be the address I would be looking for
if I were a responsible security researcher with an exploit in my hands.

When you take the link to Github, you land on a repository where 
the last commit is two years old. If you read the mailing lists you will
find that development is actually happening, but it's now in the 3.0.0 branch
(where the last commit is 4 months old). Ryan forked the 3.0.0 branch in 2012, 
but it was first mentioned on the core rules mailing list in July 2015. It's
probably my fault I did not check if there were any interesting branches
with the core rules in the meantime, but things would really be easier
if things were more transparent.

I do not want to do finger-pointing, even if it may seem so. I want to
make clear how things look from the outside for users like me, let alone someone 
new to ModSec or the Core Rules. Both are great projects and they could 
be better still (and actually attract contributions) if they were more 
accessible and transparent.

Best regards,

Christian


On Tue, Sep 15, 2015 at 01:23:18PM +0000, Chaim Sanders wrote:
 As far as I am aware we have not received anything. It certainly didn't go
 to this mailing list and I don't recall anything on
 [email protected]. I am preparing a blog post where we analyze
 these attacks as we speak. Be on the lookout for it :)
 
 On 9/15/15, 12:03 AM,
 "[email protected] on behalf of
 Christian Folini" <[email protected]
 on behalf of [email protected]> wrote:
 
 >Good morning,
 >
 >What is funny about the paper is, that he lists contact with all
 >the other vendors and how they reacted to his responsible
 >disclosure, but this is missing for ModSec.
 >
 >Has there been no contact / no interest to patch in due time?
 >
 >Ahoj,
 >
 >Christian
 >
 >
 >--
 >It's easier to ask forgiveness, than it is to get permission.
 >-- Radm Grace Hopper, aka Amazing Grace
 >
 >_______________________________________________
 >Owasp-modsecurity-core-rule-set mailing list
 >[email protected]
 >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
 
 
 ________________________________
 
 This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

-- 
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:[email protected] (Business)
mailto:[email protected] (Private)
http://www.christian-folini.ch


