Folini Extended Introduction to ModSecurity and CRS3

•

2 gefällt mir•543 views

This document provides an introduction to ModSecurity and the OWASP Core Rule Set (CRS) presented by Christian Folini. The presentation covers what a web application firewall (WAF) and ModSecurity are, an overview of the CRS including rule groups and paranoia levels, how to install and configure ModSecurity with the CRS, and handling false positives. The goal of ModSecurity and CRS is to provide a first line of defense against web application attacks and block around 80% of attacks with minimal false positives in the default installation.

Technologie

@ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27
An Introduction to
ModSecurity and the OWASP
Core Rule Set
(BCS DevSecOps SG)
Christian Folini / @ChrFolini

Baseline / 1st
Line of Defense
Safety Belts

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Boring Bio
●
Christian Folini / ChrFolini
●
Security Engineer at netnea
in Switzerland
●
Author, teacher and speaker
●
OWASP CRS project Co-Lead

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Plan for Today
●
What is a WAF?
●
What is ModSecurity?
●
What is Core Rule Set?
●
Demo
●
Key concepts
●
Rules
●
False Positives

Web Application Firewalls
Complex • Overwhelming • Rarely Functional

ModSecurity
Embedded • Rule oriented • Granular Control

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Include in server config (depending on path):
Include /path-to-owasp-crs/crs-setup.conf
Include /path-to-owasp-crs/rules/*.conf
Clone the repository (or download latest release):
$> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
Copy the example config:
$> cp crs-setup.conf.example crs-setup.conf
Demo Time (Installation)

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Research based on
4.5M Burp requests.
CRS3
Default Install
Redir.:
RFI:
LFI:
XSS:
SQLi:
0%
0%
-100%
-82%
-100%

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Paranoia Level 1: Minimal number of false positives
Baseline protection
Paranoia Level 2: More rules, some false positives
Real data in the service
Paranoia Level 3: Specialized rules, more FPs
Online banking level security
Paranoia Level 4: Crazy rules, many FPs
Nuclear power plant level security
Paranoia Levels

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Important Groups of Rules
Request Rules
REQUEST-910-IP-REPUTATION.conf
REQUEST-911-METHOD-ENFORCEMENT.conf
REQUEST-912-DOS-PROTECTION.conf
REQUEST-913-SCANNER-DETECTION.conf
REQUEST-920-PROTOCOL-ENFORCEMENT.conf
REQUEST-921-PROTOCOL-ATTACK.conf
REQUEST-930-APPLICATION-ATTACK-LFI.conf
REQUEST-931-APPLICATION-ATTACK-RFI.conf
REQUEST-932-APPLICATION-ATTACK-RCE.conf
REQUEST-933-APPLICATION-ATTACK-PHP.conf
REQUEST-941-APPLICATION-ATTACK-XSS.conf
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf
REQUEST-944-APPLICATION-ATTACK-JAVA.conf
REQUEST-949-BLOCKING-EVALUATION.conf

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Important Groups of Rules
Response Rules
RESPONSE-950-DATA-LEAKAGES.conf
RESPONSE-951-DATA-LEAKAGES-SQL.conf
RESPONSE-952-DATA-LEAKAGES-JAVA.conf
RESPONSE-953-DATA-LEAKAGES-PHP.conf
RESPONSE-954-DATA-LEAKAGES-IIS.conf
RESPONSE-959-BLOCKING-EVALUATION.conf

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Paranoia Level
Example: Protocol Enforcement Rules
Paranoia Level 1: 31 Rules
Paranoia Level 2: 7 Rules
Paranoia Level 3: 1 Rules
Paranoia Level 4: 4 Rules

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Stricter Siblings
Example: Byte Range Enforcement
Paranoia Level 1:
Rule 920270: Full ASCII range without null character
Paranoia Level 2:
Rule 920271: Full visible ASCII range, tab, newline
Paranoia Level 3:
Rule 920272: Visible lower ASCII range without %
Paranoia Level 4:
Rule 920273: A-Z a-z 0-9 = - _ . , : &

Anomaly Scoring
Adjustable Limit • Blocking Mode • Iterative Tuning

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Sampling Mode
Easing into CRS adoption / limit the impact
• Define a sampling rate of n
• Only n% of the requests are being funneled into CRS3
• 100% - n% of requests bypass CRS3
• Monitor performance and fix problems
• Slowly raise n in an iterative way until it reaches 100%

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
False Positives
False Positives are expected from PL2
• FPs are fought with rule exclusions
• Tutorials at https://www.netnea.com
• Get cheatsheet from Netnea
• Please report FPs at PL1 (github)

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Apache / ModSecurity / CRS Tutorials
https://www.netnea.com/cms/apache-tutorials/

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Summary ModSecurity & CRS3
• 1st
Line of Defense against web application attacks
• Generic set of blacklisting rules for WAFs
• Blocks 80% of web application attacks in the default
installation (with a minimal number of FPs)
• Granular control over the behaviour down to the
parameter level
More information at https://coreruleset.org

@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
Questions and Answers, Contact
Contact: christian.folini@netnea.com
@ChrFolini

Weitere ähnliche Inhalte

Ähnlich wie Folini Extended Introduction to ModSecurity and CRS3

As our applications transform to cloud-native-first architectures, policy replaces configuration files to define infrastructure at all layers; networking, compute, storage, and of course application. Developers now have almost unlimited choices in how to solve their architecture, agility and scale challenges using the software defined infrastructure that powers our cloud-native world. Prescriptive topologies for networks are too rigid to support the needed agile iterations of today’s application. The software development lifecycle (SDLC) evolved to support multiple iterations for innovation and has some lessons for all of us. This session describes SDLC evolutions to help network and infrastructure experts as they strive to connect business value to applications to infrastructure while constructing the networks of the future.

What network architects need to know about the evolving software lifecycle (S...

Marco Coulter

Amazon CloudFront Best Practices and Anti-patterns

Abhishek Tiwari

Brksec 2048-demystifying aci-security

Cisco

Network security specialist Catherine Paquetl fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire. ABOUT THE PRESENTER Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.

Building Up Network Security: Intrusion Prevention and Sourcefire

Global Knowledge Training

BRKSEC-2494.pdf

JacksonGonzalez14

The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the data center environment. This session will focus on recommendations for securing next-generation data center architectures. Areas of focus include security services integration, leveraging device virtualization, and considerations and recommendations for server virtualization. The target audience are security and data center administrators.

Security and Virtualization in the Data Center

Cisco Canada

Securing Micro Services in Cloud Foundry

PLUMgrid

Brkcld 2215

JuanCarlosMuruchi

he Hosted Security as a Service session provides in depth discussion on cloud based security services leveraging Cisco security solutions. This session is appropriate for service providers who are interested in delivering managed security services to their customer from their cloud infrastructure. We will provide detailed designs and guidance on: - cloud security services including FW, VPN, web and email services - architecture layers through influence of NfV and SDN - KVM and VMware based solutions - orchestration flexibility and options - Day 0 and Day 1 provisioning - Day 2 monitoring and reporting.

Hosted Security as a Service - Solution Architecture Design

Cisco Canada

Containers are the next evolutionary step in how applications are managed and consumed. Allowing application teams to control and optimize their application deployment process. Along with the advantages provided to application teams, it's also a dynamic shift for data center design. Allowing for better resource utilization, and management resulting in both cost savings and faster IT. This session will explain how Cisco IT has delivered this new paradigm in Cloud Technology by using Cisco ACI, Cisco UCS and open-source solutions like Kubernetes.

Cisco Live: Containers on Enterprise Compute and Networks

Michael Duarte

Jan Harrie Security Analyst at ERNW GmbH OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood. Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem. In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

DevSecCon

As microservices grow, traditional firewall rules based on network ACLs are no longer scalable and fall short of providing fine-grained enforcement. Group Based Policy (GBP) is a flexible policy language that allows users to specify policy enforcement based on intent, independent of network infrastructure and IP addressing. Using micro-segmented virtual domains, administrators can define policies at a centralized location and use IO Visor technology for distributed enforcement. This provides infrastructure independent rules, template-based policy definitions, and scale-out policy enforcement for a solution that secures and scales with microservices. This session will be presented by members of the IO Visor community and will cover how IO Visor technology can be used to define and enforce GBP. The discussion will also cover using GBP for cloud foundry application spaces where microservices are deployed and need scalable, efficient security policies.

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...

IO Visor Project

Cisco Strategic Profile

sezzzwho

IBOSEC-3000-2.pdf

Andrew Benhase

OpenChain Monthly Meeting 2023-02-21 (North America and Asia)

Shane Coughlan

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...

Cisco Canada

Building The Right Network

Cisco Canada

TFI2014 Session II - Requirements for SDN - Brian Field

Colorado Internet Society (CO ISOC)

Application Policy Enforcement Using APIC

Cisco Canada

Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...

Primend

Ähnlich wie Folini Extended Introduction to ModSecurity and CRS3 (20)

What network architects need to know about the evolving software lifecycle (S...

Amazon CloudFront Best Practices and Anti-patterns

Brksec 2048-demystifying aci-security

Building Up Network Security: Intrusion Prevention and Sourcefire

BRKSEC-2494.pdf

Security and Virtualization in the Data Center

Securing Micro Services in Cloud Foundry

Brkcld 2215

Hosted Security as a Service - Solution Architecture Design

Cisco Live: Containers on Enterprise Compute and Networks

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...

Cisco Strategic Profile

IBOSEC-3000-2.pdf

OpenChain Monthly Meeting 2023-02-21 (North America and Asia)

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...

Building The Right Network

TFI2014 Session II - Requirements for SDN - Brian Field

Application Policy Enforcement Using APIC

Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...

Mehr von Christian Folini

OWASP ModSecurity - A few plot twists and what feels like a happy end

Christian Folini

Everybody, Blueteam and Redteam players alike, are driven by incentives. Good incentives persuade us to do the right thing and patch our servers. Bad incentives make us eat unhealthy food and follow stupid security practices. There is a huge resource problem in the IT industry and especially in the security industry. So you would expect people to pay attention to the existing incentives and th incentives they create with their documentation, their awareness trainings, their security reports, etc. But reality paints a different picture: Bad incentives all around! We see insane security practices eating valuable time and online trainings annoying users, slowly teaching them to become a brainless zombie whenever they hear the keyword "security". But it's even worse. I've come across incentives that lure companies into creating bad products and I've seen companies create products that incentivize their customers to waste their time and money. Sometimes the mechanisms are too strong to fight. But sometimes it takes people like you and me to say NO and stand up for real security! Follow me on a journey and security will never look the same to you again!

Crazy incentives and how they drive security into no man's land

Christian Folini

The OWASP ModSecurity Core Rule Set (CRS) was a dormant project, when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD and the rules run on over 100Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example how you can grow and mature your project too.

Never Walk Alone - Inspirations from a Growing OWASP Project

Christian Folini

The Adventurous Tale of Online Voting in Switzerland

Christian Folini

EVoting in der Schweiz - Ein Fortsetzungsroman

Christian Folini

Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set

Christian Folini

The Swiss tale with online voting serves as a typical example of the iterative development of highly critical IT systems and the growing involvement of scientists as a necessary step for a government that is willing to learn from past mistakes. Switzerland has been experimenting with online voting for over 15 years. Several generations of electronic voting systems have been implemented and almost all of them died along the way because of their profound security problems or when the money ran out. In 2019, Swiss Post published the source code of its online voting system, the last system that was still in the race. Several highly critical findings were discovered in a matter of weeks and the system was stopped right before the national elections. In 2020, the government rebooted the process and invited two dozen international researchers into an intense dialogue that lasted several months. The resulting report is the base for the renewed regulation that will pave the way forward in 2021.

The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...

Christian Folini

Gedanken zur elektronischen Stimmabgabe für Datenschützer

Christian Folini

We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day. Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels. Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.

Medieval Castles and Modern Servers

Christian Folini

E-Voting, die Sicherheit und die Rolle der Experten

Christian Folini

Black alps 2018-folini-d-dos

Christian Folini

Slides for an O'Reilly Media Webcast on Januar 9, 2018. In this webcast, we introduce the open source ModSecurity Web Application Firewall. ModSecurity allows you to thwart web attacks by inspecting the incoming HTTP requests a selection of granular rules. The standard ruleset accompanying ModSecurity, the OWASP ModSecurity Core Rule Set, will be presented by one of its authors. You will learn how to set it all up with NGINX open source and NGINX Plus, how to begin addressing common security threats, and where to find additional information.

Optimizing ModSecurity on NGINX and NGINX Plus

Christian Folini

A General Look at the State of Security - AFCEA 2017

Christian Folini

The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that saw a new major release in November 2016 (3.0 -> CRS3). CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode. The important handling of false positives is also covered as well as pre-defined lists of rule exclusions for popular web applications helping to avoid false positives. This presentation was delivered at AppSecEU 2017 in Belfast.

Introducing the OWASP ModSecurity Core Rule Set

Christian Folini

Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straight forward ModSecurity setup which is not threatening an existing productive service. Instead you start with a limited set of rules and then you raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels

OWASP ModSecurity Core Rules Paranoia Mode

Christian Folini

Mehr von Christian Folini (15)

OWASP ModSecurity - A few plot twists and what feels like a happy end

Crazy incentives and how they drive security into no man's land

Never Walk Alone - Inspirations from a Growing OWASP Project

The Adventurous Tale of Online Voting in Switzerland

EVoting in der Schweiz - Ein Fortsetzungsroman

Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set

The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...

Gedanken zur elektronischen Stimmabgabe für Datenschützer

Medieval Castles and Modern Servers

E-Voting, die Sicherheit und die Rolle der Experten

Black alps 2018-folini-d-dos

Optimizing ModSecurity on NGINX and NGINX Plus

A General Look at the State of Security - AFCEA 2017

Introducing the OWASP ModSecurity Core Rule Set

OWASP ModSecurity Core Rules Paranoia Mode

Kürzlich hochgeladen

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Exploring Multimodal Embeddings with Milvus

Zilliz

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Kürzlich hochgeladen (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Vector Search -An Introduction in Oracle Database 23ai.pptx

Exploring Multimodal Embeddings with Milvus

FWD Group - Insurer Innovation Award 2024

MINDCTI Revenue Release Quarter One 2024

Elevate Developer Efficiency & build GenAI Application with Amazon Q

[BuildWithAI] Introduction to Gemini.pdf

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

MS Copilot expands with MS Graph connectors

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

CNIC Information System with Pakdata Cf In Pakistan

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Folini Extended Introduction to ModSecurity and CRS3

1. @ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27 An Introduction to ModSecurity and the OWASP Core Rule Set (BCS DevSecOps SG) Christian Folini / @ChrFolini

2. Baseline / 1st Line of Defense Safety Belts

3. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead

4. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives

5. Web Application Firewalls Complex • Overwhelming • Rarely Functional

6. ModSecurity Embedded • Rule oriented • Granular Control

9. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)

10. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%

11. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels

12. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf

13. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf

14. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules

15. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &

16. Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning

17. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%

18. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

19. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

20. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

21. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

22. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

23. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27

24. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)

25. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/

26. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org

27. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini

Folini Extended Introduction to ModSecurity and CRS3

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Folini Extended Introduction to ModSecurity and CRS3

Ähnlich wie Folini Extended Introduction to ModSecurity and CRS3 (20)

Mehr von Christian Folini

Mehr von Christian Folini (15)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Folini Extended Introduction to ModSecurity and CRS3