Date: Wed, 17 Aug 2016 15:28:05 -0400
From: Chaim Sanders <chaim@...imsanders.com>
To: oss-security@...ts.openwall.com
Subject: ModSecurity's OWASP CRS v3.0.0-rc1 Released.

The OWASP Core Rule Set team is proud to announce the first of two
planned release candidates for the upcoming OWASP ModSecurity Core
Rule Set v3.0.0.

This new release represents a huge step forward in terms of both
capabilities and protections including:

- A 95% reduction in false positives for a typical CRS deployment
using the default configuration.
- Extended effectiveness and detection capabilities in numerous areas;
namely Remote Command Execution and PHP injections (Walter Hop).
- A simple to use, adjustable paranoia level that allows users to
tailor their ruleset experience.
- The capability to allow existing sites to try out the Core Rules by
enabling the rules for only a limited percentage of requests (Christian
Folini).

Please see the CHANGES document for a detailed list of new features
and improvements.
(https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/CHANGES)

Our desire is to see the Core Rules project used as part of a defense
in depth strategy to help effectively fight web application weaknesses
with few side effects. As such we attempt to cut down on false
positives as much as possible in the default install. This RC1
therefore offers an opportunity for individuals to provide feedback
and to report any other issues they may face. This is no longer aimed
at ModSecurity experts. This is the Core Rules for the rest of us.

Please use the CRS GitHub
(https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.0-rc1)
or the Core Rules mailing list to tell us about your experiences,
including false positives or other issues with this release candidate.
Our current timeline is to seek public feedback on RC1 for the next
month, followed by an RC2 and subsequently a release.

For more information, please see the following blog post accompanying
this release:

https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Version-3-0-RC1-Released/


Sincerely, Chaim Sanders, on behalf of the Core Rules Set development team.
