Date: Wed, 17 Aug 2016 15:28:05 -0400 From: Chaim Sanders <chaim@...imsanders.com> To: oss-security@...ts.openwall.com Subject: ModSecurity's OWASP CRS v3.0.0-rc1 Released. The OWASP Core Rule Set team is proud to announce the first of two planned release candidates for the upcoming OWASP ModSecurity Core Rule Set v3.0.0. This new release represents a huge step forward in terms of both capabilities and protections including: - A 95% reduction in false positives for a typical CRS deployment using the default configuration. - Extended effectiveness and detection capabilities in numerous areas; namely Remote Command Execution and PHP injections (Walter Hop). - A simple to use, adjustable paranoia level that allows users to tailor their ruleset experience. - The capability to allow existing sites to try out the Core Rules by enabling the rules for only limited percentage of requests (Christian Folini). Please see the CHANGES document for a detailed list of new features and improvements. (https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/CHANGES) Our desire is to see the Core Rules project used as part of a defense in depth strategy to help effectively fight web application weaknesses with few side effects. As such we attempt to cut down on false positives as much as possible in the default install. This RC1 therefore offers an opportunity for individuals to provide feedback and to report any other issues they may face. This is no longer aimed at ModSecurity experts. This is the Core Rules for the rest of us. Please use the CRS GitHub (https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.0-rc1) or the Core Rules mailing list to tell us about your experiences, including false positives or other issues with this release candidate. Our current timeline is to seek public feedback on RC1 for the next month, followed by an RC2 and subsequently a release. For more information, please see the following blog post accompanying this release: https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Version-3-0-RC1-Released/ Sincerely Chaim Sanders, on behalf of the Core Rules Set development team.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.