Dear all,

This is the CRS newsletter covering the period from April until today.

What has happened during the last few weeks:

- We held our 3rd community chat last Monday. We were eight people
  and we had an extremely efficient meeting. We sorted out a strategy
  for the remaining 3.0dev issues and cleared the path for the 3.0.1
  release.  The next community chats will be held on the following
  dates:
  - Jun 5, 2017, 20:30 CEST (14:30 EST, 19:30 GMT)
  - Jul 3, 2017, 20:30 CEST
  - Aug 7, 2017, 20:30 CEST
  - Sep 4, 2017, 20:30 CEST
  - Oct 2, 2017, 20:30 CEST
  - Nov 6, 2017, 20:30 CET
  - Dec 4, 2017, 20:30 CET

- There are three open pull requests and three issues keeping us
  from releasing 3.0.1. The idea is to clear this during the weekend
  and release 3.0.1 on Tuesday, May 9.

- The release policy discussed last month has been described briefly
  at:
  https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy

- After the release policy last month, we decided on a way to organise
  CRS developers. We settled on the following roles
  - Project lead
  - Core team
  - Project contributors with commit permission
  - Contributors without commit permission

  As you know, Chaim is project lead and he forms the core team with
  Walter Hop and me. We also promoted regular contributors Franziska
  Bühler and Christoph Hansen to project contributors with commit
  permission.  There have been more people contributing to CRS 3.0.1
  and we hope to work with them so they can eventually be promoted to a
  commit permission level.

  The idea with the core team is that every PR needs to be reviewed by
  at least one core team member. This also applies to PRs by core team
  members: They have to be reviewed by at least one additional
  core team member.

- There is general interest to publish more blog posts around CRS
  and also additional information.  We are working on a useful 
  platform here.

- Once CRS 3.0.1 is out the door, testing will be formalized and
  automated, we will close the very old issues and then start with the
  development for 3.1; incorporating new features and new rules.

- Hugo Costa is working on our new logo, but he is also working on
  various other tasks for AppSecEU. In the end AppSecEU won and we
  have to wait until after the conference.

- The security scanner research project resulted in 13 new issues so
  far: false negatives. That is, requests which should be blocked but
  were not - or at least not on a reasonably low paranoia level.
  See all these tickets here:
  https://github.com/SpiderLabs/owasp-modsecurity-crs/issues?q=is%3Aissue+is%3Aopen+label%3Azhaw-research-project
  The most severe false negative seems to be this payload
  which goes undetected at Paranoia Level 3:
  userinput=textvalue95920'%3balert(1)%2f%2f153
  Obviously, there is a transformation missing before the XSS rule
  in question is being executed.
  Other findings are not as dangerous, but also much harder to
  detect like out-of-band communication, where a request parameter
  is passed to nslookup to perform a DNS request.

Upcoming stuff

- CRS 3.0.1 release planned for Tuesday, May 9.

- The CRS meetup at AppSecEU will be rather informal. We were probably
  too late to announce it and fairly few people from the community
  will be making it. Chaim and I will be at the conference from
  Tuesday / Wednesday though. Please get in touch if you are around.
  The idea is to hang out together Wednesday night.

- My Core Rule Set 3.0 Intro talk at AppSecEU in Belfast has been
  scheduled for Thursday May 11, 4.15pm. Would be cool to see
  you.

  I will present the first part of the research (Burp vs. CRS3)
  at the SIGS Technology Conference in Zurich, May 18, 2017:
  www.sig-switzerland.ch/de/technology_conference/

- Next CRS chat: June 5, 2017, 20:30 CEST on Freenode IRC, channel
  #modsecurity (14:30 EST, 19:30 GMT)

Ahoj,

Christian


-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set