OWASP CRS retreat
A few weeks ago I was invited as a guest to the OWASP Core Ruleset retreat in the Swiss Alps. In this post I’m going to share my experience and how it will contribute to the development of Coraza WAF and our alliance with CRS.
OWASP Core Ruleset is the world’s most important WAF rule set for protecting against web attacks like SQL Injection, Command Execution and many more. It’s currently being used by most ModSecurity users, this blog and many companies like Amazon and Microsoft.
It was a great opportunity to collaborate with the CRS project, learn about their work, how they create and test rules, how they handle a huge open source project, and get most of the team to try Coraza and provide interesting feedback.
The first thing I noticed was the great organization (thanks to Christian Folini): the train was there at the exact time and the activity schedule ran like a Swiss watch, so we managed to finish every project and workshop within time.
My most important contribution was the baseline for the CRS sandbox: I helped Andrea, Ervin and Christoph to create the docker images and the code required to handle ModSecurity logs in Lua.
There was a lot of work involved during the week, but there were also many fun activities, like Anna Goldi Museum, the Tolkien Museum, Fondue, a lot of chocolate, and so many fun evenings with the CRS guys.
Ok, it sounds so cool, but what were the results?
- We got a PoC of the Coraza-Apache wrapper
- The CRS team validated Coraza
- I learnt a lot about the CRS testing and how I can replicate it for Coraza
- I spent a lot of money, Switzerland is SO expensive
- I contributed some PRs to CRS and the CRS Sandbox
- We exchanged feedback on how to address new vulnerabilities like HTTP request Smuggling
- I met a fantastic team willing to help to test Coraza
- Now I have a real feeling that Coraza is going to replace ModSecurity in the near future
Finally, I want to thank the CRS team for inviting me and treating me as part of your team; I will never forget this experience.