2A02:8070:A89:3C20:38F1:84E6:C169:E3D9: transfer to OWASP

2024-04-10T09:59:23Z

transfer to OWASP

New page

{{Short description|Web application firewall (WAF) software}}
{{More citations needed|date=January 2018}}
{{Infobox software
| name = ModSecurity
| screenshot =
| logo =
| caption =
| author = Ivan Ristić
| developer = [[OWASP]], formerly [[Trustwave]] SpiderLabs
| released = {{Start date and age|2002|11|df=yes}}
| latest release version = {{wikidata|property|edit|reference|P348}}
| latest release date = {{start date and age|{{wikidata|qualifier|P348|P577}}}}
| latest preview version =
| latest preview date =
| programming language = [[C++]] (3.x), [[C (programming language)|C]] (2.x)
| operating system =
| platform =
| genre =
| license = [[Apache License]] 2.0
| website = https://owasp.org/www-project-modsecurity/
| language = [[English language|English]]
}}
{{Portal|Free and open-source software}}
'''ModSecurity''', sometimes called '''Modsec''', is an [[open-source software|open-source]] [[web application firewall]] (WAF). Originally designed as a module for the [[Apache HTTP Server]], it has evolved to provide an array of [[Hypertext Transfer Protocol]] request and response filtering capabilities along with other security features across a number of different platforms including [[Apache HTTP Server]],<ref>{{cite web |url=https://www.techrepublic.com/article/how-to-secure-your-apache-2-server-in-four-steps/ |title=How to secure your Apache 2 server in four steps |website=Techrepublic.com |date=18 November 2016 |accessdate=7 January 2018}}</ref><ref>{{cite web |url=http://www.onlamp.com/pub/a/onlamp/2005/06/09/wss_security.html |title=Securing Web Services with mod_security - O'Reilly Media |first=Shreeraj |last=Shah |website=Onlamp.com |accessdate=7 January 2018 |archive-date=7 January 2018 |archive-url=https://web.archive.org/web/20180107233015/http://www.onlamp.com/pub/a/onlamp/2005/06/09/wss_security.html |url-status=dead }}</ref> [[Microsoft]] [[Internet Information Services|IIS]] and [[Nginx]].<ref>{{cite web |url=https://techcrunch.com/2016/08/23/nginx-pluss-latest-release-puts-the-focus-on-security/ |title=NGINX Plus's latest release puts the focus on security |first=Frederic |last=Lardinois |website=Techcrunch.com |date=23 August 2016 |accessdate=7 January 2018}}</ref> It is [[free software]] released under the [[Apache license]] 2.0.

The platform provides a rule configuration language known as 'SecRules' for real-time monitoring, logging, and filtering of [[Hypertext Transfer Protocol]] communications based on user-defined rules.

Although not its only configuration, ModSecurity is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS).<ref name="coreruleset.org">{{cite web |url=https://coreruleset.org |title=OWASP ModSecurity Core Rule Set – The 1st Line of Defense Against Web Application Attacks |website=Coreruleset.org |accessdate=7 January 2018}}</ref> This is an [[open-source software|open-source]] set of rules written in ModSecurity's SecRules language. The project is part of [[OWASP]], the Open Web Application Security Project. Several other rule sets are also available.

To detect threats, the ModSecurity engine is deployed embedded within the webserver or as a proxy server in front of a web application. This allows the engine to scan incoming and outgoing [[HTTP]] communications to the endpoint. Dependent on the rule configuration the engine will decide how communications should be handled which includes the capability to pass, drop, redirect, return a given status code, execute a script, and more.

== History ==
ModSecurity was first developed by [[Ivan Ristić (Security Expert)|Ivan Ristić]], who wrote the module with the end goal of monitoring application traffic on the [[Apache HTTP Server]]. The first version was released in November 2002 which supported [[Apache HTTP Server]] 1.3.x. Starting in 2004 Ivan created Thinking Stone to continue work on the project full-time. While working on the version 2.0 rewrite Thinking Stone was bought by Breach Security, an American-Israeli security company, in September 2006. Ivan stayed on continuing the development of version 2.0 which was subsequently released in October 2006 at the OWASP AppSec conference in Seattle.

Ristić and Breach Security released another major rewrite, version 2.5, with major syntactic changes in February 2008. In December 2008 Ivan left Breach to found SSL Labs. Shortly after Ivan's departure from Breach Security, [[Trustwave Holdings]] acquired Breach in June 2010 and relicensed ModSecurity under the Apache license. Development continued and the new license allowed easier integration of ModSecurity into other products. As a result of this there was steady adoption of ModSecurity by various commercial products. The license change also precipitated easier porting of the software. Hence, [[Microsoft]] contributed an [[Internet Information Services|IIS]] port in August 2012 and the port for [[Nginx]] was released at [[Black Hat Briefings]] in 2012.

2017 saw the second edition of the handbook released,<ref>{{cite book |title=ModSecurity Handbook |url=https://www.feistyduck.com/books/modsecurity-handbook/ |website=Feistyduck.com |accessdate=7 January 2018}}</ref> written by [[Christian Folini]] and Ivan Ristić. It covers ModSecurity up to version 2.9.2.

Being originally an Apache module, porting ModSecurity to other platforms was time-consuming and had high maintenance costs. As a result of this, a complete rewrite was started in December 2015. This new iteration, libmodsecurity, changes the underlying architecture, separating ModSecurity into a standalone engine that communicates with the web server via an API. This modular architecture-based WAF, which was announced for public use in January 2018,<ref>{{cite web |url=https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-version-30-announcement/ |title=ModSecurity Version 3.0 Announcement |website=www.trustwave.com |accessdate=12 September 2019}}</ref> became libmodsecurity (ModSecurity version 3.0) and has supported connectors for Nginx and Apache.

In 2021, [[Trustwave Holdings]], announce the End-of-Sale (EOS) of Trustwave support for ModSecurity effective August 1, 2021 and the End-of-Life (EOL) of support effective July 1, 2024. The maintenance of the ModSecurity code is given to the open-source community.<ref>{{cite web |url=https://www.trustwave.com/en-us/resources/security-resources/software-updates/end-of-sale-and-trustwave-support-for-modsecurity-web-application-firewall/ |title=End of Sale and Trustwave Support for ModSecurity Web Application Firewall |website=trustwave.com |accessdate=14 October 2021}}</ref>

==References==
{{Reflist}}

== External links ==
* {{Official website|https://www.modsecurity.org/}}
*[https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual Official ModSecurity documentation]
*[https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu How To Set Up mod_security with Apache on Debian/Ubuntu]
*[http://blog.supportpro.com/2009/08/mod_security-intro/ Linux ModSecurity Introduction and Install guide] {{Webarchive|url=https://web.archive.org/web/20110812162537/http://blog.supportpro.com/2009/08/mod_security-intro/ |date=2011-08-12 }}
*[http://searchsecurity.techtarget.com/feature/Comparing-the-best-Web-application-firewalls-in-the-industry Searchsecurity.techtarget.com]
*[https://github.com/owasp-modsecurity/ModSecurity/ Official github repository]

[[Category:Free web server software]]
[[Category:Firewall software]]
[[Category:Lua (programming language)-scriptable software]]
[[Category:Apache httpd modules]]

ModSecurity - Revision history

2A02:8070:A89:3C20:38F1:84E6:C169:E3D9: transfer to OWASP