News Stay informed about the latest enterprise technology news and product updates.

Positive changes coming to ModSecurity

Black Hat: The popular open source Web application firewall is getting a new tool that observes and analyzes application traffic and helps establish accepted behavior.

This is a research effort to help establish a good deployment practice for Web applications. Bad guys collaborate very well. Good guys don't do as good of a job.
Ivan Ristic
VP, security researchBreach Security Inc.
LAS VEGAS -- ModSecurity is getting an attitude adjustment, thanks to a complementary new tool that brings a positive security model to the popular open source Web application firewall.

Ivan Ristic, recognized for his work in building not only the ModSecurity tool, but also its community, today at the Black Hat briefings introduced ModProfiler. ModProfiler, he said, observes and analyzes application traffic and builds an application profile of accepted behavior. That intelligence is then fed to ModSecurity and written into its rules.

"The positive security model is safer because you don't need to know everything about attacks. You only have to understand your application," Ristic said. "We've felt some pressure from the community to solve this problem. Learning is the only [thing] ModSecurity doesn't do. By adding this one missing piece, we're completing the features of ModSecurity."

Web application firewalls (WAFs) are getting more attention than ever from businesses, especially those bound to comply with the Payment Card Industry Data Security Standard. PCI DSS Requirement 6.6 became mandatory on June 30, and it requires companies that accept and process credit card data and transactions to secure their Web applications, either with the installation of a Web application firewall or via a manual or automated source code review.

Web application firewalls are, in most cases, a quicker and cheaper road to a compliance checkmark, experts say. Deployments are challenging, however, and Ristic, vice president of security research at Breach Security Inc., said he's received plenty of questions about what Web application firewalls do, where they should sit and who should manage them.

"People focus ultimately on blocking, but people need to view WAFs as operational tools that provide situational awareness," Ristic said. "The most important thing WAFs do is provide visibility into what's happening. Only after you have visibility can you decide whether you want to block or just log traffic."

More from Black Hat 2008

Exclusive photos of Black Hat 2008.

Windows Vista security 'rendered useless' by researchers

Black Hat: Two researchers Thursday will demonstrate how to use Java, ActiveX controls and .NET objects to essentially bypass all the key security safeguards in Windows Vista.

Researchers develop lightweight Cisco IOS rootkit
Black Hat: Building on previous research against IOS, Core Security researchers have theoretically shown the plausibility of an IOS rootkit attack.    

Bluetooth 2.1 is easy to crack Black Hat: A cryptographer for Aladdin Knowledge Systems says Bluetooth version 2.1, designed to be more secure than previous versions, is actually extremely vulnerable to attackers.

One feature unique to ModProfiler is the ability to write what Ristic calls a virtual patch. If ModProfiler detects behavior out of the ordinary, users can write a simple rule that only detects that one attack against one resource in one location. Virtual patches can mitigate an issue until developers have an opportunity to patch and quality assure (QA) the application for its next release. At that time, Ristic said, the virtual patch is no longer necessary.

Ristic, meanwhile, hopes ModProfiler's collaborative nature will resonate with users, especially those who don't understand the nuances of a Web application firewall or don't have the resources to invest in the tool.

"This is a research effort to help establish a good deployment practice for Web applications," Ristic said. "Bad guys collaborate very well. Good guys don't do as good of a job."

Ristic hopes the project will beef up ModSecurity's benefits, change the way Web applications are deployed, and secure them against zero-day attacks, for example, from Day 1.

"What we've found is that Web applications are deployed and written in a bad way where everything is allowed by default. The problem with that is that every day, there are new Web application attacks and attack types," Ristic said. "If you're writing an application today, you don't know tomorrow's attack type. We realized there's a great advantage to changing the way Web applications are deployed: deny by default and allow only what's safe. If you want an application to perform five functions, allow only those five.

"The end benefit," Ristic added, "is that you don't have to write the rules; just record traffic, have it write to ModProfiler and have a hosted ruleset to protect applications."

ModProfiler is expected to be released shortly after this week's Black Hat briefings.

Dig Deeper on Open source security tools and software

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.