Core Rule Set for the Masses

Explore the intricacies of fine-tuning the OWASP ModSecurity Web Application Firewall in this 37-minute conference talk from AppSecUSA 2017. Gain insights from Verizon Edgecast CDN's large-scale deployment of the OWASP Core Rule Set (CRS) across thousands of servers. Learn strategies for reducing alert noise levels by up to 90% using lesser-known ModSecurity features. Discover the challenges and benefits of upgrading from CRS 2.2.9 to 3.0. Understand how to balance risk management and false positives for diverse customer needs. Walk away with practical knowledge on optimizing CRS implementation, including anomaly scoring, safe exclusions, and leveraging paranoia mode in CRS 3.0. Benefit from the speakers' extensive experience in security analysis, incident response, and WAF consulting to enhance your own ModSecurity fine-tuning process.

Intro
Agenda
Verizon Edgecast Network
Web Application Firewalls
WAF Benefits
Mod Security - A brief history
Mod Security Architecture - Two Components
ModSecurity Principles
Mod Security Capabilities
Performance Considerations
Response Time Test
Limitations
WAFs Are Essential
Set Your Expectations
Know Yourself
Know Your Adversary
Know Your Environment
Let's NOT Abandon WAF
Core Rule Set (CRS)
The Holy Grail of Fine-tuning
Fine-tuning Your WAF
Anomaly Scoring in Mod Security
Anomaly Scoring Explained
Keeping the Wall Bulletproof
Safe Exclusions
Exclusion Example
Cookie Exclusions
Core Rule Set 3.0
Paranoia Mode