Monthly Chat Agenda November (2019-11-04)

[fzipi]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, November 4, at 20:30 CET.

Items on the Agenda:

PRs

• Revert #578 #1616 Revert Add urlDecodeUni() operation to ARG/ARGS_NAMES #578
• New Rule 921190: HTTP Splitting #1610 New Rule 921190: HTTP Splitting
• New rule 920500: block backup extensions #1591 New rule 920500: block backup extensions

Issues

• Make ModSecurity CRS repositories easier to manage #1600 Make ModSecurity CRS repositories easier to manage
• Integrating rule check into Travis CI #1599 Integrating rule check into Travis CI
• Consistent support for the "ver" action #650 Consistent support for the "ver" action
• Review severity levels of CRS to make sure all rules have severity levels #610 Review severity levels of CRS to make sure all rules have severity levels

Other items

• Reporting from call with new ModSecurity project coordinator at Trustwave (and dev Felipe)
• Discussion of securely.ai : https://git.securely.ai/securely/common/securely-app-oss
• Update on the status of the CRS / ModSecurity Meetup in Bern (after 3 editions)
• Propose to formally use semantic versioning (MAJOR.MINOR.PATCH) (https://semver.org)
• On creating SECURITY.md (Create SECURITY.md #1590) , the question about what should be reported by email remains to be answered.

Slack invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM

[dune73]

Decisions

PRs

• Revert #578 #1616 is going to be merged after updates to commit message (better explanations on what the matter is)
• New Rule 921190: HTTP Splitting #1610 is very welcome. Yet a few open questions remain like the relationship with rule 921140 or the Splitting talk by James Kettle at AppSecEU in Amsterdam (video is published),the number of FPs (and thus PL), etc. The PR is being assigned to @lifeforms to guide it to merging.
• New rule 920500: block backup extensions #1591: will be merged

Issues

• Make ModSecurity CRS repositories easier to manage #1600: Item (1) is dropped. Item (3) is aopted. Item (2) is not quite sorted out. The folder versioning is not yet convincing everybody on the team. The conversation will be continued in the issue.
• Integrating rule check into Travis CI #1599: @fgs is supporting @airween to solve the open question and guide it into a PR
• Consistent support for the "ver" action #650: @airween with make sure this issue is solved together with Anna.
• Review severity levels of CRS to make sure all rules have severity levels #610: @airween with make sure this issue is solved together with Anna.

Other

• @lifeforms reports from a call of the project leads with TW; namely the new manager of the ModSec project. TW is committed to solve the open issues with ModSec and bring it into a state where it passes our test suite. Performance will also be addressed, as will be the apache connector. They welcome our comments on github. This means we are invited to point out which issues / PRs we think deserve priority.
  On request of @airween, the following ModSec PRs have the highest priority. We have prioritized them together in this order:
  • Aligned Cookie parsing method to ModSecurity2 style owasp-modsecurity/ModSecurity#2023
  • V3/collection re fix owasp-modsecurity/ModSecurity#2107
  • V3/reqbodyproc owasp-modsecurity/ModSecurity#2045
• Ruben van Vreeland presents securely.ai and gets a lot of applause
• The CRS / ModSec meetup in Bern has attracted more than a dozen people on 2 of the 3 editions so far. The idea is now to continue in 2020 with 5 meetings. 4 different companies will host at least 1 of the meetups. Participants also stated they are open to do workshops where CRS issues are being handled.
• We postpone the discussion on the semantic versioning (it's getting late)
• Create SECURITY.md #1590 / security.md: We found a formula for the question what we consider a bug in CRS (a payload leading to unexpected behaviour of the WAF plus false negatives at PL4)