
Details

This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00.

See https://owasp.org/www-chapter-netherlands/upcomingevents for more information about the OWASP Netherlands chapter.

19:00 - 19:10 - Welcome and OWASP updates
19:10 - 19:55 - OWASP ModSecurity: A Few Plot Twists and What Feels Like a Happy End by Christian Folini
19:55 - 20:05 - Questions and Break
20:05 - 20:50 - OWASP Dependency-Track by Niklas Düster

OWASP ModSecurity: A Few Plot Twists and What Feels Like a Happy End
Abstract:
ModSecurity is an open-source, cross-platform web application firewall (WAF) engine. Originally written by Ivan Ristić, it was acquired by Trustwave and then developed for over 10 years by Trustwave’s SpiderLabs.

ModSecurity exists as a module for the Apache HTTP Server, Nginx, and IIS (v2), and it has also been released as a standalone daemon for NGINX (v3), accessible via an API and a webserver-specific connector module. It is able to inspect HTTP requests and HTTP responses, and it is configured via rules in a rather cumbersome config language called “SecLang”. OWASP CRS is the dominant rules project used by most ModSecurity users.

In 2021, Trustwave announced the end of support and the plan to hand ModSecurity over to the community by Summer 2024. OWASP tried several times to convince Trustwave to hand it over to the foundation, but only succeeded in November 2023. A plan was thus drawn up and a new project was prepared from December 2023. The main repository was transferred on January 25, and OWASP ModSecurity was declared a “production level” OWASP project by the OWASP project committee.

The new project operates with a preliminary leader team, the first release is already out and the community is growing, all in line with the 3-6 month project plan drawn up in December 2023.

This talk gives an overview of the dynamics at play, how OWASP operates on projects like this, and what the perspectives are for ModSecurity and OWASP as a whole.

Bio:
Dr. Christian Folini is a Swiss security engineer and open source enthusiast. He brings 15 years of experience with ModSecurity configuration in high-security environments, DDoS defense and threat modeling. Christian Folini is the author of the 2nd edition of the ModSecurity Handbook and the best-known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference.

OWASP Dependency-Track
Abstract:
Since its inception over a decade ago, OWASP Dependency-Track has pioneered many concepts in the realm of software supply chain security, and software bill of materials (SBOM).

With increasingly more governments, regulators and organizations asking for SBOMs, the project is more relevant than ever. On the other hand, a non-negligible portion of folks is still puzzled as to what to even do with SBOMs once they have them.

In this talk, we’ll explore what Dependency-Track is, how it can help organizations in identifying and reducing risk in their software supply chain, and give an outlook into what’s next!

Bio:
After years as a Security Engineer for a large European payment service provider, Niklas currently works as a Cloud Native Engineer for ControlPlane. He is passionate about AppSec, DevSecOps and Open Source. He co-leads the OWASP Dependency-Track project and is a contributor to the OWASP CycloneDX Bill of Materials standard, for which he maintains the official Go tooling.
