First development release of ModSecurity 2.x

It's that time of year again, when I get to work on new features (instead of supporting the old ...

Read More

Small but important improvements in ModSecurity 1.9.3

I have just released ModSecurity for Apache 1.9.3-rc1, a release candidate, as I always do when ...

Read More

ModSecurity Elevator Pitch at EUSecWest

I spent some time this week at the EUSecWest conference here in London. EUSecWest is a ...

Read More

Web application firewalls primer

(IN)SECURE Magazine Issue 1.5 has just been published. I wrote the cover story, titled "Web ...

Read More

ModSecurity Rules subproject added

If you are a ModSecurity user you may have noticed that I am distributing ModSecurity without any ...

Read More

Massive performance improvements for Apache 1.x users in ModSecurity 1.9.2-rc2

Some ModSecurity users like to run really large rule sets, where the number of rules runs into ...

Read More

ModSecurity 1.9 article on O'Reilly Network

My article ("What's New in ModSecurity"), which describes the most important improvements in 1.9, ...

Read More

Positive security model in ModSecurity

One of the major improvements in the next release of ModSecurity (v2.0) will be the support for a ...

Read More

ModSecurity for Apache 1.9 has been released!

Finally. I already wrote about many new features available in this release. Relieved from the ...

Read More

Draft from the Web Application Firewall Evaluation Criteria project

The web application firewall (WAF) market is a bit confusing at the moment since it is not clear ...

Read More

A few more features made it into ModSecurity 1.9

A small number of new features made it into 1.9 at the very last minute. Initially I intended to ...

Read More

Apache 2.1.7 beta released

A new beta version of the Apache web server has been released. This release is important because it ...

Read More

What's new in ModSecurity 1.9

You may have noticed it's been a while since ModSecurity has had a major release. This does not ...

Read More

Portable Web Application Firewall Rule Format News

As some of you may know, I've been working on the portable web application firewall (WAF) rule ...

Read More

Major updates to ModSecurity in 1.9dev3

This version implements the final batch of major improvements to the 1.9.x series. These include a ...

Read More

Improvements to the Servlet specification

A while ago Greg Murray (the Servlet specification lead) asked for ideas for Servlet improvements. ...

Read More

Web Security Improvement Ideas

I have been keeping a list of web security improvement ideas for some time now. It's a list that ...

Read More

PHP chapter from Apache Security available for download

I have made the PHP chapter from Apache Security available for free download. When we made the ...

Read More

More on impedance mismatch

Recently there has been increased interest in the impedance mismatch problem, which occurs between ...

Read More

The future of web application firewalls

It always pays off to visit Richard Bejtlich's blog once in a while. (Or, even better, subscribe to ...

Read More

External Web Application Protection: Impedance Mismatch

Web application firewalls have a difficult job trying to make sense of data that passes by, without ...

Read More

Mod_security 1.8.7RC2 available

Second release candidate for mod_security 1.8.7 is available for download. I performed a detailed ...

Read More

ModSecurity for Java Milestone 3 now available

I have just released an updated version of ModSecurity for Java. This version implements the core ...

Read More

mod_security and the PHPBB worm (Santy.A)

I have been asked to design a mod_security rule to protect sites from the recent PHPBB worm. Now, I ...

Read More

Portable web firewall rule format

For some time now I've been working on a portable web firewall rule format as part of the OASIS WAS ...

Read More

WASC releases Threat Classification

They've been very quiet for a number of months and now you know what they have been doing - working ...

Read More

AVDL becomes a standard

Application Vulnerability Description Language (AVDL) has been approved as an OASIS standard last ...

Read More

Network Security Hack #93: mod_security

O'Reilly have a new book out: Network Security Hacks. It is a really good book (I read it on Safari ...

Read More