Google Summer of Code (GSoC) + OWASP + ModSecurity = Awesome

image from 3.bp.blogspot.comOWASP is again participating in the Google Summer of Code (GSoC) Program for 2014 by acting as a Mentoring Organization. This is an outstanding opportunity for college students to get a chance to contribute to open source projects, gain experience and make some money over the summer. Here is a quick graphic that shows how GSoC works:

Screen Shot 2014-03-20 at 8.54.04 AM

There are many OWASP Project Ideas for students to choose from.

GSoC Ideas for ModSecurity

We had great success last year when Mihai Pitu created a port of ModSecurity to the Java platform by using JNI interface to hook in the standalone ModSecurity code. This year, we have even more ideas for students to choose from! Time is running out for submissions so you better hurry.

OWASP ModSecurity Core Rule Set (CRS) - ModSecurity Ruby API

Brief explanation: Adding the capability of rapid prototyping to ModSecurity functionalities trough scripts will open the possibility for easy rules production and customization, It also opens the possibility for a large community such as Ruby developers to create their own customization on the top of ModSecurity and so customize their own rules, analog of today's Lua support.

Expected results: An implementation able to handle Ruby scripts which will interact to ModSecurity as Lua does.

References: Embedding Ruby into C++ (ModSecurity is C, using C++ as reference): http://aeditor.rubyforge.org/ruby_cplusplus/index.html ModSecurity Reference Manual, Lua: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleScript

Knowledge Prerequisite: C and Ruby programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/. Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - ModSecurity Python API

Brief explanation: Adding the capability of rapid prototyping to ModSecurity functionalities trough scripts will open the possibility for easy rules production and customization, It also opens the possibility for a large community such as Python developers to create their own customization on the top of ModSecurity and so customize their own rules, analog of today's Lua support.

Expected results: An implementation able to handle Python scripts which will interact to ModSecurity as Lua does.

References: Embedding Python into C/C++: http://docs.python.org/3.3/extending/embedding.html ModSecurity Reference Manual, Lua: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleScript

Knowledge Prerequisite: C and Python programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/. Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Create "Sniffer-Mode"

Brief explanation:

The ModSecurity code includes a "standalone" version that wraps a light weight Apache/APR around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a data feed of network traffic (e.g. libpcap) data as input and apply the ModSecurity CRS rules. Possible solutions could be:

  • Create a ModSecurity "plugin" for the Snort IDS.
  • Create a ModSecurity "plugin" for the Suricata IDS.
  • Add libpcap sniffer wrapper to standalone ModSecurity code to directly pull data off the wire.

Expected results:

This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out of line mode as they do IDS systems.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Implement DoS Prevention Code

Brief explanation:https://github.com/SpiderLabs/ModSecurity/issues/416

Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.

Expected results:

The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Create a Positive Learning/Profile Engine

Brief explanation: See this academic/research paper for ideas of the type of learning we are looking for - http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf

ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.

Expected results:

The new engine will implement more detection points to detect abnormal request attributes.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Create an Engine to Detect Application Flow Anomalies

Brief explanation:

Need an engine that can track normal application flow paths (click-flows) for business logic transactions - such as transferring money from accounts. After profiling normal application path flows, we want to then be able to alert to anomalies. This type of logic can help to prevent Banking Trojan attacks.

Example - let's say an application has a multi-step checkout process to purchase an item. This new engine would be able to profile/learn which URLs are accessed in what order and identify if clients skip steps or jump directly to other URLs in the flow.

Expected results:

The engine will be able to alert on anomalous application flows.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.