SpiderLabs Blog

Google Summer of Code (GSoC) + OWASP + ModSecurity = Awesome

OWASP is again participating in the Google Summer of Code (GSoC) Program for 2014 by acting as a Mentoring Organization. This is an outstanding opportunity for college students to get a chance to contribute to open source projects, gain experience and make some money over the summer. Here is a quick graphic that shows how GSoC works:

[Image: how GSoC works]

There are many OWASP Project Ideas for students to choose from.

GSoC Ideas for ModSecurity

We had great success last year when Mihai Pitu created a port of ModSecurity to the Java platform by using the JNI interface to hook into the standalone ModSecurity code. This year, we have even more ideas for students to choose from! Time is running out for submissions, so you had better hurry.

OWASP ModSecurity Core Rule Set (CRS) - ModSecurity Ruby API

Brief explanation: Adding rapid prototyping of ModSecurity functionality through scripts will make it easier to produce and customize rules. It also lets a large community such as Ruby developers build their own customizations on top of ModSecurity and tailor their own rules, analogous to today's Lua support.

Expected results: An implementation able to handle Ruby scripts that interact with ModSecurity as Lua scripts do.

References:

  • Embedding Ruby into C++ (ModSecurity is C, using C++ as reference): http://aeditor.rubyforge.org/ruby_cplusplus/index.html
  • ModSecurity Reference Manual, Lua: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleScript

Knowledge Prerequisite: C and Ruby programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - ModSecurity Python API

Brief explanation: Adding rapid prototyping of ModSecurity functionality through scripts will make it easier to produce and customize rules. It also lets a large community such as Python developers build their own customizations on top of ModSecurity and tailor their own rules, analogous to today's Lua support.

Expected results: An implementation able to handle Python scripts that interact with ModSecurity as Lua scripts do.

References:

  • Embedding Python into C/C++: http://docs.python.org/3.3/extending/embedding.html
  • ModSecurity Reference Manual, Lua: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleScript

Knowledge Prerequisite: C and Python programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Create "Sniffer-Mode"

Brief explanation:

The ModSecurity code includes a "standalone" version that wraps a lightweight Apache/APR layer around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a feed of network traffic data (e.g. from libpcap) as input and apply the ModSecurity CRS rules. Possible solutions could be:

  • Create a ModSecurity "plugin" for the Snort IDS.
  • Create a ModSecurity "plugin" for the Suricata IDS.
  • Add libpcap sniffer wrapper to standalone ModSecurity code to directly pull data off the wire.

Expected results:

This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out-of-line mode, as they do with IDS systems.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Implement DoS Prevention Code

Brief explanation: https://github.com/SpiderLabs/ModSecurity/issues/416

Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.
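One way such a velocity baseline could work, as an added example (not ModSecurity code and not from the linked issue): each scope learns its normal requests-per-window with an exponentially weighted mean and deviation, and the threshold follows the learned values. The estimator, its gains, the 4x multiplier, the `/login` scope and all window counts are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Learned request velocity for one scope (the whole site, or one URL). */
typedef struct { double avg, dev; int primed; } velocity;

/* Feed one finished time window's request count into the baseline.
 * EWMA of the mean (gain 1/8) and of the absolute deviation (gain 1/4). */
static void vel_learn(velocity *v, double count) {
    if (!v->primed) { v->avg = count; v->dev = count / 2; v->primed = 1; return; }
    double err = count - v->avg;
    v->dev += 0.25 * ((err < 0 ? -err : err) - v->dev);
    v->avg += 0.125 * err;
}

/* Dynamic threshold: learned mean plus four learned deviations. */
static double vel_threshold(const velocity *v) { return v->avg + 4.0 * v->dev; }

/* Constructed training data: requests per window during normal operation. */
static const double SITE_NORMAL[]  = {480, 510, 495, 505, 500, 490};
static const double LOGIN_NORMAL[] = {4, 6, 5, 5, 4, 6};   /* hypothetical /login URL */

static velocity train(const double *w, int n) {
    velocity v = {0};
    for (int i = 0; i < n; i++) vel_learn(&v, w[i]);
    return v;
}

/* Verdict for one live window: bit 0 = site threshold exceeded,
 * bit 1 = per-URL threshold exceeded. */
static int dos_verdict(double site_count, double login_count) {
    velocity site = train(SITE_NORMAL, 6), login = train(LOGIN_NORMAL, 6);
    return (site_count > vel_threshold(&site) ? 1 : 0)
         | (login_count > vel_threshold(&login) ? 2 : 0);
}

int main(void) {
    printf("normal=%d login_burst=%d flood=%d\n",
           dos_verdict(495, 5), dos_verdict(555, 60), dos_verdict(5000, 60));
    return 0;
}
```

The middle case is the reason for keeping both scopes: 60 requests to one URL barely move the site-wide count, so only the per-URL threshold trips.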

Expected results:

The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Create a Positive Learning/Profile Engine

Brief explanation: See this academic/research paper for ideas of the type of learning we are looking for - http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf

ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.

Expected results:

The new engine will implement more detection points to detect abnormal request attributes.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader

OWASP ModSecurity Core Rule Set (CRS) - Create an Engine to Detect Application Flow Anomalies

Brief explanation:

We need an engine that can track normal application flow paths (click-flows) for business logic transactions, such as transferring money between accounts. After profiling normal application path flows, we then want to be able to alert on anomalies. This type of logic can help to prevent Banking Trojan attacks.

Example - let's say an application has a multi-step checkout process to purchase an item. This new engine would be able to profile/learn which URLs are accessed in what order and identify if clients skip steps or jump directly to other URLs in the flow.
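The checkout example above as added example code (not from ModSecurity or the original post): a profile learns which URL-to-URL transitions occur in known-good sessions, then reports the first request in a later session that breaks the learned order. The URL names, the `flow_*` functions and the fixed-size table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_URLS 16   /* profile capacity (constructed limit) */
#define START 0       /* virtual state: no request seen yet in the session */

typedef struct {
    const char *url[MAX_URLS];               /* url[0] is START; strings must outlive the profile */
    int n;                                   /* states in use, START included */
    unsigned char seen[MAX_URLS][MAX_URLS];  /* seen[a][b] = 1: transition a -> b was learned */
} flow_profile;

/* Map a URL to its state id, adding it while learning; -1 if unknown or full. */
static int flow_state(flow_profile *p, const char *u, int add) {
    for (int i = 1; i < p->n; i++)
        if (strcmp(p->url[i], u) == 0) return i;
    if (!add || p->n == MAX_URLS) return -1;
    p->url[p->n] = u;
    return p->n++;
}

/* Walk one session. learn=1: record its transitions (known-good traffic). learn=0: return
 * the index of the first request that breaks the learned order, or -1 if the flow is normal. */
static int flow_walk(flow_profile *p, const char **s, int len, int learn) {
    for (int i = 0, prev = START; i < len; i++) {
        int cur = flow_state(p, s[i], learn);
        if (cur < 0) return i;               /* unknown URL, or profile full */
        if (learn) p->seen[prev][cur] = 1;
        else if (!p->seen[prev][cur]) return i;
        prev = cur;
    }
    return -1;
}

/* Constructed sample sessions for the multi-step checkout described above. */
static const char *GOOD[]    = {"/cart", "/shipping", "/payment", "/confirm"};
static const char *SKIPPED[] = {"/cart", "/confirm"};  /* skips shipping and payment */
static const char *DIRECT[]  = {"/payment"};           /* enters mid-flow */

/* Train a fresh profile on GOOD, then check one session against it. */
static int demo_check(const char **s, int len) {
    flow_profile p = { .url = { "<start>" }, .n = 1 };
    flow_walk(&p, GOOD, 4, 1);
    return flow_walk(&p, s, len, 0);
}

int main(void) {
    printf("%d %d %d\n", demo_check(GOOD, 4), demo_check(SKIPPED, 2), demo_check(DIRECT, 1));
    return 0;
}
```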

Expected results:

The engine will be able to alert on anomalous application flows.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader
