security


Most Frequent False Positives Triggered by OWASP ModSecurity Core Rules 2.2.X

[UPDATE: There is a separate tutorial about the Handling of False Positives (This article here is mostly about statistical data of the CRS2 rule set. Meanwhile CRS3 has been released).] ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it’s probably dead. A strict […]


OWASP ModSecurity Core Rules: Comparing 2.2.x and 3.0.0-dev

It has been a while since we have seen big development in the OWASP ModSecurity Core Rules. This is because development took place in a separate branch named 3.0.0-dev, which adopts many of the newer features and operators included in ModSecurity since 2.7, notably @detectSQLi and @detectXSS. When you take […]


Conference Report “Cyber Risks Switzerland 2015”

November 2, 2015, saw this year’s edition of the conference Cyber-Risks Switzerland organised by MELANI. While last year’s edition presented a lot of interesting and promising ideas, this year brought concepts in draft stage, first reports from the frontline, lessons learnt at law enforcement and a batch of reports in finalised state. It’s all […]


Talking Risk in Information Technology

Domenico Salvati and Adrian Leuenberger of DefCon Switzerland ran a workshop on corporate risk management in Zurich. This one-day event addressed two goals: to present a model of risk “compatible” with upper management in order to allow techies to talk with high-ranked business representatives, and to talk about a second model which measures and calculates probabilities […]


Reporting from the Convention “Cyber Risks Switzerland 2014”

This is a brief report from the convention Cyber Risks Switzerland 2014 (Tagung Cyber Risiken Schweiz), Berne, November 20, 2014. The conference, organised by ISB/MELANI, was meant to give some insight into the implementation of the various tasks formulated in the National Cyber Strategy (NCS). Meeting and networking between all sorts of players in the […]