ModSecurity, sometimes called Modsec, is an

open-source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use and view the source code, design documents, or content of the product. The open source model is a decentrali ...

web application firewall A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulne ...

(WAF). Originally designed as a module for the

Apache HTTP Server The Apache HTTP Server ( ) is a free and open-source software, free and open-source cross-platform web server, released under the terms of Apache License, Apache License 2.0. It is developed and maintained by a community of developers under the ...

, it has evolved to provide an array of

Hypertext Transfer Protocol HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

request and response filtering capabilities along with other security features across a number of different platforms including

Microsoft Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...

IIS and

Nginx (pronounced "engine x" , stylized as NGINX or nginx) is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 20 ...

. It is

free software Free software, libre software, libreware sometimes known as freedom-respecting software is computer software distributed open-source license, under terms that allow users to run the software for any purpose as well as to study, change, distribut ...

released under the

Apache license The Apache License is a permissive free software license written by the Apache Software Foundation (ASF). It allows users to use the software for any purpose, to distribute it, to modify it, and to distribute modified versions of the software ...

2.0. The platform provides a rule configuration language known as 'SecRules' for real-time monitoring, logging, and filtering of

communications based on user-defined rules. Although not its only configuration, ModSecurity is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS). This is an

set of rules written in ModSecurity's SecRules language. The project is part of

OWASP The Open Worldwide Application Security Project (formerly Open Web Application Security Project) (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of Io ...

, the Open Web Application Security Project. Several other rule sets are also available. To detect threats, the ModSecurity engine is deployed embedded within the webserver or as a proxy server in front of a web application. This allows the engine to scan incoming and outgoing

HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

communications to the endpoint. Dependent on the rule configuration the engine will decide how communications should be handled which includes the capability to pass, drop, redirect, return a given status code, execute a script, and more.

History

ModSecurity was first developed by Ivan Ristić, who wrote the module with the end goal of monitoring application traffic on the

. The first version was released in November 2002 which supported

1.3.x. Starting in 2004 Ivan created Thinking Stone to continue work on the project full-time. While working on the version 2.0 rewrite Thinking Stone was bought by Breach Security, an American-Israeli security company, in September 2006. Ivan stayed on continuing the development of version 2.0 which was subsequently released in October 2006 at the OWASP AppSec conference in Seattle. Ristić and Breach Security released another major rewrite, version 2.5, with major syntactic changes in February 2008. In December 2008 Ivan left Breach to found SSL Labs. Shortly after Ivan's departure from Breach Security, Trustwave Holdings acquired Breach in June 2010 and relicensed ModSecurity under the Apache license. Development continued and the new license allowed easier integration of ModSecurity into other products. As a result of this there was steady adoption of ModSecurity by various commercial products. The license change also precipitated easier porting of the software. Hence,

contributed an IIS port in August 2012 and the port for

was released at

Black Hat Briefings Black Hat Briefings (commonly referred to as Black Hat) is a computer security conference that provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world. Black Hat brings together ...

in 2012. 2017 saw the second edition of the handbook released, written by Christian Folini and Ivan Ristić. It covers ModSecurity up to version 2.9.2. Being originally an Apache module, porting ModSecurity to other platforms was time-consuming and had high maintenance costs. As a result of this, a complete rewrite was started in December 2015. This new iteration, libmodsecurity, changes the underlying architecture, separating ModSecurity into a standalone engine that communicates with the web server via an API. This modular architecture-based WAF, which was announced for public use in January 2018, became libmodsecurity (ModSecurity version 3.0) and has supported connectors for Nginx and Apache. In 2021, Trustwave Holdings, announce the End-of-Sale (EOS) of Trustwave support for ModSecurity effective August 1, 2021 and the End-of-Life (EOL) of support effective July 1, 2024. The maintenance of the ModSecurity code is given to the open-source community.

References

External links

*
Official ModSecurity documentationHow To Set Up mod_security with Apache on Debian/UbuntuLinux ModSecurity Introduction and Install guide
{{Webarchive, url=https://web.archive.org/web/20110812162537/http://blog.supportpro.com/2009/08/mod_security-intro/ , date=2011-08-12
Searchsecurity.techtarget.comOfficial github repository
Free web server software Firewall software Lua (programming language)-scriptable software Apache httpd modules