Re: [mod-security-users] Standard testing methodology for virtual patching
From: Christian F. <chr...@ne...> - 2021-07-02 09:11:21
Hey Kyle,

This sounds like an intriguing project. A research project, I presume?

There is a problem I see where you trust your security scanner to discover every vulnerability. You effectively limit CRS to the depth of the security scanner. But that's probably not what you are interested in as feedback.

I get the impression that security scanners have a small intersection with their findings beyond the most obvious ones. So when you discover something with scanner A, patch it virtually and then scanner B is no longer able to discover it, that can give you a false sense of security. You absolutely need to run scanner A again too. It might make sense to give scanner A the original vulnerability and have it try to fuzz more weaknesses in that area after your virtual patch.

Other than that, I agree there is little conceptual work in this regard and it feels like you are stepping on new ground. Which can be exciting for a piece of research. :)

Good luck!

Christian

On Thu, Jul 01, 2021 at 04:42:28PM +0000, Kyle Richard Orlando wrote:
> Hi,
>
> Does anyone have any tips or recommendations for a standard way of testing/evaluating the effectiveness of a set of virtual patches? I've written a little python script that conditionally includes CRS rules for a given location and parameter(s) based on a vulnerability report generated by scanners like ZAP. Really, I can't think of much more beyond a before/after active scan with ZAP, and then a before/after scan with another tool that wasn't used in virtual patch creation. I know these virtual patches reduce the rate of false positives compared to just setting up CRS out-of-the-box, since they won't block requests for locations/parameters that aren't associated with some vulnerability. However, I can't think of a particularly useful way of showing this beyond picking a random vulnerable location and parameter and "attacking" it with words from a dictionary or book.
>
> I've been to a couple of OWASP pages on the topic of virtual patching, but the testing methodology seems to be fairly manual and ad-hoc.
>
> Thanks,
> Kyle
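An added example of the kind of generator Kyle describes (not his script, and not anything from the thread): it reads a ZAP-style JSON alert export and emits one chained ModSecurity rule per (path, parameter, alert class), so the disruptive action only fires on the reported location and parameter rather than site-wide. The report is constructed, the alert-name-to-operator mapping is an assumption, and the rules are plain `@detectSQLi`/`@detectXSS` chains rather than conditional CRS includes; the `findings()` set is also what you would diff against a re-run of the same scanner, as Christian suggests.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample shaped like a ZAP JSON alert export (not a real scan); only the
# fields read below are present. Two instances of 'id' on one path must collapse to one rule.
SAMPLE_REPORT = json.dumps({"site": [{"alerts": [
    {"alert": "SQL Injection", "instances": [
        {"uri": "http://target.example/item.php?id=1", "param": "id"},
        {"uri": "http://target.example/item.php?id=2", "param": "id"}]},
    {"alert": "Cross Site Scripting (Reflected)", "instances": [
        {"uri": "http://target.example/search.php?q=x", "param": "q"}]},
    {"alert": "X-Content-Type-Options Header Missing", "instances": [
        {"uri": "http://target.example/", "param": ""}]},
]}]})

# Assumed mapping from scanner alert name to the ModSecurity operator for that
# attack class; alerts with no entry (header hygiene etc.) get no virtual patch.
OPERATORS = {"SQL Injection": "@detectSQLi",
             "Cross Site Scripting (Reflected)": "@detectXSS"}
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.\-\[\]]+$")   # never splice raw names into rules

def findings(report_json):
    """Distinct (path, param, alert) triples from the report; param-less alerts are skipped."""
    seen = set()
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            for inst in alert["instances"]:
                triple = (urlsplit(inst["uri"]).path, inst.get("param", ""), alert["alert"])
                if triple[1] and triple not in seen:
                    seen.add(triple)
                    yield triple

def build_rules(report_json, base_id=10000):
    """One chained ModSecurity rule per finding: deny fires only when both the
    request path and the reported parameter match, so other locations stay untouched."""
    rules = []
    for path, param, alert in findings(report_json):
        op = OPERATORS.get(alert)
        if op is None or not SAFE_PARAM.match(param):
            continue  # unknown class or odd parameter name: leave for manual review
        rule_id = base_id + len(rules)
        rules.append(
            f"# Virtual patch: {alert} in '{param}' at {path}\n"
            f'SecRule REQUEST_FILENAME "@streq {path}" \\\n'
            f"    \"id:{rule_id},phase:2,deny,status:403,log,"
            f"msg:'Virtual patch {rule_id}: {alert} in {param}',chain\"\n"
            f'    SecRule ARGS:{param} "{op}"')
    return rules
```

Writing `"\n\n".join(build_rules(SAMPLE_REPORT))` to a `.conf` file gives a rule set that only touches `/item.php?id` and `/search.php?q`; after deploying it, re-run the scanner that produced the report and check that exactly the triples from `findings()` are gone.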