Slideshows by User: ChristianFolini (SlideShare feed, Fri, 15 Nov 2024 14:52:37 GMT)

Using a WAF to Make the Life of Bug Bounty Hunters Miserable /slideshow/using-a-waf-to-make-the-life-of-bug-bounty-hunters-miserable/273337644
Fri, 15 Nov 2024 14:52:37 GMT
This is a primer on WAFs in general and OWASP CRS in particular. The presentation then continues to introduce the "Chaos Fortress" CRS plugin that delays attackers and thwarts their feedback loop by creative behavior changes on the WAF.

OWASP ModSecurity - A few plot twists and what feels like a happy end /slideshow/owasp-modsecurity-a-few-plot-twists-and-what-feels-like-a-happy-end/266867001
Tue, 19 Mar 2024 13:11:23 GMT
This is about the history and the future of OWASP ModSecurity. The venerable WAF engine was transferred to OWASP in January 2024. This presentation looks back and presents a project plan moving forward.

Crazy incentives and how they drive security into no man's land /slideshow/crazy-incentives-and-how-they-drive-security-into-no-mans-land/256797120
Thu, 23 Mar 2023 17:37:51 GMT
Everybody, Blueteam and Redteam players alike, is driven by incentives. Good incentives persuade us to do the right thing and patch our servers. Bad incentives make us eat unhealthy food and follow stupid security practices. There is a huge resource problem in the IT industry and especially in the security industry. So you would expect people to pay attention to the existing incentives and the incentives they create with their documentation, their awareness trainings, their security reports, etc. But reality paints a different picture: bad incentives all around! We see insane security practices eating valuable time and online trainings annoying users, slowly teaching them to become brainless zombies whenever they hear the keyword "security". But it's even worse. I've come across incentives that lure companies into creating bad products and I've seen companies create products that incentivize their customers to waste their time and money. Sometimes the mechanisms are too strong to fight. But sometimes it takes people like you and me to say NO and stand up for real security! Follow me on a journey and security will never look the same to you again!

Never Walk Alone - Inspirations from a Growing OWASP Project /slideshow/never-walk-alone-inspirations-from-a-growing-owasp-project/253747126
Fri, 21 Oct 2022 13:54:47 GMT
The OWASP ModSecurity Core Rule Set (CRS) was a dormant project when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD, and the rules run on over 100 Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example of how you can grow and mature your project too.

What’s new in CRS4? An Update from the OWASP CRS project /slideshow/whats-new-in-crs4-an-update-from-the-owasp-crs-project/251959371
Fri, 10 Jun 2022 09:21:14 GMT
Latest news from planet CRS (June 2022)

The Adventurous Tale of Online Voting in Switzerland /slideshow/the-adventurous-tale-of-online-voting-in-switzerland-251429134/251429134
Fri, 25 Mar 2022 22:32:45 GMT
Overview of 20 years of online voting in Switzerland, including the publication of source code in 2019, the collection of signatures for a referendum, the scientific dialogue, the public consultation for the new regulation and some bold predictions about the future.

EVoting in der Schweiz - Ein Fortsetzungsroman (E-Voting in Switzerland - A Serial Novel) /slideshow/evoting-in-der-schweiz-ein-fortsetzungsroman/251251601
Sat, 26 Feb 2022 12:30:50 GMT
Historical overview of 20 years of e-voting in Switzerland, focusing on the developments of 2019, the scientific dialogue of 2020 and the public consultation on the new regulation in 2021.

Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set /slideshow/securing-access-to-internet-voting-with-the-owasp-modsecurity-core-rule-set/250298540
Sun, 26 Sep 2021 06:30:42 GMT
This presentation from #RomHack2021 introduces the OWASP ModSecurity Core Rule Set Web Application Firewall (CRS). It then introduces the 20-year history of Internet Voting in Switzerland and explains how the Swiss Post system was secured with the help of OWASP CRS. The presentation links several resources, including government reports and an important tuning description by Swiss Post.

Extensive Introduction to ModSecurity and the OWASP Core Rule Set /slideshow/extensive-introduction-to-modsecurity-and-the-owasp-core-rule-set/248880715
Wed, 02 Jun 2021 13:17:28 GMT
Extensive introduction presentation

The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conference) /ChristianFolini/the-adventurous-tale-of-online-voting-in-switzerland
Mon, 01 Feb 2021 17:30:09 GMT
The Swiss tale of online voting serves as a typical example of the iterative development of highly critical IT systems and of the growing involvement of scientists as a necessary step for a government that is willing to learn from past mistakes. Switzerland has been experimenting with online voting for over 15 years. Several generations of electronic voting systems have been implemented and almost all of them died along the way because of their profound security problems or when the money ran out. In 2019, Swiss Post published the source code of its online voting system, the last system that was still in the race. Several highly critical findings were discovered in a matter of weeks and the system was stopped right before the national elections. In 2020, the government rebooted the process and invited two dozen international researchers into an intense dialogue that lasted several months. The resulting report is the basis for the renewed regulation that will pave the way forward in 2021.

Introduction to ModSecurity and the OWASP Core Rule Set /ChristianFolini/introduction-to-modsecurity-and-the-owasp-core-rule-set
Tue, 21 Jul 2020 19:40:22 GMT
An extended introduction to ModSecurity and the OWASP Core Rule Set

Folini Extended Introduction to ModSecurity and CRS3 /slideshow/folini-extended-introduction-to-modsecurity-and-crs3/198485050
Wed, 27 Nov 2019 17:56:47 GMT
This is a longer slide deck about WAFs / ModSecurity and CRS I developed for the British Computer Society, presented in London on 2019-11-27.

Gedanken zur elektronischen Stimmabgabe für Datenschützer (Thoughts on Electronic Voting for Data Protection Officers) https://de.slideshare.net/ChristianFolini/gedanken-zur-elektronischen-stimmabgabe-fr-datenschtzer
Fri, 15 Nov 2019 19:46:53 GMT
Various thoughts on e-voting and on the security of the different voting and election channels in Switzerland.

Medieval Castles and Modern Servers /slideshow/medieval-castles-and-modern-servers/137658090 medieval-castles-insomnihack-2019-190322100830
We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day. Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels. Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.]]>

We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day. Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels. Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.]]>
Fri, 22 Mar 2019 10:08:30 GMT /slideshow/medieval-castles-and-modern-servers/137658090 ChristianFolini@slideshare.net(ChristianFolini) Medieval Castles and Modern Servers ChristianFolini
Medieval Castles and Modern Servers from Christian Folini
E-Voting, die Sicherheit und die Rolle der Experten https://de.slideshare.net/slideshow/evoting-die-sicherheit-und-die-rolle-der-experten-133376442/133376442 tmp-190226100927
- Why does e-voting make sense despite all the skepticism? - How can we secure it? - What can each and every one of us contribute to making it secure?

Tue, 26 Feb 2019 10:09:27 GMT https://de.slideshare.net/slideshow/evoting-die-sicherheit-und-die-rolle-der-experten-133376442/133376442 ChristianFolini@slideshare.net(ChristianFolini) E-Voting, die Sicherheit und die Rolle der Experten ChristianFolini
E-Voting, die Sicherheit und die Rolle der Experten from Christian Folini
Black alps 2018-folini-d-dos /slideshow/black-alps-2018foliniddos/122412391 blackalps-2018-folini-ddos-181108134500
Application Level DDoS, the Rise of CDNs and the End of the Free Internet

Thu, 08 Nov 2018 13:45:00 GMT /slideshow/black-alps-2018foliniddos/122412391 ChristianFolini@slideshare.net(ChristianFolini) Black alps 2018-folini-d-dos ChristianFolini
Black alps 2018-folini-d-dos from Christian Folini
Optimizing ModSecurity on NGINX and NGINX Plus /slideshow/optimizing-modsecurity-on-nginx-and-nginx-plus/85934324 modsec-nginx-webinar-2018-01-180109202133
Slides for an O'Reilly Media Webcast on January 9, 2018. In this webcast, we introduce the open source ModSecurity Web Application Firewall. ModSecurity allows you to thwart web attacks by inspecting the incoming HTTP requests with a selection of granular rules. The standard ruleset accompanying ModSecurity, the OWASP ModSecurity Core Rule Set, will be presented by one of its authors. You will learn how to set it all up with NGINX open source and NGINX Plus, how to begin addressing common security threats, and where to find additional information.

Tue, 09 Jan 2018 20:21:33 GMT /slideshow/optimizing-modsecurity-on-nginx-and-nginx-plus/85934324 ChristianFolini@slideshare.net(ChristianFolini) Optimizing ModSecurity on NGINX and NGINX Plus ChristianFolini
Optimizing ModSecurity on NGINX and NGINX Plus from Christian Folini
A General Look at the State of Security - AFCEA 2017 https://de.slideshare.net/slideshow/a-general-look-at-the-state-of-security-afcea-2017/80659227 afceahack-2017-folini-171010163156
Overview presentation for the participants of the AFCEA Hack conference within AFCEA TechNet 2017 in Stockholm, October 10, 2017. The overview covers the topics dependency / complexity / interoperability, online crime, digitalisation, spear phishing, manipulation, internet of things, and denial of service.

Tue, 10 Oct 2017 16:31:56 GMT https://de.slideshare.net/slideshow/a-general-look-at-the-state-of-security-afcea-2017/80659227 ChristianFolini@slideshare.net(ChristianFolini) A General Look at the State of Security - AFCEA 2017 ChristianFolini
A General Look at the State of Security - AFCEA 2017 from Christian Folini
Introducing the OWASP ModSecurity Core Rule Set /slideshow/introducing-the-owasp-modsecurity-core-rule-set-75913263/75913263 presentation-170512081028
The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that saw a new major release in November 2016 (3.0 -> CRS3). CRS is the first line of defense against web application attacks like those summarized in the OWASP Top Ten, with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode. The important handling of false positives is also covered, as well as pre-defined lists of rule exclusions for popular web applications that help to avoid false positives. This presentation was delivered at AppSecEU 2017 in Belfast.

Fri, 12 May 2017 08:10:28 GMT /slideshow/introducing-the-owasp-modsecurity-core-rule-set-75913263/75913263 ChristianFolini@slideshare.net(ChristianFolini) Introducing the OWASP ModSecurity Core Rule Set ChristianFolini
Introducing the OWASP ModSecurity Core Rule Set from Christian Folini
OWASP ModSecurity Core Rules Paranoia Mode /slideshow/owasp-modsecurity-core-rules-paranoia-mode/62955268 presentation-160611093704
Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straightforward ModSecurity setup which does not threaten an existing productive service. Instead, you start with a limited set of rules and then raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels.

Sat, 11 Jun 2016 09:37:04 GMT /slideshow/owasp-modsecurity-core-rules-paranoia-mode/62955268 ChristianFolini@slideshare.net(ChristianFolini) OWASP ModSecurity Core Rules Paranoia Mode ChristianFolini
OWASP ModSecurity Core Rules Paranoia Mode from Christian Folini