Rethinking the Roadmap of WAF, ModSecurity, Coraza & CRS

Cloudsine Team

18 July 2024


The Cloudsine-WebOrion team, represented by CEO Matthias Chin, joined the OWASP CRS Community Summit and Global Appsec Conference in Lisbon from 26 to 28 June 2024. This gathering of cyber security experts from around the globe provided invaluable insights into the future of WAF and application security.

Highlights from the OWASP CRS Summit

The OWASP CRS Community Summit featured several notable speakers from CRS, ModSecurity and Coraza WAF. Some of the key presentations were:

  • Lukas Funk, United Security Providers: Lukas delved into the journey from the USP Secure Entry Server to CoreWAAP with CRS and Coraza.  
  • Ervin Hegedüs: Ervin introduced the ModSecurity Regression Test Set, a comprehensive rule set designed to test the entire WAF engine, ensuring robust protection against various threats. 
  • Juan-Pablo Tosso, Seclang 2.0: Juan-Pablo’s session discussed the deliberations on developing a new language for describing WAF rules. 
  • Felipe Zipitría, CRS Co-Lead: Felipe presented Project Seaweed, which focuses on the automatic testing of Common Vulnerabilities and Exposures (CVEs) against CRS, enhancing the system’s ability to mitigate known threats. 
  • Christian Folini, CRS Co-Lead: Christian conducted a hands-on CRS plugin workshop, providing attendees with practical knowledge on implementing and optimizing CRS plugins in their security systems. 

All in all, the summit was an excellent opportunity to build relationships and gain inspiration from the top minds within the WAF community.  

Insights from the OWASP Global Appsec Conference

An interesting topic was presented by Cloudflare’s CTO – will machine learning replace WAFs? While machine learning offers promising advancements, the consensus was that WAFs remain crucial in 2024.

In addition, Jose Carlos, Security Software Engineer at Okta, shared some reasons why WAFs will still be necessary in 2024:

  • Zero Trust Security: As organizations increasingly adopt zero trust principles, WAFs play a critical role in enforcing strict access controls and continuous monitoring. 
  • PCI DSS 4.0 Compliance: Under PCI DSS 4.0 requirement 6.4.2, organizations collecting cardholder data are required to procure and deploy a WAF.
  • OWASP Top 10: WAFs remain instrumental in defending against the most critical security risks identified by OWASP, such as SQL injection, which was notably the biggest hack of 2023. 

Conclusion

Cloudsine’s participation in the OWASP CRS Community Summit & Appsec Conference reaffirms our active engagement with the global WAF community and our access to top-tier insights and innovations. By connecting with leading experts and adopting the latest advancements in web application security, we continue to strengthen our commitment to providing robust web security solutions for our clients.  

Learn more about the WebOrion® Protector, Cloudsine’s WAF, here.