We receive questions about ModSecurity running on HP-UX from time to time, but since we don't have access to the platform there is very little we can do to help. Fortunately, most questions fall into the "Does it run?" category....

As you may know, ModSecurity is licensed under GPL version 2. This licence has served us reasonably well, but there’s been one problem that has been following us for a long time. I chose to use the GPLv2 for ModSecurity,...

In case you missed it, Breach Security has teamed up with WhiteHat Security so that their Sentinel scanning service will automatically create custom ModSecurity rules for certain classes of vulnerabilities that they find in your web applications. This works with...

OWASP AppSec Europe 2008 in Ghent, which I wrote about in a previous post, indeed felt like a ModSecurity user meeting. We kicked-off the conference with 2 days of ModSecurity training, with 8 people attending. Eight is not only the...

In my earlier post entitled "What's the Score of the Game?" I presented the concept that what ultimately matters with web application security is how the application performs during a "Real Game" which means when it is deployed live on...

We are excited to announce that Breach Security will be running the 2-day ModSecurity Bootcamp class at this year's Blackhat conference in Las Vegas, NV! We are currently scheduled for 1 session on August 2nd - 3rd, however if there...

We, as the webappsec community, should try and move away from "Holy Wars" debating that there is only one right way to address web application vulnerabilities - source code reviews, vulnerability scanning or web application firewalls - and instead focus...

ModSecurity 2.6 will likely be the last branch before ModSecurity 3. The 2.6 branch will concentrate on polishing up the current 2.5 feature set, performance, ease of use, supporting arbitrary character sets, and better documentation. I'll be posting 2.6 development...

Quite a few people have asked about the performance differences between using the regular expression (@rx) operator and using the phrase match (@pm or @pmFromFile) operator. Lately, I have been working on better methods of gathering performance statistics and want...

In my previous post, in which I was commenting on the OWASP AppSec agenda, I forgot to mention the party. What was I thinking?! Breach Security is throwing a cocktail party on May 20th, which is the last training day...