Trustwave and Microsoft Team to Bring Open-Source Web Application Firewall ModSecurity To IIS and Nginx Web Servers
LAS VEGAS - BLACK HAT USA - ModSecurity, the highly popular open source WAF (Web Application Firewall) largely found on Apache deployments, has finally come to IIS thanks to a collaboration between Microsoft and Trustwave. In addition, Trustwave announced that Nginx would also be supported by the ModSecurity project.
ModSecurity is a standard webserver defense, leveraging pre-defined rules that prevent scores of Web-based attacks, which can be both automated and manual. Over the years, ModSecurity has been maintained by a large community of developers, rule writers, and engineers from Trustwave. Yet, for the longest time it was only available for Apache.
Granted, Apache is widely used online, and is the world’s largest webserver platform. But plenty of IIS and Nginx deployments exist online, and many have been targeted by attacks that would have been stopped by even the most basic of ModSecurity rules. Now, server admins have the option to layer their defenses even further.
Moreover, since Trustwave is part of MAPP, it is able to develop and deploy rules for IIS as needed in advance of Microsoft’s monthly patch cycle.
In October 2011, Nginx said its web server, known for its speed, powered over 20% of the top 1,000 biggest websites, including Facebook, Groupon, LivingSocial, Hulu, Dropbox and WordPress.
"Having ModSecurity available for these additional platforms will help organizations protect their Web applications from attacks," said Nicholas J. Percoco, senior vice president and head of Trustwave SpiderLabs. "As the principal custodian of the ModSecurity open source product, we believe this new support for Microsoft IIS and Nginx will further expand the popularity of the industry's open-source Web application firewall."
ModSecurity is available under the Apache License v2.0. It’s free to use and is supported via several channels.