Inquiry Regarding Use of ModSecurity in Production Environments Post End-of-Life...


Michael Bullut

May 20, 2025, 9:28:16 AM
to modsecurity-core...@owasp.org
Good Afternoon Good People,

I hope this e-mail finds you well.

I am writing to inquire about the current viability of using ModSecurity in production environments, particularly in light of its end-of-life (E.O.L.) status. While I understand that official support and updates may have ceased, I would appreciate clarification on whether the engine remains a safe and practical option for protecting web applications, especially when used alongside the latest OWASP Core Rule Set.

While I understand official support and updates have ceased, I’d appreciate clarity on:
  1. Whether ModSecurity (with CRS) can still be safely deployed in production, assuming known vulnerabilities are mitigated.
  2. Any recommended alternatives or forks (e.g., Coraza) for long-term maintenance and feature support.
  3. Critical risks or limitations to consider if continuing to use ModSecurity as-is.
Thank you for your time and continued efforts in advancing web application security. I look forward to your guidance.

Warm regards,

Michael Bullut.

---

Cellphone: +254 723 393 114.
Twitter: @MichaelBullut

Christian Folini

May 20, 2025, 9:41:25 AM
to 'Michael Bullut' via ModSecurity Core Rule Set project
Hi there

www.modsecurity.org is alive and kicking.

The preference for the traditional ModSecurity rule engine or an open source
alternative like Coraza or a commercial variant pretty much depends on the
use case / platform.

ModSecurity is actively maintained. It remains a safe and practical option and
ModSec 2.9.x is still the reference implementation for the SecRule language
at the heart of CRS.

Best,

Christian Folini


Ervin Hegedüs

May 20, 2025, 10:05:02 AM
to Michael Bullut, modsecurity-core...@owasp.org
Hi Michael,

My name is Ervin Hegedüs, I'm a co-leader of the ModSecurity project[1].

> particularly in light of its end-of-life (E.O.L.) status

No, the project is not finished at all. There is no E.O.L. status - probably you read an article about the Trustwave rule set.

The project was transferred to OWASP from the previous project owner[2].

> While I understand that official support and updates may have ceased,

No, the official support is still active, updates are provided continuously. The company where I work provides commercial support too[3].

You can check the project's GitHub page, there have been new releases since the takeover[4].

> I would appreciate clarification on whether the engine remains a safe and practical option for protecting web applications, especially when used alongside the latest OWASP Core Rule Set.

Yes, I think both engines (mod_security2 for Apache2 and libmodsecurity3 + Nginx connector) are safe and practical options. We continuously follow users' reports about incidents and maintain CVEs.
In addition, we work closely with the CRS team: I'm a CRS developer too and many CRS developers help to maintain the engines.

> While I understand official support and updates have ceased

Again: it's not ceased.

> 1 Whether ModSecurity (with CRS) can still be safely deployed in production, assuming known vulnerabilities are mitigated.

Yes, it can still be safely used in production, and as I wrote, we continuously take care of all possible vulnerabilities.

> 2 Any recommended alternatives or forks (e.g., Coraza) for long-term maintenance and feature support.

We plan to continue the support for the long term, but as far as I know there is only one engine which has almost the same functionality, Coraza.

> 3 Critical risks or limitations to consider if continuing to use ModSecurity as-is.

Sorry, I don't understand exactly what you mean here.


Regards,

a.


Michael Bullut

May 20, 2025, 10:40:46 AM
to Ervin Hegedüs, modsecurity-core...@owasp.org
Good Evening Ervin,

Many thanks for your e-mail! I first came across ModSecurity while browsing HackerSploit's YouTube channel and I thought it was pretty neat. I even developed a script to deploy it (it still needs work though). While doing research on ModSecurity, I had read this article and that is what prompted me to write this e-mail. 

Warm regards,

Michael.

Attachment: 2021-04-14_OWASP_ModSec-CRS-Intro.pdf

Ervin Hegedüs

May 20, 2025, 11:00:48 AM
to Michael Bullut, modsecurity-core...@owasp.org
Hi Michael,

> While doing research on ModSecurity, I had read this article and that is what prompted me to write this e-mail.

I think this article is about the previous developer company ending their support. I think it's more about their rule set (they had one), not the engine. As far as I know they couldn't find any provider who would continue the rule set support.

But the engines were transferred to OWASP - see my previous e-mail.

Regards,

a.

Emilio Campos

May 21, 2025, 2:51:25 AM
to modsecurity-core...@owasp.org
Regarding the CRS ruleset and the ModSecurity presentation "2021-04-14_OWASP_ModSec-CRS-Intro.pdf", I also wanted to mention that SKUDONET Community Edition integrates Libmodsecurity v3 and CRS v4. It can be a good alternative to manage rules from a web GUI.
