Which rules to enable from the available 15138 ModSecurity Commercial rules for a Banking App


Kamrul Hasan

Jul 27, 2021, 12:31:58 AM
to ModSecurity Core Rule Set project
We have purchased a license for Trustwave ModSecurity Commercial Rules. There are 15138 rules in total. Which rules should we enable from the available 15138 ModSecurity Commercial rules for a banking app? Can anyone help please?

App Description:

This is a banking app. Bank customers need to register to use the app. During the registration process customers take selfies and photos of ID documents. Registered customers sign in with username and password. They can view their balance, do fund transfers, download statements etc. For fund transfers they need an OTP sent via SMS.

  • Server OS: Ubuntu 18.04

  • Back-end Framework: Spring Boot, RESTful API design

  • Web Application: Angular 11, nginx

  • Android, iOS: Flutter

  • Database: PostgreSQL and Redis

  • We use a TLS certificate from Let's Encrypt.

  • Nginx with ModSecurity

  • The same nginx instance is used to terminate the HTTPS connection. We do not allow any HTTP connections.

  • The same nginx instance is used as a reverse proxy server to forward requests to microservices running on different VMs.

  • We use OAuth 2.0.

  • The client apps (mobile, web) only communicate with the API server behind the WAF. They do not communicate with any other third-party application.

Christian Folini

Jul 28, 2021, 11:18:49 AM
to Kamrul Hasan, ModSecurity Core Rule Set project
Hey Kamrul,

On Mon, Jul 26, 2021 at 09:31:58PM -0700, Kamrul Hasan wrote:
> We have purchased a license for Trustwave ModSecurity Commercial Rules.

You have purchased a commercial license from Trustwave and now you ask the
open source OWASP Core Rule Set project for free support?

I am sure your question is genuine and you mean it well, but it does not sit
very well with me when you give somebody else money, but ask us to give you
some of our time.

When you wrote to Trustwave for their recommendations, what did they respond?

> There are total 15138 rules. Which rules should enable from the available
> 15138 ModSecurity Commercial rules for a Banking App. Can anyone help
> please?

It is a tough choice and AFAICT there is little documentation and direction.
We could not also discuss the quality of the rules, but that's not the
question here.

The Trustwave Spiderlabs Rule Set is not generic, but exploit oriented.
When you run off-the-shelf software you can get some decent coverage. But
when you use your own code, then the only thing it usually protects is
the frameworks you have been using.

I think you need to understand the stack of your application (you mention
Angular, Flutter, Postgres, Redis etc.) and then enable the badges of those
rules that you think apply.

Depending on the size of your servers and the traffic you are getting, you
probably want to make sure you do not enable more than 1 or 2K of rules, but
that really depends.

I personally think you need to run a pen-test afterwards to gauge the
effectiveness of the rule set for your setup.

I hope these 2 cents help a bit. In the end it boils down to you and the
official support from Trustwave.

Best,

Christian

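The advice above (enable only the rules that match your stack, keep the enabled count in the low thousands, then test) is something you can mechanise against whatever rule files you have. The following is an added example written for this thread; it is not Trustwave's, the CRS project's, or either poster's code. It parses `SecRule` lines, reads their `id:` and `tag:` actions, keeps rules that are generic or whose platform/language tags match the stack Kamrul described (Java/Spring Boot, nginx, PostgreSQL, Redis), and emits `SecRuleRemoveById` directives for the rest. The rule text and the `platform/...` and `language/...` tag prefixes are constructed for the example; a real rule set has its own tag vocabulary, which you must read out of the files before choosing the stack list.

```python
"""Select ModSecurity rules by tag for a given application stack.

Added example for the discussion above, not part of any rule set or project.
The sample rules and the tag naming scheme are constructed; adapt STACK_PREFIXES
and STACK_TAGS to the tags actually present in the purchased rule files.
"""
import re

# Constructed sample rule text (not real commercial rules). Rules use the
# usual ModSecurity layout: backslash continuation, id: and tag: actions.
SAMPLE_RULES = r'''
SecRule REQUEST_URI "@rx /wp-admin" \
    "id:900001,phase:1,deny,tag:'platform/wordpress',tag:'attack/rce',msg:'WP exploit'"
SecRule ARGS "@rx (?i)\$\{jndi:" \
    "id:900002,phase:2,deny,tag:'language/java',tag:'attack/rce',msg:'JNDI lookup'"
SecRule ARGS "@detectSQLi" \
    "id:900003,phase:2,deny,tag:'attack/sqli',tag:'platform/postgresql',msg:'SQLi'"
SecRule REQUEST_HEADERS:User-Agent "@rx nikto" \
    "id:900004,phase:1,deny,tag:'attack/scanner',msg:'Scanner'"
SecRule REQUEST_URI "@rx /cgi-bin/php" \
    "id:900005,phase:1,deny,tag:'language/php',msg:'PHP CGI'"
'''

# Hypothetical tag prefixes that mark a rule as stack-specific. Rules carrying
# none of these are treated as generic and always kept.
STACK_PREFIXES = ("platform/", "language/")

# Stack from the original post, expressed in the constructed tag scheme.
STACK_TAGS = {
    "language/java",
    "platform/nginx",
    "platform/postgresql",
    "platform/redis",
}


def join_continuations(text):
    """Fold 'backslash + newline' so each SecRule sits on one line."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_rules(text):
    """Return [{'id': int, 'tags': [str, ...]}, ...] for every SecRule with an id."""
    rules = []
    for line in join_continuations(text).splitlines():
        if not line.lstrip().startswith("SecRule"):
            continue
        m_id = re.search(r"\bid:(\d+)", line)
        if not m_id:
            continue  # chained rule bodies carry no id of their own
        tags = re.findall(r"tag:'([^']*)'", line)
        rules.append({"id": int(m_id.group(1)), "tags": tags})
    return rules


def select_rules(rules, stack_tags):
    """Split rule ids into (keep, drop).

    A rule is kept when it has no stack-specific tag at all, or when at least
    one of its stack-specific tags is in stack_tags.
    """
    keep, drop = [], []
    for rule in rules:
        specific = [t for t in rule["tags"] if t.startswith(STACK_PREFIXES)]
        if not specific or any(t in stack_tags for t in specific):
            keep.append(rule["id"])
        else:
            drop.append(rule["id"])
    return keep, drop


def removal_directives(drop_ids):
    """Emit SecRuleRemoveById lines; include the result AFTER the rule files."""
    return "\n".join(f"SecRuleRemoveById {rule_id}" for rule_id in sorted(drop_ids))


def within_budget(keep_ids, budget=2000):
    """Sanity check against the 1-2K enabled-rule budget suggested above."""
    return len(keep_ids) <= budget


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    kept, dropped = select_rules(parsed, STACK_TAGS)
    print(f"parsed {len(parsed)} rules, keeping {len(kept)}, dropping {len(dropped)}")
    print("within budget:", within_budget(kept))
    print(removal_directives(dropped))
```

Point the script at the real rule directory (read each `.conf` and feed it to `parse_rules`) and the `SecRuleRemoveById` output becomes a file you include after the vendor rules in the nginx ModSecurity configuration; the kept count tells you whether you are inside the rule budget before you run the pen-test the reply recommends.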
