Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/25/2012
04:45 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Micro​soft/Trust​wave Expand ModSecurit​y To IIS And Nginx Servers

ModSecurity is a free, open source Web application firewall

CHICAGO– July 25, 2012 – Trustwave, a leading provider of cloud-based compliance and information security solutions, today announced that the popular, open source ModSecurity® Web Application Firewall now supports the top three Web server platforms, including new support for Microsoft’s Internet Information Services (IIS) and Nginx, in addition to existing support for Apache Web servers. Trustwave collaborated with the Microsoft Security Response Center (MSRC) to extend the reach of ModSecurity to Microsoft IIS.

Web applications allow companies to use the power of the Internet to conduct business and interface with a larger market, delivering a better user experience for their customers and partners. With this growth in usage, attackers are targeting Web applications to break into the core of an organization and gain access to its privileged information.

ModSecurity is a free, open source Web application firewall (WAF) that is continuously developed and managed by SpiderLabs, Trustwave's advanced security team. This open source technology enforces security policies to Web transactions, reducing the risk of Web-based attacks. As an open source technology, users and developers contribute to the community to help maintain a sustainable solution that defends Web applications.

"Having ModSecurity available for these additional platforms will help organizations protect their Web applications from attacks," said Nicholas J. Percoco, senior vice president and head of Trustwave SpiderLabs. "As the principal custodian of the ModSecurity open source product, we believe this new support for Microsoft IIS and Nginx will further expand the popularity of the industry’s open-source Web application firewall.”

Trustwave’s participation in the Microsoft Active Protections Program (MAPP), a program for security software providers, gives Trustwave early insight into “Patch Tuesday” vulnerabilities. Trustwave SpiderLabs uses this insight to develop protections for Trustwave products, including Trustwave’s managed security services and its Web application firewalls, Web Defend and ModSecurity.

"It is critical for organizations to address identified Web application vulnerabilities as soon as possible," added Percoco. "ModSecurity is an excellent tool for addressing the vulnerability before the Web application can be updated. Our update for ModSecurity is another testament to Trustwave’s commitment to helping organizations secure their applications and data.”

ModSecurity is a viable option for organizations such as hosting providers that have multiple customers using Web applications or companies that want a deeply customized Web application firewall to protect their Web application environment.

Trustwave also offers a proprietary Web application firewall called Trustwave Web Defend, which gives organizations a simplified and easy-to-install Web application firewall that offers out-of-the-box reporting, a graphical user interface, and secured integration with Trustwave SIEM. Trustwave WebDefend can be purchased as a stand-alone product, or as a component of the Trustwave360 Application Security program, which combines secure code training, application penetration testing and code review with the Trustwave Web Defend Web application firewall.

Supporting this announcement, Greg Wroblewski of Microsoft’s Security Response Center and Ryan Barnett of Trustwave SpiderLabs will present: “ModSecurity as a Universal Cross-Platform Web Protection Tool,” and give live demonstrations as part of Arsenal Tools at the Black Hat USA2012 security conference in Las Vegas, today, July 25.

The latest version of ModSecurity is currently available at http://www.modsecurity.org/download/.

About Trustwave

Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper® portal and other proprietary security solutions. Trustwave has helped hundreds of thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
8/2/2012 | 12:19:07 PM
re: Micro​soft/Trust​wave Expand ModSecurit​y To IIS And Nginx Servers


We think that WAF is not a solution to the application
security problem challenging us today. WAFs have their place, we canGt deny it,
but that is just a small part of the story. For more information about our
vision, we invite you to read the following article: http://blog.securityinnovation...
-

Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21510
PUBLISHED: 2021-03-08
Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections.
CVE-2020-27575
PUBLISHED: 2021-03-08
Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.
CVE-2020-27576
PUBLISHED: 2021-03-08
Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS). Users are able to create folders in the web application. The folder name is insufficiently validated resulting in a stored cross-site scripting vulnerability.
CVE-2020-27838
PUBLISHED: 2021-03-08
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulner...
CVE-2021-21503
PUBLISHED: 2021-03-08
PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in a command. The Compadmin user could potentially exploit this vulnerability, leading to potential privileges escalation.