[TYPO3-waf] Re: [TYPO3-project-waf] WAF project: brainstorming
Xavier Perseguers
typo3 at perseguers.ch
Wed Jan 27 08:13:34 CET 2010
Hi Dmitry,
Thanks for starting this thread.
> My ideas about this project are:
> - it uses mod_security2 as a backend
yes
> - it contains a freely downloadable basic rule set
yes
> - rule set will be updated as often as necessary
I thought of a way to automate this for users that are aware of
security, want to do something against attacks but "trust" the updates
or are not able to really review updates before applying changes.
I thought that some kind of "control panel" in TYPO3 (optional) may be
great too, for instance to read some comments about the latest update or to
gather some statistics.
> - rule set will contain rules to prevent known and possible future attacks
yes
> - WAF is NOT a replacement for TYPO3 security updates, it is a
> prevention and rescue solution, not a tool to use instead of security
> updates
I agree here as well.
I would add Suhosin as well (optional) as it provides some interesting
features too.
> [...]
>
> What is required from contributors?
> - knowledge of common attacks (SQLi, XSS, etc.)
> - knowledge of mod_security2
> - certain amount of enthusiasm
How true... :-)
--
Xavier Perseguers
http://xavier.perseguers.ch/en