• 2 min read

Microsoft sponsors OWASP ModSecurity CRS to improve application security

We are continuously innovating and seeking ways to enhance our products to help our customers protect against evolving threats.

This post was co-authored by Henry Yan, Product Marketing Manager.

Increased cloud adoption and the shift to hybrid work has resulted in increased usage of digital assets. While moving web applications and APIs to the cloud provides many advantages for organizations, including transforming business models and enhancing the customer experience, it also presents new security challenges. We have seen that attackers come up with new sophisticated attack patterns and we see new vulnerabilities (for example, Log4J, SpringShell, and Text4Shell) emerging constantly. Vulnerabilities in these applications could lead to breaches and allow cybercriminals to gain access to valuable and sensitive data.

At Microsoft, we are committed to making Microsoft Azure the most secure and trusted cloud for all workloads. We are continuously innovating and seeking ways to enhance our products to help our customers protect against evolving threats. This includes supporting organizations and communities that share a common commitment as ours. We are pleased to announce the sponsorship for the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project. We value the contributions of the CRS community and are looking forward to contributing to the success of the community and OWASP ModSecurity CRS open source project.

Intelligent protection from edge to cloud

Azure Web Application Firewall (Azure WAF) is our cloud-native service for protecting your applications and APIs in Azure or anywhere else from web attacks and vulnerabilities. Azure WAF provides built-in managed rules, based off the OWASP ModSecurity CRS, that offer application protection from a wide range of attacks, including the OWASP Top Ten, with minimum false positives. These managed rules provide protection against many common attack categories, including SQL injection, cross site scripting, local file inclusion, and much more.

Azure WAF offers Microsoft Managed Rule Sets, proprietary rulesets, which extends the protection of OWASP ModSecurity CRS 3.x, and includes additional proprietary rules and updated signatures developed by the Microsoft Threat Intelligence Center to provide increased security coverage, patches for specific vulnerabilities, and reduced false positive. Azure WAF includes richer set of features including IP reputation, bot protection, rate limiting, IP restriction, and geo-filtering that further strengthens the security posture for your web application and APIs. Native integration with Azure Monitor, Microsoft Sentinel, and Azure Firewall Manager provides ease of management and advanced analytics capabilities to detect and respond to security threats timely.

Better together

Microsoft has invested heavily in building security-focused products and ensuring security is built into our core technologies. As a gold sponsor for the OWASP ModSecurity CRS project, we are furthering our commitment in contributing to a strong and vibrant security community. We are excited to join efforts to help advance the CRS open source project that serves as a first line of defense for many applications. The collaboration between Microsoft and OWASP CRS teams will help improve signature patterns, reduce false positives, and address critical zero-day vulnerabilities quickly. This is an important step in ensuring we provide the best security possible for all.

Read more about this announcement from OWASP ModSecurity CRS project.