ModSecurity End-of-Life
ModSecurity is an open-source signature-based WAF technology that has been used by many organizations for almost 20 years, often integrated as an add-on to NGINX. NGINX team announced back in May 2022 that it will “End of Life“ ModSecurity by the end of March 2024.
If you are using ModSecurity, you have to switch to an alternative solution soon. This is also an opportunity for improvement as will be explained in this blog that discusses how you can upgrade your NGINX/ModSecurity deployment to an open-source, free alternative. An alternative that uses machine learning to protect against OWASP-Top-10 and even zero-day attacks, with no need for threat signature upkeep, called “open-appsec”.
Comparison between ModSecurity and open-appsec
In contemplating a shift to a new technology, it is essential to ensure the new system delivers at least the same functionalities. Moreover, the transition should be seamless and not cause any operational interruptions. Here is a comparison that might be useful in this context, followed by additional points for consideration.
| ModSecurity WAF | open-appsec WAF |
OWASP-Top-10 Protection | Yes | Yes |
Zero-Day Protection | No | Yes (Machine Learning-Based) |
Custom Rules | Supported | Supported |
Signature Updates | Yes, needed often | Not needed, open-appsec uses two ML models – supervised and unsupervised. |
88.06% | 97.32% | |
JSON/XML Parsing | No | Yes |
Open Source | Yes | Yes |
Free | Yes | Yes |
Performance | - | More than x4 performance of ModSecurity in the same setup |
Supported with | NGINX NGINX Ingress | NGINX NGINX Plus NGINX Ingress NGINX Ingress Plus Kong API Gateway Envoy (available soon) |
Declarative Configuration (using files) | Yes | Yes |
Central Management | No | Yes |
Web User Interface | No | Yes |
Support | No | Yes, paid option |
Anti-Bot | No | Yes, paid option |
API Discovery | No | Yes, paid option (available soon) |
Schema Enforcement | No | Yes, paid option |
Understanding the shift
At its core, ModSecurity operates as a rule-based WAF, meaning it depends on predefined rules (or signatures) to detect and prevent malicious activities. While this strategy has proven effective against known threats, it grapples with a major limitation: it falls short against zero-day attacks or sophisticated, evolving threats.
Zero-day exploits refer to cyberattacks that take advantage of a previously unknown vulnerability in an application, which means there is no existing signature to detect the threat. Signature-based WAFs like ModSecurity can only defend against threats they 'know' — the ones they have rules for. This is a bit like having an immune system that can only fight diseases it's encountered before. In the rapidly shifting world of cyber threats, this approach leaves significant gaps in protection.
Moreover, signature-based approaches demand constant tuning and updating. As new vulnerabilities are discovered and old ones patched, rules need to be adjusted to reflect the changing landscape. The continuous rule management can be time-consuming and require a high level of expertise to ensure accuracy and prevent false positives.
Enter open-appsec. Rather than relying on predefined rules, open-appsec leverages machine learning for threat detection and prevention.
open-appsec
open-appsec embodies a transformative approach to WAF design, employing machine learning technology as opposed to ModSecurity's traditional signature-based methods. This shift fosters the creation of dynamic, evolving security solutions that adapt to an ever-changing threat landscape.
open-appsec machine learning algorithms allow it to guard against known threats, but crucially, they also empower it to identify and respond to new, emerging threats — including zero-day attacks.
It is powered by a fully automatic machine-learning engine that continuously analyzes HTTP/S requests to Websites or APIs. Incoming HTTP requests are evaluated against two machine-learning models:
a supervised model that was trained off-line with millions of malicious and benign requests
a non-supervised model that is built in real-time in the protected environment and is specific to its traffic patterns
Contextual analysis includes the application structure and how users interact with the content, in order to automatically stop and block malicious requests and bad actors. This inherent adaptability reduces the need for manual rule tuning, freeing up valuable resources while improving security.
The engine proved itself many times with the ability to pre-emptively block zero days without any signatures or software updates. Including Log4Shell, Spring4Shell, Text4Shell, Claroty WAF Bypass and others.
Similar to ModSecurity, open-appsec is deployed either as add-on to standard NGINX reverse proxy/web-server or with a Kubernetes ingress controller, which implements regular ingress resources. It can also be deployed with a Kong API Gateway.
In Kubernetes deployments, the ingress controller is based on a reverse proxy (e.g. NGINX), which has a sidecar container attached to it to provide open-appsec's security inspection and enforcement capabilities.
Security Considerations
The two most important parameter when selecting a Web Application Firewall are is Balanced Accuracy which is a function of two:
Security Quality (True Positive Rate) – the WAF's ability to correctly identify and block malicious requests is crucial in today's threat landscape. It must preemptively block zero-day attacks as well as effectively tackle known attack techniques utilized by hackers.
Detection Quality (False Positive Rate) – the WAF's ability to correctly allow legitimate requests is also critical because any interference with these valid requests could lead to significant business disruption and an increased workload for administrators.
waf-comparison-project is an open-source tool that allows to testing the above factors using a very comprehensive data set that includes:
973,964 legitimate HTTP requests from 185 real websites in 12 categories
73,924 malicious payloads from a broad spectrum of commonly experienced attack vectors
In July 2023 ModSecurity, open-appsec, and various other WAF solutions were tested. You can see the full results in this blog. In the test:
The Balanced Accuracy for ModSecurity is: 88.06%
The Balanced Accuracy for open-appsec is: 98.895%
Planning the transition
Ideally, you would like to test three points before switching to open-appsec in a production environment:
open-appsec is functional and blocks attacks effectively
open-appsec does not consume more resources than ModSecurity
open-appsec allows all legitimate traffic in your environment
Testing the first two points can be easily done first in your own lab or in one of the free virtual playgrounds available here. You can set up open-appsec and test how it blocks attacks as well as monitor resource consumption. To learn more about that, see open-appsec's documentation and tutorials.
After testing in the lab, you can also run a simple security test on your production environment using a tool like waf-comparison-project or just firing a simple SQL Injection string and checking for logs.
Testing that open-appsec allows all legitimate traffic in your environment is a bit trickier, because open-appsec is a learning WAF and it will take a few days for it to learn your environment. To allow learning to happen you can follow this process:
1. Deploy open-appsec before your existing ModSecurity WAF, so that it will get traffic from the Internet, process it, and deliver it to ModSecurity.
2. Allow 2-3 days for open-appsec to learn the traffic automatically and follow the progress. See here for more details.
3. When the Learning Indicator shows that you can move to Prevent, check the logs to see whether open-appsec would have blocked any legitimate traffic. In some cases, you might want to follow the Tuning Suggestions.
4. Move open-appsec operation mode from Learn/Detect Mode to Prevent Mode.
5. Remove the legacy ModSecurity deployment
Conclusion
The upcoming End of Life (EOL) for NGINX ModSecurity in March 2024 marks a pivotal moment in the history of web application security. As ModSecurity open-source WAF used by tens of thousands of organizations reaches its final chapter, a new and innovative open-source solution named open-appsec is stepping into the spotlight.
ModSecurity's upcoming EOL symbolizes more than the end of a trusted WAF; it signifies the advent of an innovative era in web application security. With open-appsec and its machine learning capabilities, we can look forward to a security approach that evolves with us, offering robust, flexible, and forward-thinking protection. As we brace for this new era, starting your transition now ensures you're not just keeping up with the times — you're leading the change.
open-appsec embodies a transformative approach to WAF design, employing machine learning technology as opposed to ModSecurity's traditional signature-based methods. This groundbreaking shift fosters the creation of dynamic, evolving security solutions that adapt to an ever-changing threat landscape.
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.
