OWASP rules for Plone

The Plone Security Team (via @loechel) got in contact with Michael from Cloudflare last summer. Cloudflare is currently implementing a new product around their Web Application Firewall (WAF) for Cloudflare Enterprise, with predefined managed rulesets for different setups. Michael asked us if we are interested in providing one or more OWASP rulesets on GitHub for Plone and having them included in Cloudflare as presets.

I can imagine having Plone (and Zope) locked down further if needed, e.g. different rules for blocking ZMI access, no editor access, for Volto no access to Classic, and so on.

Overall I like the idea of having ready-to-use and maintained OWASP rulesets. Those can be used in your own Apache, Nginx or IIS setups as well.

Unfortunately I am the wrong person here, because I have zero experience with OWASP rulesets and WAFs.

Who would be interested in this? I am available to coordinate this, so I can schedule a meeting with all interested Plonistas and Michael, get repositories set up and so on (except that I am not available for writing and maintaining the rules).

I am sure some of you already have experience or even rulesets for Plone available. Please speak up!

We would be the first open source project available at Cloudflare, so it might also be some advertisement for Plone as the secure CMS it is (and vice versa for Cloudflare, I know, but I think it's OK).

Hi everyone!

Jens, thank you for sharing this idea with the community.

Quick intro: I currently work with the WAF team at Cloudflare. This year we are trying to bring forward initiatives to provide better security for as many Cloudflare users as possible.

One such initiative is to partner with the teams that develop high-profile platforms. That is where the conversation with @loechel and @jensens started, given that we have many Plone sites behind Cloudflare.

A few clarifications:

  • Within the Cloudflare WAF, users can enable two managed rulesets (Cloudflare OWASP and Cloudflare Managed Rules). These are separate and independent;

  • Cloudflare now has the tooling to allow third parties to build rulesets for the WAF, and the idea is for the Plone community to create a separate Plone ruleset, with rules optimised for Plone and other related software, created by the developers themselves;

  • This is NOT for Enterprise only; this is for all Cloudflare users on the PRO plan or above, and would be given at no additional cost (we have also considered giving this to FREE Cloudflare users, but this needs more internal discussion as the WAF execution has a non-negligible CPU cost);

  • the rules could be open source and developed in ModSecurity syntax (we do have a converter available internally), although in the WAF engine they are represented in a Wireshark-like syntax. Of course, you may want to have a specific process in place in the event that an update needs to be released to patch a security vulnerability before it is announced; we are open to suggestions/ideas;

As Jens mentioned, we (Cloudflare) would be happy to have an announcement about the Plone ruleset on the Cloudflare blog if this project were of interest. Additionally, all Cloudflare users will also see the Plone ruleset in the WAF, so I'm hoping that would be beneficial from a visibility standpoint.

Happy to answer any questions, have a meeting, or provide more details.
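As an added illustration (not code from this thread, from Plone, or from Cloudflare), here is what two of the ideas from Jens' post, blocking ZMI access and blocking Classic editing views, might look like in the ModSecurity syntax Michael mentions as the source format. The rule ids (9101xxx), the admin network 192.0.2.0/24 and the list of editing views are assumptions chosen for the example; the ZMI path convention (`manage`, `manage_main`, `manage_workspace`, ...) is Zope's.

```apacheconf
# Added example, not part of the original thread or of any Plone/Cloudflare
# ruleset. Rule ids, the admin network and the view list are placeholders.

SecRuleEngine On

# --- Rule 1: Zope Management Interface (ZMI) -------------------------------
# ZMI views live under URL segments named "manage" or "manage_<something>"
# (e.g. /Plone/manage_main, /Plone/portal_skins/manage_workspace).
# Deny them unless the client is on the admin network. Only the first rule
# of a chain may carry the disruptive action; the chained rule must also
# match for the action to fire (chain = logical AND).
SecRule REQUEST_FILENAME "@rx (?:^|/)manage(?:_[a-z0-9]+)?(?:/|$)" \
    "id:9101001,phase:1,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    deny,status:403,log,msg:'Plone: ZMI access from outside admin network',\
    tag:'plone/zmi',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24" "t:none"

# --- Rule 2: Classic UI editing views on a site edited only via Volto ------
# Volto talks to the backend through the ++api++ REST traversal; on such a
# site nobody should reach the Classic edit or folder_contents views
# directly. The (?:@@)? prefix covers both /edit and /@@edit spellings.
SecRule REQUEST_FILENAME "@rx (?:^|/)(?:@@)?(?:edit|folder_contents)(?:/|$)" \
    "id:9101002,phase:1,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    deny,status:403,log,msg:'Plone: Classic editing view blocked',\
    tag:'plone/classic-edit',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24" "t:none"
```

Two caveats a practitioner would check before shipping rules like these: `REQUEST_FILENAME` excludes the query string, so the `t:urlDecodeUni` and `t:normalizePath` transformations are what stop `%6danage_main` or `/x/../manage_main` from slipping past the regex; and rule 1 matches any path segment that begins with `manage`, so content whose id happens to start with `manage_` would be blocked too, which is the kind of false positive a Plone-specific ruleset would need a test corpus for.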
