From 03e5f4819cbdfc2b6b6b71546e8d0403f2fe2f0e Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Thu, 14 Nov 2024 15:10:09 +0000 Subject: [PATCH 1/2] [WAF] Add clarification about OWASP Top 10 --- .../reference/owasp-core-ruleset/index.mdx | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx index 4c1098362520cc..f989833b51a546 100644 --- a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx +++ b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx 
@@ -3,15 +3,22 @@ pcx_content_type: configuration title: Cloudflare OWASP Core Ruleset sidebar: order: 3 - --- -import { DirectoryListing } from "~/components" +import { DirectoryListing } from "~/components"; The Cloudflare OWASP Core Ruleset is Cloudflare's implementation of the [OWASP ModSecurity Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) (CRS). Cloudflare routinely monitors for updates from OWASP based on the latest version available from the official code repository. The Cloudflare OWASP Core Ruleset is designed to work as a single entity to calculate a [threat score](/waf/managed-rules/reference/owasp-core-ruleset/concepts/#request-threat-score) and execute an action based on that score. When a rule in the ruleset matches a request, the threat score increases according to the rule score. If the final threat score is greater than the configured [score threshold](/waf/managed-rules/reference/owasp-core-ruleset/concepts/#score-threshold), Cloudflare executes the action configured in the last rule of the ruleset. +:::note + +The Cloudflare OWASP Core Ruleset is Cloudflare's implementation of the OWASP ModSecurity Core Rule Set, which is different from the [OWASP Top 10](https://owasp.org/www-project-top-ten/). + +The OWASP Top 10 is a list of security risks and recommendations for addressing them. Some of the identified security risks cannot be protected by a firewall, which means that the Cloudflare OWASP Core Ruleset will not directly address all security risks and vulnerabilities identified in OWASP Top 10. + +::: + ## Resources From ba9a7667f9f13ef93f2e72c49f44a3fb43caf3c4 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:00:34 +0000 Subject: [PATCH 2/2] Update proposal (feedback) --- .../managed-rules/reference/owasp-core-ruleset/index.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
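Review bot: The added note says some risks "cannot be protected by a firewall", which conflates two things: a risk is mitigated rather than protected, and the product in question is a web application firewall, not a network firewall; "cannot be mitigated by a web application firewall" states the limitation accurately. The note also asserts the limitation without saying which OWASP Top 10 categories fall outside WAF coverage, so a reader cannot act on it; naming them (with the Top 10 edition, since category names change between editions) would make the clarification useful. Separately, the frontmatter blank-line removal and the `import { DirectoryListing } from "~/components";` semicolon change are unrelated formatting edits bundled into a commit whose subject is a content clarification; either split them out or mention them in the commit message.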
diff --git a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx index f989833b51a546..78c06a2c5d8458 100644 --- a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx +++ b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/index.mdx @@ -15,7 +15,13 @@ The Cloudflare OWASP Core Ruleset is designed to work as a single entity to calc The Cloudflare OWASP Core Ruleset is Cloudflare's implementation of the OWASP ModSecurity Core Rule Set, which is different from the [OWASP Top 10](https://owasp.org/www-project-top-ten/). -The OWASP Top 10 is a list of security risks and recommendations for addressing them. Some of the identified security risks cannot be protected by a firewall, which means that the Cloudflare OWASP Core Ruleset will not directly address all security risks and vulnerabilities identified in OWASP Top 10. +The OWASP Top 10 is a list of the most severe security risks that can affect applications. Some of the identified security risks can be addressed by the OWASP Core Ruleset, but other risks cannot be protected by a web application firewall, such as the following: + +- Insecure Design +- Identification and Authentication Failures +- Security Logging and Monitoring Failures + +These risks depend more on how the application is built or how the entire monitoring pipeline is set up. :::
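Review bot: The three bullets (Insecure Design, Identification and Authentication Failures, Security Logging and Monitoring Failures) are category names from the 2021 edition of the OWASP Top 10, but the paragraph never says which edition it is quoting; since names and numbering change between editions, state it, for example "the following categories from the OWASP Top 10 (2021)". The lead sentence still says these risks "cannot be protected by a web application firewall"; "cannot be mitigated by" is the accurate phrasing, and "fully" belongs in there because Identification and Authentication Failures includes credential stuffing and brute force, which a WAF can partially address with rate limiting even though the underlying authentication design is the application's responsibility. Finally, "Some of the identified security risks can be addressed by the OWASP Core Ruleset" reads as a promise of coverage; "partially addressed" matches what a request-scoring ruleset actually does for categories such as Injection.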