Custom rules for Web Application Firewall
Problem to solve
GitLab provides a WAF with the OWASP default rules. This provides a powerful set of out-of-the-box controls. However, some users will need to tune the configuration to fit their application's specific security requirements: reducing false positives (blocking legitimate requests), false negatives (missed attacks), and performance impact (WAF rules can introduce latency even when they do not detect an issue - example). This is especially relevant for users who will be running the WAF in blocking mode, because false positives can break normal functionality of the application. Additionally, the WAF rules may need to be tuned over time as the applications protected by the WAF change.
This is our users' first opportunity to provide custom rules. This will be done in parallel with additional UX work to uncover & validate the long-term experience we want to provide around WAF rules. As such, we should focus on the minimal way to provide custom WAF rules in case we decide to go a different direction after discovery completes.
Provide a way for users to specify a set of custom rules that ModSecurity should use for their project specifically.
- Allow users to specify a list of files that contain custom ModSecurity rules using an environment variable
- Where does this configuration live? Does this need to be done at cluster-config level or can it be part of the project? Project-level is more natural but is it feasible?
- Should this be done in a fixed config file (e.g.
- Usage ping & GitLab.com reporting
- Report when a custom rule has been provided.
- A GitLab Ultimate license is required to use this functionality
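As an added illustration of what a project-specific rule set could look like (this is an example written here, not GitLab's implementation or code from this issue), the Ingress below carries its custom ModSecurity rules in the ingress-nginx `modsecurity-snippet` annotation referenced in the links section. The application name, host, paths, parameter name and rule IDs are constructed placeholders; the two rules show the tuning cases named above (a false positive on one form field, and the latency cost of scanning a probe endpoint) without loosening the Core Rule Set for the rest of the application.

```yaml
# Added example, not from the issue or from GitLab's WAF integration.
# All names below (example-app, example.internal, /api/notes, /healthz,
# the "notes" field, rule IDs 10001/10002) are constructed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      # Blocking mode: requests whose CRS anomaly score crosses the
      # threshold are denied rather than only logged.
      SecRuleEngine On

      # Project-specific tuning. IDs 1-99999 are the range the CRS leaves
      # free for local rules, so they cannot collide with CRS rule IDs.

      # 1. False positive: the "notes" field of /api/notes legitimately
      #    contains SQL-like free text. Exclude only that argument from the
      #    SQL-injection rule group (tag attack-sqli) instead of disabling
      #    the whole group; every other argument stays fully inspected.
      SecRule REQUEST_URI "@beginsWith /api/notes" \
        "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:notes"

      # 2. Performance: the liveness probe carries no user input, so skip
      #    rule evaluation for it and avoid paying WAF latency on every probe.
      SecRule REQUEST_URI "@streq /healthz" \
        "id:10002,phase:1,pass,nolog,ctl:ruleEngine=Off"
spec:
  rules:
    - host: example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app
                port:
                  number: 8080
```

Because the exclusion in rule 10001 is scoped by request path and by a single argument, a tuning change for one endpoint does not weaken detection elsewhere; that scoping is the property to check when reviewing any custom rule a project adds, and it is one reason a project-level home for these rules is more natural than cluster-wide configuration.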
Permissions and Security
What does success look like, and how can we measure that?
- At least 20% of WAF installations using customized rules, beyond the default Core Rule Set.
- This will measure if the capability is being adopted or not.
- First customized rule introduced within 30 days (median time) of enabling the WAF.
- This will measure whether the problem that custom rules solve is urgent enough to be adopted immediately, and whether customers are able to do so successfully.
What is the type of buyer?
Custom rules require a GitLab Ultimate license.
Links / references
nginx.ingress.kubernetes.io/modsecurity-snippet documentation for specifying WAF rules (https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)