Established in 2005, Breach Security Labs is the research arm of Breach Security, Inc. Breach Security Labs conducts and sponsors global research and open-source projects that focus on emerging trends in web application security. In addition to open-source and research projects, Breach Security Labs provides the security content, including rules, correlations and signatures, for Breach Security's web application security products, including WebDefend™, ModSecurity Pro™ and ModSecurity™.

Breach Security Labs plays an active role in leading web application security industry organizations such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC). Breach Security Labs team members are WASC officers and lead the OWASP chapters in the UK and Israel.

Breach Security Labs is led by industry leaders Ivan Ristic, Ryan Barnett and Ofer Shezaf.

Projects

ModSecurity Open Source

The leading open source web application firewall, led by Ivan Ristic.

The Open Proxy Honeypot Project

An initiative to analyze attack data by deploying open proxy honeypots based on ModSecurity, led by Ryan Barnett.

The Web Application Firewall Evaluation Criteria

The most comprehensive document defining web application firewalls. A Web Application Security Consortium project sponsored by Breach Labs and led by Ivan Ristic.

The Core Rule Set

An open source generic web application security rule set, led by Ofer Shezaf.

The Web Hacking Incidents Database Project

A comprehensive research project that tracks and analyzes publicly disclosed web hacking incidents. A Web Application Security Consortium project sponsored by Breach Security Labs and led by Ofer Shezaf.

Research and Publications

Breach Security Labs research papers and presentations are located at Breach Security Network. Some of our recent publications are:

The Web Hacking Incidents Annual Report 2007, Ofer Shezaf.

WASC Distributed Open Proxy Honeypot Project: Phase 2 Update on Attacks and Vulnerabilities, Ryan Barnett, 7th OWASP & WASC AppSec Conference, San Jose 2007.

Protecting Web Applications from Universal PDF XSS: A discussion of how weird the web application security world has become, Ivan Ristic, 6th OWASP AppSec Europe, Milan 2007.

Generic Detection of Application Layer Attacks: ModSecurity Core Rule Set, Ofer Shezaf, 6th OWASP AppSec Europe, Milan 2007.

Behavioral Analysis for Generating A Positive Security Model For Applications, Ofer Shezaf, 2nd OWASP Israel conference, 2007.

Additional research can be found at:

Breach Labs Blogs: ModSecurity Blog, Ivan Ristic