ModSecurity — WAF
OSS (Apache-2.0) · OWASP · owasp-modsecurity/ModSecurity · Docs · Rule library: OWASP Core Rule Set (Apache-2.0)
What ModSecurity does
ModSecurity inspects HTTP requests before they reach your application and decides — by way of rules written in the SecRule language — whether to block, log, or allow. It runs as a module inside Apache, nginx, or as a standalone library in front of any reverse proxy.
For vulnerability management it serves one purpose. When a CVE in your application can be exploited via an identifiable request pattern, a ModSecurity rule that blocks that pattern is a valid mitigation. You record the mitigation in an OpenVEX statement and the rule itself — its ID, its version, and where it’s deployed — becomes the evidence.
WAF rules aren’t SBOM components, so the attestation is always OpenVEX, never CycloneDX VEX.
Rule structure
Writing a mitigation rule
# Block requests exploiting a path traversal in /api/files
SecRule REQUEST_URI "@contains /api/files" \
"id:10001,phase:1,deny,status:403,\
msg:'Path traversal blocked — CVE-XXXX-XXXX mitigation',\
tag:'vuln-coordinator/CVE-XXXX-XXXX'"
# Block SQL injection pattern in query string
SecRule ARGS "@detectSQLi" \
"id:10002,phase:2,deny,status:400,\
msg:'SQL injection blocked — CVE-XXXX-XXXX mitigation',\
tag:'vuln-coordinator/CVE-XXXX-XXXX'"
Testing the rule
OpenVEX outcome
See also
- SSVC Engineer Triage — the framework that maps a rule deployment to the
Mitigation Optioninput. - OpenVEX appendix — the format these rule guides produce.
- Glossary.