The OWASP Core Rule Set (CRS) is one of the Foundation’s flagship projects—quietly powering Web Application Firewalls (WAFs) across the world, safeguarding applications large and small. But it’s been a while since CRS has shared a full update with the community. This talk changes that.
We’ll explore the full lifecycle of CRS—from its origins under Trustwave, through the pivotal leap to version 3, and into the challenges we’re addressing as we build toward version 4. Along the way, we’ll reflect on what it takes to maintain and evolve a high-impact open source project within a constantly shifting security landscape.
Attendees will get a clear picture of what CRS is today: a sophisticated, extensible, community-driven detection framework. You’ll hear how we’re doubling down on quality assurance, introducing a plugin architecture, and transitioning from traditional SecLang rules to a YAML-based format designed to make contributions easier and tooling more powerful.
This session is for anyone who works with WAFs, contributes to open source, or is curious about the future of web application defense. You’ll walk away with a deeper understanding of the CRS roadmap—and how you can be part of shaping what comes next.
Key Takeaways:
- What OWASP CRS is—and why it matters more than ever
- Lessons learned from building and maintaining a global ruleset
- The roadmap to CRS 4.0 and what’s next for the project
- How the community can get involved and contribute meaningfully