Breach Security announced the release of the ModSecurity version 2.0 open source web application firewall on an appliance delivering the lowest cost commercial web application firewall available. The ModSecurity Pro M1000 appliance is easy to deploy and manage with rules sets for compliance with Payment Card Initiative v1.1, as well as protection for Microsoft Outlook Web Access (OWA).

"We have listened to the community and taken the ModSecurity open source project to an entirely new level -- with an appliance that delivers web application security immediately. It is ideal for small-to-medium businesses or large organizations needing just-in-time virtual patching," said Ivan Ristic, chief evangelist, Breach Security. "The M1000 is easy to install and provides an affordable, essential layer of proven security, along with the PCI rule set that addresses important security vulnerabilities."

With increasing amounts of customer data flooding complex networks, the risk of stolen or lost information continues to rise. The Payment Card Industry (PCI) Data Security Standard v1.0 was adopted in December 2004 by major credit card companies including Visa, MasterCard, American Express, and Discover. It is designed to prevent fraud and protect consumer privacy when sensitive data is transmitted to a financial institution, merchant or vendor over the web and stored on their network. Released in June 2006, PCI v1.1 calls for source code review or deployment of a web application firewall by mid-2008.

The ModSecurity PCI rule set provides the following measures for compliance:

* Build and maintain a secure network: The M1000 is a hardened appliance and is built with secure configurations of the OS and Apache web server.
* Protect cardholder data: The PCI rule set identifies inbound credit card data and obfuscates this information in the audit log file. Furthermore, the PCI rule set will identify and block data if full credit card numbers are being sent to the client. The M1000 uses an SSL encryption module to provide network encryption and is configured to only use strong encryption/ciphers.
* Maintain a vulnerability management program: Has the capability to run antivirus applications to scan uploaded files. The M1000 will be continuously updated with new signature rule sets and addresses the OWASP Top 10 with the ModSecurity Core rule set.
* Regularly monitor and test networks: the M1000 Audit Engine logs complete HTTP transactions. The Console can be used to search for transactions of interest and will include PCI template reports.

The ModSecurity M1000 also includes the OWA rule set providing web application security for organizations enabling remote employee access to Microsoft Outlook over the internet. A component of the Microsoft Office suite of products, Outlook is the most broadly used corporate personal information manager in the world.

Along with the PCI and OWA rule sets, the M1000 appliance will include the ModSecurity v2.0 web application firewall, a management console and an enhanced rule set. ModSecurity v2.0 is a highly flexible web application firewall that can be used for a wide range of functions including web application monitoring, web intrusion detection and prevention, as well as just-in-time patching of known vulnerabilities. Released in October, ModSecurity version 2.0 provides greater flexibility, enhanced attack detection, and support for XML and Web Services.

"Our stated goal has been to deliver effective web application security for any size organization, and we have delivered on that promise with our first ModSecurity Pro appliance," said Marc Shinbrood, CEO, Breach Security, Inc. "The appliance brings to market all of the advantages of the open source ModSecurity web application firewall in an easy-to-deploy package that includes protection for PCI compliance and enterprise-level support."