Often when implementing customised ModSecurity solutions we need to extend the built-in functionality via Lua scripting. One of the disadvantages to this approach is the added latency penalty paid for not using the native rules language. When web site performance is critical for business continuity, every additional millesecond counts. The current trunk code fixes a long-standing limitation where ModSecurity needed to create a new VM for each request, which added latency every time a Lua script was executed.
Fairly often applications include a password recovery feature that uses extremely weak questions. Password recovery mechanisms are problematic as they can be used as a secondary means of authentication which are not subject to the same strict criteria as the primary means of authentication. A perfect example of this is when U.S.
