IronBee: a new open source web application firewall is announced at RSA
Philippe Courtot, chairman and CEO of Qualys, is sometimes described as a serial entrepreneur – and he might just be on the point of revolutionising software development. Today at RSA Qualys announced a new open source project: IronBee. It was proposed by Ivan Ristic, who could himself be described as a serial open source developer, and accepted within minutes. Qualys will fund the initial development of a new, free, open source, untied web application firewall (WAF).
Why? Vulnerabilities in web applications are rapidly becoming one of the industry’s biggest headaches. “What we’ve been seeing in recent years,” Ristic told me, “is that applications have become the major source of problems for companies, mostly because of those companies’ need to get from planning to implementation very quickly. The security industry has to play catch-up, and we’re still trying to figure out how to develop web application security. In the meantime business has to continue doing business, and we must somehow manage this situation.
“WAFs are one possible answer to the problem. With a WAF, what you get is something like an all-seeing eye that sees everything that comes in from the outside world and everything that goes out from the organisation. By being able to intercept the traffic, both inbound and outbound, a WAF can prevent or stop an attack before it does any damage. And on the outbound it can catch data leakage and other similar issues.”
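To make the inbound/outbound inspection Ristic describes concrete, here is an added Python sketch of a WAF-style filter sitting between client and application. It is example code written for this page, not IronBee or ModSecurity source; the rule ids, the sample request strings and the card-number and error-message checks are constructed for the illustration, and a real rule set would be far larger and more carefully tuned.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

# Added illustration of WAF-style inbound and outbound inspection.
# Not IronBee or ModSecurity code; rule ids and samples are constructed.


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


# Inbound signatures (hypothetical rule ids). Crude on purpose: the point is
# where they are applied, not their precision.
INBOUND_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sqli-union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]

# 13-16 digit runs with optional space/dash separators (candidate card numbers).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def normalise(value: str) -> str:
    """URL-decode twice so %252e-style double encoding cannot slip past
    the patterns. Real engines apply many more transformations."""
    return unquote_plus(unquote_plus(value))


def inspect_inbound(req: Request) -> List[str]:
    """Return the ids of every inbound rule matching any part of the request."""
    fields = [req.path, req.query, req.body, *req.headers.values()]
    hits = []
    for rule_id, pattern in INBOUND_RULES:
        if any(pattern.search(normalise(f)) for f in fields):
            hits.append(rule_id)
    return hits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(match: "re.Match[str]") -> bool:
    return luhn_ok(re.sub(r"[ -]", "", match.group(0)))


def inspect_outbound(resp: Response) -> List[str]:
    """Return findings for content that should not leave the application."""
    findings = []
    if any(_is_pan(m) for m in CARD_RE.finditer(resp.body)):
        findings.append("pan-leak")
    if re.search(r"(?i)\b(stack trace|traceback \(most recent call last\))", resp.body):
        findings.append("verbose-error")
    return findings


def proxy(req: Request, app: Callable[[Request], Response]) -> Tuple[Response, dict]:
    """Block on an inbound hit, mask card numbers on an outbound hit.
    The second return value is the audit record a SOC would want logged."""
    audit = {"inbound": inspect_inbound(req), "outbound": []}
    if audit["inbound"]:
        return Response(403, "Forbidden"), audit
    resp = app(req)
    audit["outbound"] = inspect_outbound(resp)
    if "pan-leak" in audit["outbound"]:
        masked = CARD_RE.sub(lambda m: "[REDACTED]" if _is_pan(m) else m.group(0), resp.body)
        resp = Response(resp.status, masked)
    return resp, audit


if __name__ == "__main__":
    # Constructed backend that leaks a (test) card number in its response.
    def leaky_app(_: Request) -> Response:
        return Response(200, "Customer card 4111 1111 1111 1111 on file")

    print(proxy(Request("GET", "/account"), leaky_app))
    print(proxy(Request("GET", "/search", "q=1%27+OR+%271%27%3D%271"), leaky_app))
```

The two halves map onto the two directions in the quote: `inspect_inbound` runs before the request reaches the application and can refuse it outright, while `inspect_outbound` sees the response and can redact or flag what the application should never have emitted. The audit record is what turns a blocking device into the "all-seeing eye" a monitoring team actually uses.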
And this appeals to Courtot because Qualys is primarily a scanning company. You use Qualys to see if you are safe, but a scan is a point-in-time snapshot: you wait a while and scan again to see if you are still safe, and between scans you may be vulnerable and could be compromised without knowing it. So the continuous monitoring a WAF provides is appealing to a security man like Courtot.
But there is already an open source and very popular WAF. “At the moment,” continued Ristic, “the most popular WAF is called ModSecurity [Ristic was also the original author of ModSecurity]. In 2002 I was running a software development team producing web applications – and I couldn’t sleep at night worrying about how to keep them secure. I was trying to think of ways I might be able to improve the security of my applications – and that’s how ModSecurity was born. Fast forward 5 or 6 years and tens of thousands of companies all over the world have adopted this open source WAF. The only problem is that it uses the GPL licence, which is effectively a viral licence which prevents commercial exploitation. But with this new project I have a team of four people and we’re building a more efficient WAF from scratch, not only choosing a better license, but also, hopefully, avoiding all the same mistakes we made with ModSecurity.”
Key to the new approach is its unlimited licence. Qualys will place no limitations whatsoever on its use. If a company chooses to take the software and incorporate it into a proprietary product with no further reference to the project – so be it. But what Ristic hopes, and believes, is that other companies will take the code, add to it, and return it to the open source project – and in this way it will grow and improve. Similarly, he believes that the existing army of open source enthusiasts will adopt the project and work with it to develop a genuinely free and advanced web application firewall.
“Qualys is funding the effort to build this project from scratch and to make it available to the world under a business-friendly user licence. We are putting no restrictions on this project or the use of the code. We’re doing it because that’s the only way to make it universal. And because we are giving it away for free, we will be encouraging all cloud providers to adopt it and to take it. We are not asking for anything in return. They are free to take the code and to use it and to keep it. That’s the key – that’s the most important message of this project. We’re hoping that they are not just going to use the code, we’re hoping that they will join the project. Because there are no strings attached we hope to form a community that will be a mixture of commercial organisations and individuals and security researchers and anyone else who will jointly collaborate in creating this product that will allow us to deal with the web application security issues.” Within six months Ristic expects to have evolved the project into a genuinely democratic project with a life of its own.
Akamai is an enthusiast. “We are excited about the unveiling of the IronBee open source web application firewall project,” said John Summers, vice president of product management for Akamai Technologies. “Akamai and Qualys share a vision that web security must evolve to become an intercommunicating ecosystem of controls located both in the cloud and within the user’s infrastructure. Akamai looks forward to IronBee improving the industry’s ability to address the escalating number and sophistication of web application attacks.” There will be many more supporters by the end of RSA.
Think of that. A single web application firewall that will be as free to individuals running a website from their home computer as to major cloud providers embedding the software into their services. And all supported by the online open source community of developers and researchers. That model could change the way that cloud products are developed in the future.