
4 posts from January 2008

January 29, 2008

Do not confuse companies with open source products for Open Source

Nokia today announced their intention to acquire Trolltech, the makers of Qt (a cross-platform application development toolchain, on which KDE is famously based) and Qtopia (a platform for creation of Linux-based devices). The deal will be going through provided at least 90% of the shareholders agree to it. We know that approximately 66.43% agreed so far.

In response to the news, Matt Asay writes:

"Interesting days. Will there be any open-source companies left to acquire in 2008? Who will drive forward the changes to the software world if the old world keeps devouring the new?"

The software world has already been changed, and it wasn't the companies that did it.  Companies, even those with strategies based around open source, exist to make money. In the process, such companies generate a lot of value for the community, and we should respect that. But we shouldn't be giving them more credit than they deserve. It was the open source movement that led to the creation of the open source companies—not the other way round.

January 22, 2008

Tide is turning for web application firewalls

There is a long-running tradition in the web application firewall space; every year we say: "This year is going to be the one when web application firewalls take off!" So far, every year turned out to be a bit of a disappointment in this respect. This year feels different, and I am not saying this because it's a tradition to do so. Recent months have seen a steady and significant rise in the interest in and the recognition of web application firewalls. But why is it taking so long?

Having been involved with the industry for many years, I can come up with many valid theories to explain the apparently slow adoption of web application firewalls. Here are some of them:

  • It's a brand new type of product that requires effort to learn how to use. Articles, books and papers need to be written, conference talks need to be scheduled and best practices need to be established. We need a critical mass of people with access to the technology in order for discussions to take place and for users to start to be comfortable.
  • Network security people are the ones most likely to be tasked with application security. To deploy a WAF one needs at least a minimal understanding of application security, but achieving that, in a field where attacks are still evolving at a rapid pace, is not easy.
  • Many organisations are yet to assign people to deal with application security full-time, let alone web application firewalls.
  • It is often not clear who is supposed to manage the technology. Does it fall under network security or application development? Or should we assign it to the application security team instead (where it exists)? This decision is made more difficult by the fact that some web application firewalls can be deployed inline (e.g. as a bridge or a reverse proxy), where they impact performance (not necessarily in a negative way) and create a point of failure.

Above all, the perception seems to have been that web application firewalls are something we can live without, whereas network firewalls are not. This has to do with the differences in risk distribution between network security and application security. In the network security space virtually all organisations run off-the-shelf products on their servers. Once vulnerabilities in these products are exposed, exploits are written. These exploits are easy to deploy in an automated and indiscriminate manner, and this sort of thing is happening on a massive scale. The likelihood of being hit by such an exploit is very high, although the damage coming from such an attack might not be. When you add to this the fact that workstations (whose numbers far outweigh those of the servers) are also targets, it becomes clear why firewalls are viewed as essential.

In the application security world most attacks are still carried out by hand. One reason is that attackers haven't started automating the attacks yet (but this is changing, as demonstrated by recent automated SQL injection attacks); the other is that most web applications, unlike the off-the-shelf products that dominate the network space, are custom-developed and thus require manual exploitation. The net result is that some organisations are hit by application security problems and others aren't, although most are equally insecure. The lack of mass-scale exploitation contributes to the feeling that there is still time to act.

This, of course, is an illusion. Organisations without web application firewalls are playing a game not unlike that of Russian roulette, hoping they won't be affected. But in this game you get hit—eventually. It's just a matter of time. We are seeing the increased interest now because people are starting to get fed up with web application security issues appearing left and right. Every new day sees a new type of problem discovered. Every day we hear of a new massive attack with damages running into millions. (The Web Hacking Incidents Database project is particularly good at documenting these.) People are waking up to the fact that addressing their problems before attacks take place is going to be much less painful (and far less costly) than doing the same afterwards.

In other words, and to simplify greatly, we haven't seen mass adoption of web application firewalls so far because that market was too young. The time was not right. But it will be right this year. I think.

January 10, 2008

Another year, another blog

I have decided to start the new year with a new blog. Looking back at my blogging in 2007 I came to realise it was very low-level and technical, with only brief excursions into higher-level topics. There is nothing wrong with being technical, of course. But I do find myself with strong opinions on non-technical topics and need a venue to get those out in the open.

But why a new blog? After all, I already contribute to two: the Apache Security Blog (where I am the only author) and the ModSecurity Blog (which I share with Brian Rectanus, Ofer Shezaf, and Ryan Barnett). It's a matter of focus. These other blogs have established audiences that are happy with the content (one hopes). Forcing other topics upon them would probably lower the satisfaction level and make some of them cancel their subscriptions. At the same time, those interested in the topics I am planning to cover here (computer security and open source) are probably not very much interested in that other technical stuff. With multiple blogs come multiple audiences and a chance to give everyone exactly what they want.

Finally, I wanted my new blog to allow people to post comments and trackbacks. My other blogs are purely static (mostly for security reasons) and couldn't do that. Hosting of this blog is outsourced so I can enjoy the dynamic functionality without having to worry about the security of the platform. For a change.

January 08, 2008

Speaking about ModSecurity at ApacheCon Europe 2008

I will be speaking about ModSecurity at ApacheCon Europe in Amsterdam later this year. I hear ApacheCon Europe 2007 (also in Amsterdam) was great so I am looking forward to participating this year. Interestingly, for some reason or another, this will be the first time ModSecurity will be officially presented to the Apache crowd, in spite of the fact that we've been going at it for years. As always, the best part is meeting the people you've been communicating with for years.

Intrusion detection is a well-known network security technique -- it introduces monitoring and correlation devices to networks, enabling administrators to monitor events and detect attacks and anomalies in real-time. Web intrusion detection does the same but it works on the HTTP level, making it suitable to deal with security issues in web applications. This session will start with an overview of web intrusion detection and web application firewalls, discussing where they belong in the overall protection strategy. The second part of the talk will discuss ModSecurity and its capabilities. ModSecurity is an open source web application firewall that can be deployed either embedded (in the Apache HTTP server) or as a network gateway (as part of a reverse proxy deployment). Now in its fifth year of development, ModSecurity is mature, robust and flexible. Due to its popularity and wide usage it is now positioned as a de-facto standard in the web intrusion detection space.
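To make the two deployment modes mentioned in the abstract concrete, here is an added example of the "network gateway" deployment in Apache httpd terms: ModSecurity loaded into an Apache reverse proxy that sits in front of the real application server. This is an illustration written for this page, not configuration taken from the original post or shipped by the ModSecurity project; the hostname, backend address and rule id are placeholders.

```apache
# Added example: ModSecurity as a network gateway (reverse proxy) in Apache 2.x.
# www.example.com, 10.0.0.10:8080 and rule id 100001 are assumed placeholders.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule unique_id_module    modules/mod_unique_id.so
LoadModule security2_module    modules/mod_security2.so

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy: every request is inspected here, then forwarded to the
    # application server, which never sees the client directly.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/

    # Start in detection-only mode so the proxy is not a point of failure for
    # legitimate traffic while rules are tuned; switch to "On" to block.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Log full transactions only when something relevant happened.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 0

    # What a matching rule does unless it says otherwise.
    SecDefaultAction "phase:2,log,auditlog,deny,status:403"

    # A deliberately simple rule: flag an obvious SQL injection pattern in
    # any request parameter, after URL-decoding the value.
    SecRule ARGS "@rx (?i:union\s+select)" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,msg:'SQL injection attempt'"
</VirtualHost>
```

The embedded deployment is the same ModSecurity block placed directly in the configuration of the Apache server that runs the application, with the mod_proxy directives left out; the rules do not change, only where the inspection happens. Running in DetectionOnly first and reading the audit log before switching SecRuleEngine to On is the usual way to address the performance and point-of-failure concerns raised earlier about inline deployment.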


ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
