3 posts from March 2010

March 19, 2010

The state of ModSecurity in March 2010 (Part 1)

Last night, during the recording of an OWASP Podcast episode, Jim Manico asked me what the state of ModSecurity was. The question was so simple and straightforward, yet it remained with me for long after the recording. Indeed, what is the state of ModSecurity?

To understand where ModSecurity is today you need to understand where it's been. In today's post I will look back at the history of ModSecurity. In my next post I will cover the current state of affairs.

I started to work on ModSecurity in 2002. Initially, it was only a hobby, but in 2004 I started to work on it full time. ModSecurity 2.x, a complete rewrite, came out in 2006, and was a great step forward. In that same year I sold my business (and ModSecurity with it) to Breach Security. (For those interested, here's the blog post I wrote at the time.) By the time Breach Security approached me I was getting seriously frustrated with the slow pace of development. I was working on my own, developing ModSecurity and supporting the community at the same time. I had so many ideas, but there was only so much I could do alone.

In the months following the acquisition we formed the ModSecurity team, consisting of myself, Ofer Shezaf (who was already at Breach Security), and Brian Rectanus and Ryan Barnett (who were new hires). In retrospect, I don't think we could have assembled a better team. Breach Security kept ModSecurity open, as they had promised, and the hard work of the team greatly improved the quality of the ModSecurity package (the code, documentation, community aspects, and rules). ModSecurity reached maturity, which was further reinforced with the release of 2.5 in 2008.

Ultimately, however, the business interests of Breach Security did not align with the interests of ModSecurity. The team remained in place, but, over time, we found ourselves spending more and more time on other things. In late 2008, after several years of working very hard and having little life outside work, I found myself very tired and decided to leave Breach Security. Above all, I wanted to do something else with my life. My unhappiness with the pace of ModSecurity certainly influenced my decision to leave, but it was not the deciding factor.

Whenever a business is acquired and the founder leaves, the inevitable question comes to mind: did he leave because of an internal disagreement? I didn't, and I remain on good terms with everyone at Breach Security. It was a pleasure to work with them -- I learned so much. Sure, the acquisition could have worked out better for ModSecurity, but I can say the same for many other things in my life, and so can you. The acquisition did a lot of good for ModSecurity and the net result is overwhelmingly positive. Breach Security gave so much to ModSecurity, and continues to do so.

March 15, 2010

ModSecurity Handbook in print

Well, now it is official. Feisty Duck's first book, ModSecurity Handbook, is in print as of March 15, 2010.

March 11, 2010

ModSecurity Handbook shipping soon!

It's been an adventurous journey, but we are nearing a major milestone: the official publication of the first book published by our publishing company, Feisty Duck! We've just received a batch of ModSecurity Handbook paperbacks and we're enjoying them in all their glory. Two further batches are on their way to our warehouses (one in the US and one in the UK), from where they will be shipped to early adopters. (If you're one of the early adopters, you will soon get an email from us with more information.)

Our work is nowhere near the end, however, because now we need to focus on reaching out to the book's audience to inform them that the book exists.

If you haven't purchased the book yet, now would be a very good time: because the official publication date is the 15th, we'll be maintaining the pre-order discount for a little while longer. You only have about 4-5 days to take advantage of the 25% discount. Buy now!

ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.