
The state of ModSecurity in March 2010 (Part 1)

March 19, 2010

Last night, during the recording of an OWASP Podcast episode, Jim Manico asked me what the state of ModSecurity was. The question was so simple and straightforward, yet it remained with me for long after the recording. Indeed, what is the state of ModSecurity?

To understand where ModSecurity is today you need to understand where it's been. In today's post I will look back at the history of ModSecurity. In my next post I will cover the current state of affairs.

I started to work on ModSecurity in 2002. Initially, it was only a hobby, but in 2004 I started to work on it full time. ModSecurity 2.x, a complete rewrite, came out in 2006, and was a great step forward. In that same year I sold my business (and ModSecurity with it) to Breach Security. (For those interested, here's the blog post I wrote at the time.) By the time Breach Security approached me I was getting seriously frustrated with the slow pace of development. I was working on my own, developing ModSecurity and supporting the community at the same time. I had so many ideas, but there was only so much I could do alone.

In the months following the acquisition we formed the ModSecurity team, consisting of myself, Ofer Shezaf (who was already at Breach Security), and Brian Rectanus and Ryan Barnett (who were new hires). In retrospect, I don't think we could have assembled a better team. Breach Security kept ModSecurity open, as they had promised, and the hard work of the team greatly improved the quality of the ModSecurity package (the code, documentation, community aspects, and rules). ModSecurity reached maturity, which was further reinforced with the release of 2.5 in 2008.

Ultimately, however, the business interests of Breach Security did not align with the interests of ModSecurity. The team remained in place, but, over time, we found ourselves spending more and more time on other things. In late 2008, after several years of working very hard and having little life outside work, I found myself very tired and decided to leave Breach Security. Above all, I wanted to do something else with my life. My unhappiness with the pace of ModSecurity certainly influenced my decision to leave, but it was not the deciding factor.

Whenever a business is acquired and the founder leaves, the inevitable question comes to mind: did he leave because of an internal disagreement? I didn't, and I remain on good terms with everyone at Breach Security. It was a pleasure to work with them -- I learned so much. Sure, the acquisition could have worked out better for ModSecurity, but I can say the same for many other things in my life, and so can you. The acquisition did a lot of good for ModSecurity and the net result is overwhelmingly positive. Breach Security gave so much to ModSecurity, and continues to do so.