ModSecurity has been acquired

September 24, 2006

It gives me great pleasure to announce that Thinking Stone Ltd. and ModSecurity have been acquired! We will be joining forces with Breach Security, Inc. (http://www.breach.com), a company also focused on the web application firewall market. The merger is going to be officially announced tomorrow but I thought you'd want to hear about it sooner.

It has been clear to me for some time now that I've done all I could working on ModSecurity on my own. The limited resources available to me have become the main bottleneck. Having spent the largest part of this year trying to determine what is the best course of action, I believe the merger with Breach Security is the right decision. Their existing product line is fully compatible with ModSecurity and, more importantly, web application security is all they do.

I have known Ofer Shezaf, the CTO of Breach Security, for several years. We have worked on various projects together, mostly as part of the Web Application Security Consortium. It is this friendship that ultimately led to the merger of the two companies.

So much good is going to come out of this:

  • I am going to continue to work on ModSecurity, now able to spend more time on the technical aspects of the project.

  • There is going to be another developer assigned to work full time on ModSecurity.

  • Yet another full-time position will be created to expand the documentation and interact with the community.

Breach Security are going to bring their web application security expertise to the table. While I expect their entire organisation to become involved with the ModSecurity community in one form or another, there are also going to be several immediate benefits:

  • ModSecurity Console, limited to supporting three remote sensors, is going to be made free for a limited time.

  • Breach Security are going to design a core ModSecurity rule set and make it a part of the official distribution.

So not only is ModSecurity for Apache going to remain an open source product, but a large amount of resources is going to be invested into it to make sure the community is supported and the development accelerates.

For me, these events are a culmination of my efforts to make web application firewalls available to everyone. It was a joint effort; none of this would have happened without the strong support from the community.

In many ways this is a new life for ModSecurity. Now it's time to go for places we couldn't reach before!