We announced IronBee, our next-generation web application firewall engine, exactly one year ago at the RSA Conference in San Francisco. Although we had expected to have a fully working product by now, it did not happen. In this post I will explain why.
This time last year, we had a core of the product built on top of libhtp, our security-aware HTTP parsing library. We had also put the project infrastructure out in the public, on GitHub and SourceForge. The initial public release was 0.2, and the state of the project was pretty much what you would expect (except for libhtp, which had been developed earlier and was pretty decent). The goal of the early announcement was to get the word out and hopefully get interested parties to join us. It didn't work. The feedback was overwhelmingly positive and many were genuinely interested in working on IronBee, but, at the end of the day, no one followed through.
The lack of contributors did not stall our project. What did stall it was the fact that our entire development team was busy with other projects, and our inability to hire a full-time developer for the project. It was not until November that we had hired Nicholas LeRoy to fill the developer role, and that's when the development started to pick up. We were also able to free additional resources for work on IronBee.
The official reboot happened internally about a month ago, but we are making it public now. This year's RSA Conference is next week, and we're aware that people will be asking questions about our progress. If it weren't for that, we would probably keep quiet for another month or so, until we had more to show.
In the following weeks, we will start to make regular releases, improve the documentation, and start to write here about our progress and, especially, the new interesting features we have in IronBee. Finally, we will start to track our progress on the development roadmap.