
CGISecurity Interview: Interviewing Ivan Ristic the Author of ModSecurity

After the announcement that ModSecurity was purchased by Breach Security, I decided to email Ivan and ask him a few
questions that many of us have been wondering about regarding the future of ModSecurity.

How will the sale of ModSecurity to breach affect existing users?

"There are going to be many positive changes resulting from this sale.
Development is going to accelerate as we will have one developer
assigned to working on the code full time, and that’s in addition to me
having more time to spend on development. The documentation and
community support are going to improve too, as we are going to have
someone dedicated full-time to growing and nurturing the community. The
latter is very significant as I have come to the conclusion that the
interaction with the community is the main opportunity for further
expansion. Web application security is complicated due to the dynamic
environment and the web application firewalls protecting those
applications must manage a changing environment.
Right now ModSecurity is difficult to use for some because there are no
wizards and no implicit protection facilities. Users must have a high
level of expertise. While this works well for the professionals, I want
to make ModSecurity an equally suitable solution for people who are not
web application security gurus but have an equally important need to
protect themselves, while minimising their time investment in the
process.

I also believe the ModSecurity users are going to benefit from
the commercial offerings.
They will have the option to purchase a commercially supported version
of ModSecurity from an organisation with broad reach to places I
previously could not support. That, and the range of appliances we will
come out with, will ensure the users have a very wide choice of
deployment options.

Our first appliance, expected in November, is going to be
*very* affordable. Breach Security want to continue to pursue the main
goal of the ModSecurity project, and that is to make web application
firewalls accessible to everyone. This, of course, makes me personally
very happy as it’s a goal I’ve been working on for some years now."

Will future versions of ModSecurity be closed source?

"No.
ModSecurity for Apache is going to remain open source. Not only that,
but the open source version is where the improvements are going to
continue to be added, meaning the community is going to get them
straight away.

I know this question – “will the product remain open source?” – is
what many think about in situations like this. Breach Security are
committed to keeping ModSecurity open source, but you don’t have to
take my (or anyone’s) word for it. Just wait and see. Actions are
always stronger than words. Also, as many have pointed out before me,
open source products do not die unless the community wants them to
die."

How will the licensing model be affected?

"The licensing model
is not going to be affected. ModSecurity was always available under two
licences and that will not change. The open source version uses GPLv2.
There is also the commercial licence, which we are going to use for the
commercial version of ModSecurity. The commercial version of
ModSecurity is going to be based on the same code base with added
services and more responsibilities on our part (e.g. support with a
service level agreement, support for the ruleset, etc)."

What are the terms of the acquisition?

"Undisclosed."

What are Breach Security’s plans for ModSecurity and when will we expect to see those changes?

"The main plan is to give the project the resources it needs to
continue to develop. For this we need to find the right people and we
have already started to look. The ultimate plan is, as it has always
been, to make ModSecurity into the best possible open source web
application firewall.

The project is already benefiting because an independent
security code review of the ModSecurity 2.0 code base is taking place
before the product is released (on October 2nd).
Breach Security has also decided to make the ModSecurity Console
(limited to supporting 3
sensors) available for free for a limited time. Finally, we are going
to release the certified rule set to the community and make it part of
the core product. This, the rules, is a feature every member of the
community we talked to requested."

Boxers or briefs?

"Briefs. Too much freedom is not necessarily a good thing."

Additional information about the acquisition can be found at this blog at
http://www.modsecurity.org/blog/archives/2006/09/modsecurity_has.html