Qualys Launches Open Source Web App Firewall Project
February 22, 2011 Alex Woodie
Qualys last week unveiled IronBee, a new open source Web application firewall (WAF) project. The project aims to draw on the open source community to build a high-performance WAF that protects Web applications against current attack techniques. The software will be released under a permissive license and will be free to anyone.
Security on the Web remains a major concern for everyone who does business on the public Internet. And while many organizations are vaguely aware that something is wrong out there, far too little is actually being done about it.
How bad is it? According to the recently released “State of Application Security Survey” from the Ponemon Institute, nearly three-quarters of organizations have been hacked at least once through insecure Web applications during the last two years. One problem the study highlights is that about 70 percent of organizations rely on conventional network firewalls, which filter on addresses and ports rather than on the contents of HTTP requests, instead of investing in a WAF that can recognize current application-layer attacks.
But the most appalling statistic from the Ponemon study may be this: 88 percent of organizations spend more money on coffee than on securing their Web applications.
The IronBee project won’t change that last statistic, since its goal is to make a strong WAF available to anyone free of charge. But if the project draws enough support from the application development and security communities, it can lower the barrier to entry for deploying a WAF, and perhaps slow the flow of money and data from the world’s insecure Web apps into the hands of cyber criminals.
In its introductory white paper, Qualys says its goal with IronBee is to create a “universal application security sensor”: a flexible WAF framework on which users can write their own rules and restrictions, and on which software vendors can build commercial products.
IronBee will offer several deployment modes, including passive (observing traffic without blocking it), embedded (running inside the Web server or application process), reverse proxy (sitting in front of the application, where it can block requests), command line (for batch processing), and out-of-process. Planned capabilities include virtual patching (blocking exploitation of a known flaw at the WAF until the application itself is fixed), application hardening, real-time security monitoring, continuous passive monitoring, and protection against known exploits.
The first IronBee build is complete, and Qualys is ready to take it to the next level. A great deal of work remains, and Qualys believes that taking the next steps together with the open source community is the best way to create a powerful and widely accepted WAF. The goal is a production-ready version of IronBee by year’s end.
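To make the "virtual patching" and "embedded" ideas concrete, here is an added example that is not IronBee code and does not use IronBee's rule syntax. It is a small WSGI middleware (the embedded mode, running inside the application process) that applies two hypothetical virtual patches: until the application is fixed, the `id` parameter of `/product` must be purely numeric and the `file` parameter of `/download` must be a plain filename. The paths, parameter names, rules and sample requests are all constructed for the illustration.

```python
"""Added example: a minimal virtual-patch WAF as WSGI middleware.

Not IronBee code. Paths, parameter names, rule ids and the sample
requests below are hypothetical, constructed for this illustration.
"""
import re
from urllib.parse import parse_qs

# A virtual patch constrains the input that reaches a known-vulnerable
# code path. Allow-lists are used rather than attack-signature deny-lists,
# because deny-lists are routinely bypassed with alternative encodings.
VIRTUAL_PATCHES = [
    {   # hypothetical SQL injection via the 'id' parameter of /product
        "id": "vp-001",
        "methods": {"GET"},
        "path": re.compile(r"/product"),
        "param": "id",
        "allow": re.compile(r"[0-9]{1,10}"),
    },
    {   # hypothetical path traversal via the 'file' parameter of /download
        "id": "vp-002",
        "methods": {"GET"},
        "path": re.compile(r"/download"),
        "param": "file",
        "allow": re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]{1,5}"),
    },
]


def match_virtual_patch(method, path, query_string):
    """Return the id of the first virtual patch this request violates, or None.

    parse_qs percent-decodes once, so '..%2F' is checked as '../'. The
    allow-list then rejects anything that is not the expected shape, which
    also covers double-encoded payloads such as '%252e%252e'.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for rule in VIRTUAL_PATCHES:
        if method not in rule["methods"] or not rule["path"].fullmatch(path):
            continue
        for value in params.get(rule["param"], []):
            if rule["allow"].fullmatch(value) is None:
                return rule["id"]
    return None


def virtual_patch_middleware(app):
    """Wrap a WSGI app so that violating requests get a 403 before reaching it."""
    def wrapped(environ, start_response):
        hit = match_virtual_patch(environ.get("REQUEST_METHOD", "GET"),
                                  environ.get("PATH_INFO", "/"),
                                  environ.get("QUERY_STRING", ""))
        if hit is not None:
            body = f"blocked by virtual patch {hit}\n".encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def vulnerable_app(environ, start_response):
    """Stand-in for the unpatched application: it simply echoes the query."""
    body = ("served: " + environ.get("QUERY_STRING", "")).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def send(app, method, path, query_string):
    """Drive a WSGI app offline with a constructed request; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    protected = virtual_patch_middleware(vulnerable_app)
    # Constructed sample requests: two benign, two exploit attempts.
    for req in [("GET", "/product", "id=42"),
                ("GET", "/product", "id=42'+OR+1=1--"),
                ("GET", "/download", "file=report.pdf"),
                ("GET", "/download", "file=..%2F..%2Fetc%2Fpasswd")]:
        print(req, send(protected, *req))
```

Two caveats a practitioner would want: a patch like this must cover every route by which the parameter reaches the vulnerable code (the rules above only inspect GET query strings, so a handler that also reads POST bodies would need a matching rule), and a virtual patch is a stopgap that buys time to fix the application, not a replacement for the fix.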
Web application security requires a community approach, according to Qualys CEO and chairman Philippe Courtot. “It is quite obvious that no single company alone can fight the sophistication of attacks we are now facing,” Courtot states in a press release. The IronBee project will “leverage the collective intelligence of the community to develop a cloud-based WAF with a diverse rule set that can help protect us all against cyber attacks.”
One of the first backers of IronBee is Akamai, whose content delivery network fronts many of the highest-volume e-commerce sites. Akamai vice president of product development John Summers says the two companies share a vision “that Web security must evolve to become an intercommunicating ecosystem of controls located both in the cloud and within the user’s infrastructure.” Amen to that.
For more information, see www.ironbee.com.