Web Application Firewall (WAF) technology is seen by many as a much needed technology for Web application security.

In the open source world, the ModSecurity project has helped to lead the charge for WAFs, but there is now a group that is aiming to build a new open source WAF called IronBee. Spearheaded by Qualys security researcher Ivan Ristic, the IronBee project has already gained the interest of content delivery network vendor Akamai.


"I don't believe we've achieved what needs to be achieved in terms of availability of WAFs," Ristic said. "So what Qualys is doing is funding development of a brand new project and the whole goal is to focus on the community side first and technical issues second."

IronBee is being developed under the Apache 2.0 open source license, which Ristic described as “business friendly." Unlike the GPL open source license, the Apache license does not require that developers contribute all their code back to the project.

"The GPL license actually hinders the growth of the community around ModSecurity," Ristic said. "I don't want to be negative about ModSecurity; it's a great and fantastic tool."

Ristic added that he also intends to maintain his book, titled, "The ModSecurity Handbook."

The goal with IronBee, according to Ristic, is to do more than what ModSecurity currently offers. The ambition with IronBee is to build a universal application security sensor. Instead of being directly tied to a specific type of Web server, with IronBee the goal is to build an open source component that is embedded in multiple types of scenarios, cloud or on-premise.

Ristic stressed that the IronBee project has been started from scratch, which also represents a key opportunity for the effort to develop an entirely new type of WAF. The IronBee project is starting off with at least three full-time developers that are being funded by Qualys with the hope that more developers will join the project soon. Among the developers is Brian Rectanus who had at one time been the maintainer of the ModSecurity project.

One possible implementation of IronBee under consideration is as a network sniffer.

"So you don't have to have a Web server, you could run it as a process on a server, or it could be a sniffing process on the network," Ristic said. "We're even considering an out-of-process approach where there is a small piece of code on the server which communicates with the inspection code that could be running somewhere else on the Internet."

Such an out-of-process WAF could enable remote monitoring by a cloud service that is always updated with the latest threat mitigation rules.

Among those that are interested in IronBee at this point is Akamai. Akamai is no stranger to the world of WAF, as they've had a Cloud-Based WAF service since 2009 that leverages rules from ModSecurity.

"I think that Akamai is representative of the commercial target market we're trying to attack," Ristic said.

According to Ristic, a barrier to adoption for WAFs to date has been that they're costly, which has limited their deployment.

"I think there is a very large untapped market of people that have application security issues but they can't afford WAFs," Ristic said. "I think that the key to adoption is to push WAF into the cloud and into hosting environments so if you have a virtual server, you'll have a virtual WAF and that's how this technology will be exposed everywhere."

IronBee is currently in development and Ristic is hopeful that a full beta will be available in the summer with a final version targeted by the end of the year.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.