The idea of open source security seems like a contradiction in terms. But it's not.
Cops are always getting together to swap tips and techniques. Same thing with computer security guys. What some object to is the idea of the code being open and available to outsiders, some of whom (it can be assumed) are bad guys.
Projects like the Open Source Security Foundation framework and Eureka Streams can be valuable – assuming, that is, that they're not just government-funded copies of something that already exists, like Snort. If they are, they're just a waste of time and resources.
The good news in these cases is that government contractors are acknowledging the legitimacy of open source as a development process, even in the area of security. But will any side support a governance process that makes the most of what open source has to offer?
And so we come to IronBee, a new open source web application firewall created by Qualys and supported by Akamai. The goal, as this whitepaper notes, is a universal web application security sensor. The announcement took place this week at the RSA Security Conference.
As with Eureka Streams, we're talking about another Snort competitor. Project manager Ivan Ristic said Snort does not have a solution to the problem of governance. Snort has evolved, under Martin Roesch, as a corporate project – the company is called SourceFire – and the rest of the security world wants more of a community process, he said.
Maybe.
All this sounds a bit like teenage girls. Martin doesn't want to play with us, so we'll go over here. But will anyone play with us or will they follow Martin because he's actually more fun?
That may sound like I'm dismissing the governance issue. I have learned in the last few years that's a mistake. IronBee will be offered under the Apache license while Snort is under the GPL, with a proprietary license for commercial support. IronBee, by contrast, will allow others to build proprietary extensions on its code – that's the idea behind Apache, and why many in the commercial space call it “more free” than the GPL.
What's more important in governance is not the license, but the process. If Ristic follows the Apache governance process – if he can welcome other developers as partners rather than competitors – then we may have something.
Meanwhile, let the code be your guide on what to implement.
Dana,
Actually, IronBee does not compete with Snort. IronBee is a web application firewall and works on the HTTP level, whereas Snort works on the network level. The two are complementary. We can and should work together, and I have already reached out to Marty to talk about it.
There is no controversy here. My comments on governance actually come from my own experience running ModSecurity (my earlier open source web application firewall) for 7 years. The GPLv2 license of ModSecurity proved to be a significant hurdle to community building.
For the record, I only have respect for Snort and Marty. The article you point to does not reflect the conversation I had with the journalist.
Ivan Ristic