Qualys is spearheading a project to develop an open source web application firewall.

The project is called IronBee. Ivan Ristic, director of engineering at Qualys, told SC Magazine that the effort is a call to the industry to expand web application firewalls into new areas.

He said: “This is a new project and we want to organise a universal application security centre. We have developed 40-50 per cent of it, but we want to run it as a community; we have laid down the foundation and are announcing the beginning of the project. We have a background in open source, but we want to further it and Qualys want to fund it. We are hoping to get individuals and commercial organisations involved; this is an open project with the idea that if we pool resources we can make things better.”

Led by the team who designed and built ModSecurity, the new project aims to produce a web application firewall sensor that is secure, high-performing, portable and freely available, even for commercial use.

The plan is for IronBee to provide an application security inspection engine that offers new processing tools and analysis for HTTP traffic. It will be released under the non-viral open source Apache Software v2 licence, which allows individuals and commercial organisations alike to participate, creating a community of users and developers. The engine will be built from the ground up to work in multiple deployment modes, such as passive, embedded, out-of-process and reverse proxy.

Ristic said: “We will build the engine; that will be the user interface in the first sense, and we want to make it work everywhere. We want enterprises to put it in everywhere, and do it as open source so there are no strings attached. We are hoping that in due course it will be the de facto standard for firewalls.”

Asked whether being open source would make it more compatible, he said he believed organisations want this, as no one has a desire to run web applications and embed a firewall into the fabric of their infrastructure. “We make it free and open; in terms of collaboration, that will lead to cost and effort savings. This is a situation where there are no restrictions: you can download it and put it into the cloud, and no permission is needed,” he said.

He went on to say that Qualys wants other developers to engage as early as possible to get the project into shape, with a view to having a first release in the third quarter of this year.

He said: “We want to do the same as (Rackspace's) OpenStack; this is the same principle as Linux, pooling resources. We are now starting from scratch because we want a new option, and people want to use the same products wherever they are. Today it is all over the place and people want one layer.”

Rich Mogull, founder of Securosis, said: “It is increasingly clear that no matter how good we are at secure programming and no matter how effective our code scanning and vulnerability analysis tools are, neither approach can 'solve' our web application security problem. The key mantra is shield and patch.

“When we discover a new vulnerability, we (if possible) shield ourselves through firewalls and other perimeter techniques to buy us time to fix the underlying problem. No, it doesn't always work and we still have a heck of a lot of progress to make, but it is a fundamentally sound approach.”

John Summers, vice president of product management for Akamai, said: “We are excited about the unveiling of the IronBee open source web application firewall project. Akamai and Qualys share a vision that web security must evolve to become an intercommunicating ecosystem of controls located both in the cloud and within the user's infrastructure. Akamai looks forward to IronBee improving the industry's ability to address the escalating number and sophistication of web application attacks.”