Will Open Source Save WAFs?
It is no secret that the WAF market has not skyrocketed in recent years. With most open source security projects closing up, open source security has also seen better days. Do the two stand a better chance together? Two open source WAF announcements from WAF veterans during RSA will put this to the test.
Ivan Ristic, the creator of ModSecurity, the one and only open source WAF until today, is back with IronBee, sponsored by Qualys, his current employer. The project is in its very early stages; however, the feature list seems promising and builds on huge experience in both WAFs and open source. Two decisions that Ivan took in order to make IronBee more popular are avoiding a GUI front end, leaving that to commercial entities, and providing IronBee under the Apache license, which makes commercialization of derived solutions easier. Ivan prefers the Apache open source model, which promotes commercial participation as key to open source success.
Art of Defence, which shifted in recent years to focus on “WAF in the cloud” services, has released openWAF, open sourcing its core product. This is a major move for Art of Defence, which is trying to reinvent itself as an open source security company, profiting from enterprise features, service and training. This is an uncommon change: most open source security tools go the other way, starting as a successful open source project and later being commercialized.
Time will tell whether the new open source movement will resurrect the WAF market or is just a sign that WAFs are good only as freeware.