Art of Defence (see previous CloudAve coverage), originally founded in Germany with offices in San Francisco, announced during the ongoing RSA conference that they are open sourcing the core of their distributed web application firewall (dWAF). The project, called openWAF, will help protect web-based applications in this cloud era. This is an interesting move because it gives users more open source choices and, more importantly, it will help the parent company, Art of Defence, push their Hyperguard firewall to more places easily. However, success is not guaranteed; it depends on the traction the project gets in the coming months and year.
What is a distributed web application firewall?
In the Web 1.0 era, we used web application firewalls, which add a layer around web servers and fend off attacks based on the rules we set up. ModSecurity is a great example of a firewall around Apache. Personally, I used ModSecurity extensively in those old days to protect my web applications from malicious attacks. With the move to clouds and the emergence of SaaS, things got a bit more complex, and traditional web application firewalls cannot be used to protect the applications. The traditional web application firewalls were tied to the hardware and used quite a bit of resources. With the move to the cloud, where hardware becomes invisible and any additional overhead costs additional money, the old-fashioned WAFs became meaningless.
A better way is to build the security measures into the application itself so that security scales seamlessly with the cloud. There is a long way to go before such an approach becomes the norm, and we need a different kind of solution to handle current application security requirements. Enter dWAF, the distributed Web Application Firewall. A dWAF comes in the form of a plugin or even a SaaS service and integrates with many cloud environments. These firewalls detect vulnerabilities and protect against attacks without consuming many resources.
What is openWAF?
openWAF is the open source implementation of the core of the current Art of Defence product called Hyperguard. Hyperguard is a distributed Web Application Firewall that ensures application security in the cloud. They have partnered with Amazon Web Services and GoGrid to offer their firewall solution as SaaS. AWS customers can access Hyperguard SaaS by simply adding a small software plug-in to an existing web server Amazon Machine Image (AMI), or by using Art of Defence's custom AMI. GoGrid customers can do the same.
Art of Defence is seeding the project with the source code from their core product in the hope that enough developers will commit to the project. They will reorganize the business model of Art of Defence around this core open source product, monetizing enterprise features, training and support. They haven't released the source code yet; they are waiting to clean up the code for third-party IP before releasing it to the public. It appears the source code will be available under a flexible Apache License.
I have been observing this company for the past year or so, and they have an interesting solution for web application security. I know they have been trying hard to crack open the US market by opening an office in San Francisco. This move to open source, if it gains enough traction, will help them go further. It will be interesting to watch as the openWAF project and Art of Defence attempt to get enough people to work on the project.