Anurag Agarwals' Threat Modeling Blog: Reflection on Ivan Ristic

If we hear so much about web application firewalls and their role as a first line of defense in protecting our web applications, a large amount of credit has to go to Ivan Ristic. Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine). He started playing in the webappsec space sometime around 2002 and working seriously since 2004. Based out of London, UK, he is only 33 years old and works for Breach Security. He is currently in charge of the ModSecurity product line, which includes ModSecurity, sensor appliances based around it and management appliances. Ivan also wrote Apache Security for O'Reilly, a web security guide for administrators, system architects, and programmers. Prior to web application security, he has worked as a developer, system architect and technical director in the software development industry. He shared briefly his journey with ModSecurity for us. In his own words

"I started developing web applications in 1997. At that time no one really thought about web application security. Since the applications I worked on were sensitive, I had to deal with the problem then or shortly there after. Over time it became apparent to me that designing 100% secure web applications is simply not possible. And even pretty good security is difficult to achieve for an average programmer. The only choice then (and it's the same today) was to fix applications. So the real choice was between having IDS (a network level tool) or a proper HTTP-level tool. Using IDS to deal with HTTP-level problems is very difficult. They will not reassemble transactions and are typically very easy to evade. On top of that most can't see into SSL traffic. So I don't really think there was a choice.

I started working on ModSecurity in November 2002. I came up with a beta version pretty quickly. If I recall 1.2 was the first version to be made available to the public. But it wasn't until 1.5 that I felt comfortable enough with the product to tell others they can use it in production. Version 1.5 was out in May 2003. Although 1.4.2 (February 2003) was actually ready for production, version 1.5 had a web site, manual, mailing lists, etc. In other words the whole package needed for a project.

My biggest hurdle was lack of documentation for Apache and (especially) Apache 2 programming. That's where I spent most of my time in the first couple of years. Getting content interception to work in Apache 1.3.x was difficult because there is no API in Apache 1.3.x for that purpose (so my solution is a hack). And it's been very difficult in Apache 2.0.x because there was no documentation and when there was - it was outdated. In terms of code I always worked on the project alone. But the community is not only about code - I've had a lot of help from various people over the years, in one form or another.

The biggest decision I made was about the model. At the time I was thinking of building a separate program or writing an Apache module. I am still happy with my decision (to write an Apache module) because it allowed me to focus on the areas I really cared about. Plus it allowed me to learn a lot about Apache and that lead me to write Apache Security, which was a tremendous project on its own.

I didn't work for a security company up until 2004. In 2004 I started my own business (Thinking Stone) to support ModSecurity. Thinking Stone was subsequently bought by Breach Security in 2006. I am still working for Breach Security today. We are a web application firewall company.As for the future of Web Application Firewall, I cannot see a world without them. Even if web applications magically become secure overnight, a large part of what I think WAFs do is auditing and monitoring. In other words - defence in depth. I don't see that need ever going away."

Ivan spends his time thinking about web intrusion detection, web application security and security patterns. When he is not working, he spends his time cooking, photography, and studying the English language but most of the time he ends up back in the webappsec space. He is probably the first to talk about the concept of "impedance mismatch" between applications and external security layers. Below are various other contributions from him

Books:-

Apache Security (O'Reilly, 2005)
http://www.apachesecurity.net/
http://www.oreilly.com/catalog/apachesc/index.html

Articles:-

Software Documentation with DocBook Quick HOWTO
http://www.oreillynet.com/sysadmin/blog/2005/11/software_documentation_with_do.html

Web Security Appliance with Apache and ModSecurity
http://www.securityfocus.com/infocus/1739

ModSecurity 2.0 with Ivan Ristic
http://www.securityfocus.com/columnists/418

Introducing mod_security
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

What's New in ModSecurity
http://www.onlamp.com/pub/a/apache/2005/12/01/modsecurity.html

The public life of Apache Security begins
http://www.oreillynet.com/sysadmin/blog/2005/04/the_public_life_of_apache_secu.html

Web Application Firewalls Primer
http://www.net-security.org/dl/insecure/INSECURE-Mag-5.pdf

Contributions:-