SpiderLabs Blog

ModSecurity Award Nominations and the Challenges of Open Source

Written by SpiderLabs Researcher | Mar 12, 2020 10:36:00 AM

In the hustle and bustle of everyday work life we tend to look at the current issues we’re working to resolve, the next feature we want to develop, the next version release. We rarely take the time to look back and think about the work we’ve already done. On some rare occasions, however, something external makes you look back at them and it’s an opportunity to stop and appreciate what you’ve accomplished.

Recently, one of our own, Felipe Costa, was one of five people nominated by Microsoft at their Microsoft Security 20/20 Awards for “Top Github Contributor”.

First and foremost, we’d like to congratulate Felipe and the four other nominees for their accomplishment, given how sizable and active Github’s user base is, being nominated for top contributor is a feat in and of itself!

Second, we’d like to highlight some of the work that put Felipe on that list:

As you may or may not know, Trustwave is the custodian of ModSecurity, an open source WAF engine and, as the Lead Developer of ModSecurity, much of Felipe’s contribution has been either to the ModSecurity project directly, or to other related projects.

To add some words of congratulation from Ziv Mador, our VP of SpiderLabs Research:

“Over the years, ModSecurity has helped secure many web servers around the world, and behind ModSecurity there is a strong and dedicated team, which Felipe Costa is a central part of. Felipe has proven professionalism, deep expertise and dedication ever since he started leading the development of this technology. We congratulate Felipe for being selected as one of the top five contributors in Github. We also appreciate the strong community that supports ModSecurity. It is due to this community and strong players such as Felipe that made ModSecurity so successful.”

Felipe at the Microsoft Security 20/20 Awards


Working on an open source project is an entirely different experience from that of most developers working on “black box” products. Contributing to an open source project doesn’t just mean pushing in new code and fixing bugs; it also means interacting with a community, having discussions about features, understanding how people use your project, and reviewing others’ contributions. It then means making sure that the ideas, thoughts, requests and complaints of thousands of people somehow fit together into one engine that serves the needs of, and is usable by, as many people as possible. You might imagine the project as a caravan moving along a path, with people joining to ride along. Sometimes they stay, sometimes they part ways later on, occasionally they throw some items into one of the carts, and with all these things happening around you, you’re trying to keep the caravan going down a clear path at a reasonably steady pace so that everyone will be happy to arrive. If it sounds tricky to navigate, that’s because sometimes it is, but on the upside, you get to interact and collaborate with many different people, and that can help take the project in new directions or just move it along faster.

Given Felipe’s years of experience working on the ModSecurity project, we asked him to share his thoughts on the challenges of working on an open source project:

If I had to summarize working for the ModSecurity project with one word I would say: funny! ModSecurity is meant to be the Swiss-army-knife of WAFs. That statement helps ModSecurity to be adopted from minimalist routers to high-end production servers. Sometimes, drawing an ideal picture of a road map is very challenging as different stakeholders put different requirements, especially for ModSecurity v3, which is widely adopted within Trustwave and our clients. Keeping up with the expectations of different users is a very challenging task.

Maybe one of the most challenging tasks here is not on what to have, but rather what not to have. I always remember that I cannot be Herb Powell from Powell Motors building “The Car Built for Homer”. Not that the users are Homer, but they all have different perspectives and different use cases for ModSecurity, and sometimes what’s good for one user is bad for another. It’s on us to make sure we keep all of our users in mind.

"The Car Built for Homer"


On Making Changes:

Since the day I started as Lead Developer for ModSecurity, a lot has changed. Automation of the QA process was established, as well as migration to an industry-standard platform to support the development and community, such as GitHub. There is also the birth of ModSecurity v3. In the beginning, it was a Proof-Of-Concept that was later adopted by the company as the benefit of its further development became clear.

As with every huge change, there was a buzz; there were people who loved it and people who hated it. That strong feeling was indeed a good response. Regardless of whether it is love or hate, people caring tells you that you really made some major design changes, which was one of the goals with v3: make some major changes that will put us on the path to a goal everyone would be on board with: a better ModSecurity for the community.


On Fuel and Fire:

The indication that we are on the right path came not only as direct feedback from our users but also when we participated in some of the most important security conferences: 3 times at BlackHat, the Nginx conference, and hopefully more to come. Not to mention the individual awards such as the ngixexpert, and now the nomination for Microsoft Security 20/20 as one of the biggest contributors on GitHub (security). The affection of the users and such praise are the fuel that makes me work happily every day.

But none of those praises are really mine alone. They belong to an entire community that works hard to have a better ModSecurity!! It goes to Trustwave, which has continued to support the project all these years. To nginx, who are very active participants in the project, and to all the other micro-communities which are under the ModSecurity umbrella! Thank you all! And thank you Microsoft for the award nomination!