Welcome!

Open Source Cloud Authors: Liz McMillan, Zakia Bouachraoui, William Schmarzo, Elizabeth White, Yeshim Deniz

Related Topics: Open Source Cloud, Cloud Security

Open Source Cloud: Article

Qualys Starts an Open Source WAF Project

IronBee open sourced, community under constuction

On Monday at the 2011 RSA Conference, Qualys announced that they were creating an open source Web Application Firewall (WAF) project. Companies create open source projects for a variety of reasons. Those reasons include attempts to commoditize a market, build a community, or dump a failing project. One way to understand which kind of open source announcement Qualys is making is to find out how they are investing in the project. If they are not allocating any resources to the new project, you can be sure this is the later kind of announcement, otherwise known as a “dump-and-run.” However, if a company has real people whose principal job is to work on this project in the open, then this project is for real. Communities do not build themselves any more, so trying to ascertain the level of “open source marketing” efforts can also shed light.

Several questions were sent to Qualys about this project, and here are the responses they sent. The responses were penned by Ivan Ristic, director of engineering at Qualys.

Q: Where did the name come from?

A: We spent a lot of time in looking for a good name for the project. Today, just having a reasonably unique name is difficult enough, but we also wanted something to represent the spirit of the project. We believe that the association with bees describes our intentions well, which is to build a community focused on mitigating application security issues.

Q: Why is Qualys doing this now?

A: Initially, the motivation came from our own need. We were looking to complement our current services with a real-time access control. There is an opportunity to integrate scanning with real-time mechanisms, combining the best of both world. Scanning is a pro-active activity that can be very deep and complements real-time monitoring which is continuous.

Q: Most companies open source a project when they want to a) commoditize a market or b) abandon a product but make the code available. Which one is it?

A: I don't believe it's either of those. We simply looked for the best possible approach to developing a complex product that needs to run in some very diverse environments. Only the involvement of a large community can deal with that diversity of environments. And only a liberal open source license can remove the barriers to wide adoption (including adoption in commercial environments, for example cloud and infrastructure providers).

Having said that, commoditization is likely to come as a byproduct of the approach. However, that will only change the playing field, moving it into a different direction. Because of the Apache 2 open source license, a high quality product such as IronBee will help everyone, not only Qualys.

Q: The INSTALL file says its not ready for users yet. When will it be?

A: We announced IronBee as early as practically possible, in the spirit of open source development. We with to involve others sooner rather than later. The first production ready release will be ready by the end of the year. Practically speaking, we expect to have a working product earlier than that.

Q: How many employees from Qualys will be working on this? Will they be full-time on this project?

A: The IronBee team currently consists of 3 employees, and we have 2 further positions open. With small distractions (on other projects, for example our SSL research), they will all work full time on IronBee.

Q: Will Qualys provide a community manager?

A: Yes, and we already have one -- Will Metcalf, a long-time open source contributor, is the community manager.

Q: How much will Qualys invest in "community development"? in USD.

A: I don't want to discuss the actual amount, but the size of the development team is a good starting point to estimate the size of the investment.

Based on these answers, it is safe to say that this is a real, serious project. Use of the Apache license shows that Qualys is serious about open-ness. The only concern is that the project is not fully functional at the moment, so open source developers should take a wait and see approach as to when this get to “release status”.

More Stories By Bill Roth

Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.

IoT & Smart Cities Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...