Re: [mod-security-users] What is holding ModSecurity back?
From: Victor J. <li...@in...> - 2009-11-12 10:29:41
Hi Ivan, two more for the list:

- It seems it still remains relatively unknown. I still encounter security people who don't know it, even if they are into open source as well.

- First responses when telling people about it usually go down the line of a disappointed-sounding "oh, it's just an Apache module".

So I think a big issue is that many people don't know it and/or don't know that/how it can be used to protect other servers as well, for example in a reverse proxy mode.

Cheers,
Victor

Ivan Ristic wrote:
> I have this nagging feeling that ModSecurity is not used as widely as
> it could be, and I've been trying to figure out the root cause.
>
> One obvious problem is that web application firewalls in general are
> not taking off -- we are only now seeing WAFs entering the mainstream.
> Traditionally, open source projects thrive where they can replace
> expensive commercial products. I think that, at least at the moment,
> there isn't a big enough WAF installed base for an open source product
> to chew on. Fortunately, this problem is easy to deal with: we just
> sit and wait (I am not implying that further improvement to
> ModSecurity is not desired, or even required).
>
> Other than the above, I have a list of several more practical issues:
>
> - No good literature; this is already taken care of -- watch for news
> in the next couple of days.
>
> - ModSecurity is not easy to use; I have started to work on some of
> the easy fixes, but a sustained, focused effort is required.
>
> - Similar to the above, perhaps the users just want to run a robust rule
> set that is updated automatically and promises to address known
> threats?
>
> - Missing features; the lack of learning is one obvious problem, but
> there are a few other major ones.
>
> - Performance; is there anyone not happy with the performance of ModSecurity?
>
> - Slow development pace; the truth is that the development has slowed
> down (although we've seen very exciting changes in the rules area). Is
> there a fear that the project might be abandoned?
>
> - Packaging; do the users want up-to-date binaries? What about
> packaged appliances (Apache and ModSecurity combined and
> pre-installed)?
>
> - Commercial support; I don't know what the current position of Breach
> Security is regarding ModSecurity, but, judging from the web site,
> there does not seem to be a strong desire to provide commercial
> support. More worryingly, I am not seeing small consultancies offer
> ModSecurity support. Or perhaps they do, but we are not seeing them
> because they are not mentioning ModSecurity by name?
>
> - Unclear commercial upgrade path; perhaps the lack of commercial
> options is making the users insecure about the technology?
>

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
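Victor's remark that ModSecurity can protect other servers when Apache runs as a reverse proxy is easy to show in configuration. The virtual host below is an added example, not part of this message, Ivan's post, or the ModSecurity project's own documentation: it places mod_security2 on an Apache httpd that only forwards traffic to a backend application server, so the backend itself needs no ModSecurity at all. The backend address (app-backend.internal:8080), the ServerName, the log paths and the single illustrative rule are assumptions chosen for the example.

```apache
# Added example: Apache httpd with ModSecurity 2.x acting as a reverse
# proxy WAF in front of a backend that does not run ModSecurity itself.
# Hostnames, ports, paths and the rule are assumptions for illustration.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule security2_module   modules/mod_security2.so

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    # Hand the client's Host header to the backend so it builds correct links.
    ProxyPreserveHost On
    ProxyPass        / http://app-backend.internal:8080/
    ProxyPassReverse / http://app-backend.internal:8080/

    # Inspect and block, not just log. For a first rollout use
    # "SecRuleEngine DetectionOnly" so false positives surface in the
    # audit log before anything is denied.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Keep audit records only for requests that were denied or errored.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 0

    # Illustrative rule: deny requests whose arguments carry a classic
    # SQL UNION/comment pattern. A real deployment runs a maintained
    # rule set rather than a single hand-written rule like this one.
    SecRule ARGS "@rx (?i:union\s+select|--\s|/\*)" \
        "id:900001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQLi pattern in request arguments'"
</VirtualHost>
```

Validate with `apachectl configtest` before reloading. A benign request to www.example.com should reach the backend through the proxy; a request carrying a query string such as `?q=1+union+select+1` should be answered with 403 by the proxy and produce an entry in modsec_audit.log, and the backend never sees it. Because inspection happens in phase 2, the request body of POSTs is covered as well, which is why SecRequestBodyAccess is switched on.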