The idea of open source security seems like a contradiction in terms. But it's not.
Cops are always getting together to swap tips and techniques. Same thing with computer security guys. What some object to is the idea of the code being open and available to outsiders, some of whom (it can be assumed) are bad guys.
Projects like the Open Source Security Foundation framework and Eureka Streams can be valuable – assuming, that is, that they're not just government-funded copies of something which already exists, like Snort. If they are, they're just a waste of time and resources.
The good news in these cases is that government contractors are acknowledging the legitimacy of open source as a development process, even in the area of security. But will any side support a governance process that makes the most of what open source has to offer?
And so we come to IronBee, a new open source web application firewall created by Qualys and supported by Akamai. The goal, as this whitepaper notes, is a universal web application security sensor. The announcement took place this week at the RSA Security Conference.
Maybe.
All this sounds a bit like teenage girls. Martin doesn't want to play with us, so we'll go over here. But will anyone play with us or will they follow Martin because he's actually more fun?
That may sound like I'm dismissing the governance issue. I have learned in the last few years that's a mistake. IronBee will be offered under the Apache license while Snort is under the GPL, with a proprietary license for commercial support. IronBee, by contrast, will allow others to build proprietary extensions on its code – that's the idea behind Apache, and why many in the commercial space call it “more free” than the GPL.
What's more important in governance is not the license, but the process. If Ristic follows the Apache governance process – if he can welcome other developers as partners rather than competitors – then we may have something.
Meanwhile, let the code be your guide on what to implement.