Introducing SCS Speaker Ivan Ristić
Ivan Ristić and I go back a very long time. It must have been in 2005 or 2006 that we started to talk about ModSecurity, DDoS and security in general. That was an interesting conversation and it never ended.
Around 2000, Ivan led a team of developers that worked on web development. He was interested in writing secure software with his team, but the visibility of attacks was a major problem (it still is, I guess). He wanted to look into web traffic, so he wrote an Apache module to dump it to disk. And having gained easy access to the traffic, he quickly developed this into ModSecurity. ModSecurity is a module that allows you to filter requests with regular expressions. And that module, later ported to IIS and NGINX, is still the only all-purpose web application firewall with an open-source code base. And it is very successful at it. This brought him in touch with O’Reilly, still one of the leading publishers in IT. Ivan wrote the de-facto standard Apache security book. This was back in the days when web servers had a rather relaxed attitude to secure default settings: you absolutely needed to close the most gaping weaknesses yourself.
And from there, the common thread continues: He brought ModSecurity into Breach, Inc., where he continued the development for a few years. He quit right before Trustwave acquired Breach in 2010. In need of a break from the topic of web application firewalls, he started to work on SSL and TLS research. He was interested in the real-world usage of web traffic encryption. So he wrote a scanner that brought him a ton of information, information he needed to write “Bulletproof SSL and TLS”, one of the most successful practical security books. I think it is safe to say that the wide adoption of HTTP encryption stands on the information contained in this thick book. But it also stands on the outcome of the scanner: SSL Labs. I probably do not need to introduce this to you, since every security practitioner knows that site. And I am sure many of you use it when you want to assess the encryption settings of a website and you want a readable report you can show to management.
Once the book was published and SSL Labs was established, it took Let’s Encrypt to simplify access to affordable (free!) certificates, finally improving the adoption of encryption on the web. It has improved very fast, as always happens when the tipping point of adoption is reached.
And now, Ivan is going public with Hardenize. The beta of Hardenize was announced at Swiss Cyber Storm two years ago and now it’s ready for prime time. So, Ivan will take you on a journey from SSL Labs to Hardenize. Why did SSL Labs work so well? How come it sparked adoption of encryption outside banking and high-security applications? Where did he see the limits, and how is Hardenize the next logical step for him?
We have wanted to bring Ivan to Swiss Cyber Storm for several years. And it’s not like we did not try. We tried hard, but Ivan is also very good at saying NO. Since he started working on Hardenize, he rarely appears on stage. So getting him to tell us the story from SSL Labs to Hardenize was an effort that took some persistence. Please join us at Swiss Cyber Storm 2018 for this rare opportunity: Ivan Ristić on stage!
[Full disclosure: Ivan Ristić and I wrote the 2nd edition of the ModSecurity Handbook together and I teach ModSecurity courses in collaboration with Feisty Duck, run by Ivan’s wife, Jelena Girić-Ristić.]
More about Ivan Ristić:
- Twitter: @ivanristic
- Blog: https://blog.ivanristic.com/
- Hardenize
Christian Folini, Program Chair