
Curiefense, A New Open Source Web App Firewall, Tackles Cloud-Native Security

Drew Conry-Murray

Curiefense is an open-source Web application firewall (WAF) for microservices environments. It became generally available on March 2, 2021. And yes, it’s named after Marie Curie.

It’s currently a sandbox project within the Linux Foundation’s Cloud Native Computing Foundation (CNCF). “Sandbox” is the entry stage for early-stage open source projects; it lays the groundwork for a project to move to the Incubation phase and on to Graduation within the CNCF.

As with other open source projects, Curiefense is being productized/monetized through a company called Reblaze, which offers a supported version of the software. Reblaze is also the official maintainer of Curiefense, though the open-source project promises to be vendor-neutral.

Curiefense plugs into the Envoy proxy, where it filters HTTP traffic. Curiefense has table-stakes WAF features, including protecting against the OWASP Top 10 list and other application security threats. It can perform input validation, use signatures to find and block attacks, and perform behavioral profiling.

It also includes app-level DDoS protection, rate limiting to block resource exhaustion attacks, and API security.

It exports metrics to Prometheus and includes Grafana dashboards for visualizing them. The project is designed to be DevOps-friendly: it’s API-driven and integrates with a variety of deployment tools, including Terraform, Docker Compose, and Helm.

Curiefense isn’t alone in providing an open-source, developer-friendly WAF. HAProxy and NGINX both offer WAF capabilities.

The question is, how widely will they be deployed? Web app firewalls are notoriously problematic. The rulesets are complex, security checks can drag down application performance, and false positives can kill legitimate business transactions. At first glance, tossing those problems into a massively distributed environment of highly interdependent services and functions seems like a Dante-esque hell designed specifically for DevOps sinners.

On the other hand, precise (and limited) sets of rules and policies could be applied to individual applications based on each application’s specific parameters. This targeted approach might make WAFs more feasible.

And with other capabilities, including the aforementioned API security and DDoS protection, Curiefense has a variety of use cases. Users could also deploy it in alert-only mode as a way of getting application visibility while monitoring for threats, without risking blocked transactions while the rules are tuned.
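To make the trade-offs in the last few paragraphs concrete (a broad ruleset producing false positives, the same signature scoped to one application, positive input validation per endpoint, per-client rate limiting, and an alert-only mode that logs but never drops), here is a toy policy engine written for this article. It is added example code, not Curiefense’s code or configuration format, and it assumes nothing about how Curiefense itself expresses rules; the rule names, paths, parameters and client addresses are all constructed sample data.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Toy WAF policy engine, constructed for illustration. It is NOT Curiefense code.
# Rule names, paths and client IPs below are made-up sample data.


@dataclass
class Request:
    client_ip: str
    path: str
    params: Dict[str, str]


@dataclass
class Rule:
    name: str
    check: Callable[[Request], bool]  # True means "this rule matched"
    path_prefix: str = "/"            # scope: only evaluated under this prefix


@dataclass
class Policy:
    rules: List[Rule]
    mode: str = "block"               # "block" enforces, "alert" only logs
    rate_limit: int = 5               # requests per client per window
    window_seconds: float = 10.0
    hits: Dict[str, List[float]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def rate_limited(self, req: Request, now: float) -> bool:
        # Sliding window: drop timestamps outside the window, add this one, count.
        recent = [t for t in self.hits.get(req.client_ip, []) if now - t < self.window_seconds]
        recent.append(now)
        self.hits[req.client_ip] = recent
        return len(recent) > self.rate_limit

    def evaluate(self, req: Request, now: Optional[float] = None) -> Tuple[str, List[str]]:
        now = time.monotonic() if now is None else now
        matched = [r.name for r in self.rules
                   if req.path.startswith(r.path_prefix) and r.check(req)]
        if self.rate_limited(req, now):
            matched.append("rate-limit")
        if not matched:
            return "allow", []
        for name in matched:
            self.alerts.append(f"{req.client_ip} {req.path} {name}")
        # Alert-only mode records every match but never drops the request.
        return ("block" if self.mode == "block" else "allow"), matched


# A deliberately broad SQL-injection signature: it catches the classic
# ' OR '1'='1 tautology, but also any prose containing "union ... select".
SQLI = re.compile(r"(?i)(\bunion\b[\s\S]*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)")


def sqli_signature(req: Request) -> bool:
    return any(SQLI.search(v) for v in req.params.values())


def user_id_allowlist(req: Request) -> bool:
    # Positive input validation: /api/users only ever takes a short numeric id,
    # so anything else is rejected whether or not it looks like an attack.
    return re.fullmatch(r"\d{1,10}", req.params.get("id", "0")) is None


def make_policies() -> Dict[str, Policy]:
    sig_everywhere = Rule("sqli", sqli_signature, "/")
    sig_api_only = Rule("sqli", sqli_signature, "/api/")
    id_check = Rule("user-id-allowlist", user_id_allowlist, "/api/users")
    return {
        "global": Policy(rules=[sig_everywhere]),           # one ruleset for every app
        "scoped": Policy(rules=[sig_api_only, id_check]),   # rules matched to each app
        "alert": Policy(rules=[sig_api_only, id_check], mode="alert"),
    }


# Constructed sample traffic (RFC 5737 documentation addresses).
ATTACK = Request("203.0.113.7", "/api/users", {"id": "1' OR '1'='1"})
COMMENT = Request("198.51.100.4", "/blog/comment", {"text": "The union will select a new chair"})
LOGIN = Request("203.0.113.9", "/api/login", {"user": "bob"})


def run_scenarios() -> Dict[str, object]:
    p = make_policies()
    results: Dict[str, object] = {}
    # The global ruleset blocks a harmless blog comment (false positive);
    # the scoped policy never runs the SQLi signature outside /api/.
    results["global_fp"] = p["global"].evaluate(COMMENT, now=0.0)[0]
    results["scoped_fp"] = p["scoped"].evaluate(COMMENT, now=0.0)[0]
    # The real attack is caught twice under the scoped policy: signature and allowlist.
    results["scoped_attack"] = p["scoped"].evaluate(ATTACK, now=0.0)
    # Alert-only mode lets the same request through but records both matches.
    results["alert_attack"] = p["alert"].evaluate(ATTACK, now=0.0)[0]
    results["alerts_logged"] = len(p["alert"].alerts)
    # Seven logins in ten seconds from one client: the sixth and seventh exceed the limit.
    results["rate"] = [p["scoped"].evaluate(LOGIN, now=float(i))[0] for i in range(7)]
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of the scoped policy is that the signature only runs where SQL could plausibly reach a database, while the `/api/users` endpoint gets a stricter, cheaper allowlist check that would have caught the injection even with no signature at all. Running the same rules in alert mode first is how a practitioner would discover the `/blog/comment` false positive before it cost a real transaction.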

No Bait ‘N Switch

Justin Dorfman, the Open Source Program Manager for Reblaze, said in an interview with the Packet Pushers that getting Curiefense into the CNCF is vital for building trust with the community. Such trust is critical given the increasingly fraught relationship between open-source projects and the for-profit companies that back them.

For instance, Red Hat raised hackles when it discontinued CentOS Linux in favor of CentOS Stream. More recently there was high drama after Elastic changed the licensing terms for its popular Elasticsearch and Kibana projects because it felt AWS was taking advantage of the projects without contributing significantly. In turn, AWS simply forked them.

Parking Curiefense within the CNCF should limit the potential for shenanigans because Reblaze must hand over critical intellectual property to the Linux Foundation, and the project must follow Linux Foundation governance.

For more on Curiefense, you can find it on GitHub.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.