Security Expert Interview Series: Christian Folini

We are thrilled to announce our next interview with Christian Folini (see his LinkedIn profile here). Christian is an OWASP Project Leader and also the author of the ModSecurity Handbook (you can order the book here). In this interview, Christian touched upon the trends he foresees happening in the information security landscape in 2021 and delved into what his book intends to teach. Continue reading the full interview; we promise it will be insightful.


1. Firstly, thank you for taking part in this campaign, Christian. Can you tell us about your professional background and areas of interest?

Thank you for having me. It’s a wee bit intimidating to be interviewed alongside such an illustrious display of people.

When I finished my Ph.D. in medieval history, I ended up in the IT industry more or less by accident. All I had was some experience with system administration and an interest in webservers. Around 2006, I got intrigued by ModSecurity, the only open source web application firewall (WAF) solution around and I started to specialize in this direction. I expanded my consulting portfolio and six or eight years ago I started to teach ModSecurity, I wrote the 2nd edition of the ModSecurity Handbook and I became one of the leaders of the OWASP ModSecurity Core Rule Set project, short CRS. CRS is an OWASP flagship project that develops generic security rules to run on top of the ModSecurity WAF engine.

Our rules are very popular, they are used by dozens of commercial WAFs and they inspect beyond 100 Tb/s of HTTP traffic.

So teaching, consulting, and running CRS keeps me quite busy. Yet on top, I also chair the program committee of the Swiss Cyber Storm conference and I host the Swiss Cyber Storm in a Nutshell series, where I interview Swiss security people. Lt. General Thomas Süssli, head of the Swiss Armed Forces, was one of my recent guests.

2. What does a typical workweek look like for you as an OWASP project leader?

CRS is a volunteer-driven open source project. Like most open-source projects we run on a shoestring budget and most tech companies selling our rules are rather reluctant to share their profits with us. Motivating them to change their attitude and becoming one of our sponsors is one of my jobs since I am usually the one who represents our project outside.

CRS has around a dozen active developers, and I try to talk to them regularly.

With most of them, I’m in touch on a weekly basis. We have a community/project chat session two times a month, so there is always a week with a long technical chat session and a week where I feel like I should be preparing for the next session. When preparing these sessions, I look at GitHub issues and pull requests. If there are roadblocks, I try to clear them out or ask one of our developers to take a look. If there are things that need to be discussed by the entire project, I put them on the agenda for the next chat session.

Sometimes, I also get to write security rules myself, or there is something I am really interested in from a technical viewpoint, but honestly, I am more of an organizer these days and sometimes I feel like it’s an honor that the smart techies in our project take the time to explain a certain technique or regular expression to me.

3. What do you like most about your work and what are some of your primary concerns on a daily basis?

Over the years I have been working on a great many initiatives and open source projects. So I came to OWASP CRS with a lot of experience and I knew that building a community was key for the success of such a project.

I pity the lonely OSS developers that run a one-man show from their basement. That’s why I made it a priority to recruit more experts into our project and make sure they feel at ease donating their spare time to our project. In most volunteer-driven projects, people vote with their feet and the fact that we’re a happy bunch of roughly a dozen people now is something I enjoy tremendously.

My concern is obviously that we lose traction, that a conflict arises that affects our project or that we receive so many new GitHub issues we can’t cope with them as a project anymore.

And then there is this structural problem that most days only have 24 hours and there are always more ideas than hours to implement them. But I guess I share that concern with most of the people that you interview.


4. What trends do you foresee happening in the information security landscape in Switzerland during the rest of 2021?

It’s hard to see a trend unless you have a lot of information or you fly very, very high. Yet as the program chair for the Swiss Cyber Storm conference, detecting trends or major topics that matter for our industry is one of my main jobs. For 2019, we made “Embracing the Hackers” the motto for our conference. We saw several projects in this regard in 2020 and the creation of Bug Bounty Switzerland made bug bounty projects all the rage in 2021. So, I think we were right with this motto.

In December 2019, we decided that “E-Health” would be the motto for 2020 and the Coronavirus approved. Yet we had to cancel the conference, nevertheless.

And for 2021, we settled on “Securing the Supply Chain”. I do not think it is particularly bold to predict this as a trend for our industry since it’s been written on the wall for quite some time, but I am getting the feeling that the attitude towards supply chain risks is changing, or the inherent risks are now being taken more seriously.

5. As we noticed, you are an author of the book called “ModSecurity Handbook”. Please share with us what this book teaches and who this book is for.

As explained above, ModSecurity is a web application firewall engine that runs on top of a webserver. It is the only open-source offering, and it runs in many, many commercial products, also in two of the three commercial web application firewalls that are being sold by Swiss companies.

The ModSecurity Handbook is the quasi-official handbook that goes with the ModSecurity WAF and while it introduces various concepts and explains a lot of technical details, most people use it as a reference for the product and I made sure the book serves as a useful reference for ModSecurity.

6. What can you tell our young readers who are pursuing their dreams in the security market?

Think for yourself and don’t be afraid to ask stupid questions. The situation around security is so bad, we need more people to join us and help us solve many, many problems. We left security in the hands of the techies for far too long and look where it got us? We need newbies who approach this with a fresh pair of eyes, new ideas, ideally a non-technical background, and a holistic approach to solving problems: If technology was the solution for the security problems, then we should be done by now, shouldn’t we?

Security is not a problem that technology can solve. It’s much harder and it takes people who are able to think beyond technology to come up with creative solutions. This is a great industry to join and we’re embracing everybody who comes along to help us.

Did I mention that the OWASP Core Rule Set project is a very happy place with a fun community to work with?

7. Where do you go for inspiration or resources that you use in your own personal development?

I go for walks, or I work in my garden. There I ponder over the same problems or often the same situations again and again – and again. Sometimes it takes months until I can put a particular experience at rest. Sometimes I start and I immediately have to return to my desk to write down an idea that occurred to me with the shovel in my hands. So, walking or working with my hands is often all it takes to trigger my brain to come up with new ideas.
