The OWASP CRS project mourns the death of Co-Leader Walter Hop

Walter died last week and we are at a loss for words. For CRS, he has been a wonderful friend, a strong colleague, a developer with an impressive knowledge of PHP and WordPress in particular, a very smart thinker and one of very few regex wizards. He was also a dedicated Pokemon Go player and I remember how he would go for walks in the after hours of IT conferences to hunt for some rare beasts. He enjoyed nature that way and the occasional catch in remote places.

Walter had a unique talent to bring out the best in people. Every conversation, namely technical discussions, improved in his presence. I would not call him charismatic, actually he was maybe more on the nerdy, if not socially awkward side. But his mere presence, his brief questions, asked with his soft voice, the witty observations here and there and the experience he could bring to the table were an immense contribution to the project. His calm demeanor also meant there would not be any heated debates as long as he was in the room. It was clear that you had to convince Walter in any discussion and if you were able to convince Walter, then the team would side with whatever solution he chose in the end. That way he contributed a big deal to the cohesion of the project.

Walter and the team in front of the Tolkien museum in Switzerland in 2021

Walter and I exchanged messages on the ModSecurity and Core Rule Set mailing list for a couple of years until we got pulled into the project by Chaim Sanders in early 2016. I contributed my work on Paranoia Levels and Walter shared PHP rules that he had developed for his company.

In hindsight, these rules look fairly standard. But the conceptual approach and how he split the problems into smaller chunks and more manageable rules have become a standard pattern that we use to great benefit to this day.

Walter made a tremendous effort so we could release CRS3 in late 2016. Unlike anybody in the team back in the day, Walter had ISP experience, which translated directly to attack knowledge. Chaim was a developer, I worked on high security websites, there was a consultant with us and another engineer, but Walter would see all the stuff the criminals were throwing at websites running on WordPress and he forged that into new rules. He contributed a lot to the simplification of the rule set and the reduction of false positives with the default installation.

As time progressed he and I moved into a co-lead position for CRS and I see that period as one of the most rewarding ones in my career. I got the feeling that I did not even have to explain myself to him, he would immediately understand what my opinion on a specific problem was. We trusted each other blindly and we were able to interest extremely talented people for our project. These new people contributed work that was far beyond what he and I ever accomplished. To see an open source project grow and prosper brings a unique sense of satisfaction with it and we cherished these moments.

Throughout and following the pandemic, he encountered several tragedies. During this time, our team felt a deep sense of compassion for him and harbored hopes of being able to assist. Unfortunately, our global dispersion with infrequent face-to-face interactions made providing support challenging. For a while, it seemed he derived pride and energy from his contributions to the project. It remained enjoyable to collaborate with him, but his contributions began to lag. This situation wasn’t an issue for the project, as we were able to assign his tasks to new developers. However, his growing backlog appeared to become more of a burden to his well-being. It was at this point we approached him to convey that it was perfectly acceptable for him to focus on his health first and encouraged him to take the time needed for recovery.

Unfortunately, that was also the moment where we started to lose touch with him, first for a week or two, then for months and now we received the message of his death. We are stunned and we wish we had not let him move away from the project that much.

Losing Walter is a severe blow for us and we will all keep a dear memory of him.

Link to the family’s obituary for Walter

Dr. Christian Folini, OWASP CRS co-lead

Christian Folini / @ChrFolini