At 14, he chose computer science over Latin in high school, at 17 he found a bug in Facebook—and he knew most of the CRS team in person before he met them online. As a predominant user of Coraza rather than ModSecurity, Matteo Pace brings a much welcome outsider’s perspective to the CRS team. Community and shared purpose define his professional and private life.
Matteo Pace likes the social aspects in everything he does – like here during the CRS developer retreat 2023 in the Hungarian capital Budapest
Strolling through Turin, Italy's Piedmont capital, you might assume half its residents are chocolatiers, pastry chefs, or café owners. But Turin offers more than chocolate and hazelnuts—like expertise in open-source WAF. Here lives OWASP CRS’s core team member Matteo Pace.
Born in 1996 and raised in Turin's province, Matteo was surrounded by technology early on, thanks to his father, a mechanical engineer. Computers fascinated him from a young age. “I remember seeing my father working with computers all the time. I guess that’s why I've always been curious about them,“ he says. Initially, computers meant gaming with his brother—playing single-player games in “cooperative mode” (sitting together in front of the screen), as he fondly recalls. Soon, he began designing custom maps in Age of Empires, which sparked his deeper interest in computers. By high school, he was writing small pieces of code and automating tasks with simple scripts.
At 14, Matteo chose computer science over Latin in high school—though not without hesitation. “I would have enjoyed Latin too. It gives you a classical background and knowledge of our roots,“ he reflects. But ultimately, he knew computers would shape his future.
Around 16, he discovered bug bounty programs. “I started reading blogs from security researchers. The more I read, the more I understood,“ he says. This curiosity led him to set a goal: “Before turning 18, I wanted to find a bug in Facebook.” And he did. It wasn’t a highly technical flaw but a logical permissions issue that allowed malicious users to hide from administrators. Matteo still remembers the moment he received confirmation: “I was on the bus to school at 6 AM when I got an email from the U.S. confirming my discovery as a valid bug.“
He pursued computer engineering at the Polytechnic University of Turin. While his undergraduate studies covered mathematics, physics, and electronics, cybersecurity came later in his master’s program. “Of course, I was into security, but I was also curious enough to explore other areas,“ he recalls. For his master’s thesis, Matteo worked with CRS (without contributing yet). His research focused on integrating WAF functionality into cloud environments, adapting tools like ModSecurity and CRS for modern service mesh architectures under a zero-trust concept. The goal was to create a small module—essentially a plug-in—that would operate between entities in a service mesh. Though only a proof of concept, his work caught the attention of Tetrate, a U.S.-based company specialized in cloud and service mesh technologies. “They had found my work on GitHub and reached out. Their email basically said, ‘We don’t know if you’ve started working or if you’re still studying, but we would like to tell you more about our work and to get a better understanding of you and what you do”. Matteo joined Tetrate in March 2022, working initially on integrating Coraza into cloud-native environments to deploy WAFs across distributed systems. With no physical office, he collaborates remotely with colleagues worldwide. “Sometimes I wish my colleagues were closer, but I also get to work with amazing and talented people from places like Japan—people I might never have had the chance to work with otherwise.“
Through Tetrate, Matteo began contributing to Coraza in September 2022, which led him to CRS. To ensure full compatibility with Coraza, he started exploring CRS in depth. That’s when Felipe Zipitría noticed him. Coincidentally, the CRS team was about to hold its annual retreat in Varese, just 150 km from Turin, and extended Matteo a last-minute invitation. “I was a total newbie when it came to CRS,“ he says. “But as a curious person, I just took the car and drove to Varese.“ There Matteo met the CRS core team for the first time in person. When asked what he wanted to work on, he simply said, “I'm ready to learn whatever is needed.“ The event was a pivotal moment: “I started to understand the importance of the people behind a project. I’ve always enjoyed being part of communities—even during university, I joined a student association to give back and help others.“ After the retreat, Matteo contributed to CRS whenever he could. And when he couldn’t, he still attended monthly CRS Slack meetings to stay updated. Six months later, the core team officially invited him to join. “It was unexpected, but one of those great opportunities you just can’t say no to,“ he says.
“I need activities that get me outside.” Luckily, Matteo lives in Turin, close to the alps.
Matteo brings an outsider’s perspective to CRS due to his background with Coraza. “My focus has always been on adapting CRS rules to work seamlessly with Coraza as an alternative to ModSecurity.“ His contributions have improved test compatibility, making tools like Go-FTW more agnostic. His efforts in testing and enhancing the CRS test suite have expanded its applicability beyond traditional platforms like Apache and Nginx. Where does he see the project’s future? “Ideas aren’t the problem—we have plenty, especially after our yearly meetups,“ Matteo says with a grin. “The real issue is time. More contributors who can dedicate some effort to the project would make a big difference“ And what skills should be added to the team? “Curiosity and an interest in security are enough,“ Matteo insists. “The project is broad enough for almost any skill set—even if it’s just for documentation.“
Matteo himself wishes he could spend more time on CRS. “My involvement really depends on my availability—lately, it’s been inconsistent“. While Tetrate has always supported his open- source involvement, the fast-moving nature of the startup leaves little room for extra time. CRS work happens in his spare time, competing with Coraza maintenance and hobbies like hiking in the Alps and snowboarding in winter. “I’m lucky to be close to both the city and the mountains in Turin,“ Matteo says. Stepping away from screens helps him recharge and gain fresh perspectives. “I need activities that get me outside—otherwise it’s always, ‘I have to fix this, I have to take a look at that,’ and it never ends”, he admits. Recently, he’s taken up paddle tennis. The sport keeps him active, motivates him to improve, and keeps him socially engaged.
Matteo’s commitment to community and the emphasis on social aspects shines through in another private activity dear to his heart. While at university, he was an active member of the IEEE Honor Society’s HKN MuNu chapter, organizing hackathons, study groups, and workshops. After leaving university, he continues to follow the chapter’s work, mentor young talent, bridging the gap between academia and industry. This commitment is another expression of his passion for community building, social interaction, and sharing that defines both his personal and professional life. Or in Matteo’s own words: “It shouldn’t be just about yourself, your well-being, or making money. We live in a society, and my true fulfillment comes from both taking and giving back.”
You can find Matteo on Slack under the username Matteo Pace and on GitHub under @M4tteoP. How to get onto the project Slack? You can get an invitation from https://owasp.org/slack/invite, once registered head to our channel #coreruleset.*
Three more questions for the nerds …
What is your favorite part of CRS. Why is that?
Working alongside people with such strong dedication, knowledge, and attention to detail. From the very first moment I met them, it was clear how passionate they are about the project. Everyone brings a different perspective and vision, which helps spark discussions and evolve ideas to hopefully find the best path forward for the project.
What is your favorite rule and why?
I’m going to mention one of the (rightfully) most hated ones, 942100. It was the very first rule I worked on, back in Varese, side by side with Max. We spent the session debugging libinjection, and it was a great first experience working with him, even with the tricky libinjection behaviors.
Can you share the biggest f***-up that happened on your ModSecurity setup?
Well … I’m using Coraza. :) On a more serious note, I was involved in an effort to simplify the integration of CRS rules into a setup. Later, I discovered that in one environment, the single line responsible for including all CRS rules had been commented out to avoid false positives—effectively leaving the WAF running with no rules loaded.
Related pages:
- Meet the CRS team: Max, the Kiwi-German software developer from the Swiss Alps
- Meet the CRS team: Jozef, the cat loving father from Slovakia
- Meet the CRS team: Felipe, the team player on the other side of the Atlantic
- Meet the CRS team: Andrew, the technical writer who loves Eurovision and Doom II
- Meet the CRS team: Fränzi, the puzzle-loving hard worker with a mission
- Meet the CRS team: Ervin, the gardening radio amateur in the background
- Meet the CRS team: Andrea, the musical man-in-the-middle