by Ivan Ristic
ISBN 0-596-00724-8. Index. One Appendix.
Reviewed by Robert Bruen 12/07/05
Apache software is used for the majority of web servers around the world, and with good reason. Besides the fact that it is free and open source, it is high quality software. There have only been a few security problems, all of which were answered quickly. Another great feature is the expectation that other people want to extend and add and modify and improve, and so on, so it has been designed to enable a community to contribute. In spite of the minimal security problems, we all still worry about them. Software can be written to minimize vulnerabilities and it can also be written to allow proactive measures to deal with potential problems. Apache has done both. Ristic has written mod_security for Apache and has written this book to explain security for it and for Apache.
While I have a few nitpicks about an index reference or two, I have found this book to be excellent. It is written in a teaching style, covering general security where appropriate, then linking each concept to the specific mutation within the HTTP protocol that underlies web server operation. In order to create security techniques for a process or program, one really needs to understand both the program and security. Ristic clearly does. The best part is that he writes in such a way that you learn as you read through the book. I have a special appreciation of techies who can communicate ideas.
The web is the main connection to places on the 'net for most people. I am repeatedly astonished at how many people think there is no difference between the World Wide Web, the Internet and their (local) network. Instead of thinking that the web is an important use of the Internet, they think it is the Internet. For those of us who worry about the security of such things, it is straightforward to expect serious work to secure web-based interactions. For the rest of us who just want to use it, it is expected that it will just work. Unfortunately, there is also that element that sees the network as a place to disrupt others and commit crimes. I expect that most admins would be happier staying off the 11:00pm newscast highlighting how their web site was cracked.
A number of attacks over the past year or two have become more sophisticated by using syntax problems in addition to the old faithfuls, buffer overflow and cross-site scripting. The rapid deployment of web sites has contributed to the target-rich environment. Not only are there the usual security problems, but also web-specific and web-language-specific issues. The list has become long enough that a book detailing them is needed. This book does that, and it provides procedures to cope with them and code to help. Mod_security acts like a firewall to filter packets, modifying, for example, those pesky syntax errors that can lead to a compromise. The book has lots of references for more information in every chapter on these issues and most other issues. Apache Security certainly will go on my O'Reilly Apache bookshelf next to Apache: The Definitive Guide and the Apache Cookbook. It is a highly recommended book for anyone, but especially for those who run (or want to run) an Apache web server.