Modsecurity: Why it matters to PHP
There is a new book released that should be in the libraries of web application developers everywhere. The title? ModSecurity Handbook:The Complete Guide to the Popular Open Source Web Application Firewall by Ivan Ristic. What is ModSecurity in the first place? Why does it matter to you? What makes this book important to the practice of web application design?
ModSecurity is a web application firewall. It can live in and out of the Apache web server environment, one of the most popular web servers around. ModSecurity is infinitely customizable and extremely powerful. The philosophy of ModSecurity can be summed up in a few words. Look, and only modify if I tell you to. It sports a custom rule engine that makes it extremely powerful. The syntax takes a little bit of work to wrap your head around, but the learning curve is not terrible. It’s an efficient system that aims to cut out unnecessary logic and expressions and focus solely on the job of security. That being said, the rule language is rich and extensible. It is quite possible to make use of external scripts (such as php) to do specific security tasks. Additionally, the use of Lua is extremely useful. According to the author, the rule system will cover about 80% of the needs for most tasks. The last 20% or so where you need a ‘real’ programming language is covered by Lua and its tight integration with ModSecurity. Now, as a disclaimer, ModSecurity is not an excuse to make you a lazy programmer. You still need to use good, secure programming practices to make your clients’ applications secure as well as useful.
Now, the book. Why is this book so important? It is THE source for ModSecurity if you care at all about the application. This book covers everything from download and install to configuration and to creating your own rule sets. Additionally, this book was written by the author that created ModSecurity, Ivan Ristic. The book reads like your best programmer friend sitting right next to you guiding you as to what to do step by step. I am going to be extremely honest with you though, ModSecurity isn’t the easiest thing in the world to implement at first glance, but the rewards are well worth it. This book teaches you step by step how to reap those rewards and build a reasonably secure system for your clients. Seeing the steps on how to block basic attacks such as XSS attacks, and brute force attacks were intriguing and educational. It made me think about how I could implement these same techniques into my programming. Additionally, the comprehensive reference manual was a great touch and welcome addition. A lot of books just give tutorials, but sometimes a simple paragraph or bullet point is needed to explain a component.
The book itself takes some time and digestion. I am convinced that this book needs more than one read to get all the benefits from it. That being said, the additional reads will make you a better programmer and put you ahead the pack. Feisty Duck publishes a hardcopy of the book and a digital version.
Leave a comment
Use the form below to leave a comment:
Responses and Pingbacks
July 10th, 2010 at 3:58 am
Check out my step-by-step guide for securing PHP
http://eyalestrin.blogspot.com/2010/05/hardening-guide-for-php-532-on-apache.html
July 16th, 2010 at 3:37 pm
mod_security is the worst-idea-with-good-intentions ever. The developer should be responsible for securing his own crap, not the server. The regexes aren’t good, the overhead can be annoying, and it’s dangerous to rely on something like this. It’s the same as if you were relying on register_globals to be turned off: you can’t make these sorts of assumptions, secure your own crap.
http://www.thejach.com/view/2010/4/mod_security_can_kiss_my_ass
August 7th, 2010 at 2:53 pm
If developers did an acceptable job of securing their crap, there would less of a need for solutions like mod_security. The reality is many don’t or they don’t do it very well, so these types of solutions are necessary.
Plus, it’s also about defense-in-depth. Even responsible developers make mistakes, so a solution like can help catch things that were missed, but that doesn’t eliminate the need for secure coding practices.
September 2nd, 2010 at 3:36 am
Mod_security doesn’t only cover code security – I bought this book last week and it covers a whole range of useful things (reverse proxy and variable storage are 2 of the better things) this could be great for data protection and catching / dealing with bots