
ModSecurity Blog: April 2005

The public life of Apache Security begins


My book, Apache Security, is finally out, after a year and a half of hard labour. I began talking to the publisher in the summer of 2003, and began research shortly after. I began writing in March 2004 and finished in December 2004. O'Reilly had it in stock on March 1st 2005, but it only became widely available in late March.

The work itself was great fun. It is a great privilege to be able to explore the boundaries of your own knowledge in detail. I did have periods of despair, of course. But I was prepared for them from reading blog entries of other book writers. I knew how difficult it was going to be. The biggest challenge I had was deciding what to cover, and what to leave out. It was never going to be a book for absolute beginners (officially, it's an "intermediate to advanced" type of book), but I didn't want to write a book that would be understood only by a few people who are already Apache experts. On another level, it was also not possible to look at the security of the Apache web server in isolation. A book that pretends to provide "everything you need to know to secure your Apache web server" must delve into topics such as network security, host security, and web application security. As it turned out, I had to deal with these questions every single day. It was a struggle to keep the book from growing too much. Initially, the book was supposed to be around 280 pages long. In the end, it grew to over 400 pages.

As my work progressed I began to think more and more about the process. The traditional book writing process restricts the author to his experience, the experience of his immediate peers, and the experience of the technical reviewers. While this may work in some, or even many cases, I came to believe that a piece of technical writing can achieve its best only through the collaboration process with the readers. Now that the book is out, this is exactly what I am looking forward to.

The first step, the book's web site, is already completed. In the following months I plan to put more material from the book online, start adding fresh content, and generally try to engage the public by offering them the stuff they are interested in. The way I see it, my work has just begun.

AppSec Europe 2005 Slides Available Online

The slides from the OWASP AppSec Europe 2005 conference are now available online. All the sessions are excellent, but I'd like to bring a couple to your attention.

Jeff Williams, the OWASP Chair, gave a talk called OWASP Status / Reorganization, but he spent more time discussing the fundamental application security problems we are facing today. Very effectively, comparing application security to the past of the automobile market, he explained where we are, and gave some ideas where we might want to go. The star of the presentation is the idea to force vendors to explicitly declare the level of security of their applications. (The label to the right is from the presentation. It provoked a healthy laugh and applause from the audience when it appeared on the screen.) I must say, this is a *very* interesting idea. Provided a nice list of guidelines exists (OWASP is certainly capable of drafting such a list), this approach could force the vendors to come out in the open. I also like the idea of third-party certification for this kind of thing.

Arian Evans gave two talks: Application Security Assessment Tools: An Overview of Available Testing Tools and Advanced Defense Techniques against Web Application State and Session Management Threats. His talks are interesting because he is a fun guy to listen to, but also because he presents the listeners with a *lot* of raw facts, and then leaves them to draw their own conclusions.

OWASP AppSec 2005 Impressions

Last weekend I attended the OWASP AppSec 2005 Europe here in London. I was there to give two talks, meet the people I only knew from email, and listen to the other speakers. When a conference is not aligned with my interests I tend to only come for the day(s) I speak on. This time, however, I was very much interested in what the others had to say! The experience has been great - two days filled with interesting talks and charismatic people. I hear the others had similar views of the event. On Saturday there was a dinner organised at a hotel/restaurant nearby. I was looking forward to attending but then had to be elsewhere that afternoon. That's the trouble when you live in the same place where the conference is being held.

I have uploaded my talks to the Thinking Stone web site: Apache Web Platform Security and Web Intrusion Detection With ModSecurity. I'll post again when the other presentations appear on the OWASP web site - there are some very interesting ones.
