PHP chapter from Apache Security available for download
I have made the PHP chapter from Apache Security available for free download. When we made the decision to set the installation and configuration chaper free, several months ago, I did not realise this chapter only told one half of the story. Most people need to configure Apache *and* PHP. This is now fixed, and the two chapters together make a valuable resource. My long-term plans are to convert both chapters to DocBook, keem them up-to-date, and publish them as PDF and as HTML. But not yet--the content is still very fresh!
More on impedance mismatch
Recently there has been increased interest in the impedance mismatch problem, which occurs between multiple layers of a HTTP stack (e.g. proxy/security/web server) when they interpret HTTP differently. If you recall, I wrote about it in March. Shortly after Sverre talked about his worries: Incompatible Parameter Parsing. Then, a few days ago, Watchfire released a detailed analysis of how to smuggle two requests in a transaction where there should be only one: HTTP Request Smuggling. Finally, yesterday Amit Klein posted a message to the web security list, subtitled "A survey of new attacks on the less explored parts of the web application".
This topic is of great interest to security professionals that work with HTTP (who isn't nowadays!). The more we talk about it the greater the understanding of the strengths and the weaknesses of layered approach to application protection. To the end users, this is another clear message they should work to deploy secure applications in the first place.
The future of web application firewalls
It always pays off to visit Richard Bejtlich's blog once in a while. (Or, even better, subscribe to his RSS feed and get updated in real-time.) A short visit today uncovered a plethora of information relevant to web application security and web application firewalls.
First, there is this post, where Richard shares a few thoughts from his discussion with Marcus Ranum, on the subject of proxies as security devices (which is what web application firewalls are).
Something Marcus said stroke a cord with me (emphasis mine):
"Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone re-invents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place."
You should also read Marcus' thoughts on deep packet inspection firewalls. Proxy-based application firewalls were hot stuff a decade or so ago but they lost to network firewalls. They came back to fashion as "web application firewalls" because of terrible insecurities present in most web applications today.
The other interesting post discusses the convergence of application firewalls and network firewalls, in response to the extensive coverage of network firewalls at the Network Computing magazine. The basic sentiment is that application firewalls and intrusion prevention are just network firewall features, and that customers simply do not want or need to run two devices.