ModSecurity Trustwave
This blog has moved! Please update your bookmarks to http://blog.spiderlabs.com/modsecurity/.

ModSecurity Blog: Other Thoughts

New Blog is Up and Running

We've just completed a move to the new blogging platform. Not only is our blog now visually integrated with the rest of the web site, but we've enabled comments and trackbacks, which should make our blogging from now on much more interesting. The old posts are going to remain where they are. The old feed has been updated to that of the new blog, so if you are a subscriber you don't need to do anything.

Webinar Featuring WHID on the Top Trends in Web Application Threats

On April 11th I’m going to present a webinar on web application security, with a twist. The webinar will outline the top threats to web sites in 2006 and will predict the trends of web attacks for 2007. While most discussions of web site security vulnerabilities have traditionally focused on the technical complexity of these attacks, this time I will try to focus on the business impact of the vulnerabilities.

The traditional “techie” approach is, to an extent, based on a “fear factor” and does not provide tools to assess the risk associated with web application vulnerabilities, and therefore the effort and resources required to mitigate them.

This WebEx will use the Web Hacking Incident Database to prioritize web based attacks based on their actual business impact by examining past web site break-ins. The presentation will unveil a major upgrade to the Web Hacking Incident Database project, a Web Application Security Consortium project that documents known web site security incidents. The new upgrade will add business impact information to each incident in addition to the technical information available today.

The WebEx is targeted both at decision makers faced with the dilemma of budgeting for web application security mitigation, and at consultants and security professionals tasked with performing risk assessments of web sites and web-based applications.

Further details and registration at Breach Security Webinar Center

Anurag Agarwal writes: Reflection on Ivan Ristic

Anurag Agarwal has started profiling prominent personalities from the web application security space. He started with Amit Klein, then RSnake, Jeremiah Grossman, and myself. Needless to say, I am very flattered to be in such good company. There's more stuff coming. A bio of Shreeraj Shah is coming soon.

Our bundle of joy has arrived!

I am very happy to report my wife Jelena and I have just become parents of a little baby girl. She is absolutely adorable! She surprised us a bit by arriving a couple of weeks early, but we were more than happy to see her!

Software Documentation with DocBook Quick HOWTO

I am amazed that we still don't have proper technology to produce technical content. If you are just starting on a software project you can, for example, choose to use your favourite text processor. (It is what I initially did for ModSecurity.) This choice is quick to start with and allows you to write comfortably. Unfortunately, it is not adequate when it comes to publishing. The text processor I used, OpenOffice, produces nice PDF documents but it fails miserably when it comes to HTML output.

One approach that looks particularly promising is DocBook; I have been looking at it for years. DocBook is an XML-based markup language designed specifically for technical content. The people behind DocBook have done tremendous work on the backend side. DocBook appears to be well-designed and well-documented. You will even find two complete DocBook books, containing everything you need to know, freely available online. The problematic area is authoring, because support for DocBook in text processors is very limited. Until recently your choice was to write XML by hand or, at best, write with the help of an XML editor. But it is insane to write anything but the simplest documents this way. As if writing were not difficult enough, you need your tools to make it more difficult.

Book publishers are trying to get round this problem by customising the text processors, using special templates and macros. (Publishers also have a much bigger problem, as they need to support collaboration between the people involved in writing a book too.) This approach generally works, but it is a one-way street. Toward the end of the process the manuscript is converted into something more suitable for use in production. (I don't know what happens when you need to write the second edition; I haven't tried that with my book yet.)

Authoring

For me, the discovery of the XMLmind XML editor was a glimpse of hope. Here we have a tool that allows you to write DocBook in a way that is similar to writing with a normal text processor. Naturally, the feature set of this young tool cannot be compared with those of the mature text writing tools. Still, the XMLmind editor is quite usable in its current state. What's even better, the Standard edition is completely free. We appear to have finally sorted the authoring part of the problem. All you now need is a little patience to learn the DocBook ways (you can start with DocBook 5.0: The Definitive Guide).

Publishing

After having written the documentation in DocBook you need to figure out how to convert it into one of the supported formats. You will need the following resources for that:

To produce PDF:

fop.sh -xsl $DOCBOOK_XSL_HOME/fo/docbook.xsl -xml input.xml -pdf output.pdf

To produce single-page HTML:

xalan.sh -xsl $DOCBOOK_XSL_HOME/html/docbook.xsl -in input.xml -out output.html

To produce multi-page HTML:

xalan.sh -xsl $DOCBOOK_XSL_HOME/html/chunked.xsl -in input.xml -param base.dir ./output/

Although it is possible to use XSL to publish DocBook to text format I did not find the option very useful. You can get much better results creating text output from a single-page HTML using Lynx:

lynx -dump input.html > output.txt

FOP does not support RTF output at this time (although there is some talk of it being supported shortly), but you can produce it with XMLmind's XSL utility. From the command line:

xslutil -out rtf output.rtf input.xml $DOCBOOK_XSL_HOME/fo/docbook.xsl
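The conversions above can be chained into one script. The wrapper below is an added example, not part of the original post or of any DocBook tool; it assumes fop.sh, xalan.sh, lynx and xmllint are on the PATH, that DOCBOOK_XSL_HOME points at the DocBook XSL stylesheets, and the output names are my own choice. It checks the environment and the well-formedness of the source (without fetching any DTD over the network) before the slower Java tools run.

```shell
#!/bin/sh
# Added example: build PDF, single-page HTML, chunked HTML and plain text
# from one DocBook source using the commands from the post above.

# Return 0 if DOCBOOK_XSL_HOME is set and holds the stylesheets we need.
check_env() {
    [ -n "$DOCBOOK_XSL_HOME" ] || { echo "DOCBOOK_XSL_HOME is not set" >&2; return 1; }
    for xsl in fo/docbook.xsl html/docbook.xsl html/chunked.xsl; do
        [ -f "$DOCBOOK_XSL_HOME/$xsl" ] || { echo "missing $DOCBOOK_XSL_HOME/$xsl" >&2; return 1; }
    done
    return 0
}

# Reject sources that are not well-formed XML before handing them to Java.
# --nonet stops xmllint from resolving a DOCTYPE's DTD over the network.
check_source() {
    xmllint --noout --nonet "$1"
}

# "docs/input.xml" -> "input", so all outputs share one base name.
basename_no_ext() {
    b=$(basename "$1")
    printf '%s\n' "${b%.*}"
}

# build_all SOURCE.xml [OUTDIR]  (OUTDIR defaults to ./out)
build_all() {
    src="$1"
    outdir="${2:-out}"
    name=$(basename_no_ext "$src")
    check_env || return 1
    check_source "$src" || return 1
    mkdir -p "$outdir/$name-html" || return 1
    # PDF via FOP, HTML via Xalan (chunked output needs the trailing slash).
    fop.sh -xsl "$DOCBOOK_XSL_HOME/fo/docbook.xsl" -xml "$src" -pdf "$outdir/$name.pdf" || return 1
    xalan.sh -xsl "$DOCBOOK_XSL_HOME/html/docbook.xsl" -in "$src" -out "$outdir/$name.html" || return 1
    xalan.sh -xsl "$DOCBOOK_XSL_HOME/html/chunked.xsl" -in "$src" -param base.dir "$outdir/$name-html/" || return 1
    # Plain text is rendered from the single-page HTML, as the post suggests.
    lynx -dump "$outdir/$name.html" > "$outdir/$name.txt" || return 1
    echo "built $outdir/$name.{pdf,html,txt} and $outdir/$name-html/"
}
```

Run it as `. ./docbook-build.sh; build_all manual.xml` (or add a `build_all "$@"` line at the end to use it as a command).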

EuroFoo Impressions

You know you are too busy when you have to wait a week to find time to write about an event you really enjoyed. I spent the weekend before last in Holland, attending EuroFoo together with 138+ other geeks (more details in the EuroFoo Wiki, which BTW appears to be broken at the moment). Needless to say, it was great fun; a big thank you to O'Reilly, who invited us all. Judging from the comments made by others, we liked the conference because it was not a conference; it was merely a gathering of like-minded people. We were free to do whatever we wanted. So we did. The most interesting thing for me was being able to watch other people and learn what they do for fun. I am not alone in this, it seems; Jono did the same. I also got to meet Nathan Torkington, who was responsible for me signing with O'Reilly in the first place. Thanks Nat! In fact, so many things happened that weekend that I have trouble remembering it all.

I did give a talk about web security at the conference, but it was not very well attended (I was not alone in the room, mind you, but I would have appreciated more attendees). That's no wonder, since I was one of the few people there who had security listed in their interests. The first part of the talk was probably boring, as I tried to cover too much ground. It didn't help that I hadn't planned for the talk to happen (it was an impulse I had after seeing an empty space in the schedule). Fortunately, towards the end the talk turned into a discussion with the people present, and that was a much more interesting thing to do. What did I learn? Do not give talks unless you come prepared!

Going to Foo Camp Europe in August

I will be at Foo Camp Europe (also known as EFoo) this year, August 20-22 in the Netherlands. After O'Reilly organized the camp in the US last year (here's the CNN report), I am glad they decided to organize an equivalent in Europe. The difference this time is that EFoo is not a camp at all; we get to stay in hotels after all. That is good as far as I am concerned, since I don't like camping that much.