Before beginning any project, I start by researching the topic and pulling documents. I do have my favorite spots to look, such as O’Reilly, NIST, the Center for Internet Security Benchmarks, Safari Books Online, ISACA, SANS, OWASP, Build Security In, a few choice blogs, etc. While preparing to write an upcoming post on setting up a secure Apache web server, I found several great references. Now, you do not need to read all these documents to implement a secure web server. But, considering how a web server is the gateway from which the outside world connects to your organization, you might want to. Here are a few documents of interest:
- Apache Security by Ivan Ristic
- Securing Apache 2: Step-by-Step by Ivan Ristic
- Apache HTTP Server Version 2.2: Compiling and Installing
- Apache HTTP Server Version 2.2: Security Tips
- Center for Internet Security Benchmarks for Apache Web Server v2.1 by Ryan Barnett
- Securing Apache Step by Step by Ryan C. Barnett
- ModSecurity Reference Manual
- NIST SP 800-44 v2: Guidelines on Securing Public Web Servers by Miles Tracy, Wayne Jansen, Karen Scarfone, and Theodore Winograd
- NIST SP 800-95: Guide to Secure Web Services by Anoop Singhal, Theodore Winograd, and Karen Scarfone
- OWASP WeBekci Project, a web-based ModSecurity 2.x management tool.
- REMO, a project to build a graphical rule editor for ModSecurity with a positive/whitelist approach.
- Got Root, the Internet's largest source of intrusion prevention signatures and comment spam blacklists for web servers, with over 13,000 signatures.
There are two freely available tools for helping with the security of your Apache configuration:
A coworker was complaining that the majority of information he was finding in blogs was junk. I asked him how he was finding his information. He was doing a regular Google search; not even a Google Blog Search. I understood his pain. George Siemens makes a very interesting distinction between collective intelligence and connective intelligence. Collective intelligence is “a form of intelligence that emerges from the collaboration and competition of many individuals”. George defines connective intelligence as “individual creation of information, ideas, and concepts which are then shared with others, connected, and re-created and extended based on the interaction.”
George goes on to state, “simply, collective means blending together. Connective means connecting while retaining the original (though others may build on it in their own spaces).” Put another way, “the collective presents a melting pot of ideas. The connective represents a mosaic of ideas.” People are surprised when I tell them that I do not read blogs. I read Ivan Ristic, Jeremiah Grossman, Gunnar Peterson, Ryan Barnett, Dafydd Stuttard, etc. My coworker’s problem is that he’s drowning in the melting pot of information provided by collective intelligence. When I read an author I like or come across software I find really useful, I look to see if the authors have a blog. I will then subscribe to their RSS feed, allowing me to make use of connective intelligence.
A few blogs of interest for web application security:
- Ivan Ristic, author of “Apache Security” and principal author of ModSecurity, the open source web application firewall.
- Jeremiah Grossman, author of the CIS Scoring Tool for Apache and founder and Chief Technology Officer of WhiteHat Security.
- Ryan Barnett, author of “Preventing Web Attacks With Apache”, and Director of Application Security Training for Breach Security.
- Dafydd “PortSwigger” Stuttard, co-author of “The Web Application Hacker’s Handbook” and Principal Security Consultant at NGS Software.
- Gunnar Peterson, Software Security Architect and CTO at Arctec Group.
- Robert “RSnake” Hansen, CEO SecTheory.
- Shreeraj Shah, founder of Blueinfy, a company that provides application security services.
- Billy Hoffman, co-author of “Ajax Security” and lead research engineer with Atlanta-based SPI Dynamics Inc.
- Bryan Sullivan, co-author of “Ajax Security” and developer and security researcher at SPI Dynamics, Microsoft.
- Chris Shiflett, author and speaker who leads the web application security practice at OmniTI.
- Ory Segal, Security Products Architect, Rational, Application Security (Watchfire), IBM.
- Anurag Agarwal, a senior application security consultant providing expertise on the secure development lifecycle and vulnerability assessment. He also manages www.attacklabs.com and www.myappsecurity.com.
I started off with the names of several web application security professionals and wanted to include links to their names in this post. As I searched out their names to add a little background blurb, I kept coming across postings from Anurag Agarwal. He has done a great job profiling many of the leaders in web application security. The above list is missing many people, and that is entirely my fault. As I stated, the list is of people that I am familiar with and is not meant to be a complete list of web application security professionals.
With these resources at our disposal, we are well positioned to start our quest to secure Apache.
[...] I am with Rich and Nick, Ivan’s work with ModSecurity is extremely interesting and we will build towards implementing it. First, we need to start simple for there are many steps in the process. This post will provide references for setting up an Apache server, followed by a simple implementation. For additional information, particularly in the area of security, see my previous post “Securing Apache: References.” [...]