Sunday, January 03, 2010

Book Review: ModSecurity 2.5

As promised in November, following is a review of Magnus Mischel's ModSecurity 2.5 from Packt Publishing.

ModSecurity 2.5
covers the latest release of ModSecurity, "a web application firewall deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications. With over 70% of all attacks now carried out over the web application level, organizations need every help they can get in making their systems secure."
- ModSecurity makes full HTTP transaction logging possible, allowing complete requests and responses to be logged.
- ModSecurity can monitor the HTTP traffic in real time in order to detect attacks.
- ModSecurity can also act immediately to prevent attacks from reaching your web applications.
- ModSecurity includes a flexible rule engine and can be deployed embedded or as a reverse proxy.

Covering ModSecurity 2.5 comprehensively and intelligibly is no small feat, and Mischel has achieved the goal. His style is concise yet clear, technical but not overly verbose, and well organized.
As "complete guides" go ModSecurity 2.5 meets the standard.
All the expected content is present, from installation to configuration, audit logging to chroot jails, blocking and protection, Mischel is thorough and takes due care to be precise and accurate.

I have already recommended this book to a vendor in dire need of improved protection for their web application. I'll give you one guess regarding why they said "We can't use ModSecurity." Yep, performance. To which I said, "Yeah, but how's your performance with the terrible code you've written and the resulting SQL injection attack that took your site apart?"
All of which takes us to my favored highlight of ModSecurity 2.5; specifically an entire chapter dedicated to performance. This was a great decision of Mischel's part. Performance is an important variable when utilizing ModSecurity and Mischel covers the fundamentals. He recommends using httperf and establishing a baseline without rules loaded. Response time, memory usage, and CPU usage are key. Once you've gathered necessary metrics, the same testing pattern with rules loaded will give you all the data you need to optimize. Mischel offers optimization concepts including memory consumption, bypassing static content inspection (think image files, JavaScript, and binary downloads), and using the @pm and @pmFromFile phrase matching operators (new in ModSecurity 2.5) to significantly speed up tasks normally left to regex matching (think 200 times faster).

My criticisms of this book are editorial in nature; there is one truly egregious editing flaw and another odd decision.
First, the page heading for the entirety of Chapter 5 (Virtual Patching) reads as Chapter 9. That's an error that a high school newspaper editor would catch and is simply unforgivable.
Additionally, where Mischel discusses writing rules at great length in Chapter 2, I would have chosen to immediately follow with the REMO (Rule Editor for ModSecurity) content as Chapter 3 rather than sticking it in Chapter 8.

Magnus Mischel's ModSecurity 2.5 is a worthy read and a recommended purchase, and earns 3.5 stars out of 5 (very good).
As the Web Application Security Consortium releases WASC Threat Classification v2.0, there is much to consider in the way of web application threats; ModSecurity 2.5 will certainly contribute to your protection arsenal. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

1 comment:

Chris Conrey said...

Great points on the performance benefits of actually being up and running as opposed to being down. Yes security may cost you a bit of performance, but you'll be up and running. I hear this a bunch from our clients who care about performance.

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...