Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[Book Review] ModSecurity Handbook

“ModSecurity Handbook is the definitive guide to ModSecurity, a popular open source web application firewall. Written by Ivan Ristic, who designed and wrote much of ModSecurity, this book will teach you everything you need to know to monitor the activity on your web sites and protect them from attack.”

I think I can safely say that the ModSecurity Handbook isn’t like most computer security books you’ve might have read. Sure, it looks normal, but behind that modest exterior, it’s breaks new ground. For once I actually see the benefits of the ebook era. Before I even start talking about the book’s content, there’s a few things you need to know about this book, and this review.

The book you read, may very well be different to the one I’m reviewing here. I know that sounds odd (then again doesn’t everything I say on my blog), and no, I’m not saying that a second edition is on its way. Feisty Duck (the publisher behind the ModSecurity Handbook) have an interesting and exiting premise that takes traditional publishing and makes it look as stale and outdated. When it comes to ebooks, most publishers have taken the standard book format and simply moved it to the digital realm without adding anything to the mix. That’s nice. It’s handy to be able to download a book you need right now, and the ability to have a single device for reading and transporting thousands of books appeals to somebody like me (bad neck and all). Still for the most part, once the book is released, it’s all over… time for the author and editor to grab a cup of tea and relax in the garden for a while. After all, they’ve been slaving over this for a while… the deserve it. For Feisty Duck and Ivan Ristic however, the game isn’t over yet. Between receiving my copy of the book (in PDF and physical form) the book has changed, and it will continue to change from what I can see. Alongside the cost of the book and (Hallelujah) DRM FREE digital version, you also get a years worth of updates to the book.

Now, I know what you’re thinking here. It’s a gimmick, they’ll only ever fix some spelling mistakes and maybe correct the formatting if they’re feeling really adventurous. If you’re thinking that though, you’d be wrong… at least I hope.  The author (Ivan Ristic) has already begun adding new content, and will continue to update things that get replaced/changed, and generally keep the book at the cutting edge of what ModSecurity is. How many books can claim that? even in this supposed digital age.

Anyway, enough of the fanboi comments about the direction that Feisty Duck are taking (even though other so-called digitally aware publishers should pay attention to this), and onto the real meat of the review.

Surprisingly, the ModSecurity handbook covers ModSecurity. Obvious really, but it needed to be said. The author does a great job of bringing to light the bits you never knew where there, and really drilling deeply into why they’re important and how they can make your life easier. This isn’t just a review of the last stable version either. A lot of what’s covered is the new stuff, some of it still only found in the SVN version of ModSecurity. I think it’s safe to say that the author likes to keep the information as close to bleeding edge as possible, and that’s a welcome change. I know personally I’m more than tired of picking up a so-called “experts handbook” to find they’re talking about the previous version.

So what can you expect from this book. Well, if you thought ModSecurity was just a few rules to look for some simply XSS and SQLi attacks, then you’re in for a real treat. This book really takes everything into account and gives even beginners to WAF solutions a great overview of how ModSecurity can really improve the security of your environment. For those more advanced readers, there’s enough meat here to really start expanding and streamlining how you’re running ModSecurity, so you can get the most out of your install.

* Installation and configuration of ModSecurity
* Logging of complete HTTP traffic
* Rule writing, in detail
* IP address, session, and user tracking
* Session management hardening
* Whitelisting, blacklisting, and IP reputation management
* Advanced blocking strategies
* Integration with other Apache modules
* Working with rule sets
* Virtual patching
* Performance considerations
* Content injection
* XML inspection
* Writing rules in Lua
* Extending ModSecurity in C

As you can see, there’s a lot more to ModSecurity than just a simple rule set. Alongside all this information, the book also includes a bonus copy of the official ModSecurity Reference Manual, for those times when you just need to know what rule options to use where.

Considering I’m a newcomer to ModSecurity, I found this book a surprisingly easy read. It’s also not often that I take the time to sit and really read a book cover to cover. With this book however that was more than easy, it was a pleasure. The writing style is fluid, very readable and surprisingly personal. Even the highly technical information was well explained, well thought out, and accompanied by just enough examples to hammer the point home without being overwhelming or ruining the flow. With that said, newcomers to the ModSecurity field may have to reread a few paragraphs to really let the information sink in, I know I did at times. As simple as the premise of ModSecurity is, it can get very complex when you start playing around with rule inheritance, advanced logging, and interaction with other Apache modules. Still, all the information you need is here, it’s just about taking the time to understand.If there was one negative I could say about this book it’s the brief handling of a few points. In particular I found the chapter on LUA rules a little to rushed for my liking. There wasn’t as much discussion about what could really be achieved with LUA, and left me wondering if what I wanted to do would even be possible. There may be a good reason for this, as LUA support is still in early/experimental stages. Hopefully this is something the author will be expanding upon in later revisions as LUA support grows and become better defined. Another thing to note, is that the book is 324 pages in length. This does however include the bonus content (ModSecurity Reference Manual) that makes up the final 94 pages. That’s not to say this is a bad thing, after all, we want quality and not quantity. Especially when we’re all reading so much to keep ourselves up to date.

I don’t tend to stray away from the offensive side of things that often. It’s hard sometimes to squeeze in enough time to really take a hard look at defense. That’s a shame to be honest, as without knowing about defense, you can’t come up with a good offense, and vice versa. I think Sun Tzu said it best “If you know the enemy and know yourself, you need not fear the result of a hundred battles”.

One surprising outcome of reading this book is the number of ideas that formed while reading it. I have a range of future projects going round in my head now… and that’s a good thing. Something about this book just seemed to spur my creative juices to really think about things that I might have previously thought impossible, or never really considered. I know this isn’t the last time you’ll be reading about ModSecurity on this blog that’s for sure!


Comments are closed.

%d bloggers like this: