Thursday, December 07, 2006

Ryan Barnett enters the Blogosphere

Ryan Barnett, author of Preventing Web Attacks with Apache, is Breach Security's new Director of Application Security Training. If you recall, Breach acquired ModSecurity earlier this year and is a WAF product vendor. Ryan, a long-time friend, is a master of web application defensive strategies and techniques. In a real-world sense, he knows what it takes to keep a website from getting hacked. He's finally entered the blogging realm, and it'll be interesting to see what he has to say over 2007.

1 comment:

Anonymous said...

i liked what ryan did in that book by combining snort signatures with mod-security. in appendix C, he put the line "include conf/snortmodsec-rules.txt" in his example httpd.conf file under the mod-security section.

this, plus what you see on gotroot.com can really make mod-security into a powerful WA-IPS. every operator should enjoy the idea behind just-in-time patching. it's layered defense-in-depth and can't be relied upon in the face of strange encodings or active evasion (e.g. VoMM), but it's better than nothing for a lot of places weak on web application security.

i especially enjoyed the web proxy honeypot chapter. personally, i believe that time should be spent protecting priority threats, not specific vulnerabilities (although patching is good). honeypots are often an easier path to identify actual threats while IDS and IPS usually spot vulnerabilities only.

albeit an average anti-IDS/IPS proponent, I still often do find uses for snort signatures. take http://honeyc.sf.net as an example. using http://honeyc.sourceforge.net/signatureReferences.php snort signatures provided by honeyc, in addition to some taken from the http://bleedingsnort.com/bleeding-sid-msg-map.txt bleeding snort project (SIDs 2001075 to 2001115 at least), and some custom signatures could allow for fast and widespread scanning using low-interaction honeyclients.

however, this creates a lot of false positives so it needs to be re-evaluated and validated with high-interaction honeyclients. that's where http://capture-hpc.sf.net (recently released by Chris Seifert, http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php) comes in, as well as his methodology as described in www.mcs.vuw.ac.nz/~cseifert/blog/images/client_honeypots_-_dsrg_meeting.ppt

his blog is also at http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php
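The evasion caveat raised in the comment above, as a small added example (not code from the post, the book or ModSecurity): a literal signature applied to the raw request line misses encoded forms of the same payload, so a WAF or IPS has to canonicalise the input before matching. The rule, the normalisation steps and the request lines are all constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed signature in the spirit of a "just-in-time patch":
# flag any request whose path or query carries a directory-traversal sequence.
TRAVERSAL = re.compile(r"\.\./")


def naive_match(request_uri: str) -> bool:
    """Apply the signature to the raw request line, as a plain string rule would."""
    return bool(TRAVERSAL.search(request_uri))


def normalize(request_uri: str) -> str:
    """Canonicalise before matching: URL-decode repeatedly until the value stops
    changing (defeats double encoding), map backslashes to forward slashes and
    collapse repeated slashes. The decode loop is bounded so hostile input
    cannot keep the filter busy."""
    current = request_uri
    for _ in range(4):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    current = current.replace("\\", "/")
    current = re.sub(r"/{2,}", "/", current)
    return current


def normalized_match(request_uri: str) -> bool:
    """Same signature, applied after canonicalisation."""
    return bool(TRAVERSAL.search(normalize(request_uri)))


# Constructed request lines: one traversal payload in several encodings.
SAMPLES = [
    "/cgi-bin/view.cgi?file=../../etc/passwd",               # plain
    "/cgi-bin/view.cgi?file=%2e%2e%2f%2e%2e%2fetc/passwd",   # URL-encoded
    "/cgi-bin/view.cgi?file=%252e%252e%252fetc/passwd",      # double-encoded
    "/cgi-bin/view.cgi?file=..%5c..%5cetc/passwd",           # encoded backslashes
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (raw-string verdict, canonicalised verdict)."""
    return {s: (naive_match(s), normalized_match(s)) for s in samples}


if __name__ == "__main__":
    for uri, (raw, canon) in compare().items():
        print(f"raw={raw!s:5} normalized={canon!s:5} {uri}")
```

Only the plain form trips the raw-string rule; after canonicalisation all four are caught, which is the gap the comment is pointing at when it says signature-based patching cannot be relied upon against odd encodings.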