4 reasons not to use mod-security

Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug in all sorts of modules to enhance the functiona...
Published Jul 23, 2008
Version 1.0
apache
application security
BIG-IP
firewall
http
internet
security
Lori_MacVittie
Employee
Joined October 17, 2006

Lori_MacVittie
Employee
Jul 23, 2008

Not bashing at all. In fact, if you aren't into running a web app firewall and think mod_security is a good idea, then DO IT.

Any security is better than no security, and mod_security can certainly be used to provide security. I'm just saying there are better options out there in terms of management, performance, and configuration, not that mod_security should never be used in any situation.

"I would argue that a fundamental problem with current web apps is the fact that security is often shunted to people other than the ones building the application.

So, in fact, developers *have* to understand attacks and code to mitigate them. The developers are the ones that should be accountable for any breach."

I like this statement, and in a utopian IT department it might even work, but in the real world developers don't understand the attacks that might be launched against them. If they did, they would develop applications that were able to defend themselves, mitigating the need for any external web application security, a la mod_security or web application firewalls.
