Mitigating the WASC Web Security Threat Classification with Apache
In the previous chapter, we discussed the steps necessary to properly secure a standard Apache installation. Although the updated configurations applied to Apache will certainly result in a more secure web server, the resulting web server's functionality is significantly diminished. On today's World Wide Web, most organizations have a requirement to add in some form of dynamic web application. After applying all of the security settings to a default Apache install, you are now choosing to install some form of complex application that very well may open up different vulnerabilities. Once you implement applications that need to track user sessions and allow interaction with databases, then you open up a whole new can of worms.
Do you know what threats exist for web applications? Do you have an accurate definition of the attack scenarios? The Web Application Security Consortium created the Web Security Threat Classification document for exactly this purpose. The goals of this chapter are twofold. The first goal is to arm the reader with practical information regarding the threats that are associated with running web applications and to present the corresponding Apache mitigation strategies. Second is to highlight the limits of control that Apache can inflict on the overall security of web applications. There are limits to what can be accomplished with Apache—a few issues are highlighted in this chapter that are outside the scope of Apache's control.
The most up-to-date document can be found at the WASC web site: http://www.webappsec.org. Please keep in mind that the WASC Threat Classification was a cooperative effort created by the brilliant, dedicated members who generously donated their time and expertise to create this resource. I was merely one of the contributing members for this project. My thanks extend to the individuals listed in the following section.
Robert Auger—SPI Dynamics
Ryan Barnett—EDS & The Center for Internet Security (Apache Project Lead)
Erik Caso—NT OBJECTives
Cesar Cerrudo—Application Security Inc.
Sacha Faust—SPI Dynamics
JD Glaser—NT OBJECTives
Jeremiah Grossman—WhiteHat Security
Sverre H. Huseby—Individual
Mitja Kolsek—Acros Security
Aaron C. Newman—Application Security Inc.
Bill Pennington—WhiteHat Security
Ray Pompon—Conjungi Networks
Mike Shema—NT OBJECTives
Caleb Sima—SPI Dynamics