I’ve just downloaded a preview of Ivan Ristic’s latest work: a handbook for mod_security. Readers will recollect that Ivan is both the original developer of mod_security, and author of the most comprehensive existing book on Apache security (reviewed here), so his handbook should be worth a look. He was also tech reviewer for my Apache modules book, so I guess I owe him any feedback I can find time for!
As befits a handbook, it’s a lot shorter than his previous book: currently about 100 pages, though that’s with gaps that’ll grow the page count quite a lot when filled. It comes with the promise that it will be continually updated, which clearly favours electronic distribution, though paper will also be available.
The first question I usually ask about a techie book is: what does it add to the documentation available online? A glance at this book suggests quite a lot. My impression of mod_security hitherto has been that it’s interesting (especially after seeing Ivan’s talk at ApacheCon 2008) but under-documented compared to httpd itself: this book fills a gap. It could become the One True reference work on the subject for anyone deploying the module.
For my part, I’ll be looking with particular interest at how he deals with rulesets. They’re the aspect of mod_security that’s outside my core competence as developer and in the realm of the sysop. I don’t believe I have a use for mod_security myself, but a new insight into how he maps use cases to rulesets might provoke me to re-evaluate that.
I have one reservation about reading this: I have several ideas for the Apache core that very probably duplicate things mod_security offers. No, they wouldn’t be in competition with it; they’d just be offering comparatively minor features: for example, extending the “RequestHeader edit” feature of mod_headers (apply a regexp search-and-replace to incoming request headers) to a security feature. Reading the book runs the risk of my ideas becoming ripoffs of mod_security.