There is a new book released that should be in the libraries of web application developers everywhere. The title? ModSecurity Handbook:The Complete Guide to the Popular Open Source Web Application Firewall by Ivan Ristic. What is ModSecurity in the first place? Why does it matter to you? What makes this book important to the practice of web application design?

ModSecurity is a web application firewall. It can live in and out of the Apache web server environment, one of the most popular web servers around. ModSecurity is infinitely customizable and extremely powerful. The philosophy of ModSecurity can be summed up in a few words. Look, and only modify if I tell you to. It sports a custom rule engine that makes it extremely powerful. The syntax takes a little bit of work to wrap your head around, but the learning curve is not terrible. It’s an efficient system that aims  to cut out unnecessary logic and expressions and focus solely on the job of security. That being said, the rule language is rich and extensible. It is quite possible to make use of external scripts (such as php) to do specific security tasks. Additionally, the use of Lua is extremely useful. According to the author, the rule system will cover about 80% of the needs for most tasks. The last 20% or so where you need a ‘real’ programming language is covered by Lua and its tight integration with ModSecurity. Now, as a disclaimer, ModSecurity is not an excuse to make you a lazy programmer.  You still need to use good, secure programming practices to make your clients’ applications secure as well as useful.

Now, the book. Why is this book so important? It is THE source for ModSecurity if you care at all about the application. This book covers everything from download and install to configuration and to creating your own rule sets. Additionally, this book was written by the author  that created ModSecurity, Ivan Ristic. The book reads like your best programmer friend sitting right next to you guiding you as to what to do step by step. I am going to be extremely honest with you though, ModSecurity isn’t the easiest thing in the  world to implement at first glance, but the rewards are  well worth it. This book teaches you step by step how to reap those rewards and build a reasonably secure system for your clients. Seeing the steps on how to block basic attacks such as XSS attacks, and brute force attacks were intriguing and educational. It made me think about how I could implement these same techniques into my programming. Additionally, the comprehensive reference manual was a great touch and welcome addition. A lot of books just give tutorials, but sometimes a simple paragraph or bullet point is needed to explain a component.

The book itself takes some time and digestion. I am convinced that this book needs more than one read to get all the benefits from it. That being said, the additional reads will make you a better programmer and put you ahead the pack.  Feisty Duck publishes a hardcopy of the book and a digital version.