BKPRWAWA.RVW 20060913 "Preventing Web Attacks with Apache", Ryan C. Barnett, 2006, 0-321-32128-6, U$49.99/C$66.99 %A Ryan C. Barnett %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2006 %G 0-321-32128-6 %I Addison-Wesley Publishing Co. %O U$49.99/C$66.99 416-447-5101 fax: 416-443-0948 %O http://www.amazon.com/exec/obidos/ASIN/0321321286/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321321286/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321321286/robsladesin03-20 %O Audience a- Tech 2 Writing 2 (see revfaq.htm for explanation) %P 582 p. %T "Preventing Web Attacks with Apache" Chapter one notes that there have been many attacks against Web servers and the applications running on them. It also lists the common excuses presented for a lack of security preparation (and assesses the weakness of those arguments). Hardening of the (UNIX) operating system, and network operating system, in order to establish a trusted computing base for the Web server application, are dealt with in chapter two. Initial installation of the Apache software is covered in chapter three. Chapter four reviews the configuration file, and properly secure settings and options. Security related modules in the Apache suite are discussed in chapter five. Chapter six reviews the Center for Internet Security Apache security benchmark tool. The Web Application Security Consortium (WASC) threat classification system is described, in chapter seven, with specific reference to Apache countermeasures against these attacks. (The material provides nice explanations and examples of a variety of exploits.) Buggy Bank, an intentionally flawed e-commerce application that provides practice in hardening a Web server, is outlined in chapter eight. Chapter nine looks at various countermeasures and controls that can be applied to Web servers and sites, noting strengths and weaknesses, and also noting which work most effectively, as well as which can be implemented via Apache functions. If you'd like to do primary research and gather information on attacks and the level of threat to Web servers, chapter ten details the settings and requirements for using Apache to set up a honeypot server. Chapter eleven finishes off with basic advice on issues such as patch management, and also broadens the discussion to some fundamental concerns in Internet security measures. A helpful guide for those using Apache. copyright Robert M. Slade, 2006 BKPRWAWA.RVW 20060913