Apache Security - Ivan Ristic [2]

Information-Gathering Tools

A.2.1. Online Tools at TechnicalInfo

A.2.2. Netcraft

A.2.3. Sam Spade

A.2.4. SiteDigger

A.2.5. SSLDigger

A.2.6. Httprint

A.3. Network-Level Tools

A.3.1. Netcat

A.3.2. Stunnel

A.3.3. Curl

A.3.4. Network-Sniffing Tools

A.3.5. SSLDump

A.4. Web Security Scanners

A.4.1. Nikto

A.4.2. Nessus

A.5. Web Application Security Tools

A.5.1. Paros

A.5.2. Commercial Web Security Tools

A.6. HTTP Programming Libraries

Index

Apache Security

Ivan Ristic

Editor


Tatiana Apandi

Editor


Allison Randal


Copyright © 2009 O'Reilly Media, Inc.

O'Reilly Media

* * *

Dedication

To my dear wife Jelena, who makes my life worth living.

Preface

There is something about books that makes them one of the most precious things in the world. I've always admired people who write them, and I have always wanted to write one myself. The book you are now holding is a result of many years of work with the referenced Internet technologies and almost a year of hard work putting the words on paper. The preface may be the first thing you are reading, but it is the last thing I am writing. And I can tell you it has been quite a ride.

Aside from my great wish to be a writer in the first place, which only helped me in my effort to make the book as good as possible, there is a valid reason for its existence: a book of this profile is greatly needed by all those who are involved with web security. I, and many of the people I know, need it. I've come to depend on it in my day-to-day work, even though at the time of this writing it is not yet published. The reason this book is needed is that web security is affected by some diverse factors, which interact with each other in web systems and affect their security in varied, often subtle ways. Ultimately, what I tried to do was create one book to contain all the information one needs to secure an Apache-based system. My goal was to write a book I could safely recommend to anyone who is about to deploy on Apache, so I would be confident they would succeed provided they followed the advice in the book. You have, in your hands, the result of that effort.

Audience

This book aims to be a comprehensive Apache security resource. As such, it contains a lot of content on the intermediate and advanced levels. If you have previous experience with Apache, I expect you will have no trouble jumping to any part of the book straight away. If you are completely new to Apache, you will probably need to spend a little time learning the basics first, perhaps reading an Apache administration book or taking one of the many tutorials available online. Since Apache Security covers many diverse topics, it's likely that no matter what level of experience you have, you will have a solid starting point.

This book does not assume previous knowledge of security. Security concepts relevant for discussion are introduced and described wherever necessary. This is especially true for web application security, which has its own chapter.

The main thing you should need to do your job, in addition to this book, is the Apache web server's excellent reference documentation (http://httpd.apache.org/docs/).

The book should be especially useful for the following groups:

System administrators

Their job is to make web systems secure. This book presents detailed guidance that enables system administrators to make informed decisions about which measures to take to enhance security.

Programmers

They need to understand how the environment in which their applications are deployed works. In addition, this book shows how certain programming errors lead to vulnerabilities and tells what to do to avoid such problems.

System architects

They need to know what system administrators and programmers do, and also need to understand how system design decisions affect overall security.

Web security professionals

They need to understand how the Apache platform works in order to assess the security of systems deployed on it.

Scope

At the time
