On the front page of ONLamp.com, this article has the tag line “Protect your applications without recoding them.” In principle and practice, I strongly disagree with this statement.
I love mod_security. It’s a fabulous tool. But it should never be used as your only line of defense against malicious input. It’s a bad, bad, bad idea to put all your security eggs in one basket, simply because if we’ve learned anything in the past 50 years of computing, it’s that everything is flawed, and people can and will find and exploit that flaw.
Proper security is a multilayered, multi-approach thing. And I think the author is doing a real disservice to those who are trying to educate the development community about secure practices with statements like:
Solutions can take many different forms, ranging from secure coding practices to proper input validation. One approach is to perform content validation for each incoming request and compare it with predefined rules.
No, no, no! Solutions (plural) is just plain wrong. The solution (singular) is to implement all of these approaches. To not do so is either naive (if you’re relying on something someone else developed) or arrogant (if you’re relying on something you developed), and in either case very dangerous.
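To make the layering argument concrete, here is an added example (not code from the article, and not mod_security’s own rule language) that runs a request through two independent checks: a generic, application-agnostic pattern filter in the spirit of a mod_security ruleset, and an application-level allowlist that knows what each field is supposed to contain. The rules, field names and sample query strings are all constructed for this illustration.

```python
import re
from urllib.parse import parse_qs

# Layer 1: perimeter rules, modelled on a generic WAF ruleset (constructed).
# They know nothing about the application, only about suspicious shapes.
PERIMETER_RULES = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)),
    ("sql_comment", re.compile(r"(--|/\*)")),
    ("path_traversal", re.compile(r"\.\./")),
]

# Layer 2: application validation. Only the application knows that a
# username is 3-16 lowercase word characters and a quantity is 1..100.
APP_FIELD_RULES = {
    "username": (re.compile(r"[a-z0-9_]{3,16}"), None),
    "quantity": (re.compile(r"[0-9]{1,3}"), lambda v: 1 <= int(v) <= 100),
}

def perimeter_check(query_string):
    """Return the name of the first perimeter rule that matches, or None."""
    for name, pattern in PERIMETER_RULES:
        if pattern.search(query_string):
            return name
    return None

def application_check(query_string):
    """Validate every expected field against its allowlist; return the first error or None."""
    params = parse_qs(query_string, keep_blank_values=True)
    for field, (pattern, extra) in APP_FIELD_RULES.items():
        values = params.get(field)
        if not values or len(values) != 1:
            return f"{field}: missing or repeated"
        value = values[0]
        if not pattern.fullmatch(value):
            return f"{field}: bad format"
        if extra is not None and not extra(value):
            return f"{field}: out of range"
    unknown = sorted(set(params) - set(APP_FIELD_RULES))
    if unknown:
        return f"unexpected field(s): {unknown}"
    return None

def handle(query_string):
    """Run both layers in order and report which one, if any, rejected the request."""
    hit = perimeter_check(query_string)
    if hit:
        return ("rejected", "perimeter", hit)
    err = application_check(query_string)
    if err:
        return ("rejected", "application", err)
    return ("accepted", None, None)
```

The interesting cases are the ones the perimeter layer waves through because they contain no suspicious pattern at all (a quantity of 0, a username with a space, an unexpected parameter); only the layer that knows the application’s own rules can reject those.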