Protect your applications without recoding them??? Securing Web Services with mod_security

On the front page of, this article has the tag line “Protect your applications without recoding them.” In principle and practice, I strongly disagree with this statement.

I love mod_security. It’s a fabulous tool. But it should never be used as your only line of defense against malicious input. It’s a bad, bad, bad idea to put all your security eggs in one basket, simply because if we’ve learned anything in the past 50 years of computing, it’s that everything is flawed, and people can and will find and exploit that flaw.

Proper security is a multilayered, multi-approach thing. And I think the author is doing a real disservice to those who are trying to educate the development community about secure practices with statements like:

Solutions can take many different forms, ranging from secure coding practices to proper input validation. One approach is to perform content validation for each incoming request and compare it with predefined rules.

No, no, no! Solutions (plural) is just plain wrong. The solution (singular) is to implement all of these approaches. To not do so is either naive (if you’re relying on something someone else developed), arrogant (if you’re relying on something you developed), and in either case very dangerous.

  • Ben Ramsey
    06/13/2005 11:11:36 AM

    I’ve spoken about mod_security in a couple of PHP talks now, and everytime I mention it, I always make it a point to say that it provides a great stopgap to plug up security holes in your existing applications at the Web server level but that this doesn’t mean you shouldn’t get rid of those those holes by making the time to find them and recode accordingly.

    So, I agree with you here.