Introducing mod_security
Subject:   bad application design shouldn't drive new development
Date:   2003-12-01 01:02:04
From:   anonymous2
While this seems like a nice tool which might have some good uses, the example that is given in the beginning is a very bad one. It is based on the fact that an application has a way to tunnel SQL statements to the DB. It is badly designed. One should fix/redesign the app instead of building something around it.


Bart van der Ouderaa


  • bad application design shouldn't drive new development
    2003-12-01 02:00:43  Ivan Ristic | O'Reilly Author

    I agree completely. One should always try to fix/enhance the application and not rely on other security layers, such as mod_security, for protection. I see mod_security as a protection layer operated by people other than the original software developers. From their point of view, software is a black box. Their task is to do everything they can to minimize the risk of a security breach. The example you mentioned is, unfortunate as that may be, representative of the quality of code widely available today.
    • bad application design shouldn't drive new development
      2003-12-08 06:08:02  anonymous2

      I'd rather dump an app that passes SQL queries as GET/POST parameters than try to protect against exploiting that... who knows how many other bugs are in it.

      As for canonicalizing paths, a better approach would be to reject these with HTTP 500. I actually do that in the apps in a more user-friendly way, but if I don't have the source for something I'd rather show my visitors an HTTP 500 page.
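The "reject rather than repair" policy for non-canonical paths that the last reply argues for, written out as a small added example. This is not code from the thread, from mod_security, or from either poster; the function names (`canonicalize`, `handle_request`, `run_samples`) and the sample request-targets are this example's own, constructed for illustration. The check decodes percent-escapes once, then refuses any path that normalization would have to rewrite instead of quietly rewriting it.

```python
import posixpath
from urllib.parse import unquote

# Added, constructed example illustrating the policy discussed in the thread:
# a path that is not already canonical is refused with 500, never "fixed up".
# Function names and sample inputs are the example's own assumptions.


def canonicalize(raw_path):
    """Return the request path if it is already canonical, else None.

    One percent-decoding pass is applied, and the result must survive
    normalization unchanged. Anything that would still need work (a
    second decoding round, '.' or '..' segments, repeated slashes, a
    backslash or NUL byte) is reported as non-canonical.
    """
    if not raw_path.startswith("/"):
        return None                 # relative or malformed request-target
    decoded = unquote(raw_path)     # exactly one decoding pass
    if "%" in decoded:
        return None                 # an escape survived: double encoding or a stray '%'
    if "\x00" in decoded or "\\" in decoded:
        return None                 # NUL and backslash never belong in a web path
    if "//" in decoded:
        return None                 # posixpath.normpath keeps a leading '//', so test explicitly
    normalized = posixpath.normpath(decoded)
    if decoded != "/" and decoded.endswith("/"):
        normalized += "/"           # normpath drops a trailing slash; directory URLs may keep it
    if normalized != decoded:
        return None                 # '.' or '..' segments had to be resolved
    return decoded


def handle_request(raw_path):
    """Serve canonical paths; answer everything else with HTTP 500 as the reply proposes."""
    path = canonicalize(raw_path)
    if path is None:
        return 500, None
    return 200, path


# Constructed sample request-targets, not captured traffic.
SAMPLE_PATHS = [
    "/docs/index.html",     # plain path
    "/docs/",               # directory with trailing slash
    "/a%20b",               # ordinary single encoding
    "/a/../b",              # dot-dot segment
    "/%2e%2e/config",       # encoded dot-dot segment
    "/%252e%252e/config",   # double-encoded dot-dot segment
    "/a//b",                # repeated slash
    "//host/share",         # leading double slash
    "docs/index.html",      # not an absolute path
]


def run_samples(paths=SAMPLE_PATHS):
    """Map each sample request-target to the status the check returns for it."""
    return {p: handle_request(p)[0] for p in paths}


if __name__ == "__main__":
    for path, status in run_samples().items():
        print(f"{status}  {path!r}")
```

The check is deliberately strict: a legitimate but sloppy link such as `/a//b` is refused too, which is the trade-off the reply accepts when it prefers a 500 page over guessing what the application would do with a rewritten path.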