4 reasons not to use mod-security
Published Jul 23, 2008
Version 1.0
Any security is better than no security, and mod_security can certainly be used to provide security. I'm just saying there are better options out there in terms of management, performance, and configuration, not that mod_security should never be used in any situation.
"I would argue that a fundamental problem with current web apps is the fact that security is often shunted to people other than the ones building the application.
So, in fact, developers *have* to understand attacks and code to mitigate them. The developers are the ones that should be accountable for any breach."
I like this statement, and in a utopian IT department it might even work, but in the real world developers don't understand the attacks that might be launched against their applications. If they did, they would build applications able to defend themselves, obviating the need for any external web application security, such as mod_security or web application firewalls.