Monthly Archive for February, 2007

Do less, Not More

Getting Real, a book by 37signals.

It’s something that I have been thinking about for a while now… Will doing more work move projects like DeveloperSide.NET and DynamicSide.NET ahead?

Over time, with lots of mistakes, I have come to the conclusion that the answer to that question is “no”.

Doing more work will only make things more complicated, and will not increase the user-base. It’s all about ease-of-use, simplicity, and getting the end-users involved in the process [of working on the project] — that makes a project truly successful these days. [a hint of what’s to come for devside.net]

80%-90% of the project time is spent working on 10-20% of the features. And it’s just not worth it: it makes the project too complicated, and gives you little in return.

Do the basics, and forget the rest. You do not need to match a competing project’s feature set. Just make it easy to use for the client, and let your competition self-destruct in complexity…

Here is an example… Take a look at the other dynamic DNS providers. Set up an account, and try to figure out what that mess on your screen is. Now look at the DNS menu of dynside.net, pretty simple, right?

Apache vs. IIS

Recently, a few choice diagrams from the past of the mapped system calls that Apache and IIS perform have been making another round on the internet. So I thought I would add my 2 cents worth on the matter…

Why Windows is less secure than Linux

“Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.”

Diagram of Apache’s internal system calls…
Apache System Calls

Diagram of IIS’s internal system calls…
IIS System Calls

I’ll let the images speak for themselves, and comment not on the above, or its interpretation, but rather on the following…

“Apache cannot be compared to IIS. Apples and oranges!”

What… Why not? They have the same function, right?

“Apache, out-of-the-box, only serves static pages! It needs modules to add functionality. IIS, on the other hand, has all sorts of functionality built into it, such as running .NET applications and ASP.NET scripts. IIS is tied into Active Directory and many other Windows Server-specific technologies. It integrates with the OS!”

You say that like it’s a good thing.

“When you add enough extensions to Apache to provide it with abilities equivalent to IIS’s base functionality, it will make just as many system calls and be just as complex.”

We only have the baseline of what happens on one static HTML page and one image request. Anything else is a guess.
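The diagrams above are built from a trace of system calls made while serving one page and one image. As an added illustration (my code, not the post’s and not how the diagrams were produced), here is a small Python tally over two constructed traces in the line form that `strace -f -o trace.txt` writes (`<pid>  <syscall>(<args>) = <ret>`). The traces, the pids and the `parse_strace`/`compare` names are mine; the script counts distinct syscalls and total invocations per trace and lists which calls appear on only one side, which is the kind of baseline comparison the quote is about. It also handles the `<unfinished ...>`/`<... resumed>` pairs that `-f` produces so a call interrupted by another thread is counted once.

```python
import re
from collections import Counter

# Constructed sample traces (not from the page), in the line form that
# "strace -f -o trace.txt" writes: "<pid>  <syscall>(<args>) = <ret>".
# Trace A: one static page and one image served via open/fstat/sendfile.
TRACE_A = r"""
2001  accept(3, {sa_family=AF_INET, ...}, [16]) = 5
2001  read(5, "GET /index.html HTTP/1.1\r\n", 8000) = 35
2001  open("/var/www/index.html", O_RDONLY) = 6
2001  fstat(6, {st_mode=S_IFREG|0644, st_size=120, ...}) = 0
2001  sendfile(5, 6, NULL, 120) = 120
2001  close(6) = 0
2001  read(5, "GET /logo.png HTTP/1.1\r\n", 8000) = 33
2001  open("/var/www/logo.png", O_RDONLY) = 6
2001  fstat(6, {st_mode=S_IFREG|0644, st_size=4096, ...}) = 0
2001  sendfile(5, 6, NULL, 4096) = 4096
2001  close(6) = 0
2001  close(5) = 0
"""

# Trace B: a second (constructed) server using two threads, stat/mmap/write,
# plus the noise lines strace emits: an interrupted call, a signal, an exit.
TRACE_B = r"""
3001  accept(3, {sa_family=AF_INET, ...}, [16]) = 5
3001  read(5,  <unfinished ...>
3002  stat("/srv/www/index.html", {st_mode=S_IFREG|0644, ...}) = 0
3001  <... read resumed> "GET /index.html HTTP/1.1\r\n", 8000) = 35
3002  open("/srv/www/index.html", O_RDONLY) = 6
3002  mmap(NULL, 120, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7f00
3002  write(5, "HTTP/1.1 200 OK\r\n"..., 120) = 120
--- SIGCHLD {si_signo=SIGCHLD, ...} ---
3002  munmap(0x7f00, 120) = 0
3002  close(6) = 0
3001  close(5) = 0
+++ exited with 0 +++
"""

# A normal or "unfinished" call line starts with the pid and the call name.
LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\(')
# The second half of an interrupted call; its first half was already counted.
RESUMED_RE = re.compile(r'^(?P<pid>\d+)\s+<\.\.\. (?P<call>\w+) resumed>')


def parse_strace(text):
    """Return a Counter mapping syscall name -> number of invocations.

    Resumed lines are skipped (the matching unfinished line was counted);
    signal markers and process-exit lines never match and are ignored."""
    counts = Counter()
    for line in text.splitlines():
        if RESUMED_RE.match(line):
            continue
        m = LINE_RE.match(line)
        if m:
            counts[m.group('call')] += 1
    return counts


def compare(trace_a, trace_b):
    """Summarise how two traces differ: footprint size of each side
    (distinct syscalls, total invocations) and calls unique to each."""
    a, b = parse_strace(trace_a), parse_strace(trace_b)
    return {
        'distinct_a': len(a), 'total_a': sum(a.values()),
        'distinct_b': len(b), 'total_b': sum(b.values()),
        'only_in_a': sorted(set(a) - set(b)),
        'only_in_b': sorted(set(b) - set(a)),
    }


if __name__ == '__main__':
    for key, value in compare(TRACE_A, TRACE_B).items():
        print(f'{key}: {value}')
```

A count like this is only a footprint, not the call graph the diagrams draw, and it only describes the request that was traced; that is exactly why a one-page, one-image trace cannot say anything about a server with more modules loaded.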

“Apache has 33 reported vulnerabilities. IIS has only 3 advisories!”

Apache? Meant to say “Apache modules”, didn’t you? As far as I know, having someone actually looking at the source, working out the bugs, *is* a good thing. The matter of people being sued and/or having their careers ruined by reporting vulnerabilities in proprietary products also plays into this, don’t you think so?

“IIS has come quite a long way since the days of Windows NT/2000. IIS6 is a major improvement and IIS7 is a thing of beauty. When I show people how IIS 6 works, they become impressed.”

Maybe so.

Just to be fair, I will say this in defense of IIS…

Apache is written in C, while IIS is more of an OO C++ product — which can translate into more calls.

Taking another page from Apache’s playbook [good things get copied, right?]:

  • Microsoft has switched to a completely modular setup design with IIS7.
  • IIS 7 can now be configured from a text file (web.config).
  • IIS 7 can be administered from the command line with the Windows PowerShell administration environment.

“First they ignore you, then they laugh at you, then they fight you, then you win.” - Mahatma Gandhi.

Suhosin Extension for PHP

Suhosin is a security patch/extension for PHP.

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

Here is a recent SecurityFocus talk/article with the author of this package, that goes into the details of the project and what is ahead…
PHP Security From The Inside

While this patch [or extension] is simple to set up under Linux, the Windows side is a bit more difficult: no binaries are provided, which necessitates building PHP with the extension from source…

And anyone that’s ever tried to build win32 PHP knows what a headache that can be. What PHP.net provides in source is about 20% of what’s needed, and contains extension libs that date from the year 2000.

_Though I will say_ that some extensions/DLLs that do not depend on anything else CAN be built.

What is Web 2.0?

I’m still trying to figure that one out myself.

Securing Your Server and Web Applications

There is no shortage of bad, incomplete, and outdated information on the Internet and in print. And if that was not bad enough, there is also the problem of information overload.

Here are a few resources that can get you up to speed…

  • Chapter 3: PHP from book “Apache Security”, by Ivan Ristic [of mod_security fame].
    A good overview of some security issues with PHP. Most of the mentioned measures will be most useful in a hosting environment.
  • Center for Internet Security (CIS) Benchmarks for the Apache Web Server.

    CIS is the only distributor of consensus best practice standards for security configuration. The Benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FIRPA and other regulatory requirements for information security.

    I recommend CIS Level-1 security for the Apache Web-Server. A number of the steps are OS-independent, and have been implemented under the Web-Developer Server Suite.

  • The OWASP Guide to Building Secure Web Applications

    The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

  • Web Application Security Consortium
  • SANS Information and Computer Security Resources [with emphasis on the Reading Room]
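As an added example of the kind of OS-independent check the CIS-style Apache hardening steps boil down to (my code, not the post’s, not the Web-Developer Server Suite’s, and not the benchmark’s own item list), here is a small Python audit over a constructed httpd.conf fragment. It checks a handful of directives that such guides commonly cover (ServerTokens, ServerSignature, TraceEnable, Options Indexes, AllowOverride); the two fragments, the chosen checks and the `directives`/`audit` names are mine, and the parser is flat (it does not track `<Directory>` scope), which is enough to flag a weak setting before the same file is committed to a server.

```python
# Constructed httpd.conf fragment with weak settings (not from the page).
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks   # directory listing enabled
    AllowOverride All
</Directory>
"""

# The same fragment with the settings a hardening guide would ask for.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# Directive name (lower-cased) -> value we expect to see, case-insensitively.
EXPECTED = {
    'servertokens': 'prod',       # no version in the Server header
    'serversignature': 'off',     # no version on error pages
    'traceenable': 'off',         # disable HTTP TRACE
}


def directives(conf):
    """Yield (name, value) for each directive line, with comments stripped.
    Container tags such as <Directory> are skipped: this parser is flat and
    does not know which block a directive belongs to (an assumption of the
    example, fine for a fragment, not a full scoped parse)."""
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('<'):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else '')


def audit(conf):
    """Return a list of human-readable findings; empty means the fragment
    passes every check in this example."""
    found = {}
    options_values = []
    for name, value in directives(conf):
        if name == 'options':
            options_values.append(value)   # may occur once per block
        else:
            found[name] = value

    findings = []
    for name, want in EXPECTED.items():
        have = found.get(name)
        if have is None or have.lower() != want:
            findings.append(f'{name}: expected "{want}", found {have!r}')
    for value in options_values:
        tokens = [t.lower() for t in value.split()]
        if 'indexes' in tokens or '+indexes' in tokens:
            findings.append('Options enables Indexes (directory listing)')
    if found.get('allowoverride', '').lower() == 'all':
        findings.append('AllowOverride All lets .htaccess override server policy')
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit(conf) or 'OK')
```

Run it against a real configuration by reading the file into `audit()`; for a production audit the benchmark document itself remains the authority on which items apply at each level.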