One thing stands out to me when testing Apache-based applications, though: accompanying software such as OpenSSL, PHP, MySQL and so on is often out of date. This speaks more to a system patching and change management problem within the organization than it does to the security of the platform itself. However, it's a problem nonetheless, and it can create pretty big issues if it's not managed properly.
Case in point: in my Web security assessments I often come across the OpenSSL ASN.1 vulnerability, which dates back to 2003, on Apache systems. I often get pushback from developers regarding the relevance of this flaw. However, the source code to exploit this flaw is readily accessible on the Internet, and anyone can download, compile and run it to bring your Apache-based systems down. Numerous other similar vulnerabilities exist as well. The bottom line: Apache is as good as the administrators and developers who configure and maintain the system.