There is one thing that stands out to me when testing Apache-based applications though. It's that accompanying
software such as OpenSSL, PHP, MySQL and so on, are often out of date. This speaks more to a system patching and change management problem within the organization than it does to the security of the platform itself. However, it's a problem nonetheless which can create pretty big issues if it's not managed properly.
Case in point, in my Web security assessments I often come across the OpenSSL ASN.1 vulnerability on Apache systems which dates back to 2003. I often get push back from developers regarding the relevance of this flaw. However, the source code to exploit this flaw is readily-accessible on the Internet that anyone can download, compile and run to bring your Apache-based systems down. Numerous other similar vulnerabilities exist as well. The bottom line: Apache is as good as the administrators and developers who configure and maintain the system.
Dig deeper on Internet Application Security
Related Q&A from Kevin Beaver
Although there are many tools and best practices for password policies across remote offices, it's important to remember the basics for Windows ...continue reading
Companies without security expertise in-house may consider outsourcing security testing. Security expert Kevin Beaver suggests this is the wrong path.continue reading
Denial-of-service attacks may be impossible to prevent, but that doesn't mean there aren't ways to protect Web applications from them.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.