On Sat, 28 Aug 2010, Bob McConnell wrote:
To: CentOS mailing list <centos@centos.org>
From: Bob McConnell <rmcconne@lightlink.com>
Subject: Re: [CentOS] Strange Apache log entry
The best way to attack this problem is to take a close look at the known issues and make sure your code doesn't expose any of them. Start by reading the OWASP[1] web site. Their annual Top Ten[2] list of vulnerabilities is a good place to start. They also have sample code snippets in a variety of languages to sanitize and validate input. We utilize both their recommendations and code in a number of our sites. It gives us a good start toward PCI compliance.
Another excellent resource is the "SANS-CWE Top 25 Most Dangerous Programming Errors"[3]. This applies to all applications that have network access, not just web pages. The press release[4] explains what the list contains.
Bob McConnell N2SPP
[1] http://www.owasp.org/index.php/Main_Page
[2] http://www.owasp.org/index.php/OWASP_Top_Ten_Project
[3] http://www.sans.org/top25-software-errors/
[4] http://www.sans.org/top25-software-errors/press-release.php
Thanks Bob, and everybody else that made suggestions. I've saved this email for further reference.
So if you are offering web hosting services, it's a fine balance between securing the server and allowing users to write their own scripts (which may have vulnerabilities) to host on your server?
Keith