Security Auditing

Discussion in 'General' started by zoom, Mar 24, 2008.

  1. zoom

    zoom Well-Known Member

    I'm in the process of trying to convince the powers that be to move to LiteSpeed. The biggest question is of course is security. I know from playing with Litespeed that it supports a number of nice features which allow securing the webserver quite easy. Not to mention the performance benefit using the LiteSpeed LSAPI vs SuEXEC or SuPHP.

    All that aside can you tell me if LiteSpeed is independently audited for security?
  2. [QT]bender

    [QT]bender Member

    If you mean PCI compliance audits, then yes, it's not so hard to configure LiteSpeed in the way, PCI tests require(SSLv3, ciphers, TRACE/TRACK, HTTPS authentication form)... Much easier than configuring Plesk to be secure...
  3. brrr

    brrr Well-Known Member

    I think the original poster means if the source code of Litespeed has been independently audited for compliance with secure coding best practice.
  4. [QT]bender

    [QT]bender Member

    As far as I know there is no official certifications on code compliance. I mean, there should be a standards written by someone like VISA and additionally there should be a companies which implements such certifications. There a kind of service on VISA compliance, which evaluate if your server is secure and services of checking your company infrastructure(you are not secure if a guy from the street can stole your server from the data center :) )

    I know only two remote services of checking server for PCI compliance - HackerGuardian and Comodo. And don't know if someone has already made a standards of secure code writing. There is a project OWASP(The Open Web Application Security Project), but currently they are not doing any third-party code audits or certifications.
  5. brrr

    brrr Well-Known Member

    There are two parts to the issue, if you like - the security of the code internally, and the security of the code (and the platform) against external threats.

    VISA compliance is just about the external threat, although they do make some suggestions (eg about data encryption etc) that relate to the internals. PCI compliance scans like Comodo are useful but are not a rigorous check of your external security or internal code.

    Secure software coding has no 'official' certifications but there are standards and practices, and interesting directions evolving - eg from CERT - - around specific languages like C++ - and there a slew of broader standards around software development and security management more generally - eg the ISO/IEC 15408 security evaluation framework and of course the ISO/IEC 17799 information security standard.

    There are people who you can ask to do audits against such standards or best practice guidelines - just look in the Yellow Pages or Google. The big consulting and IT houses can do these as well as a slew of security specialists.

    Even without any adopting 'official' ISO standards or external audits, you can have your own strong internal procedures for ensuring secure coding - MS has evolved a whole set of them ( the Trustworthy Computing Security Development Lifecycle or SDL) and is using them when they write code that faces external threats (and products like IIS have benefited greatly from that), Google has done the same around the production of it's own code.

    That is in fact the best way to do it, because code changes so fast in most modern 'software factories' you need an on-going system in place to constantly help ensure secure code is being produced day in day out.

    When you do a software audit you really are only able to effectively do it on a frozen-in-time 'snapshot' of a particular build of a product. Meanwhile in the real-world the codebase may have moved on. So you need something in place all the time.
  6. [QT]bender

    [QT]bender Member

    MS must be writing a secure code? :)

    So, then additionally third-party software(OpenLDAP, OpenSSL, PHP), which are used by LiteSpeed must be certified too as far as I understand. :)
  7. brrr

    brrr Well-Known Member

    Yeah, that's the problem. LSWS runs atop and alongside a whole heap of third-party code, and depends on much of it, in some ways critically. So they would also need to meet a certain level of trust. It can be done, but it's harder to get all the boxes ticked.

    At least when MS are cooking up a solution, they write and own everything right up from the networking code to the OS to the web server etc, so they can tighten it all up together and audit it all as a package.

    Oh, and yes, MS can write secure code. IIS is now extremely secure and stable. I get all the security vulnerability newsletters and you could count the publicly identified vulns on any version of IIS since about 2003 on one hand, if that, in marked contrast to just about every other web server out there, esp. stuff like Apache 1x or 2x. They did a good job with IIS. Credit where credit is due.
  8. mistwang

    mistwang LiteSpeed Staff

    IIS is getting better for sure.
    Maybe it is just a perception, generally, Unix/Linux is secure than windows, especially for multi-user environment. The permissions can be set to prevent one user from peaking another user's file, even when scripts running on the server are vulnerable.

    Another factor need to be considered is what kind of platform user need. IIS+ASP? or Apache+PHP? If you need some Apache interchangeable solution, LSWS should be on top of your list. :)
  9. brrr

    brrr Well-Known Member

    Absolutely. LSWS seems the best Linux /Apache compatible commercial web server, in terms of bang for buck, which takes into account performance, stability and responsive support.

    LSWS security track record also seems OK, since there haven't been that many reported vulns in the product over the years.

    But then again if LSWS was perhaps more popular the number of discovered vulns could be expected to increase. That's the way it goes, usually. Most hackers just won't bother with products that have low market share. So the absence of reported vulns may not necessarily mean LSWS is more secure than any other web server. I guess that's why people like the idea of some sort of audit.

Share This Page