[TYPO3-waf] [TYPO3-project-waf] WAF project: brainstorming

Dmitry Dulepov dmitry.dulepov+t3ml at gmail.com
Wed Jan 27 09:33:54 CET 2010


Hi!

On 2010-01-27 09:13:34 +0200, Xavier Perseguers said:
>> - rule set will be updated as often as necessary
> 
> I thought of a way to automate this for users that are aware of 
> security, want to do something against attacks but "trust" the updates 
> or are not able to really review updates before applying changes.
> 
> I thought that some kind of "control panel" in TYPO3 (optional) may be 
> great too, for instance to read some comments about latest update or to 
> gather some statistics.

I thought more of rsync-like updates (or wget updates). We could also 
have an RSS feed of the latest changes.

Most of the rules should go to the Apache config, not to .htaccess, for 
performance reasons. So automated updates are preferable.

>> - WAF is NOT a replacement for TYPO3 security updates, it is a
>> prevention and rescue solution, not a tool to use instead of security
>> updates
> 
> I agree here as well.
> 
> I would add Suhosin as well (optional) as it provides some interesting 
> features too.

This requires PHP recompilation, right? But we can provide settings for 
Suhosin anyway.

I think there is also another project like Suhosin: "Hardened PHP" or 
something. I did not look into it but it is worth doing so...

-- 
Dmitry Dulepov
"Trust me, I am a doctor!" (c) Gregory House, M.D.


