The prevalence of accidents, like that of vulnerabilities, tells us there is no perfect thing. And even if any given vulnerability is unexpected, we know from experience that the existence of vulnerabilities is inevitable. Hackers know this too, of course, and a determined hacker will use whatever tools are available to him to find vulnerabilities to exploit. One of the most obvious tools for a hacker is research, and simply inspecting the data your application publishes about itself can yield helpful information to a hacker. But how much data your application makes available to hacker research is within your control. It is feasible to mitigate the risk of hacker research by implementing policy compliance best practices. As a Policy Compliance signature developer, I will take Apache HTTP Server as an example to illustrate how applications can leak data that is helpful to hackers, and how you can prevent it.

Continue reading …