You've toiled for hours crafting your firewall rules and hardening your email and DNS services. You believe that no evil force could breach your fortress walls. But now you blast a hole straight through those walls to a port on your server. Then you let anyone in the world run programs on your server at that port, using their own input. These are signs of an unbalanced mind, or of a web administrator.
The Web has many moving parts and is a frequent source of security problems. In this chapter, I assume that you are hosting web servers and are responsible for their security. I dwell on servers exposed to the Internet, but most of the discussion applies to intranets and extranets as well. The platform is LAMP: Linux, Apache, MySQL, PHP (and Perl). I'll talk about A, M, and P here (with no slight intended to Java, Python, or other good tools). Protect your whole web environment (server, content, applications) and keep the weasels out of your web house.
For other views and details on web security, see Lincoln Stein's World Wide Web Security FAQ (http://www.w3.org/Security/Faq/) and the book Web Security, Privacy and Commerce by Simson Garfinkel with Gene Spafford (O'Reilly).