7 posts categorized "Feisty Duck"

April 21, 2010

Apache Security 1ed now available from Feisty Duck

Apache Security was originally published by O'Reilly in 2005, and it was very well received. Soon after publication, it was heralded as the best Apache security resource, according to many. Contrary to my expectations, it also aged very gracefully, which is probably why it continues to be popular. As much as I wanted to release an update, I struggled for years to justify a second edition. When I finally could, it turned out that O'Reilly was not too keen on the idea.

[Note: This blog post contains the entire preface to the digital reprint edition of Apache Security. More information on the book is available from the Feisty Duck web site.]

That was an opportunity for me to do things differently. As much as I enjoyed working on Apache Security a few years ago, the process was traditional and slow. It was a new digital age and we had all the advanced technology at our fingertips, yet we were still producing books the old-fashioned way. I wanted more. Above all, I wanted the ability to update my books whenever I felt the need. Unable to find a publisher that supported the process I wanted, I started my own publishing company. Feisty Duck, as my wife and I named it, is a publisher of computer books, with special focus on continuous publishing and digital delivery.

We are now releasing what is pretty much the original Apache Security, in digital format only, in order to establish a starting point for the second edition, which will be published by Feisty Duck at some point in the future. The known errors in the book have been fixed. If further errors are discovered, they will be fixed, too, and the digital version will be updated.

You may wonder whether the first edition of Apache Security is still worth paying for. After all, it has been five years since the first edition. Here's what I think:

  • The only part of the book that is completely obsolete is the ModSecurity chapter. I have only myself to blame for that, because I completely rewrote ModSecurity itself in 2006. If ModSecurity is what you're after, you should look at my other book, ModSecurity Handbook (Feisty Duck, 2010). You will find more information about it at https://www.feistyduck.com.
  • Chapter 10, "Web Application Security," was the best introduction to the topic at the time of the original publication. It remains a good introduction, but there have been many advances and discoveries since it was written. These days, you actually have to read several books to get decent coverage of web application security, and complete coverage is virtually impossible.
  • The same can be said for Chapter 11, "Web Security Assessment": it's still good, but it's just not enough any more.
  • The rest of the book remains pretty solid. Five years later, some aspects are not entirely accurate, but what is in the book is still very useful. You will find that the general principles of web server security haven't changed at all.

To conclude, Apache Security is still a good book, although it will no longer serve all audiences equally well. To paraphrase a recent Amazon.com reviewer, if you are at the beginner or intermediate levels, it will work for you. If you are an advanced user, it may not. If you are not sure, the best thing to do is decide by looking at the table of contents.

April 12, 2010

Lua Programming Gems PDF now available from Feisty Duck

Lua Programming Gems is a collection of articles recording some of the existing wisdom and practice on how to program well in Lua. As of a couple of days ago, the PDF version is available from the Feisty Duck store.

Here's the complete blurb:

This collection of articles records some of the existing wisdom and practice on how to program well in Lua. In well-written articles that go much beyond the brief informal exchange of tips in the mailing list or the wiki, the authors share their mastery of all aspects of Lua programming, elementary and advanced. The articles cover a wide spectrum of areas and approaches, with authors from both the industry and academia and titles about game programming, programming techniques, embedding and extending, algorithms and data structures, and design techniques.

March 15, 2010

ModSecurity Handbook in print

Well, now it is official. Feisty Duck's first book, ModSecurity Handbook, is in print as of March 15, 2010.

March 11, 2010

ModSecurity Handbook shipping soon!

It's been an adventurous journey, but we are nearing a major milestone: the official publication of the first book published by our publishing company, Feisty Duck! We've just received a batch of ModSecurity Handbook paperbacks and we're enjoying them in all their glory. Two further batches are on their way to our warehouses (one in the US and one in the UK), from where they will be shipped to early adopters. (If you're one of the early adopters, you will soon get an email from us with more information.)

Our work is nowhere near the end, however, because now we need to focus on reaching out to the book's audience to inform them that the book exists.

If you haven't purchased the book yet, now would be a very good time: because the official publication date is the 15th, we'll be maintaining the pre-order discount for a little while longer. You only have about 4-5 days to take advantage of the 25% discount. Buy now!

January 19, 2010

Programming in Lua 2ed now sold by Feisty Duck (PDF only)

The Feisty Duck book store yesterday increased the number of titles on offer by 100%, adding the digital version of Programming in Lua 2ed, written by Roberto Ierusalimschy.

If you don't know about Lua, it's a very nice embeddable scripting language, with low memory consumption, a very fast interpreter, and an even faster just-in-time compiler. I loved it so much I added it to ModSecurity, and it is now possible to write rules in a proper programming language. It's great for those times when you have complex requirements. I am seeing Lua slowly but surely taking over the open source world (when embedding and fast and reliable operation are required). It's already in ModSecurity, Snort 3.x is using it, and in the future it will be part of Apache too.

The book itself is very good too, with a 5-star score in Amazon.com reviews.

November 26, 2009

ModSecurity Handbook available for pre-order and early access

ModSecurity Handbook, which I announced a couple of days ago, is now available for pre-order and early digital access. We managed to meet our self-imposed deadline and have everything ready for November 24th, actually.

This book is a big deal, in more ways than one:

  1. It took me more than 5 years to gather the courage to start writing another book (after Apache Security, which I started writing in 2004).
  2. This book is about ModSecurity, a project that is very dear to my heart. It makes me very happy that I will document everything I know about it.
  3. I am releasing the book early because I want to interact with the readers while the content is still not finalised. With Apache Security I ended up being terribly unhappy because I was writing in isolation and because I couldn't seek feedback from the readers prior to publication.
  4. To publish this book (and all my subsequent books), my wife and I started a publishing company and dealt with all the stuff that publishers have to deal with. The learning curve wasn't very difficult because of my previous experience in publishing, but there were a lot of things to do.
  5. This book will be a living book. I intend to keep it up to date at all times, keeping up with the changes in ModSecurity. We've invested a significant amount of time into polishing a single-source publishing system, where the manuscript is kept as XML (DocBook, stored in a Subversion repository) and automatically converted to any of the supported formats (only PDF at the moment, but several forms of PDF, HTML and ePub in the near future). The system allows me to make changes and push updates instantly to all the readers!

The work is far from done, of course. First, I need to finish the book. Second, we'll have to figure out how to promote it effectively, and I somehow suspect that will be the hardest part. Perhaps, when it's all done, I'll write a blog post called "Adventures in Computer Book Publishing".

Update: The official Reference Manual and Data Formats Guide have been added to the book. There are about 230 pages of material right now, with the final count expected to be close to or over 300.

November 16, 2009

Announcing ModSecurity Handbook

It is a pleasure to announce my next book, ModSecurity Handbook, which features in-depth coverage of ModSecurity, an open source web application firewall. I am very happy because, finally, ModSecurity will have the documentation it deserves.

The main highlights are the following:

  • Step-by-step instructions for those just starting out
  • Detailed explanations of the internals, and advanced techniques for seasoned users
  • Includes the official ModSecurity Reference Manual and Data Formats Guide
  • Available in digital format (PDF, HTML and ePub, although not all straight away) and as paperback (once the first edition is complete)
  • Continually updated as ModSecurity evolves (with the updates included with purchase)
  • Readers can talk to me to shape the book to work better for them

The complete table of contents is available on the book's web site.

I estimate that the book is about 75% complete. In a week's time (on November 24th) it will be available for early access and pre-order. The idea with the early access is to avoid the problem I experienced with Apache Security -- writing in isolation. This time, I want to engage with my readers before my book is published.

Also, it is pretty important that this book is (and will be) continually updated. I have the entire publishing workflow automated so whenever I make a change to the book, the update is automatically made available to the readers. With this feature, again, I want to avoid the painful experience that I had with Apache Security, where for years I wanted to provide updates but I couldn't. (Apache Security readers, fear not, the second edition is being worked on.) In the future, I hope to evolve the publishing toolchain to enable readers to make comments straight to the HTML version of the book that is kept online.

ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
