Steps to become web security savvy

Question

Hi, I've been coding in C++, Matlab, and similar languages for scientific purposes for quite some time now, but I recently wanted to get into web programming. I've taught myself HTML and CSS and I've dabbled in Javascript, PHP, and mySQL. I would really like to start making more advanced, user-driven websites (if that makes sense - ultimately sites similar to twitter and facebook in functionality), but I am worried that I don't know enough about internet security and vulnerabilities to make sure that the programming decisions I make are secure/safe.

What suggestions do you have or information can you offer me that will help me be confident in the security of the code that I produce.

If none of this makes sense or you would like some clarification, just ask.

Answer 1

Check out Writing Secure Code by Michael Howard and David LeBlanc from Microsoft Press. It's got a lot of good information on secure coding in general as well as a chapter or two specific to web programming. It's a Microsoft book but most of the ideas translate to whatever language you are working in.

Link to Amazon.

Answer 2

1. Validate all user input, never use it verbatim in other text-based protocols (SQL, HTML, XML, JS). Try to think about any imaginable way to crash you software via specially crafted input and prevent it.

2. Verify user identity. Think about any imaginable way someone can intercept user's identification information and do something bad on his behalf. Prevent it.

This is basically it.

Answer 3

I'd say to start off with looking into SQL Injection, Cross site scripting and Cross site request forgery. Those should give you an idea of the kind of things to watch out for and get you into the right mindset (never trust user input to be what you think it will be or what it "should" be)

Answer 4

You'll want to learn about SQL injection attacks, cross-site-scripting attacks, and you'll have to develop a healthy paranoia regarding how you manage input to your system. This includes learning how to sanitize user input, how to properly use sessions to save state across pages, and how and when to use SSL.

You will also want to be aware of the prevalence of FTP account hacking, the dangers of shared hosting environments, and general ways that web servers can be exploited.

There are a few books that cover PHP/MySQL security issues specifically that you might find useful.

Answer 5

I recommend The Art of Software Security Assessment by Mark Dowd, John McDonald and Justin Schuh. It is big, but worth ploughing through.

Answer 6

Input (and output) validation are very important, as pointed out above, and so is identity management. But there is definitely more to writing a secure web application.

Start by getting familiar with the free tools and resources at OWASP http://www.owasp.org and subscribe to their news feed.

Get some kind of foundational training in web security: I recommend the online Advanced Software Security program at Stanford University http://scpd.stanford.edu/computerSecurity/, at least take the Foundations course it is worth it if you need someplace to start.

Check out the training programs and other resources at the SANS Institute http://www.sans.org, get on their vulnerability email list and other email lists. SANS offers a course in secure PHP programming http://www.sans.org/securitywest09/description.php?tid=2142.