Where can I find a web-project "security checklist?"

Question

I'm looking for a complete list of security guidelines for programming and deploying PHP web sites and applications on an Apache (Linux) server. Basically, a "security check list" to run through before finishing a project. I.e.,

1. Cross Site Scripting
2. Cross Site Request Forgery
3. Sanitize form data that goes into database
4. Disable register globals and error reporting in custom php.ini
5. Upload files below web root ...(the list goes on)

I did some searching on the internet and in this forum, but couldn't find a comprehensive, succinct, and complete list of guidelines.

Thanks in advance.

Answer 1

I'd say you should find plenty of informations on the OWASP website, on the matter of vulnerabilities in web applications, and informations on how to help make yours more secure.

(But there is so much to say about that subject that you might actually get "more" informations than you'd first like...)

Answer 2

I think there are two main categories, which should be considered:

Configuration & installation (for example): http://aymanh.com/checklist-for-securing-php-configuration Programming (example): http://www.jemjabella.co.uk/blog/php-security-checklist

Other ideas?

Answer 3

Take a look at OWASP’s Development Guide.

Answer 4

Check out this link "Seven habits for writing secure PHP applications":

http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

The IBM articles are always very useful, thanks.

PS: also this "Recommended PHP reading list"

http://www.ibm.com/developerworks/opensource/library/os-php-read/#security