Hello Stackers,

Right now I'm learning about the CakePHP framework, and I just wanted to know what makes CakePHP secure. How secure are its components, for example the authentication component? Also, what can we do as developers to increase the security of our CakePHP-based web application?

Also do you guys recommend any books or sites to learn more about CakePHP security?

Hope to hear from you guys soon. Thanks

+1  A: 

The CakePHP framework has been around for quite some time (since 2005) and is open source software. This means its code is available for review by any developer, or non-developer, who wishes to do so. Both the CakePHP community and security communities have had ample time to review the code base and find/correct potential security issues. That doesn't mean that the software is perfect but with CakePHP being so popular you can bet it's been reviewed quite thoroughly and if there are any flaws in it they are deep and very difficult to find/identify.

But keep in mind, just because the code in the framework is secure doesn't mean using it makes your code secure. You still need to follow secure coding practices because your code base can be vulnerable regardless of the security level of the framework you use.

John Conde
Thanks John, one of the reasons I asked this question is that when I looked into making a full-on authentication system without using CakePHP, I noticed that a big part of it was related to security issues. Things like data validation, protecting against SQL injections, and so on. So by adopting a framework (CakePHP) I ASSUMED there would be some safeguards built in against some of the things I just mentioned. Is my assumption correct? Also, anything in particular that developers always do to have secure code? Again, thanks in advance :)
amirrustam
I'm not familiar with CakePHP as I have never used it, so I am unsure what kind of enforcement and tools it offers for secure programming. It may offer tools to handle data validation and sanitation for you, but you probably will need to explicitly use those tools as I doubt they will be automagical.
John Conde
@john you mentioned "secure coding practices"; can you please give some tips or some reference?
RSK
Start with this: http://phpsec.org/projects/guide/
John Conde
A: 

I agree with John. I guess you would like also to read about data sanitization and Security component in CakePHP.

bancer
A: 

Cake security is pretty good, but everything has holes. For an ultra secure site, I'd be researching known security holes and blunders and testing the site against those cases. It simply isn't enough to rely on someone else's statement of a degree of security.

Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable.

All said, I'm impressed with Cake's inbuilt security and haven't had to modify it yet.

Leo
+2  A: 

Leo: Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable.

Sorry Leo, but I disagree. Every site you build, you do so with the utmost care of security in mind, regardless of what type of site it is. Suppose for example you've built this very tight super-duper hacker-safe site. You host it on a shared server, and guess what... someone got access to your safe site via a hole in your less safe site, or even the entire server.

I know, it's a doom theory, but I believe stuff like this happens on a daily basis.

Amelia
+1  A: 

Cake follows best practices in many areas, and has pretty secure tools built-in. You won't need to worry about SQL injection for example, since Cake's database abstraction properly escapes all input. Where it doesn't, the manual warns you appropriately:

updateAll(array $fields, array $conditions)

! The $fields array accepts SQL expressions. Literal values should be quoted manually.

Using the SecurityComponent you get automatic form spoofing protection.
Data validation is a big integrated part of models.
The AuthComponent hashes and salts passwords properly.
There's a handy h() shortcut for htmlentities that you should use to escape output to avoid XSS problems.
Et cetera perge perge...

You will still have to use all the components correctly though and be careful not to open any "custom" holes. Cake is only a toolbox, it's still perfectly possible to build a horrendously insecure application using it. You can still shoot yourself in the foot, no matter how good the gun. The link provided by John is indeed a good starting point.

deceze
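To make the updateAll() caveat and the h() rule from the answer above concrete, here is an added example (not code from the original post or from the CakePHP project) in the style of a CakePHP 1.3 controller; the Post model, its `title` and `user_id` columns, and the `rename` action are assumed.

```php
<?php
// Added example. Assumed: a Post model with `title` and `user_id` columns;
// the controller and its `rename` action are hypothetical.
class PostsController extends AppController {
    // SecurityComponent gives form-spoofing protection, AuthComponent
    // identifies the logged-in user, SessionComponent carries the flash.
    public $components = array('Security', 'Auth', 'Session');

    public function beforeFilter() {
        parent::beforeFilter();
        // Reject anything but a POST to the action that modifies data.
        $this->Security->requirePost('rename');
    }

    // Renames every post owned by the logged-in user.
    public function rename() {
        $userId = $this->Auth->user('id');
        $title  = $this->data['Post']['title'];

        // UNSAFE: updateAll() treats each $fields value as a raw SQL
        // expression, so an unquoted user-supplied string would be placed
        // into the UPDATE statement verbatim (this is what the manual's
        // warning is about).
        // $this->Post->updateAll(
        //     array('Post.title' => $title),
        //     array('Post.user_id' => $userId)
        // );

        // SAFE: quote the literal through the datasource first, so it is
        // passed as a properly escaped SQL string literal.
        $db = $this->Post->getDataSource();
        $this->Post->updateAll(
            array('Post.title' => $db->value($title, 'string')),
            array('Post.user_id' => $userId)  // $conditions are escaped by Cake
        );

        // Output side: h() escapes the user-controlled value before it is
        // rendered in the flash message, avoiding reflected XSS.
        $this->Session->setFlash('Renamed your posts to ' . h($title));
        $this->redirect(array('action' => 'index'));
    }
}
```

The $conditions argument and normal save() calls are escaped by Cake's database layer; only the $fields argument of updateAll() needs the manual quoting shown here.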