views: 60
answers: 3

Hi guys, I've been looking into PHP security for over a month. After all the posts, tutorials, comments, replies to comments, making fun of comments, and then some more comments, I'm left pulling out my hair; while I admit I have really thick hair, at this rate I'll be bald in no time.

It seems that there is NO GOOD GUIDE to security, plain and simple! All you find is bits and pieces that contradict each other most of the time and are very hard to put together, especially for aspiring developers.

In an effort to end this once and for all, I propose a community project, where we start a moderately complex site and go through it bit by bit, discussing how best to secure and optimize it, so that once it is done:

  1. It can be examined by people to see how to secure a common application,
  2. Can be easily modified and updated as needed to cope with new security and
  3. PROVIDE A GOOD GUIDE ON PHP SECURITY.

If anyone has a better idea, I am open to suggestions; the alternative would be to actually create a comprehensive but understandable guide which takes you from A to Z of security (as best as we can, of course).

Sorry for the ranting, but I'm sure many many people would appreciate the effort.

+5  A: 

I think there are already some very useful resources that tell us about security issues, any found vulnerabilities with up-to-date content.

And finally, here is a good official security guide:

And of course you can find any possible bugs/vulnerability fixes at PHP's bugs section:

Sarfraz
+1  A: 

The reason there is no such guide is that security is not something you can describe in one guide. I'm following a two-year master's program focused only on security, and you cannot put that into one guide, not even if it is specific to PHP.

Having said that, if you're concerned with the programming bugs which lead to security vulnerabilities (XSS, CSRF, SQLi, HPP, etc., etc., etc.), you should study the subject of software security (for PHP). However, this only gives you insight into the basics.

However, if you want to make a decent access control layer, you cannot do that solely based on your guide about software security for PHP. If you want to prevent side-channel attacks (timing attacks etc.), you should study that topic.

The point is, it is so broad that it cannot be covered in a guide.

Henri
I'd say the biggest threat in the wild is the way sessions and validation cookies are managed/generated, after that you fall into variable injection, then problems like server passwords and sloppy code.
I don't agree, user; according to almost all statistics, cross-site scripting and (SQL) injection are exploited (and present in software) more than session issues.
Henri
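The bug classes Henri lists (SQL injection, XSS, CSRF) and the side-channel point he raises each have a distinct, small defensive control in PHP, which is part of why no single guide covers them. The following is an added example, not code from this thread or from any of its posters; it assumes a PDO connection in `$pdo`, an active session, and a hypothetical `users` table with `id` and `email` columns.

```php
<?php
// Added example (not from the thread): one defensive control per bug class.
// Assumptions: $pdo is a PDO connection, session_start() has been called,
// and the "users" table with "id" and "email" columns is hypothetical.
declare(strict_types=1);

// SQL injection: never interpolate user input into the query text;
// bind it as a parameter so the database treats it purely as data.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Cross-site scripting: escape on output, for the context the value lands
// in (here an HTML body or attribute). ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// CSRF: a per-session random token that is embedded in every form and
// checked on every state-changing request.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Side channel: a plain "==" on strings returns at the first mismatching
// byte, so response time leaks how many leading bytes were correct.
// hash_equals() takes the same time regardless of where the strings differ.
function csrfTokenValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf'], $submitted);
}

// Usage sketch for a POST handler (constructed, not a real route):
// session_start();
// if (!csrfTokenValid($_POST['csrf'] ?? null)) { http_response_code(403); exit; }
// $user = findUserByEmail($pdo, $_POST['email'] ?? '');
// echo '<p>Hello ' . h($user['email'] ?? 'stranger') . '</p>';
// echo '<input type="hidden" name="csrf" value="' . h(csrfToken()) . '">';
```

Each function addresses exactly one of the classes named in the answer; none of them helps with the access-control design Henri mentions, which is a separate body of knowledge.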
+1  A: 

A lot can go wrong with web applications. The OWASP Top 10 tries to address this large problem. At the end of the day there are programmers that just don't get it, and the vast majority will never get it. I recommend getting the perspective of a hacker, and for that I like A Study In Scarlet. The most important part of this paper is "Language Vs Programmer".

Rook