What Is Security
- Security is a measurement, not a characteristic, quality or feature:
– It is unfortunate that many software projects list security as a simple requirement to be met.
- Security must be balanced with expense:
– It is easy and relatively inexpensive to provide a sufficient level of security for most applications. However, if your security needs are very demanding because you’re protecting information that is very valuable, then you must achieve a higher level of security at an increased cost.
– This expense must be included in the budget of the project.
- Security must be balanced with usability:
– It is not uncommon for steps taken to increase the security of a web application to also decrease its usability.
– Passwords, session timeouts and access control, for example, all create obstacles for a legitimate user.
– Sometimes these are necessary to provide adequate security, but there isn’t one solution that is appropriate for every application.
– It is wise to be mindful of your legitimate users as you implement security measures.
- Security must be part of the design:
– If you do not design your application with security in mind, you are doomed to be constantly addressing new security vulnerabilities.
– Careful programming cannot make up for a poor design.
– After all the hard work you put in to make your site look good and responsive for your users, the last thing you want is for a malicious hacker to come along, perform a PHP hack and break it somehow.
Why security
- Damage to users
– This can include the exposure of emails, passwords, personal identity data, credit card details, business secrets, family and friend contacts and transaction history; the loss of such information damages the user (person or business).
– Damage can also arise from the web application misusing such data or by playing host to anything that takes advantage of user trust in the application.
- Damage to Company
– Due to user damage, loss of good reputation, the need to compensate victims and partners, the cost of any business data loss, infrastructure and other costs to improve security and clean up the aftermath, travel costs for when employees end up in front of regulators and so on.
Basic Steps to Prevent Security Issues
- Consider illegitimate uses of your application
– A secure design is only part of the solution. During development, when the code is being written, it is important to consider illegitimate uses of your application.
– Often the focus is on making the application work as intended, and while this is necessary to deliver a properly functioning application, it does nothing to help make the application secure.
- Educate yourself
– The fact that you are here is evidence that you care about security, and as ordinary as it may sound, this is the most important step.
– There are numerous resources available on the web and in print, and several resources are listed in the PHP Security Consortium’s Library at http://phpsec.org/library/.
- If nothing else, Filter all external data
– Data filtering is an essential part of web application security in any language and on any platform.
– By initializing your variables and filtering all data that comes from an external source, you will address a majority of security vulnerabilities with very little effort.
– A whitelist approach is better than a blacklist approach.
– This means that you should consider all data invalid unless it can be proven valid (rather than considering all data valid unless it can be proven invalid).
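The whitelist approach described above, as an added example that is not part of the original slides: every field starts initialised to a safe default and is only replaced by the request value once that value has been proven valid. The field names, the allowed sort columns and the request data are constructed for the illustration.

```php
<?php
// Added example (not from the original slides): whitelist filtering of
// external input in PHP. Field names and the sample request are constructed.
declare(strict_types=1);

// The only sort columns a request is allowed to select.
const ALLOWED_SORT = ['name', 'created_at', 'price'];

/**
 * Build a $clean array from $input using whitelist checks only.
 * Every key is initialised first, so nothing from $input reaches $clean
 * without passing a check; rejected fields are listed in $errors.
 */
function filterInput(array $input, array &$errors): array
{
    $clean  = ['username' => null, 'email' => null, 'age' => null, 'sort' => 'name'];
    $errors = [];

    // username: letters, digits and underscore only, 3 to 20 characters.
    $u = $input['username'] ?? '';
    if (is_string($u) && preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $u)) {
        $clean['username'] = $u;
    } else {
        $errors[] = 'username';
    }

    // email: must satisfy PHP's built-in e-mail validator.
    $e = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($e !== false) { $clean['email'] = $e; } else { $errors[] = 'email'; }

    // age: an integer inside a sane range; FILTER_VALIDATE_INT rejects "29abc".
    $a = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 0, 'max_range' => 130]]);
    if ($a !== false) { $clean['age'] = $a; } else { $errors[] = 'age'; }

    // sort: must be one of the known column names (strict comparison).
    $s = $input['sort'] ?? 'name';
    if (in_array($s, ALLOWED_SORT, true)) { $clean['sort'] = $s; } else { $errors[] = 'sort'; }

    return $clean;
}

// Constructed request data standing in for $_POST. The sort value contains
// no "dangerous" characters, so a blacklist would let it through, yet it is
// not a permitted column and the whitelist rejects it.
$request = ['username' => 'alice_01', 'email' => 'alice@example.com',
            'age' => '29', 'sort' => 'password'];
$clean = filterInput($request, $errors);
var_dump($clean, $errors);   // sort stays at the safe default, errors = ['sort']
```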
How to Check for PHP Vulnerabilities
- The best way to check whether your applications are vulnerable to PHP hack attacks is to use a Web Vulnerability Scanner.
- A Web Vulnerability Scanner crawls your entire website and automatically checks for vulnerabilities to PHP attacks.
- It will indicate which scripts are vulnerable so that you can fix the vulnerability easily.
- Besides PHP security vulnerabilities, a web application scanner will also check for SQL injection, cross-site scripting and other web vulnerabilities.