Forgot your password?
typodupeerror
Security The Internet

Website Security Without Breaking the Bank? 195

Posted by kdawson
from the man-who-is-his-own-lawyer dept.
An anonymous reader writes "I do my own Web design and have a few websites — MySQL, PHP, CSS, HTML, that kind of thing. It's simple, amateur stuff, but I would love to have some reasonable ways to assess their security myself and patch the big holes, or possibly enlist someone to do 'white hat' work to assist me. I have absolutely no idea how to proceed. I don't want to get mired in a never-ending paranoia-fueled race to patch holes before the hackers find them, but on the other hand, I don't want my websites to look like Swiss cheese. Right now, I wouldn't know what kind of cheese they look like: Swiss, Havarti, or hard as Parmesan. How can I take reasonable steps to protect these websites myself? What books has the community found useful? What groups (if any) can offer me inexpensive white-hat hacking that won't end up costing me a first-born child? Or am I better off just waiting until a problem arises and then fixing it?"
This discussion has been archived. No new comments can be posted.

Website Security Without Breaking the Bank?

Comments Filter:
  • by Xenna (37238) on Tuesday February 10, 2009 @02:32AM (#26794213)

    What's the URL? ;)

  • by kamakazi (74641) on Tuesday February 10, 2009 @02:36AM (#26794237)

    You still need to do homework. I realized a while ago that I not only lack a good understanding of potential weaknesses in my sites, but I also lack the knowledge needed to actually do the forensic log analysis if I was to actually get exploited. Along the lines of the original post, what good introductory tools are there that relate to forensic log analysis?

    • by arogier (1250960) * on Tuesday February 10, 2009 @02:44AM (#26794279) Homepage Journal
      Better to shoot for Colby Jack for the time being. A nice blend of cheeses that get along well enough to accomplish the sites purpose and conspicuously lacking in holes. A parmesan site will generally have issues of its own related to its crumbling interfering with functionality.
      • A parmesan site will generally have issues of its own related to its crumbling interfering with functionality.

        Not to mention everybody'll think your site smells like feet....

    • exactly (Score:5, Informative)

      by an.echte.trilingue (1063180) on Tuesday February 10, 2009 @03:52AM (#26794589) Homepage
      exactly right.

      Honestly, if the OP is in the situation where he is trying to find and patch holes, it would probably be a better idea to do a little homework and start the project over again and use good security techniques when writing.

      It is not that hard, really. You just have to remember never to trust user input. That means that you filter all of it, you don't rely on cookies for access control, and you don't trust the variables that the browser sent you (such as $_SESSION['http_referer']).

      As far as filtering is concerned, remember that php has a lot of filters at your disposal [w3schools.com] (just remember to strip new lines out of email addresses yourself, the filter misses that one). Another word of warning: if you are echoing user input out onto a page, it is much easier to use bb syntax than allow html tags through strip tags: the danger is that an attacker can get javascript attributes the filter and it is better just to avoid it.
    • by liquidpele (663430) on Tuesday February 10, 2009 @01:24PM (#26799433) Journal
      No idea if there are better free alternatives, but here you go:

      log analysis: logwatch [logwatch.org]
      rootkit detection: rkhunter [sourceforge.net], chkrootkit [chkrootkit.org]
      Browser IPS: mod_security [modsecurity.org] with gotroot [gotroot.com] rullset.

      There are also several website penetration testing softwares you can try or purchase. A google search will do you well - the only one I've used and know is good was webinspect [hp.com] by SPI dynamics (bought by HP now). It was very good at finding sql injection exploits.
    • Infosec really is complex enough that it is almost impossible to do it right unless you make a career out of it. If you try to do it yourself, you will fail.

      You have to hire a security expert to analyze your systems. Trying to do infosec "on the cheap" or DIY is like trying to do surgery on yourself. You attempt that and you wouldn't ask slashdot how to do that. Don't make the same mistake about infosec.

  • by hugetoon (766694) on Tuesday February 10, 2009 @02:36AM (#26794239)
    • by jofny (540291) on Tuesday February 10, 2009 @02:54AM (#26794343) Homepage
      I second OWASP. Getting familiar with this and taking care of these issues if they exist currently and keeping them in mind when you write new code well get you a long way initially.
    • by Foofoobar (318279)
      Can't agree more. Owasps tools and their manuals are great for people looking for answers on web security.
    • by encoderer (1060616) on Tuesday February 10, 2009 @11:44AM (#26797895)

      OWASP is invaluable for learning the WHY and HOW behind security.

      But for an amateur, I think the first best thing he could do is apply the Suhosin patch for PHP: http://www.hardened-php.net/ [hardened-php.net]

      This lets him worry about the why and how AFTER he's already closed many of the attack vectors a default PHP install leaves open. Especially if he's running below 5.2.x.

      Furthermore, PHP has been more security focused since 5.01. You can learn a lot about security just by reading the release notes, even if you don't think you're learning about security!

      For example, the filter_input() function. Instead of doing this:

      $phone_number = $_POST['phone_number'];

      do this:

      $phone_number = filter_input(INPUT_POST, 'phone_number', FILTER_SANITIZE_STRING);

      That simple change applied to all of your $_POST, $_GET (and/or $_REQUEST) look-ups will shut down most of your application-level attacks.

      Any PHP developer should learn and ALWAYS use the new Filter features: http://us2.php.net/manual/en/ref.filter.php [php.net]

      • $phone_number = filter_input(INPUT_POST, 'phone_number', FILTER_SANITIZE_STRING);

        I'm glad I've always used a wrapper function of some capacity for the $_POST, $_GET and $_FILE input methods.

        When I learned of filter_input all I had to do was slap it in the wrapper functions... versus going and changing every call to a much larger, more complicated function call.

  • You can write insecure websites using pretty much any tools, but if you're using MySQL and PHP, especially if you're using other peoples code in your app, you're probably going to end up with a security nightmare, regardless of how hard you try.

    It's possible to write secure code in PHP, but almost nobody does, and most of the PHP code that you can acquire easily is painfully insecure. A never ending race to patch a never ending series of holes means you've already failed at security. Depending on "white-hat

    • by Anonymous Coward on Tuesday February 10, 2009 @03:11AM (#26794413)

      It's possible to write secure code in PHP, but almost nobody does, and most of the PHP code that you can acquire easily is painfully insecure.

      Writing secure code with PHP is no more harder than with Perl/Java/Ruby... same rules apply. I would even say nowadays it's extremely easy - use PDO with prepared queries, and you've pretty much eliminated SQL injections. Don't reinvent the wheel - for example Zend Framework is pretty cabable and done most of the work for you which you'd probably end up doing.

      In a nutshell:
      Validate your goddamned data. Use prepared queries to prevent SQL injections. And so on. The language used itself has very, very little to do with security in the end.

      • Re: (Score:2, Informative)

        by Banacek (994201)
        Agreed with everything you said. You could write your own classes to turn PHP into acting strongly typed, then sanitize your data after it's been type checked, but that might be beyond the scope of this project. Save yourself some hassle and read this too: http://devzone.zend.com/node/view/id/168 [zend.com] It will help validating those inputs.
        • Re: (Score:3, Informative)

          Another useful read (albeit not focused on PHP per-se) is David Wheelers Secure Programming (http://www.dwheeler.com/secure-programs/)

          I have a simple guide when I write code, it's not flawless but it covers a lot of bases - every time I load a variable that has anything to do with generated content (i.e. from a user) I sanitise it - I don't report errors, I just strip out invalid characters (as a rule). It's not the best way to do it, but combined with a good site design it helps a lot.
      • In a nutshell: Validate your goddamned data. Use prepared queries to prevent SQL injections. And so on. The language used itself has very, very little to do with security in the end.

        Stored procedures are also good ways to avoid injection attacks...

        • by rho (6063)

          He said MySQL, so no stored procedures unless he's running > v5. I don't know what the penetration is for MySQL 5 in the hosting market.

          With PHP and most PHP-based Web sites stored procedures are overkill. Use ADOdb [sourceforge.net] or PDO and you'll get similar protection with less hassle.

    • Re: (Score:3, Funny)

      by arogier (1250960) *

      You can write insecure websites using pretty much any tools, but if you're using MySQL and PHP, especially if you're using other peoples code in your app, you're probably going to end up with a security nightmare, regardless of how hard you try.

      Taken to the extreme you could prepare you own active page servlet using FORTRAN and obfuscate the binaries, randomize query url generation, and run everything on your server through a microkernel operating system where you change all of the system calls and commands to things only you know.

      Then operate your website entirely anonymously with tenneling through tor between your actual webserver and the server putting up your domain.

      • FORTRAN: The RealUltimatePower?

        Seriously, though, if you're really, really intent on obfuscating the code, why not C-Intercal through CGI? Link! [muppetlabs.com]

        Sure, there are some minor performance hits, but it's hard to get more obfuscated.

    • by commanderfoxtrot (115784) on Tuesday February 10, 2009 @04:43AM (#26794749) Homepage

      You can write insecure websites using pretty much any tools, but if you're using MySQL and PHP, especially if you're using other peoples code in your app, you're probably going to end up with a security nightmare, regardless of how hard you try.

      That's the problem.

      Most of the pros on here can write good-quality, secure code, in PHP, RoR, whatever.

      It's the external libraries which are the gap. For example, look at phplist, which is used in many places [softpedia.com]. Now, every installation of it needs to be upgraded. Now. Right now.

      Unless you're a 100% fulltime sysadmin, you haven't got the time to be reading the security lists hourly and upgrading phplist etc when required.

      The OP is really asking: how do I make sure phplist and the other hundred Ruby gems or PHP add-ins are up-to-date and safe? And keep them that way?

    • by Yvanhoe (564877)
      Seconded. Doing MySQL/PHP websites is indeed easy, but doing them secure is where the real challenge is. Without any knowledge of common flaws, your current architecture is probably already unpatchable and would require a rewrite to secure. I may be overly pessimistic but there are so many ways to botch it when you don't know much that it would a miracle that you don't rely on a flawed feature.
    • by Lumpy (12016) on Tuesday February 10, 2009 @09:35AM (#26796337) Homepage

      The problem is that MOST sites that get 0wn3d are running phpbb or other very common and popular packages. They are getting better but they are still the most hacked because it's easy to identify what your site is using and then go and find the exploits for that site.

      the SAFEST is typically custom code. and go NUTS on everything that comes from a user treating it like it's a bomb every time. It causes the kiddie to take a LOT of time to crack you, they typically move along for easier fields quite quickly. Back in the early 2000's I used to taunt the "crackers" and "kiddies" if you tried banging on my telnet or ssh door, you were actually banging on my taunt the L0ser door. It would insult the hell out of them and make them think their bot got in because it would give a successful login every time and then taunt the hell out of them and "logoff" I had a single little turd in chicago banging on me for a month until he got his buddies involved and they DDOS attacked my box with all of them trying to attack 120 bored kiddies can bring down a T1 fast, it lasted for 3 days. Funny part was 4 of them was doing it from home and when I personally called their parents all the attacks stopped. (They were on Comcast cable modems and I worked for Comcast at the time so I got the customer contact info quite easily.)

      You more than likely do not have the resources I did, so dont provoke them. Taunting the lions is fun, but they now have an army of robots.

      Step 1 look through you logs DAILY. 99.999782% of all website admins do not do this. Sorry but you cant spot strange things without going through logs. get a parser that makes it easier, but do it.

      Step 2 learn to write secure php code and then write your sites scripts custom. Got a mailer for a contact us page? HARD CODE the to: address and get ready for the never ending fight to filter out spam.

      Step 3 Backups.. never TRUST a backup you make from the site, your only real backup is the files you created and uploaded.

      Step 4 review everything monthly go over stuff, look for broken or strange, go over all of it.. Look there's a wierd file in your ftp area.. how did that get there?

      If you are running phpbb or drupal or other "popular" scripts you needto update them weekly. phpbb has patches all the time and MOST dont get applied by sites that get cracked.

  • by mlgm (61962) on Tuesday February 10, 2009 @02:42AM (#26794271) Homepage

    The Open Web Application Security Project (OWASP) has a Top 10 list, which lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project [owasp.org]). This might be a good start.

  • A book couldn't hurt (Score:5, Informative)

    by Firehed (942385) on Tuesday February 10, 2009 @02:43AM (#26794275) Homepage

    I learned a decent amount from Essential PHP Security [is.gd]*. It doesn't cover everything, but should cover most of the crazy-stupid errors that crop up in a lot of novice php/mysql stuff. Not that the information isn't out there in plenty of places (just like every other topic humanity has ever thought up), but for twenty bucks it's nice to have a hard copy of the essentials in one place.

    *Yes, that's a referral link to amazon. But I'd recommend it either way for people getting started with securing their basic LAMP sites.

  • by syousef (465911) on Tuesday February 10, 2009 @02:47AM (#26794303) Journal

    It doesn't matter what you do after the fact to secure your web sites, if your scripting is full of holes, trying to plug them up after the fact isn't going to work. For example, you mention MySQL so I gather your code accesses one or more databases? If so do you know what a SQL injection bug is and have you reviewed your code for them? Nothing you do at the point of deployment is going to help fix a SQL injection bug.

    I'm afraid that if you're using MySQL and PHP you've moved from the realm of the very basic to something more advanced. You're no longer just talking about slapping static content on the web. People spend years learning how to do these things really well. You should find yourself a good book and get started. Start with a Google. It costs nothing. If you have friends who do web development with similar tools talk to them and see if they'll help point you in the right direction.

    Here are some things to get you started. Note that these are language independent things you should do no matter what dev tools you use. You might want to look at something more targetted for PHP as well.

    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices [cert.org]

    Here's the main site.
    https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards [cert.org]

    The other way to go would be to make your web files more static. However getting rid of everything dynamic may not be a reasonable option in 2009.

  • Good read (Score:2, Informative)

    by youcantwin (1459567)
    Here's a good read with a checklist of things to do to secure your website from page 80
    http://www.ipa.go.jp/security/vuln/documents/website_security_en.pdf [ipa.go.jp]

    It's quite easy to understand and if you follow all the recommendations your website should be more secure than average.
    • by Hyppy (74366)

      http://www.ipa.go.jp/security/vuln/documents/website_security_en.pdf

      This looks like a very good tutorial on the basics of web security. I think I'll forward it to some of my *ahem* Less-than-brilliant web admin friends.

  • mod_security (Score:5, Informative)

    by 'Aikanaka (581446) <dvictor@@@aikanaka...com> on Tuesday February 10, 2009 @02:50AM (#26794317) Homepage
    I recommend mod_security and mod_evasive. A reverse proxy would help as well. The DoD and NSA have configuration guides that provide tips on securing Apache (as well as IIS).
    • by zobier (585066)

      Yep and also look up SELinux.

      If you use other peoples apps, stick with popular open source ones and keep the patches up to date. Be wary of using copypasta code.

      If you write your own, escape your inputs. Better yet to validate them with regex and use place-holders in your SQL.

    • Re:mod_security (Score:4, Informative)

      by TheSpoom (715771) * <slashdotNO@SPAMuberm00.net> on Tuesday February 10, 2009 @06:48AM (#26795317) Homepage Journal

      Also, take a look at installing Suhosin [hardened-php.net], if you have root access to your server. It's a PHP patch that adds more security on the binary level to combat certain common attack vectors like SQL injection (though that said, you should never simply rely on its protection without knowing how these attacks work and how to program defensively).

      Speaking of which, PHP itself has a page on SQL injection and how to avoid it [php.net], which I recommend that you read and commit to memory if you don't already know about it. Especially for new developers in the PHP world, SQL injection is the number one security pitfall, and if you're uneducated about it, it's very easy to create insecure applications.

      If you would like, I am a very experienced developer with about eight years of PHP experience. I can go through your code with you and tell you where you might be able to improve security. My rate is $30 / hour, but it probably won't take too long to give recommendations. If you're interested, please contact me at my first name at jamiearseneault.com.

    • Re: (Score:3, Informative)

      by tcopeland (32225)

      > I recommend mod_security

      One thing to watch for with mod_security is that it will block certain requests even when it's in 'logging only' mode [blogs.com]. Still a useful tool, but keep a close eye on it.

  • by phantomcircuit (938963) on Tuesday February 10, 2009 @02:50AM (#26794323) Homepage

    Either you spend the time to teach yourself about security.

    Or you pay someone to do it for you.

    • by spinkham (56603)

      +1 to the above. Like anything else, you pay for someone else's expertise, or you learn yourself.

      The best and most through guide to web testing and security out there is to the Web Application Hackers Handbook [amazon.com], but the OWASP Testing Guide is a good intro and a free download you can start working with today.

      PDF version [owasp.org]
      Main page [owasp.org]

      The best way to learn is by doing, and OWASP WebGoat is a good interactive learning environment. It's also quite easy to try out using the OWASP Live cd [owasp.org], which has many of t

    • by mooingyak (720677)

      This in response to a question that could be summarized as "Where can I learn more about security or find someone to teach me at a decent rate?"

  • Best strategy (Score:2, Insightful)

    by Shadow7789 (1000101)
    Keep you MySQL only accessible via localhost, put a good password on it's root account, and make separate users for each database with access restricted to each one. I know it's important. Other than that, if you close ports you don't need , keep your software up to date, and write your own PHP I really don't think you have much too worry about.
  • by Jane Q. Public (1010737) on Tuesday February 10, 2009 @03:07AM (#26794399)
    but you asked about our applications, not your server setup. So my answer presumes that you are in a hosted environment and are trusting to your host to handle that end.

    In that case, the biggest exploits that you are probably easily vulnerable to are SQL injection and JavaScript injection. I highly recommend that you research those two things, they will go a long way toward securing your website.

    The Kaspersky anti-virus website fell victim to SQL injection just yesterday... but it is an easy thing to prevent with a little knowledge and diligence.
    • by Xenna (37238) on Tuesday February 10, 2009 @03:53AM (#26794591)

      The easiest way to prevent SQL injection is to use a library like MBD2 ( http://pear.php.net/package/MDB2 [php.net] ) and use placeholders.

      That way any data you use in SQL statements is automatically quoted.

      Perl users have had this for ages with the DBI module, so SQL injection is much less likely in Perl than in PHP. Hackers like PHP ;)

      Also AFAIK PHP has no convenient way of stripping Javascript from user input which also creates a risk.

      X.

      • That does present a problem. I am used to working in Ruby and Rails, and eliminating both SQL injection and JS injection is pretty easy. But you still have to take the trouble to do it.
      • by Eil (82413)

        Also AFAIK PHP has no convenient way of stripping Javascript from user input which also creates a risk.

        Developers starting a new application would do well to begin with a PHP framework [wikipedia.org]. No, frameworks don't solve every problem. Yes, some of them suck or are only suitable for certain kinds of sites or applications. But with all of the options out there, there's bound to be at least one that suits your needs and gets you started on the interesting parts of the code sooner. (I like CodeIgniter, for instance.)

        T

        • by Xenna (37238)

          I'll look into that sometime. I've built enough PHP stuff already without a framework to be comfortable without one, but I recently got into the jquery javascript framework and that was a very pleasant experience compared to plain javascript.

          Maybe CodeIgniter would provide a similar experience to plain old PHP.

          X.
           

  • by H310iSe (249662) on Tuesday February 10, 2009 @03:13AM (#26794431)

    - very very imho -
    backups don't help your users who might be attacked by your compromised sites but the ability to wipe the bad and restart is great. requires multiple levels of backups, daily, weekly, monthly, all separate.

    You can't restart immediately, presumably you'll get nailed by the same exploit when you recover, but at least you'll know there's a specific problem - finding something specific is nearly always easier than finding something general.

    also, control your URLs. controlling what can be passed to your site controls a hell of a lot of security problems.

    lastly - make sure your logs are good and safe and verbose. if you pay attention to making the logs right, when you have a problem, you can find someone to review the logs and find the issue. if you don't have the logs, well. you're more screwed.

    Do those three things and some common sense when coding and you'll be better off than most. Security is always where you draw the line, personally I like it a bit ahead of the curve but no where near perfect.

  • I'd do the following. Put your code in Subversion or some other version control system. Find someone (maybe in your environment, maybe on Elance [elance.com]) who does this sort of stuff for a living.

    Pay him to check out the code of your sites and your databases. Let him save his changes in your version control system, then go look for yourself to see what he changed. Reserve an extra hour of face or phone time with the guy to walk through all changes.

  • Automate it (Score:2, Interesting)

    by jrozzi (1279772)
    There are some good automated security scanners out there. For instance: Nesses/Nikto, WebScarab with proxmon, portswigger, and you can even go as far as using 3rd party companies such as HackerSafe.com or SecurityMetrics.com. Even though this doesn't give you a 100% fail-safe security scenario (*cough* nothing does and probably never will), it at least helps decrease the chances of common and even some more uncommon attacks such as SQL injections, overflows, man-in-the-middle attacks, etc. You also obvi
  • Some Ideas (Score:5, Informative)

    by maz2331 (1104901) on Tuesday February 10, 2009 @03:24AM (#26794471)

    First and foremost, check and sanitize EVERY input passed via a $_POST or $_GET (and to be safe, check cookie inputs too).

    Make SURE that none of them are in a format or contain data that you don't expect.

    It is easier said than done, and it sucks major ass to do, but it's really the only way to be sure of what you are doing.

    I just spent most of the last week tracking down an XSS exploit for a client, and it was a mother to find where to filter the input AND what to look for. SOME inputs needed SOME HTML tags to pass through, others required binary data, and still others needed integers.

    My advice on new code is to check your inputs like crazy before assigning any submitted data to a variable. Then check the variables themselves.

    Watch for hex encodings of HTML characters, and then watch for it again.

    Then, after all that work, hope it works, then drink heavily.

    • Make SURE that none of them are in a format or contain data that you don't expect

      Step one: Make sure you know exactly what data/format you DO expect. The tighter you specify the accepted format and data structure, the easier it will be to test the data. (E.g., if the client is designed to submit a phone number as an integer with 10 to 15 places, and you get a 40 character string with alphabetic characters, spaces, and punctuation you know something is up). Obviously don't rely on client scripts to validate the data before submission.

      • by deraj123 (1225722)

        Obviously don't rely on client scripts to validate the data before submission.

        This is, in my mind, one of the most important things. To go a bit further, don't rely on the client to do anything. Just because you restrict a certain field on a form doesn't mean that's all a client can submit. I would suggest learning the http protocol (the basic concepts are really not that complicated) and keeping that in mind every time you accept input from a user. (Along with everything else others have said - sanitize/validate input, use parameterized/prepared queries, and properly escape any

      • by Sloppy (14984)

        Step one: Make sure you know exactly what data/format you DO expect.

        Amen. Don't block bad things; instead, allow known-to-be-good things. Anything not allowed, is prohibited by default.

  • by Anonymous Coward
    Kaspersky [kaspersky.com]
  • How is PHP/MySQL so insecure? I write asp.net for a living (I'd rather write in python or C, but such is life), and I find it hard to imagine where these pages are so vulnerable. Is PHP vulnerable to buffer overflows the way old C code is? Does MySQL not support parameterized queries? If that's not the case, then what kind of attacks are people using to hack these sites?
    • by IBBoard (1128019)

      PHP and MySQL aren't insecure per-se, it's just that people hack things together quickly with it that are insecure.

      AFAIK PHP isn't vulnerable to buffer overflows directly. You have no control over pointers, so any stack overflows vulnerabilities have been in libraries, but exploited via PHP.

      Standard MySQL functions in PHP don't support parameterized queries, but the MySQLi methods do, and MySQLi is installed on a lot of hosts these days. If it's not on a server then it's generally easy enough to add it.

      The

    • by Almahtar (991773)
      As far as I can tell the problem doesn't lie in the language itself as much as the common practices and culture.

      For example PHP supports prepared queries and the like, but it also supports the execution of bare strings as queries. In my experience most PHP programmers started back before prepared queries and just use the strings.

      Another example: register_globals [wordpress.com] -- a short read, but a good one.

      So it's not like any of these things are inherently security breaches, but they do lead to them without jud
  • Suhosin, etc... (Score:5, Informative)

    by dchamp (89216) on Tuesday February 10, 2009 @03:41AM (#26794545)

    I just got back from a PHP security class, here's a quick overview of what was covered:

    - register_globals = off

    - Use the Suhosin PHP hardening patch.

    - Always filter all of your input for injection attempts. Write a validation class to handle this.

    - Use prepared SQL statements, or stored procedures to help avoid sql injections

    There are some pretty good articles out there that cover most of these points and more, just google for "PHP security". Take the time to read the articles, they're worth it.

    It's really sad that more people don't pay attention to PHP security. The class I took was, as far as I know, the only commercial PHP security class offered in the US this year, and there were only 4 students in attendance.

    • - Always filter all of your input for injection attempts. Write a validation class to handle this.

      Why isn't there one built in to the language? Seems like something that damn well ought to be there.

  • by kabrakan (13409)

    Ensure your users pick good passwords [darkreading.com], by preventing them from entering passwords described here (e.g. their firstname, "password", "qwerty", etc).

  • 80-20 rule (Score:4, Informative)

    by SethJohnson (112166) on Tuesday February 10, 2009 @04:09AM (#26794649) Homepage Journal


    I'm not suggesting this is rock-solid security. It's a few easy steps that keeps most of the knuckleheads at bay.
    • Set up your site on a hosting service with automated backups. Dreamhost has a great backup system that can restore your entire site with DB in minutes once it's been compromised. This will satisfy your client while you figure out how the defacer did his trick. It also puts the burden of OS-level security on them, so any intrusion will be incredibly unlikely to escalate priveleges and purge the logs.
    • Minimize use of web software packages (forums, blogs, photo galleries, etc.). This will limit your site's exposure to known exploits when you fail to keep these packages updated. If you must use such a package, edit the paths so that it won't fall prey to automated script attacks spidering for these packages. This makes upgrades more complex, but it will repel the dumb script kids.
    • Use .htaccess to ban foreign IPs. Most small-time sites have no need to be visited from overseas IPs. The site you build for a dentist doesn't need to be accessible to a kid sitting behind a computer in Brazil.
    • Check your form inputs. Plain and simple.

    Seth

    • Use .htaccess to ban foreign IPs.

      This seems like a really good idea, and a no-brainer if it works well. But how do you ensure that you make no errors of type 1 (a fellow national can't view the site)? I'll want ALL of the residents of a few countries to be able to access the site, even if that means that a few others can access it as well.

      Furthermore I have no idea what IPs hotels, mobile phone providers, offshore workers, restaurant chains and probably many more I haven't though of will give their custo

  • Especially since you seem to want to patch holes when you find them instead of designing your code with security in mind. If you do not learn about security and secure programming, you will run into problems again and again. Even the "best" outside help will not be able to completely overhaul your insecure system if you regard security as something to be "patched in" instead of something to be designed for.

    If you are going to wait for your sites to be compromised to figure out if anything went wrong (and le

  • by dltaylor (7510) on Tuesday February 10, 2009 @04:44AM (#26794753)
  • by petes_PoV (912422) on Tuesday February 10, 2009 @04:45AM (#26794757)
    Have a way to restore the site quickly, reliably and with the minimum of fuss.

    Apart from speeding the recovery in case of a breaking/defacement it will also assist you if your hosting service goes bust, stops serving or you find someone else who's better / cheaper / has more facilities.

    I'm not saying you shouldn't apply sensible security precautions, but don't treat them as if they'll make your sites impregnable. The ability to quickly restore a site means you don't have to go around checking each link on every page to see if it's been messed with.

  • by jez9999 (618189) on Tuesday February 10, 2009 @05:02AM (#26794843) Homepage Journal

    The banks are already broken. Too late.

  • I know Java has a lot of different security frameworks like JSecurity or AcegiSecurity, but I'm not so sure about PHP.

  • I have read most messages in this thread so far and the only thing I find is vague recommendations but nothing solid.

    What we could all benefit from is:

    - Specific book titles.

    - Specific websites.

    - Specific training (go on, if you are providing such training people want to hear from you).

    The amount of vaguery posted so far tells me that people with a clue about security may not frequent this site or that simply there is no material out there.

    I may have a business plan there somewhere ...

    • Everyone with an opinion is able to wade in and represent it as fact (yes, including this one). The fundemental problem with the whole idea of asking question in a forum is that it's very hard to tell the bullshit from the pearls, as every spotty-faced 13 year-old looks exactly the same as an industry icon (except the real talent is far too busy performing paid-for work to bother posting for free).

      Even taking the posts that get voted up is dodgy, as people tend to vote up things they agree with rather tha

  • by Tom (822)

    If you're on a budget (either time or money), use a framework that handles most of the problems for you. Why reinvent the wheel?

    For PHP, there's CodeIgniter, Cake, and some others in the MVC area, and probably some outside. Google is your friend.

    Why a framework? Because stuff like escaping your data before handing it to the database (to prevent SQL injection attacks), or sanitizing your input (to prevent XSS and other attacks) and so on are fairly simple things to do, you just have to remember to do them ev

  • by Bearhouse (1034238) on Tuesday February 10, 2009 @07:47AM (#26795639)

    You can start here:

    https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html [us-cert.gov]

    And for specifically for web apps:

    https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/assembly/639-BSI.html [us-cert.gov]

    Then you frighten yourself by playing with the toys here:

    http://insecure.org/ [insecure.org]

  • You should probably check out some of the open source static analysis tools:
    http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis [wikipedia.org]

    I wrote one that deals mostly with web applications:
    http://www.yasca.org/ [yasca.org]

    You should also get your hands on Acunetix Free Edition, which scans for XSS:
    http://www.acunetix.com/cross-site-scripting/scanner.htm [acunetix.com]

    Also grab yourself a copy of Software Security [amazon.com] by Gary McGraw and Secure Programming with Static Analyis [amazon.com] by Brian Chess and Jacob West.

    Finally, if you want to outs

  • There are a number of web app security sites that will teach you how to test your website for security vulnerabilities. Even providing sample inputs for trying XSS and SQL-Injection attacks on your own site. Try these for starters:

    http://www.owasp.org/ [owasp.org]
    http://ha.ckers.org/xss.html [ckers.org]

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Tuesday February 10, 2009 @09:52AM (#26796533) Homepage

    Or rather, the input your user gives you.

    Let's leave aside non-web vulnerabilities for now - of course you'll want to use SFTP and SSH instead of unsecured FTP or Telnet to connect to your server, and HTTPS for your web admin panel, but these are outside the scope of the actual website - they're for your host to deal with.

    When you write any kind of dynamic website, user input is the threat. Your website communicates via text with other layers such as the database (SQL) or the users' browser (HTML). Your two biggest risks are SQL injection (where user input breaks out of SQL quotes) and Cross Site Scripting/Request Forgery (where one user's input is executed as Javascript in another user's browser).

    Another threat is performing actions (such as deleting/editing content) via GET requests, which will allow search spiders or content prefetchers to wreak havoc.

  • Smoked cheddar.
  • Any of the great LAMP books should have sections devoted to security. Each of the components has a part to play. The obvious vectors are PHP and MySQL so pay particular attention to those. If that's not enough, get a book for each... I'm certain there are "Security for MySQL" , etc.

    They should all be available used on amazon for $10- $15 each... if $100 is out of your budget, then you'll need to start googling and doc diving.

  • SethJohnson brings up two excellent points:
    a) back up regularly. If you back up nightly then the most you can lose is a days worth of data. If you sync the backup directory (mysqldump cron job) to your local machine (I use lftp) then it's quicker than having to contact your hosting support. I disagree with H310iSe, just daily backups are fine.
    b) don't install anything you don't have to. Disable all plug-ins you aren't using. If using somebody else's code Google it to see what problems other people are havin

  • Your choice -- Zend, Drupal, whatever. Active frameworks are constantly being reviewed and patched for security holes. Building your sites on top of a framework will insure that those issues are taken care of for your sites as well.
  • by Sloppy (14984)

    I don't want to get mired in a never-ending paranoia-fueled race to patch holes..

    How can I take reasonable steps to protect these websites myself?

    The list of things you need to protect against is actually pretty short, provided that your list is high-level and general enough. ;-)

    Look at this [ibm.com]. Most of that boils down to instances of trusting inputs, which is always a bad idea when the internet is involved.

    Then audit your code and look for the mistakes. It is impossible to achieve your goal without d

  • If you're interested in the actual hacking (err ... cracking) side of things ... Web Application Hacker's Handbook came highly recommended by my SANS instructor. http://www.bestwebbuys.com/The_Web_Application_Hacker's_Handbook-ISBN_9780470170779.html?isrc=b-search [bestwebbuys.com]
  • by bugi (8479)

    Brag about how awesome your site security is. Somebody's bound to take you up on the offer.

  • Simple (Score:4, Informative)

    by psydeshow (154300) on Tuesday February 10, 2009 @03:29PM (#26801787) Homepage

    0) Use a version control system
    1) Validate input, escape output
    2) Turn off unused services
    3) Regular, automatic backups to another location

    Ok, the OWASP list is more comprehensive, but these four things are fundamental to preventing, and recovering from, security breaches.

    • by psydeshow (154300)

      0) Use a version control system
      1) Validate input, escape output
      2) Turn off unused services
      3) Regular, automatic backups to another location

      Ok, the OWASP list is more comprehensive, but these four things are fundamental to preventing, and recovering from, security breaches.

      In particular, #1 means make sure that for any input your program receives (even HTTP vars like REQUEST_URI) the input is generally what you were expecting -- size, variable type, no unprintable characters.

      And for every value your program sends out, whether to the server as an html response or to the database as an sql query or to the shell as a command line argument, use the proper means of escaping it so that special characters can't cause unintended consequences.

A holding company is a thing where you hand an accomplice the goods while the policeman searches you.

Working...