Slashdot Mirror

← Back to Stories (view on slashdot.org)

Website Security Without Breaking the Bank?

Posted by kdawson on from the man-who-is-his-own-lawyer dept.

An anonymous reader writes "I do my own Web design and have a few websites — MySQL, PHP, CSS, HTML, that kind of thing. It's simple, amateur stuff, but I would love to have some reasonable ways to assess their security myself and patch the big holes, or possibly enlist someone to do 'white hat' work to assist me. I have absolutely no idea how to proceed. I don't want to get mired in a never-ending paranoia-fueled race to patch holes before the hackers find them, but on the other hand, I don't want my websites to look like Swiss cheese. Right now, I wouldn't know what kind of cheese they look like: Swiss, Havarti, or hard as Parmesan. How can I take reasonable steps to protect these websites myself? What books has the community found useful? What groups (if any) can offer me inexpensive white-hat hacking that won't end up costing me a first-born child? Or am I better off just waiting until a problem arises and then fixing it?"

6 of 195 comments (clear)

  1. take a tour at OWASP site by hugetoon · · Score: 5, Informative

    http://www.owasp.org/index.php/Main_Page

  2. Look at OWASP for Top 10 security vulnerabilities by mlgm · · Score: 5, Informative

    The Open Web Application Security Project (OWASP) has a Top 10 list, which lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). This might be a good start.

  3. Learn good coding practice by syousef · · Score: 5, Informative

    It doesn't matter what you do after the fact to secure your web sites, if your scripting is full of holes, trying to plug them up after the fact isn't going to work. For example, you mention MySQL so I gather your code accesses one or more databases? If so do you know what a SQL injection bug is and have you reviewed your code for them? Nothing you do at the point of deployment is going to help fix a SQL injection bug.

    I'm afraid that if you're using MySQL and PHP you've moved from the realm of the very basic to something more advanced. You're no longer just talking about slapping static content on the web. People spend years learning how to do these things really well. You should find yourself a good book and get started. Start with a Google. It costs nothing. If you have friends who do web development with similar tools talk to them and see if they'll help point you in the right direction.

    Here are some things to get you started. Note that these are language independent things you should do no matter what dev tools you use. You might want to look at something more targetted for PHP as well.

    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

    Here's the main site.
    https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards

    The other way to go would be to make your web files more static. However getting rid of everything dynamic may not be a reasonable option in 2009.

    --
    These posts express my own personal views, not those of my employer
  4. mod_security by 'Aikanaka · · Score: 5, Informative

    I recommend mod_security and mod_evasive. A reverse proxy would help as well. The DoD and NSA have configuration guides that provide tips on securing Apache (as well as IIS).

  5. Some Ideas by maz2331 · · Score: 5, Informative

    First and foremost, check and sanitize EVERY input passed via a $_POST or $_GET (and to be safe, check cookie inputs too).

    Make SURE that none of them are in a format or contain data that you don't expect.

    It is easier said than done, and it sucks major ass to do, but it's really the only way to be sure of what you are doing.

    I just spent most of the last week tracking down an XSS exploit for a client, and it was a mother to find where to filter the input AND what to look for. SOME inputs needed SOME HTML tags to pass through, others required binary data, and still others needed integers.

    My advice on new code is to check your inputs like crazy before assigning any submitted data to a variable. Then check the variables themselves.

    Watch for hex encodings of HTML characters, and then watch for it again.

    Then, after all that work, hope it works, then drink heavily.

  6. Suhosin, etc... by dchamp · · Score: 5, Informative

    I just got back from a PHP security class, here's a quick overview of what was covered:

    - register_globals = off

    - Use the Suhosin PHP hardening patch.

    - Always filter all of your input for injection attempts. Write a validation class to handle this.

    - Use prepared SQL statements, or stored procedures to help avoid sql injections

    There are some pretty good articles out there that cover most of these points and more, just google for "PHP security". Take the time to read the articles, they're worth it.

    It's really sad that more people don't pay attention to PHP security. The class I took was, as far as I know, the only commercial PHP security class offered in the US this year, and there were only 4 students in attendance.