Slashdot Mirror


Website Security Without Breaking the Bank?

An anonymous reader writes "I do my own Web design and have a few websites — MySQL, PHP, CSS, HTML, that kind of thing. It's simple, amateur stuff, but I would love to have some reasonable ways to assess their security myself and patch the big holes, or possibly enlist someone to do 'white hat' work to assist me. I have absolutely no idea how to proceed. I don't want to get mired in a never-ending paranoia-fueled race to patch holes before the hackers find them, but on the other hand, I don't want my websites to look like Swiss cheese. Right now, I wouldn't know what kind of cheese they look like: Swiss, Havarti, or hard as Parmesan. How can I take reasonable steps to protect these websites myself? What books has the community found useful? What groups (if any) can offer me inexpensive white-hat hacking that won't end up costing me a first-born child? Or am I better off just waiting until a problem arises and then fixing it?"

11 of 195 comments

  1. if you wait until it happens... by kamakazi · · Score: 5, Insightful

    You still need to do homework. I realized a while ago that I not only lack a good understanding of potential weaknesses in my sites, but I also lack the knowledge needed to actually do the forensic log analysis if I was to actually get exploited. Along the lines of the original post, what good introductory tools are there that relate to forensic log analysis?

    --
    "Proximity to wonder has blunted our perception and appreciation of it" --Tim Hartnell in 'Exploring ARTIFICIAL INTELLI

  2. Better tools, good process, learning from others by SSpade · · Score: 2, Insightful

    You can write insecure websites using pretty much any tools, but if you're using MySQL and PHP, especially if you're using other people's code in your app, you're probably going to end up with a security nightmare, regardless of how hard you try.

    It's possible to write secure code in PHP, but almost nobody does, and most of the PHP code that you can acquire easily is painfully insecure. A never ending race to patch a never ending series of holes means you've already failed at security. Depending on "white-hat hacking", ditto.

    Other than that... security is an integrated process, starting with the architectural design, the implementation and the processes around it, documentation and maintenance. It's not something you can just add on the side.

    Books? No idea, but look for stuff that talks about the entire lifecycle, and that comes from real world experience.

    Oh, and learn some real crypto, so you can avoid both the snake oil and the irrational paranoia.

  3. It's Simple Really You Pay Someone Who Knows How by phantomcircuit · · Score: 3, Insightful

    Either you spend the time to teach yourself about security.

    Or you pay someone to do it for you.

  4. Best strategy by Shadow7789 · · Score: 2, Insightful

    Keep your MySQL only accessible via localhost, put a good password on its root account, and make separate users for each database with access restricted to each one. I know it's important. Other than that, if you close ports you don't need, keep your software up to date, and write your own PHP, I really don't think you have much to worry about.

  5. Re:Better tools, good process, learning from other by Anonymous Coward · · Score: 5, Insightful

    It's possible to write secure code in PHP, but almost nobody does, and most of the PHP code that you can acquire easily is painfully insecure.

    Writing secure code with PHP is no harder than with Perl/Java/Ruby... the same rules apply. I would even say nowadays it's extremely easy - use PDO with prepared queries, and you've pretty much eliminated SQL injections. Don't reinvent the wheel - for example, Zend Framework is pretty capable and does most of the work for you that you'd probably end up doing yourself.

    In a nutshell:
    Validate your goddamned data. Use prepared queries to prevent SQL injections. And so on. The language used itself has very, very little to do with security in the end.

  6. security through backups by H310iSe · · Score: 3, Insightful

    - very very imho -
    Backups don't help your users, who might be attacked by your compromised sites, but the ability to wipe the bad and restart is great. It requires multiple levels of backups: daily, weekly, monthly, all separate.

    You can't restart immediately, presumably you'll get nailed by the same exploit when you recover, but at least you'll know there's a specific problem - finding something specific is nearly always easier than finding something general.

    Also, control your URLs. Controlling what can be passed to your site controls a hell of a lot of security problems.

    Lastly - make sure your logs are good, safe and verbose. If you pay attention to making the logs right, when you have a problem you can find someone to review the logs and find the issue. If you don't have the logs, well, you're more screwed.

    Do those three things, plus some common sense when coding, and you'll be better off than most. Security is always about where you draw the line; personally I like it a bit ahead of the curve but nowhere near perfect.

    --
    closed minded is as closed minded does

  7. Re:Attack with all your might .. by Anonymous Coward · · Score: 2, Insightful

    Ha ha! Your comment was not ranked as "funny" :P

  8. tight security only slows 'em down by petes_PoV · · Score: 2, Insightful

    Have a way to restore the site quickly, reliably and with the minimum of fuss.

    Apart from speeding the recovery in case of a break-in/defacement, it will also assist you if your hosting service goes bust, stops serving, or you find someone else who's better / cheaper / has more facilities.

    I'm not saying you shouldn't apply sensible security precautions, but don't treat them as if they'll make your sites impregnable. The ability to quickly restore a site means you don't have to go around checking each link on every page to see if it's been messed with.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons

  9. Re:Suhosin, etc... by Anonymous Coward · · Score: 1, Insightful

    A built in validation class for what input?

    Name? Ok, I guess that one might be a possibility. Letters and punctuation, but no numbers, right. That's easy. Oh wait, then there's someone named "Henry the 5th". So basically everything goes.

    How about the zip code? Let's write a built in validation class for a zip code. That's always five numbers, right? Not if you don't live in the US. So, it's just numbers, no letters? Too bad for those living in the UK. They have numbers, letters and even a space.

    The comment field... What's valid in a comment field? Letters and numbers? Sure. Punctuation and quotes? Absolutely. ';DROP TABLE STUDENTS --? That too, how else would we be able to discuss SQL injection?
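
Comment 5's advice (PDO prepared queries) and comment 9's point that the "validate everything" approach breaks on legitimate names, postcodes and comments are two sides of one idea: keep the data verbatim and neutralise it at the sink it is going to. The following is an added example, not code from the thread; the table, the column names and the in-memory SQLite database (standing in for a MySQL DSN such as mysql:host=localhost;dbname=app used with a per-database account, as comment 4 recommends) are assumptions.

```php
<?php
// Added example, not code from the thread: the string-built query comment 5
// warns about beside the PDO prepared statement it recommends, with escaping
// done at the HTML sink rather than in an input "validator" (comment 9).
// Table/column names are assumptions; sqlite::memory: stands in for MySQL.
declare(strict_types=1);
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Unsafe: the values become part of the SQL text, so a quote in $body ends the
// string literal and whatever follows is parsed as SQL. Returned, never run.
function buildUnsafeSql(string $author, string $body): string
{
    return "INSERT INTO comments (author, body) VALUES ('$author', '$body')";
}

// Safe: the statement with placeholders is compiled first and the values are
// bound afterwards, so they cannot alter its structure whatever they contain.
function insertComment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function fetchComment(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Escape for the sink you write to: stored verbatim, neutralised for HTML only
// at render time, so "Henry the 5th" and quotes survive unchanged in the DB.
function renderComment(array $row): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($row['author']) . '</b>: ' . $esc($row['body']) . '</p>';
}

// Constructed inputs borrowed from the thread: a name with a digit and the
// classic injection string, both legitimate in a discussion of SQL injection.
$author = 'Henry the 5th';
$body   = "';DROP TABLE STUDENTS --";
echo 'unsafe SQL text: ', buildUnsafeSql($author, $body), "\n";
$row = fetchComment($pdo, insertComment($pdo, $author, $body));
echo 'stored verbatim: ', ($row['body'] === $body ? 'yes' : 'no'), "\n";
echo renderComment($row), "\n";
```

Running it prints the broken statement text the unsafe builder would have sent, confirms the prepared insert stored the body unchanged, and renders it as inert HTML.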

  10. Re:Better tools, good process, learning from other by Lumpy · · Score: 5, Insightful

    The problem is that MOST sites that get 0wn3d are running phpbb or other very common and popular packages. They are getting better but they are still the most hacked because it's easy to identify what your site is using and then go and find the exploits for that site.

    The SAFEST is typically custom code. And go NUTS on everything that comes from a user, treating it like it's a bomb every time. It causes the kiddie to take a LOT of time to crack you; they typically move along to easier fields quite quickly. Back in the early 2000s I used to taunt the "crackers" and "kiddies": if you tried banging on my telnet or ssh door, you were actually banging on my "taunt the L0ser" door. It would insult the hell out of them and make them think their bot got in, because it would give a successful login every time and then taunt the hell out of them and "log off". I had a single little turd in Chicago banging on me for a month until he got his buddies involved and they DDOS attacked my box with all of them trying to attack; 120 bored kiddies can bring down a T1 fast. It lasted for 3 days. Funny part was 4 of them were doing it from home, and when I personally called their parents all the attacks stopped. (They were on Comcast cable modems and I worked for Comcast at the time, so I got the customer contact info quite easily.)

    You more than likely do not have the resources I did, so don't provoke them. Taunting the lions is fun, but they now have an army of robots.

    Step 1: look through your logs DAILY. 99.999782% of all website admins do not do this. Sorry, but you can't spot strange things without going through logs. Get a parser that makes it easier, but do it.

    Step 2: learn to write secure PHP code and then write your site's scripts custom. Got a mailer for a contact-us page? HARD CODE the To: address and get ready for the never-ending fight to filter out spam.

    Step 3: Backups. Never TRUST a backup you make from the site; your only real backup is the files you created and uploaded.

    Step 4: review everything monthly. Go over stuff, look for anything broken or strange, go over all of it. Look, there's a weird file in your ftp area; how did that get there?

    If you are running phpbb or drupal or other "popular" scripts you need to update them weekly. phpbb has patches all the time and MOST don't get applied by sites that get cracked.

    --
    Do not look at laser with remaining good eye.
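
Comment 10's step 1 ("look through your logs daily, get a parser") and comment 1's question about log analysis both come down to a small script run over yesterday's access log. Here is an added example of such a triage pass, not code from the thread; the log lines are constructed with RFC 5737 documentation addresses, and the regex assumes the Apache/nginx "combined" log format.

```php
<?php
// Added example, not code from the thread: a daily log triage script in the
// spirit of comment 10's "look through your logs daily, get a parser".
// Log lines are constructed; the regex assumes the "combined" log format.
declare(strict_types=1);

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
const SUSPICIOUS = [                      // tested against the URL-decoded path
    'sql keyword'       => '/\b(union\s+select|information_schema)\b/i',
    'quote then or/and' => '/[\'"]\s*(or|and)\b/i',
    'path traversal'    => '/\.\.\//',
];
function parseLine(string $line): ?array
{
    return preg_match(LOG_RE, $line, $m)  // null for lines not in combined format
        ? ['ip' => $m[1], 'method' => $m[3], 'path' => rawurldecode($m[4]), 'status' => (int) $m[5]]
        : null;
}

// Pattern hits, plus any client with $threshold or more 404s: the usual trace
// of someone probing for phpbb, phpMyAdmin, admin panels and similar packages.
function triage(array $lines, int $threshold = 3): array
{
    $findings = [];
    $notFound = [];                       // ip => number of 404 responses
    foreach ($lines as $line) {
        if (($r = parseLine($line)) === null) { continue; }
        foreach (SUSPICIOUS as $label => $re) {
            if (preg_match($re, $r['path'])) {
                $findings[] = "{$r['ip']} {$label}: {$r['method']} {$r['path']} -> {$r['status']}";
            }
        }
        if ($r['status'] === 404) {
            $notFound[$r['ip']] = ($notFound[$r['ip']] ?? 0) + 1;
        }
    }
    foreach ($notFound as $ip => $n) {
        if ($n >= $threshold) {
            $findings[] = "$ip requested $n missing paths (probing for common packages?)";
        }
    }
    return $findings;
}

$sample = [                               // constructed lines, RFC 5737 addresses
    '203.0.113.7 - - [10/Oct/2008:13:56:01 -0700] "GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2008:13:57:10 -0700] "GET /phpbb/ HTTP/1.1" 404 210',
    '198.51.100.9 - - [10/Oct/2008:13:57:11 -0700] "GET /forum/admin/ HTTP/1.1" 404 210',
    '198.51.100.9 - - [10/Oct/2008:13:57:12 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 210',
];
foreach (triage($sample) as $finding) { echo $finding, "\n"; }
```

The first sample line is flagged by the quote pattern after URL decoding; the three 404s from one address trip the probing threshold, which is the kind of "strange thing" the comment says you only see by reading the logs.
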
  11. Re:take a tour at OWASP site by ahsile · · Score: 4, Insightful

    Um, no. Parameterized queries are much safer.