APD Toronto
asked on
Web Application Security
Hi Experts,
I am building an application for a group of financial companies, and I am using PHP.
What security measures are considered high that I should use, either on PHP and/or the server side?
Thank you,
You should review the OWASP Top 10 Most Critical Web Application Security Risks. For the OS, review the relevant Security Technical Implementation Guide (STIG) and SANS OS hardening course (Unix/Linux, Windows)
Good to baseline against the PHP security checklist from OWASP (though it may be in draft):
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
For the server end, I suggest you benchmark against the online ssltest check. It reviews the system's baseline cipher support.
https://www.ssllabs.com/ssltest/
But for a more holistic check, you can run through this list:
https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet. Specifically, the very risky areas to focus on are:
Payments
- Test for known vulnerabilities and configuration issues on Web Server and Web Application
- Test for default or guessable password
- Test for Injection vulnerabilities
- Test for Buffer Overflows
- Test for Insecure Cryptographic Storage
- Test for Insufficient Transport Layer Protection
- Test for Improper Error Handling
- Test for all vulnerabilities with a CVSS v2 score > 4.0
- Test for Authentication and Authorization issues
- Test for CSRF
First and foremost, I've seen you mention "PHP or server-side" a couple of times now. Under most / typical circumstances, PHP runs server-side. Understanding security means you have to understand how things work / run.
All the tips that people have given above so far are good. I wrote an article that dives a little bit more into the "how to do it" on the major / common vulnerabilities.
https://www.experts-exchange.com/articles/1263/5-Steps-to-Securing-Your-Web-Application.html
Attacks launched on web-based resources are categorized as either client- or server-side exploits.
Web Application Vulnerabilities and Exploits: (Examples)
- Cross-site scripting (XSS) attack
- Cross-site request forgery (XSRF)/(CSRF) attack
- Command injection, also called code injection (the most popular type of command injection is SQL injection)
- Directory traversal
- File inclusion attack
- Remote file inclusion (RFI)
- Session fixation
- Cookie poisoning
- Malware
OWASP provides knowledge to the software development community for several different security practices
https://www.owasp
https://www.owasp.org/index.php/Top_10-2017_Top_10
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Web-Based Attack Tools
For vulnerability assessment, the following are examples of popular tools that can be used to discover web-based weakness:
- sqlmap
- Metasploit Framework
- Burp Suite
- OWASP WebScarab
- OWASP ZAP
- w3af
- BeEF
- Nikto
- Paros Proxy
My recommendation is to install a web application firewall (WAF). It is an application layer firewall that can apply a set of rules to HTTP traffic.
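As an added example (not from any of the answers above or from the asker's code), here is how several of the vulnerability classes listed in this thread are typically closed in PHP itself; it assumes an existing PDO connection `$pdo` and an `accounts` table with `id`, `balance` and `owner_id` columns.

```php
<?php
// Added example (not from the original answer): PHP mitigations for several of
// the vulnerability classes listed above. Assumes an existing PDO connection
// $pdo and an 'accounts' table with 'id', 'balance' and 'owner_id' columns.
declare(strict_types=1);

// Cookie poisoning / transport: mark the session cookie Secure, HttpOnly and
// SameSite so it is never sent over plain HTTP or readable from script.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

// Session fixation: issue a fresh session id at login, so an id planted in the
// browser before authentication is never promoted to a logged-in session.
function on_successful_login(int $userId): void {
    session_regenerate_id(true);            // true deletes the old session file
    $_SESSION['user_id']    = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// CSRF: embed the per-session token in every state-changing form ...
function csrf_field(): string {
    $token = htmlspecialchars($_SESSION['csrf_token'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// ... and reject any POST whose token is missing or differs (constant-time compare).
function require_valid_csrf(): void {
    $expected = $_SESSION['csrf_token'] ?? null;
    $sent     = $_POST['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// SQL injection: bind input as a parameter instead of concatenating it into the
// query (the vulnerable form would be "... WHERE owner_id = " . $_GET['owner']).
// The owner comes from the session, not the request, so one customer cannot
// read another's accounts (an authorization check, not only injection safety).
function fetch_own_accounts(PDO $pdo): array {
    $stmt = $pdo->prepare('SELECT id, balance FROM accounts WHERE owner_id = :owner');
    $stmt->execute([':owner' => $_SESSION['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS: encode untrusted data at the point it is written into HTML.
function safe_html(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The array form of `session_set_cookie_params` needs PHP 7.3 or later; on older releases set the same flags via `session.cookie_secure` and `session.cookie_httponly` in php.ini.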