APD Toronto asked:

Web Application Security
Hi Experts,

I am building an application for a group of financial companies, and I am using PHP.

What security measures are considered high that I should use, either on PHP and/or the server side?

Thank you,
Giovanni

You should review the OWASP Top 10 Most Critical Web Application Security Risks. For the OS, review the relevant Security Technical Implementation Guide (STIG) and the SANS OS hardening course (Unix/Linux, Windows).
ASKER CERTIFIED SOLUTION
Prabhin MP
btan
Good to baseline against the PHP security checklist from OWASP (though it may be in draft):
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
For the server end, I suggest you benchmark against the online ssltest check. It reviews the system's baseline cipher support.
https://www.ssllabs.com/ssltest/

But for a more holistic check, you can run through this list:
https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet. Specifically, the risk areas to focus on are:

Payments

Test for known vulnerabilities and configuration issues on Web Server and Web Application
Test for default or guessable password
Test for Injection vulnerabilities
Test for Buffer Overflows
Test for Insecure Cryptographic Storage
Test for Insufficient Transport Layer Protection
Test for Improper Error Handling
Test for all vulnerabilities with a CVSS v2 score > 4.0
Test for Authentication and Authorization issues
Test for CSRF
First and foremost, I've seen you mention "PHP or server-side" a couple times now. Under most / typical circumstances, PHP runs server-side. Understanding security means you have to understand how things work / run.

All the tips that people have given above so far are good. I wrote an article that dives a little bit more into the "how to do it" on the major / common vulnerabilities.

https://www.experts-exchange.com/articles/1263/5-Steps-to-Securing-Your-Web-Application.html
Attacks launched on web-based resources are categorized as either client- or server-side exploits.
Web Application Vulnerabilities and Exploits: (Examples)
  • Cross-site scripting (XSS) attack
  • Cross-site request forgery (XSRF)/(CSRF) attack
  • Command injection, also called code injection (the most popular type of command injection is SQL injection)
  • Directory traversal
  • File inclusion attack
  • Remote file inclusion (RFI)
  • Session fixation
  • Cookie poisoning
  • Malware

OWASP provides knowledge to the software development community for several different security practices
https://www.owasp.org/index.php/Top_10-2017_Top_10
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Web-Based Attack Tools
For vulnerability assessment, the following are examples of popular tools that can be used to discover web-based weakness:
  • sqlmap
  • Metasploit Framework
  • Burp Suite
  • OWASP WebScarab
  • OWASP ZAP
  • w3af
  • BeEF
  • Nikto
  • Paros Proxy
Keep in mind, it would be _ILLEGAL_ if attempted on machines that you do not have explicit permission to test and attack.

My recommendation is to install a web application firewall (WAF). It is an application layer firewall that can apply a set of rules to HTTP traffic.
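The injection, CSRF, session fixation and XSS items named in the test list and the vulnerability list above map onto a handful of PHP habits. The following is an added example written for this thread (not code from any of the answerers); the `transfers` table, its columns and the `$pdo` connection passed in are assumptions for illustration.

```php
<?php
// Added example: PHP controls for four items from the lists above
// (session fixation, CSRF, SQL injection, XSS). The "transfers" table
// and the PDO connection handed to findTransfers() are assumed.
declare(strict_types=1);

session_start();

// Session fixation: issue a fresh session ID when the user authenticates,
// so an ID planted before login is never promoted to a logged-in session.
function onLoginSuccess(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// CSRF: one random token per session, verified with a constant-time compare.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// SQL injection: bind user input with a prepared statement; never concatenate it.
function findTransfers(PDO $pdo, string $account): array {
    $stmt = $pdo->prepare('SELECT id, amount FROM transfers WHERE account = :acct');
    $stmt->execute([':acct' => $account]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS: encode on output, with both quote styles and invalid UTF-8 handled.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Request handling: reject any state-changing POST without a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the state-changing request here ...
}
// Embed the token in the form so the next POST can be verified.
echo '<input type="hidden" name="csrf" value="' . e(csrfToken()) . '">';
```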