Resources on web application security

**Aleksejs** · Aug 27, 2009 00:58

Hello!
The other day I was compiling a list of resources on web application security for latvian speaking PHP developer forum php.lv/f and to my surprise (unlike in other categories) I could not find compilation of resources in this huge forum. So here I share what I've found so far:

PHP Security Consortium - PHP Security Guide

OWASP - Web application security principles

PHP Freaks - PHP Security

Tutorialized - PHP Security Tutorials

Code Breach - PHP Security tutorials

IBM - Mashup security / Technologies and techniques for securing UI artifacts and data in a mashup

IBM - Seven habits for writing secure PHP applications

Web Application Component Toolkit - Web Application Security

Security Patterns Very, very, very useful, yet underrated resource

Google - Browser Security Handbook

Ross Anderson - Security Engineering - The Book

Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone - Handbook of Applied Cryptography - comprehensive book on cryptography.

Please share resources that you've found on the topic of security and hopefully this thread will get pinned so that everyone can benefit.

**EastCoast** · Aug 27, 2009 10:50

http://www.scanit.be/uploads/php-file-upload.pdf is a good read on file upload security. I see so many tutorials (and advice given on these forums regularly) from people that don't realise that there are ways to circumvent many of the simple upload tests suggested.

**Aleksejs** · Aug 31, 2009 04:20

Securing PHP Web Applications - Introduction to Exploit Testing

**risoknop** · Aug 31, 2009 08:00

I wrote few articles about security related issues:

Password hashes and salts
User login and authentication with Zend_Auth and Zend_Acl

I am also planning to write an article on session fixation and XSS in the future, and especially on how to fight them in Zend Framework applications.

**Aleksejs** · Sep 2, 2009 23:32

OpenAjax Alliance - Ajax Security Resources
and their own documents:
Ajax and Mashup Security

**Aleksejs** · Sep 16, 2009 03:47

SecurityTube - Presentations on security from various conferences.

**Aleksejs** · Sep 29, 2009 01:04

John J. G. Savard - A Cryptographic Compendium

**logic_earth** · Sep 29, 2009 04:33

Uses ASP.NET for the examples but the concepts are language independent. (Almost a 1,000 pages of content, for free no less!)

Microsoft - Improving Web Application Security: Threats and Countermeasures (PDF here)

Another, again its focus is ASP.NET, but the concepts are independent.
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (PDF here)

**Aleksejs** · Jan 4, 2010 09:04

Sql Antipatterns Strike Back

**Aleksejs** · Jan 6, 2010 02:50

Project Quant: Database Security Planning I
Project Quant: Database Security Planning II
Project Quant: Database Security Discovery

**Aleksejs** · Jan 11, 2010 08:11

Methods of Quick Exploitation of Blind SQL Injection

**Aleksejs** · Jan 14, 2010 02:22

Secure Web Application Framework Manifesto - Draft

**Aleksejs** · Jan 27, 2010 05:40

Weaning the Web off of Session Cookies Making Digest Authentication Viable by Timothy D. Morgan

Abstract
In this paper, we compare the security weaknesses and usability limitations of both cookiebased session management and HTTP digest authentication; demonstrating how digest authentication is clearly the more secure system in practice. We propose several small changes in browser behavior and HTTP standards that will make HTTP authenti*cation schemes, such as digest authentication, a viable option in future application development.

**Aleksejs** · Feb 10, 2010 16:48

Impervas glossary of data security and compliance terms

**whitebelt** · Feb 16, 2010 20:30

This thread would be greatly improved if those in the know can supply sitepoint fans a long list of reputable web security companies or programmers we may hire in order to secure or fix our sites.

All this info. is good. But if u run a business and don't know how to program, you should have a list of security experts you can hire to secure your business' website.

Can anyone compile this kind of list here?

**sk89q** · Apr 9, 2010 00:24

Here is the updated link to my PHP security checklist:
http://www.sk89q.com/2009/08/definit...ity-checklist/
(The domain changed abruptly last November.)

(invision2 reminded me about it in one of his posts.)

**Aleksejs** · Apr 13, 2010 00:55

sk89q, LOL just came here to post that very same link of yours

phpGACL - Generic Access Control Lists

Summary:
A PHP class offering Web developers a simple, yet immensely powerful "drop in" permission system to their current Web based applications.

P.S. Thank you Admins for pinning this topic

**Aleksejs** · Apr 13, 2010 02:36

WebSecurify - automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies
Two articles about it:
Before You Go Live, Test Your Website Security With Websecurify

WebSecurify – Finds Out Your Sites' Vulnerabilities

**Aleksejs** · Aug 17, 2010 23:03

Application Security Logging

**Aleksejs** · Aug 31, 2010 00:27

Qualys is offering anyone their product QualysGuard:

Thousands of web sites are infected with malware daily, propagating the infection to visitors of their web sites at an increasing speed. To combat these threats, QualysGuard® Malware Detection is a FREE service that proactively scans web sites of any size, anywhere in the world for malware infections and threats. QualysGuard Malware Detection provides businesses with automated alerts and in-depth reporting for effective remediation of identified malware to help businesses protect their web sites and web site visitors from malware.

http://qualysguard.net/forms/trials/stopmalware/
More info:
http://qualysguard.net/products/qg_s...are_detection/

It should give you an early warning if your website is hacked.

@pilotjourney - I think you can check out their blog: http://blog.websecurify.com/ and About page, which leads to: www.gnucitizen.org

**Aleksejs** · Sep 9, 2010 07:01

PHP Security Poster - Sektion Eins (German version available as well)

**Aleksejs** · Oct 1, 2010 06:20

HTML5 Security Cheatsheet

**Aleksejs** · Oct 23, 2010 14:17

NSDECODER

NSDECODER is an automated website malware detection tool. It can decode and analyze a website and detect malware. Also, NSDECODER will report which vulnerabilities have been exploited, and will show the original source address of the malware.

**Aleksejs** · Jul 3, 2011 23:27

Top 10 Open Source Web Application Firewalls (WAF) for WebApp Security

Web application firewalls provide security at the application layer. Essentially, WAF provides all your web applications a secure solution which ensures the data and web applications are safe.

A web application firewall applies a set of rules to HTTP conversation to identify and restrict the attacks of cross site scripting, SQL injections etc. You can also get web application framework and web based commercial tools, for providing security to web applications. Web Application Firewalls allows you to customize the rules by identifying and blocking malicious content.