Resources on web application security

Hello!
The other day I was compiling a list of resources on web application security for the Latvian-speaking PHP developer forum php.lv/f and to my surprise (unlike in other categories) I could not find a compilation of resources in this huge forum. So here I share what I’ve found so far:

PHP Security Consortium - PHP Security Guide

OWASP - Web application security principles

PHP Freaks - PHP Security

Tutorialized - PHP Security Tutorials

Code Breach - PHP Security tutorials

IBM - Mashup security / Technologies and techniques for securing UI artifacts and data in a mashup

IBM - Seven habits for writing secure PHP applications

Web Application Component Toolkit - Web Application Security

Security Patterns - Very, very, very useful, yet underrated resource

Google - Browser Security Handbook

Ross Anderson - Security Engineering - The Book

Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone - Handbook of Applied Cryptography - comprehensive book on cryptography.

Please share resources that you’ve found on the topic of security and hopefully this thread will get pinned so that everyone can benefit. :slight_smile:

http://www.scanit.be/uploads/php-file-upload.pdf is a good read on file upload security. I see so many tutorials (and advice given on these forums regularly) from people that don’t realise that there are ways to circumvent many of the simple upload tests suggested.

Securing PHP Web Applications - Introduction to Exploit Testing

I wrote a few articles about security-related issues:

Password hashes and salts
User login and authentication with Zend_Auth and Zend_Acl

I am also planning to write an article on session fixation and XSS in the future, and especially on how to fight them in Zend Framework applications.

OpenAjax Alliance - Ajax Security Resources
and their own documents:
Ajax and Mashup Security

SecurityTube - Presentations on security from various conferences.

John J. G. Savard - A Cryptographic Compendium

Uses ASP.NET for the examples, but the concepts are language independent. (Almost 1,000 pages of content, for free no less!)

Microsoft - Improving Web Application Security: Threats and Countermeasures (PDF here: http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en)

Another; again its focus is ASP.NET, but the concepts are independent.
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (PDF here: http://www.microsoft.com/downloads/details.aspx?FamilyID=055ff772-97fe-41b8-a58c-bf9c6593f25e&DisplayLang=en)

Sql Antipatterns Strike Back

Project Quant: Database Security Planning I
Project Quant: Database Security Planning II
Project Quant: Database Security Discovery

Methods of Quick Exploitation of Blind SQL Injection

Secure Web Application Framework Manifesto - Draft

Weaning the Web off of Session Cookies - Making Digest Authentication Viable, by Timothy D. Morgan

Abstract
In this paper, we compare the security weaknesses and usability limitations of both cookie-based session management and HTTP digest authentication, demonstrating how digest authentication is clearly the more secure system in practice. We propose several small changes in browser behavior and HTTP standards that will make HTTP authentication schemes, such as digest authentication, a viable option in future application development.

Imperva’s glossary of data security and compliance terms

This thread would be greatly improved if those in the know can supply sitepoint fans a long list of reputable web security companies or programmers we may hire in order to secure or fix our sites.

All this info is good. But if you run a business and don’t know how to program, you should have a list of security experts you can hire to secure your business’ website.

Can anyone compile this kind of list here?

Here is the updated link to my PHP security checklist:
http://www.sk89q.com/2009/08/definitive-php-security-checklist/
(The domain changed abruptly last November.)

(invision2 reminded me about it in one of his posts.)

sk89q, LOL just came here to post that very same link of yours :smiley:

phpGACL - Generic Access Control Lists

Summary:
A PHP class offering Web developers a simple, yet immensely powerful “drop in” permission system to their current Web based applications.

P.S. Thank you Admins for pinning this topic :wink:

WebSecurify - automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies
Two articles about it:
Before You Go Live, Test Your Website Security With Websecurify

WebSecurify – Finds Out Your Sites’ Vulnerabilities

Application Security Logging

Qualys is offering anyone their product QualysGuard:

Thousands of web sites are infected with malware daily, propagating the infection to visitors of their web sites at an increasing speed. To combat these threats, QualysGuard® Malware Detection is a FREE service that proactively scans web sites of any size, anywhere in the world for malware infections and threats. QualysGuard Malware Detection provides businesses with automated alerts and in-depth reporting for effective remediation of identified malware to help businesses protect their web sites and web site visitors from malware.

http://qualysguard.net/forms/trials/stopmalware/
More info:
http://qualysguard.net/products/qg_suite/malware_detection/

It should give you an early warning if your website is hacked.

@pilotjourney - I think you can check out their blog: http://blog.websecurify.com/ and About page, which leads to: www.gnucitizen.org