Seven principles for preventing vulnerabilities in PHP programming

Inviting the Uninvited

Article from Issue 145/2012

Many web attacks are the result of programmer error. Sloppy code testing leaves a door open for the uninvited.

Today, attacks on web-based systems rarely target weaknesses in network protocols anymore; instead they exploit flaws in the applications themselves. Many of the spectacular security breaches of recent years, such as the one on the Sony PlayStation Network, took advantage of programming defects in web applications. The defects are rarely exotic and can be grouped into just a few categories; the Sony hack, for example, succeeded with an SQL injection.

Modern operating systems do provide elaborate protective measures against vulnerabilities, such as address space layout randomization, but savvy attackers can circumvent these protections with a few tricks. The only real solution is to develop web applications without security vulnerabilities. Systematically avoiding programming defects is therefore the noble aim of any serious software quality management.
