PHP Application Security Checklist

September 10, 2012

Similar to the OWASP Cheat Sheet on PHP security, there is another great checklist worth sharing – the PHP Application Security Checklist.

It is structured so that you can review every aspect of an existing PHP application. Print it a couple of times and audit your website until you have completed the whole list.

General topics covered:

  • Basic
  • Input
  • File Uploads
  • Database
  • Serving Files
  • Authentication
  • Sessions
  • 3rd Party
  • Misc
  • Shared Hosting
Categories: PHP

Basic mobile security practices

September 7, 2012

Traveling with a smartphone, a tablet and a netbook is common for an IT or business expert. Unfortunately, keeping such a device logged in to the many services you use can lead to a serious breach if the device is stolen or lost.

You can prevent or slow down the data leakage by following several simple steps:

  1. Protect your device with security software such as Cerebro or Where’s My Droid. Modern software can track and find a device, and some products have an extra feature to wipe your phone data or send SMS from/to it.
  2. Report your device to the nearest police department. You need some verification documents and the IMEI (or another unique device number) in order to make it work.
  3. Don’t auto-login to your services. Use password verification every time you use a service (email, reader, blog, Twitter, etc.).
  4. If your service requires a constant login, create a separate account if possible. For instance, create an author account for your blog, an email account that pulls only the most important data while you’re out, and so on.
  5. Some email vendors such as Gmail add an extra security layer. You can check the ‘Last account activity’ feature at the bottom right corner to see the last login and IP address, and remotely log out your missing device for security reasons.
  6. If a second-level account has been active on the device, delete it at home. First-level devices require at least a password change and monitoring for some time (some applications don’t verify the password after the first login for some amount of time).
  7. Monitor the online markets for second-hand devices. You could report your IMEI to some of the forums/markets so that the device cannot be listed for sale if it has been stolen.

Categories: Security

Latest Security Podcasts by Getmon

August 29, 2012

Podcasts are the new information distribution engine in the media world, following the great success of radio. Being able to download radio shows directly to your computer, tablet or smartphone is very handy, but different podcast vendors distribute their recordings in different ways (iTunes, some online radio stations, personal/company sites/blogs, etc.).

Getmon offers a one-page listing of all popular and useful security podcasts, free to listen to and download as MP3 files. Some of my favorites, like Risky Business, Network Security Podcast, PaulDotCom, Security Wire Weekly and Security Now!, are listed there, in addition to about 20 more. One of the MUST HAVE podcasts that is missing is the OWASP podcast; everything else is set and ready to download (and is refreshed regularly as new shows are uploaded).

Categories: Security

WordPress and the Settings API

August 27, 2012

The Settings API is a WordPress interface for centralized control over your forms. Built on top of the Options API, the Settings API provides a local mechanism for validating and managing your settings groups. It creates a settings group, stored in the database, that includes a number of settings in a form. You can define a validation function that runs on submit and sanitizes every value in the settings group before it is stored.

It doesn’t do any automagic work (as other APIs and frameworks do), but it lets you handle user input that is stored in the database in a centralized, elegant and easy-to-control way. Building the form and registering the fields adds one more abstraction layer.
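
A settings group with its validation function might look like the following. This is an added example, not code from the DevWP guide or from WordPress itself: the `acme_` names and the two fields are hypothetical, and it assumes the array form of `register_setting()`'s third argument (WordPress 4.7 and later).

```php
<?php
// Added example: every "acme_" identifier and both fields are hypothetical.
add_action( 'admin_init', function () {
    // The whole group lives in one option; each save passes through the callback.
    register_setting( 'acme_group', 'acme_options', array(
        'sanitize_callback' => 'acme_sanitize_options',
    ) );
    add_settings_section( 'acme_main', 'Feed settings', '__return_false', 'acme-settings' );
    foreach ( array( 'feed_url' => 'Feed URL', 'max_items' => 'Max items' ) as $key => $label ) {
        add_settings_field( $key, $label, 'acme_render_field', 'acme-settings', 'acme_main', array( 'key' => $key ) );
    }
} );

function acme_sanitize_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    // Allow-list: only keys copied into $clean ever reach the database.
    $clean = array( 'feed_url' => '', 'max_items' => 10 );
    if ( isset( $input['feed_url'] ) ) {
        // Restrict schemes so javascript: or data: URLs are stored as ''.
        $clean['feed_url'] = esc_url_raw( trim( $input['feed_url'] ), array( 'http', 'https' ) );
    }
    if ( isset( $input['max_items'] ) ) {
        $n = absint( $input['max_items'] );
        if ( $n >= 1 && $n <= 50 ) {
            $clean['max_items'] = $n;
        } else {
            // Out-of-range input falls back to the default and is reported.
            add_settings_error( 'acme_options', 'max_items_range', 'Max items must be between 1 and 50.' );
        }
    }
    return $clean;
}

function acme_render_field( $args ) {
    $opts = (array) get_option( 'acme_options', array() );
    $key  = $args['key'];
    $val  = isset( $opts[ $key ] ) ? $opts[ $key ] : '';
    // Escape on output too; sanitizing on save does not replace it.
    printf( '<input type="text" name="acme_options[%s]" value="%s">', esc_attr( $key ), esc_attr( $val ) );
}

add_action( 'admin_menu', function () {
    add_options_page( 'Acme', 'Acme', 'manage_options', 'acme-settings', function () {
        echo '<form method="post" action="options.php">';
        settings_fields( 'acme_group' );        // emits the nonce and group fields
        do_settings_sections( 'acme-settings' );
        submit_button();
        echo '</form>';
    } );
} );
```

The callback rebuilds the array from known keys rather than filtering the submitted one, so an extra field injected into the POST body is dropped instead of stored.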

Check out the quick 9-step guide on DevWP, which also lists several tutorials and complete references.

OWASP on PHP: Security Cheat Sheet

August 27, 2012

If you are into security and eager to learn more, the OWASP project is the right place for you.

Among its large variety of tutorials, tools, videos and articles, the PHP Security Cheat Sheet is a must, covering pretty much everything that has to be covered on PHP, the database layer and the network/server side. Get acquainted with escaping, database queries and code injections, session and global variable management, filters and regular expressions. Research the available security modules for PHP, hashing functions, ID storage and cryptography specifics.

Categories: PHP