DRX
Web Developer Resource Index: Security
Internet Security encompasses both Internet protocols and the encryption of sensitive
data before and after transport over the network, and programming methods
and pragmatic solutions that developers can use to keep their visitors, Web
applications, and the servers they are hosted on safe from intrusion or
downtime.
Cryptographic standards such as DES (the Data Encryption Standard, long since withdrawn and superseded by AES) and RSA (published by Rivest, Shamir and Adleman in 1977 and specified for practical use in PKCS #1) are, at least here in the US, published for federal use by NIST in its FIPS series (FIPS 46-3 for DES, FIPS 197 for AES, FIPS 186 for digital signatures including RSA), with technical input from the NSA. FIPS is the name of that publication series, not a standards body of its own.
Most Web developers are at least familiar with tools such as SSH and with serving HTTPS from the Apache HTTP Server through its mod_ssl module. But I suspect developers are more interested in techniques to secure their Web application data.
In practice, most Web application compromises come from untrusted data crossing a trust boundary in one of two directions: input that reaches an interpreter such as the database (SQL injection, with close cousins for shell commands, LDAP and XPath), and output that reaches a browser or other user-agent without escaping, which is cross-site scripting (XSS), usually in the form of injected JavaScript. Cross-site request forgery (CSRF) is a third, separate class. It is common rather than rare, and input filtering does nothing against it, because the forged request carries perfectly valid data from a logged-in victim's browser; the defense is a per-session secret token that every state-changing request must echo back.
In all cases it is important to never trust data that is coming from external sources such as the HTTP GET, POST, FILES and COOKIE variables, and that includes request headers such as Referer and User-Agent. Validating and filtering input is the first line of defense, but it is not sufficient on its own: use bound parameters or prepared statements for SQL, escape output for the context it lands in (HTML body, attribute, JavaScript, URL), and reserve allowlist-based HTML filtering for the rare case where users are allowed to submit markup.
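To make the output-side part of that concrete, here is an added Python example, not code from this page or from any project it lists, showing the two defenses that input filtering cannot replace: context-aware escaping of the same untrusted string for an HTML body and for an href attribute (with script-bearing URL schemes rejected), and a per-session anti-CSRF token checked by a hypothetical state-changing handler. The function names, the in-memory secret and the `form` dict standing in for POST fields are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from html import escape

# ---- XSS: the same untrusted string needs encoding for the context it lands in ----

def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: untrusted text is concatenated straight into the HTML body.
    return "<p>" + comment + "</p>"

def render_comment_safe(comment: str) -> str:
    # HTML body context: <, >, &, " and ' become character references, so
    # nothing in the comment can open a tag or break out of the paragraph.
    return "<p>" + escape(comment, quote=True) + "</p>"

SAFE_SCHEMES = ("http://", "https://")

def render_link_safe(url: str, label: str) -> str:
    # Attribute context: escaping alone does not stop href="javascript:..."
    # from running, so the scheme is checked against an allowlist first.
    if not url.strip().lower().startswith(SAFE_SCHEMES):
        url = "#"
    return '<a href="%s">%s</a>' % (escape(url, quote=True), escape(label, quote=True))

# ---- CSRF: a secret that a forged cross-site request cannot supply ----

# A real application keeps this secret on the server across restarts; a fresh
# random key per process is used here only so the example is self-contained.
SECRET_KEY = secrets.token_bytes(32)

def make_csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    # Bind the token to the session, so a token captured from one session is
    # useless in another. The session ID itself must be unguessable.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id: str, submitted: str, key: bytes = SECRET_KEY) -> bool:
    expected = make_csrf_token(session_id, key)
    # Constant-time comparison, so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected, submitted)

def handle_transfer(form: dict, session_id: str) -> str:
    # Hypothetical state-changing POST handler; `form` stands in for the POSTed
    # fields. The token is read from the form body, never from a cookie, since
    # cookies are exactly what the browser attaches to a forged request anyway.
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden"
    return "200 transferred %s" % form["amount"]

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_comment_unsafe(payload))   # script tag survives
    print(render_comment_safe(payload))     # rendered as inert text
    print(render_link_safe("javascript:alert(1)", "click"))
    token = make_csrf_token("session-abc")
    print(handle_transfer({"csrf_token": token, "amount": "10"}, "session-abc"))
    print(handle_transfer({"amount": "10"}, "session-abc"))
```

The token here is deterministic per session (an HMAC of the session ID under a server secret), so the server does not need to store it; the form embeds it and the handler recomputes it. The same escaping function is deliberately not reused for a JavaScript or URL context, where HTML entities are the wrong encoding.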
Updated: Tuesday, December 30th, 2008 @ 4:36 PM EST
Resources
1.
Open Web Application Security Project
OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. [1740]
★★★★☆
URI:http://www.owasp.org/index.php/Main_Page
Author:OWASP Foundation [1]
Reviewed:Thursday, October 16th, 2008 @ 2:02 PM EDT
by:Douglas Clifton
Tags: developer internet owasp programming web

2.
Seahorse
A Gnome frontend to GnuPG. It integrates with Nautilus, Gedit and other places for encryption operations. You can create and manage PGP and SSH keys, publish and retrieve keys from key servers, cache your passphrase, back up your keys and keyring, and more. [1873]
★★★★★
URI:http://projects.gnome.org/seahorse/
Author:The Seahorse Team [1]
Reviewed:Tuesday, December 30th, 2008 @ 4:36 PM EST
by:Douglas Clifton
Tags: encryption gnu gui pgp security ssh

3.
FireGPG
A Firefox extension that adds an interface to encrypt, decrypt, sign or verify the signature of text in any Web page using GnuPG. FireGPG supports Gmail and detects PGP blocks in any page (for example a public key), and lets you easily manage these blocks. [1872]
★★★★☆
URI:http://getfiregpg.org/
Author:The FireGPG Team [1]
Reviewed:Tuesday, December 30th, 2008 @ 4:14 PM EST
by:Douglas Clifton
Tags: email encryption extension firefox gnu security

4.
GnuPG
Gnu Privacy Guard is a free command-line implementation of the OpenPGP standard. GnuPG allows you to encrypt and sign your email and data files; it features a versatile key management system as well as access modules for all kinds of public key directories. [1871]
★★★★☆
URI:http://gnupg.org/
Author:GNU Contributors [4]
Reviewed:Tuesday, December 30th, 2008 @ 3:58 PM EST
by:Douglas Clifton
Tags: email encryption gnu pgp security

5.
OpenPGP
OpenPGP is the most widely used email encryption standard in the world. It is defined by the IETF OpenPGP Working Group as Proposed Standard RFC 4880. It was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991. [1870]
★★★★☆
URI:http://openpgp.org/
Author:OpenPGP Alliance [1]
Reviewed:Tuesday, December 30th, 2008 @ 3:45 PM EST
by:Douglas Clifton
Tags: email encryption pgp security

6.
ONLamp: Security DevCenter
This O'Reilly property targets the security-conscious developer and system administrator. It features articles covering such diverse topics as database and scripting vulnerabilities, OS, network and application flaws, and intrusion detection and recovery. [1776]
★★★★☆
URI:http://www.onlamp.com/security/
Author:O'Reilly Network [13]
Reviewed:Sunday, October 26th, 2008 @ 1:15 AM EDT
by:Douglas Clifton
Tags: database developer network onlamp oreilly os security sysadmin

7.
PHP Manual: SQL Injection
This section of the PHP manual discusses database security, and SQL injection in particular. Attack techniques are covered and real-world examples for both MySQL and PostgreSQL are provided. Topics include validation, expected data types, and escaping. [1762]
★★★★☆
URI:http://php.net/manual/security.database.sql-injection.php
Author:PHP Staff [3]
Reviewed:Sunday, October 19th, 2008 @ 1:18 AM EDT
by:Douglas Clifton
Tags: database filter injection mysql php postgresql security sql validate

8.
PHP Programming/SQL Injection
This chapter of the PHP Programming Wikibook focuses on SQL Injection, what it is (with examples) and how to safeguard your application from attack. Validating and filtering user input, and the PHP/MySQL mysql_real_escape_string() function, are discussed. (Note that the mysql_* extension was removed in PHP 7; the equivalent in current PHP is a prepared statement through mysqli or PDO, which is preferable to escaping in any case.) [1761]
★★★★☆
URI:http://wikibooks.org/wiki/Programming:PHP:SQL_Injection
Author:Wikibooks Contributors [2]
Reviewed:Sunday, October 19th, 2008 @ 12:49 AM EDT
by:Douglas Clifton
Tags: ebook filter injection mysql php programming security sql validate wiki

9.
OWASP PHP Filters
Because data originating from an end user is inherently untrustworthy, it should be treated with the utmost care. In the Perl world, this is referred to as "taint checking." PHP Filters is a collection of functions for doing just this: sanitizing user inputs. [1760]
★★★★☆
URI:http://www.owasp.org/index.php/OWASP_PHP_Filters
Author:Gavin Zuchlinski [1]
Reviewed:Sunday, October 19th, 2008 @ 12:22 AM EDT
by:Douglas Clifton
Tags: filter owasp php programming sanitize security web

10.
SafeHTML
If you're planning on rolling your own commenting system that accepts markup from a form, then you had best be careful about XSS and similar security issues. SafeHTML is a parser that will strip all potentially dangerous content from any untrusted source. [1759]
★★★★☆
URI:http://pixel-apes.com/safehtml/
Author:Roman Ivanov [1]
Reviewed:Sunday, October 19th, 2008 @ 12:19 AM EDT
by:Douglas Clifton
Tags: html markup php security xhtml xss

11.
HTML Purifier
An open-source, standards-compliant HTML filter library written in PHP. HTML Purifier removes XSS (cross-site scripting) payloads by rebuilding the input against a thoroughly audited, secure yet permissive whitelist of elements and attributes. Output is well-formed, valid HTML. [1758]
★★★★☆
URI:http://htmlpurifier.org/
Author:Edward Z. Yang [2]
Reviewed:Sunday, October 19th, 2008 @ 12:17 AM EDT
by:Douglas Clifton
Tags: html injection php programming security standards xss

12.
PHP Security Guide
A detailed guide to securing your PHP applications. Topics include register globals, data filtering, error reporting, forms processing, securing database connections and SQL injection attacks, and session data and shared hosting environments. [1757]
★★★★☆
URI:http://phpsec.org/projects/guide/
Author:Chris Shiflett [2]
Reviewed:Sunday, October 19th, 2008 @ 12:05 AM EDT
by:Douglas Clifton
Tags: database filter injection php security sql

13.
Shiflett.org
Security for Web-based applications is an important issue, and Chris is a recognized expert in the field, as well as an accomplished programmer and author. This is his professional blog (see also his consultancy: Brain Bulb). [1756]
★★★★☆
URI:http://shiflett.org/
Author:Chris Shiflett [2]
Reviewed:Sunday, October 19th, 2008 @ 12:00 AM EDT
by:Douglas Clifton
Tags: blog php programming security

14.
sqlmap: SQL Injection Tool
If you're more interested in testing your Web applications for SQL injection vulnerabilities, this command-line tool written in Python might just be what the doctor ordered. The feature list is way beyond the limited space I have available here. [1755]
★★★★☆
URI:http://sqlmap.sourceforge.net/
Author:Bernardo Damele [1]
Reviewed:Saturday, October 18th, 2008 @ 1:16 AM EDT
by:Douglas Clifton
Tags: injection python security sql tools

15.
Python Database API Specification
As with the Perl DBI module, the Python DB-API (PEP 249) expects driver authors to implement parameter binding: values passed alongside a query are quoted by the driver, or sent to the server separately from the statement, rather than interpolated into the SQL text. Drivers for MySQL and PostgreSQL are available, and as of Python 2.5 SQLite support is built in (the sqlite3 module). [1754]
★★★★☆
URI:http://python.org/dev/peps/pep-0249/
Author:Marc-André Lemburg [1]
Reviewed:Saturday, October 18th, 2008 @ 12:06 AM EDT
by:Douglas Clifton
Tags: api database mysql postgresql programming python sql sqlite

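The SQL injection point made in the introduction, the two PHP SQL-injection entries above, this DB-API entry and the Perl DBI placeholder entry below all come down to the same rule: the statement text is fixed and the data is bound, never pasted in. The following is an added Python example, not code from this page or from any of the listed projects, using the standard-library sqlite3 driver (qmark paramstyle): a login query built by string formatting, the same query with bound parameters, and the one case binding cannot cover, a column name chosen by the caller, handled with an allowlist. The table, its rows (plaintext passwords purely for the demo) and the function names are constructed for the example.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table so the example runs offline.
    # Passwords are stored in clear only to keep the demo short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str):
    # String formatting pastes the caller's text into the SQL grammar, so a
    # quote in the input changes the statement instead of being a value.
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username: str, password: str):
    # DB-API bound parameters: the statement is fixed, the values travel
    # separately and can only ever be compared, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Identifiers (table and column names) cannot be bound as parameters, so the
# only safe way to let a caller choose one is an allowlist of known names.
ALLOWED_SORT_COLUMNS = {"name", "is_admin"}

def list_users_sorted(conn, column: str):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("refusing to sort by unknown column %r" % column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]

if __name__ == "__main__":
    conn = setup_db()
    # Classic payloads: comment out the password check, or make WHERE always true.
    print(login_vulnerable(conn, "bob' --", "wrong"))          # bob
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))     # alice
    print(login_parameterized(conn, "bob' --", "wrong"))       # None
    print(login_parameterized(conn, "nobody", "' OR '1'='1"))  # None
    print(login_parameterized(conn, "alice", "s3cret"))        # alice
    print(list_users_sorted(conn, "is_admin"))                 # ['bob', 'alice']
```

The same shape applies to drivers that use the `format` paramstyle, such as MySQLdb, where the placeholder is spelled `%s`: the values still go in the tuple passed as the second argument to `execute()`. Applying the `%` operator yourself before the call reproduces the vulnerable version exactly, and is the most common way this defence is defeated by accident.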
16.
MySQL for Python
Similar to the pyPgSQL PostgreSQL driver, MySQLdb consists of two parts. The first, _mysql, is a low-level module built from the MySQL C API. The second, MySQLdb, is the DB-API 2.0 compliant interface that is imported for use in your Python scripts. [1753]
★★★★☆
URI:http://mysql-python.sourceforge.net/
Author:Andy Dustman [1]
Reviewed:Saturday, October 18th, 2008 @ 12:02 AM EDT
by:Douglas Clifton
Tags: api c database module mysql programming python

17.
pyPgSQL
A package of two modules that provide a Python DB-API 2.0 compliant interface to PostgreSQL databases. The first, libpq, exports the PostgreSQL API and is written in C. The second, PgSQL, supports various PostgreSQL data types and is written in Python. [1752]
★★★★☆
URI:http://pypgsql.sourceforge.net/
Author:Billy G. Allie [1]
Reviewed:Friday, October 17th, 2008 @ 11:33 PM EDT
by:Douglas Clifton
Tags: api c database module postgresql programming python

18.
Cross-site scripting (XSS) defense
A Python module which filters potentially dangerous HTML or scripting code that can be used to launch cross-site scripting (XSS) attacks, or run other harmful or annoying code. It relies on standard Python libraries only and includes sample input/output. [1751]
★★★★☆
URI:http://code.activestate.com/recipes/496942/
Author:Josh Goldfoot [1]
Reviewed:Friday, October 17th, 2008 @ 10:37 PM EDT
by:Douglas Clifton
Tags: code filter html javascript module programming python security xss

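SafeHTML, HTML Purifier and this recipe all take the allowlist approach: keep a small set of harmless tags and attributes, drop everything else (including the contents of script and style elements), and reject URLs whose scheme can execute script. As an added illustration of that approach, not code from any of those three projects, here is a minimal allowlist sanitizer built on the standard-library html.parser. The allowed-tag table and the scheme list are assumptions of the example; a production filter needs a larger, reviewed policy and a strict parser rather than this best-effort one.

```python
from html import escape
from html.parser import HTMLParser

# Policy (assumed for the example): tags to keep, with the attributes allowed on each.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}               # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # element and its text both disappear

def _safe_url(value: str) -> bool:
    v = value.strip().lower()
    # Drop whitespace and control characters that browsers ignore, so
    # "java\tscript:" is seen for what it is.
    v = "".join(ch for ch in v if ch.isprintable() and not ch.isspace())
    return v.startswith(SAFE_SCHEMES) or v.startswith(("/", "#"))

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []       # stack of emitted tags, so output is well-formed
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onclick=, style=, and other event handlers
            if name in URL_ATTRS and not _safe_url(value):
                continue  # drops javascript: and data: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        # Close everything up to and including the matching tag.
        while self.open:
            t = self.open.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def result(self) -> str:
        while self.open:                                 # close anything left open
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)

def sanitize_html(untrusted: str) -> str:
    s = Sanitizer()
    s.feed(untrusted)
    s.close()
    return s.result()

if __name__ == "__main__":
    # Constructed sample input, not taken from any real site.
    sample = ('<p onclick="steal()">Hi <b>there</b></p>'
              '<script>alert(1)</script>'
              '<a href="javascript:alert(1)">bad</a> '
              '<a href="https://example.com/?a=1&b=2">good</a>'
              '<img src="/img/a.png" onerror="alert(1)"><marquee>old</marquee>')
    print(sanitize_html(sample))
```

Two design choices matter here. Text nodes are always re-escaped on output rather than copied through, so a comment containing a literal `<` can never turn into a tag. And unknown elements are dropped while their text survives, which is the behaviour a commenting system usually wants; if the policy instead needs whole subtrees removed, extend DROP_CONTENT.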
19.
Using taint mode to prevent XSS holes
A proof-of-concept implementation which works with Template::Toolkit by adding an additional layer between Web applications and their clients, ensuring that tainted data cannot pass into the application's output without being escaped. Includes Template package code and examples. [1750]
★★★★☆
URI:http://perlmonks.org/?node_id=224782
Author:Ilya Martynov [1]
Reviewed:Friday, October 17th, 2008 @ 6:10 PM EDT
by:Douglas Clifton
Tags: code module perl programming security template validate xss

20.
Perl DBI: Placeholders and Bind Values
If you're not using the DBI API to interact with databases you should rethink your approach. Not only do prepared statements improve efficiency, binding values through the DBD driver (DBD::mysql, for example) means the data is quoted by the driver or sent to the server separately from the statement, so it is never parsed as SQL; that prevents SQL injection through values. Placeholders cannot stand in for table or column names, so any identifier chosen by the user still needs an allowlist. [1749]
★★★★☆
URI:http://search.cpan.org/~timb/DBI/DBI.pm#Placeholders_and_Bind_Values
Author:Tim Bunce [3]
Reviewed:Friday, October 17th, 2008 @ 12:41 PM EDT
by:Douglas Clifton
Tags: api database injection module mysql perl programming security sql

21.
Perl Security
Perl already has a built-in mechanism for dealing with untrustworthy data that could come from any number of sources. With taint mode enabled (the -T switch), data that originates outside the program, such as command-line arguments, environment variables, file and network input, is marked as tainted, and Perl refuses to use it in any operation that affects the outside world (running a command, opening a file for writing, eval) until it has been explicitly untainted by extracting the wanted part with a regular expression match. [1748]
★★★★☆
URI:http://perldoc.perl.org/perlsec.html
Author:Larry Wall [3]
Reviewed:Friday, October 17th, 2008 @ 11:35 AM EDT
by:Douglas Clifton
Tags: filter perl programming security

22.
OpenSSH
A free version of the SSH tools that technical users of the Internet rely on. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Includes ssh, sshd, sftp and other utilities. [1747]
★★★★☆
URI:http://www.openssh.org/
Author:OpenBSD Foundation [1]
Reviewed:Friday, October 17th, 2008 @ 12:02 AM EDT
by:Douglas Clifton
Tags: bsd encryption internet open-source security sftp shell software ssh

23.
Secure Programming
From the O'Reilly Cookbook of the same name, the Web site provides C and C++ code examples from the book, plus additional recipes for cryptography, authentication, networking, input validation and more. Also includes links to articles on the same topics. [1746]
★★★★☆
URI:http://www.secureprogramming.com/
Author:John Viega [1]
Reviewed:Thursday, October 16th, 2008 @ 11:03 PM EDT
by:Douglas Clifton
Tags: authentication c code encryption programming security

24.
GNU Transport Layer Security Library
GnuTLS is a project that aims to develop a library which provides a secure layer over a reliable transport such as TCP; HTTP carried over that layer is HTTPS. Currently the GnuTLS library implements the standards proposed by the IETF's TLS working group. [1745]
★★★★☆
URI:http://www.gnu.org/software/gnutls/
Author:GNU Contributors [4]
Reviewed:Thursday, October 16th, 2008 @ 3:54 PM EDT
by:Douglas Clifton
Tags: gnu http https open-source protocol security tls

25.
Apache mod_ssl
This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server. It was contributed by Ralf S. Engelschall based on his mod_ssl project, originally derived from work by Ben Laurie. mod_ssl relies on OpenSSL to provide the cryptography engine. SSLv2 and SSLv3 are broken and should be switched off with the SSLProtocol directive, leaving only TLS. [1744]
★★★★☆
URI:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Author:Ralf Engelschall [4]
Reviewed:Thursday, October 16th, 2008 @ 3:45 PM EDT
by:Douglas Clifton
Tags: apache encryption http https internet module protocol security ssl tls

26.
Apache SSL/TLS Encryption
The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides strong encryption using the SSL and TLS protocols. The module and this documentation are based on Ralf S. Engelschall's mod_ssl project. [1743]
★★★★☆
URI:http://httpd.apache.org/docs/2.2/ssl/
Author:Apache Project Members [6]
Reviewed:Thursday, October 16th, 2008 @ 3:35 PM EDT
by:Douglas Clifton
Tags: apache encryption http https internet module protocol security ssl tls

27.
OpenSSL Project
A collaborative effort to develop a robust, commercial-grade, full-featured, and open-source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. [1742]
★★★★☆
URI:http://www.openssl.org/
Author:Ralf Engelschall [4]
Reviewed:Thursday, October 16th, 2008 @ 3:18 PM EDT
by:Douglas Clifton
Tags: internet open-source programming protocol security ssl tls

28.
HTTP Over TLS
An RFC (RFC 2818) describing how to use TLS to secure HTTP connections over the Internet (https). Current practice is to layer HTTP over SSL (the predecessor to TLS), distinguishing secured traffic from insecure traffic by the use of a different server port (443 instead of 80). [1741]
★★★★☆
URI:http://rfc.sunsite.dk/rfc/rfc2818.html
Author:Eric Rescorla [1]
Reviewed:Thursday, October 16th, 2008 @ 2:33 PM EDT
by:Douglas Clifton
Tags: http https internet protocol rfc security ssl tls
Matching Tags
apache api authentication blog bsd c code database developer ebook email encryption extension filter firefox gnu gui html http https injection internet javascript markup module mysql network onlamp open-source oreilly os owasp perl pgp php postgresql programming protocol python rfc sanitize security sftp shell software sql sqlite ssh ssl standards sysadmin template tls tools validate web wiki xhtml xss
Last updated: Tuesday, December 30th, 2008 @ 4:36 PM EST [2008-12-30T21:36:08Z]