Securing 3rd Party Website Applications

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Securing 3rd Party Website Applications

Post by Benjamin »

What are some best practices for securing 3rd party website applications? E.g., besides using strong passwords and ensuring you have the latest version.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Securing 3rd Party Website Applications

Post by kaisellgren »

Benjamin wrote: What are some best practices for securing 3rd party website applications?
It would be quite simple to run a couple of vulnerability scanners against this software. You could also check online vulnerability databases (and Google) for known vulnerabilities of your web applications. If you want to be sure, you would need to get someone to evaluate the actual code, but that will take time and money. Also, taking a look at the history of these applications in terms of security will likely give you an idea of the overall security and what to expect in the future.

Some developers also offer a feed to get informed of the latest security problems of their software.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Securing 3rd Party Website Applications

Post by Benjamin »

What are your thoughts on ModSecurity?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Securing 3rd Party Website Applications

Post by kaisellgren »

Well, think of having a software desktop firewall. While it blocks some attacks that would have been successful otherwise, it is not a guarantee of a secure system, mostly because certain attacks rely on business logic failure or are just new. I think it is a good idea to use it if you are on Apache HTTPD and you do not notice any performance impact.
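
The point made in the reply above, shown as an added example (not code from the thread and not ModSecurity's own rules): a signature filter flags a request carrying injection syntax but passes a well-formed request that abuses business logic, which only the application's own checks catch. The signatures, the order endpoint, its parameters and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed signatures in the spirit of a WAF rule set; not real ModSecurity rules.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script\b|\bon\w+\s*="),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}

# Constructed form bodies for a hypothetical order endpoint.
NORMAL = "account=alice&item=42&quantity=1"
INJECTION = "account=alice&item=42%27+OR+%271%27%3D%271&quantity=1"
LOGIC_ABUSE = "account=bob&item=42&quantity=-5"  # well-formed, no attack syntax


def waf_verdict(body):
    """Return the names of signatures that match any decoded parameter value."""
    hits = set()
    for _, value in parse_qsl(body, keep_blank_values=True):
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return sorted(hits)


def app_check(body, session_user):
    """Business rules that only the application knows how to enforce."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    problems = []
    if params.get("account") != session_user:
        problems.append("account is not owned by the session user")
    try:
        quantity = int(params.get("quantity", ""))
    except ValueError:
        quantity = 0
    if quantity < 1:
        problems.append("quantity must be a positive integer")
    return problems


if __name__ == "__main__":
    for label, body in [("normal", NORMAL), ("injection", INJECTION), ("logic", LOGIC_ABUSE)]:
        print(label, "| filter:", waf_verdict(body) or "pass",
              "| app:", app_check(body, "alice") or "ok")
```

Neither layer covers the other's case here: the filter is the only one that flags the injection string, and the application check is the only one that rejects the cross-account, negative-quantity order.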