PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.

All times are UTC - 5 hours
PostPosted: Sun Sep 04, 2011 2:44 pm 
Forum Newbie

Joined: Mon Feb 07, 2011 4:36 am
Posts: 20
I'm working on a custom CMS app. To keep a long story short, this is the first app that I've built, my experience is limited, and this is a learning process for sure. Having said that, I'm really proud of it, and I'm getting a very positive response from the few that are using it. I would like to start sharing it with more people, and marketing it along with my design services. Here's the thing... I'm comfortable taking on the challenges that this project presents, and I'm comfortable answering for bugs and glitches that result from my inexperience. I'm not comfortable with users' data being unnecessarily vulnerable due to my inexperience. I hope this doesn't appear lazy. I've spent a ridiculous amount of time on this app and it's been a great experience so far. I'm just trying to be responsible and face my limitations. The more I learn about security, the more I realize I need to know, and I would simply rather put my time into other areas of the app.

I'm considering posting the project on a website like elance or something similar but I'm having trust issues with this. I have a working login system and I don't need someone to put their name on a login script and sell it to me. My problem is I don't know how to expose vulnerabilities or audit the security. If I did, obviously I would be more comfortable with my own script. So I would be at the mercy of the developer I hire. Is outsourcing security like this common practice?

The other solution I was hoping to find is a third party app that manages authentication etc... Maybe something that I could just hook into with my application? I've done some poking around but I haven't really found anything like this. If something like this exists, I think it would be ideal. Though it may sound silly, I have this feeling like if I was paying for something on a regular basis, there would be a certain level of accountability that goes along with that. Also, if the third party app was specifically built for that purpose, I would expect more quality and reliability.

I know this question is a little broad, but any advice or direction that anyone could offer would be greatly appreciated!! Thanks to you all for your time!!


PostPosted: Mon Sep 05, 2011 5:49 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
You can farm out a security audit on your app in the end, but security is not an add-on object that can be added when the project is finished. You really need to follow best security practices before you write your first line of code.

If you want a good resource, pick up the book "php|architect's Guide to PHP Security" by Ilia Alshanetsky. It's small enough to not be intimidating, but is jam packed with good practice.

Other good websites to visit are owasp and phpappsec.

Good Luck!


PostPosted: Mon Sep 05, 2011 8:27 pm 
Forum Newbie

Joined: Mon Feb 07, 2011 4:36 am
Posts: 20
Thanks for the advice and the resources! I guess I just need to suck it up and figure it out. Every time I look for shortcuts in development I end up regretting it anyway, so it's probably better I take the time and get it right. Thanks!!


PostPosted: Wed Sep 07, 2011 3:07 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria


PostPosted: Sat Sep 10, 2011 8:04 pm 
Forum Contributor

Joined: Sun Apr 27, 2008 1:22 am
Posts: 169
I agree with the advice flying_circus gave you. You want security stuff to be part of your mindset for long term development. Otherwise, if you outsource it and have someone fix it for you, as soon as you start feature development again, you'll probably introduce new security issues. That said, I'll give a plug for Mordred here as maybe a good jumpstart for you. I've lurked on the forums for a few years now, and I've always agreed with the advice that he has given folks on security topics.


PostPosted: Wed Sep 28, 2011 11:17 pm 
Forum Newbie

Joined: Mon Feb 07, 2011 4:36 am
Posts: 20
That looks like a great offer Mordred and I'll probably contact you in the future. I think I'll probably do some learning and do what I can to fix issues that I know of before I contact you in an effort to not waste your time with silliness. Thanks!!


PostPosted: Thu Sep 29, 2011 5:05 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
A shorter alternative would be to just post your security problems/questions here, this is the purpose of this subforum.

