Good security resources

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Good security resources

Post by matthijs »

What websites (news and blogs) do people follow to keep up to date on web security issues in general and/or PHP security specifically?

When I check out the regular news sites, even the technically oriented ones, there seems to be so much nonsense being spread around. Some company sends out a report on the Top-10 most vulnerable programs and all the news sites just publish it without checking out the source and possible bias. For example, a nice newsworthy publication is a list with Firefox at no. 1 as the piece of software with the most vulnerabilities. With the name of being "safer" than, for example, IE, that's guaranteed to generate some traffic and discussion. But without knowing, for example, if the report issued is one made by a Microsoft company, or without knowing what exactly is being measured, what possible consequences there are, etc., I still know nothing.

This internet thing and freedom and availability of information is nice and all, but sometimes I have a feeling that the real valuable information is harder and harder to find with all the noise being around.
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Good security resources

Post by volomike »

I visit secunia.com and cert.org. However, Slashdot is faster at getting the news out on the more prominent things -- but you have to take it with a grain of salt and check with secunia.com (even emailing them if you have to) to get the real scoop.

I also worked alongside a former data security lecturer in 2007, and he taught me a lot of things, making me realize that so many things can be hacked and need to be protected. Sometimes even opening an email can give you a virus, although this usually only happens on Windows and usually with Outlook and Outlook Express.
Last edited by volomike on Mon Dec 15, 2008 2:45 pm, edited 1 time in total.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Good security resources

Post by Eran »

That link you put to Ilia Alshanetsky's presentations contained plenty of great security material.

In my bookmarks I found:
PHP Security Consortium - http://phpsec.org/
Chris Shiflett - http://shiflett.org/
Codex Securitatis (of our very own mordred) - http://www.logris.org/security/
Wikipedia's constantly updating page of web exploits - http://en.wikipedia.org/wiki/Category:W ... y_exploits
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Good security resources

Post by volomike »

Oh yeah, I forgot. Chris Shiflett. Definitely.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Good security resources

Post by matthijs »

Good links, thanks. One blog I also follow is from Stefan Esser, http://blog.php-security.org

With security it's so important to be very critical of what you pick up on blogs and sites. For example, a resource like
http://www.owasp.org/index.php/OWASP_Va ... Repository
might seem very valuable and trustworthy (and it is). But if you check those regex patterns, all of them end with the $, something which Stefan pointed out is not as secure as it seems:
http://blog.php-security.org/archives/7 ... lters.html

Or take the article about SQL injection by Mordred
http://www.webappsec.org/projects/articles/091007.shtml
it shows how SQL injection and prevention is so much more complex than you would think at first.
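
The `$` point raised in the post above, as an added example that is not part of the thread or of the linked resources. It assumes the issue meant is PCRE's default behaviour, where `$` also matches just before a final newline; the username rule and all inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread). All inputs are constructed.
// Hypothetical field rule: username of 3-16 lowercase letters or digits.
$patterns = [
    '/^[a-z0-9]{3,16}$/'   => 'plain $',
    '/^[a-z0-9]{3,16}$/m'  => '$ with m (multiline)',
    '/^[a-z0-9]{3,16}$/D'  => '$ with D (PCRE_DOLLAR_ENDONLY)',
    '/\A[a-z0-9]{3,16}\z/' => '\A ... \z (absolute start/end)',
];

$inputs = [
    "alice01",          // well-formed
    "alice01\n",        // one trailing newline
    "alice01\n\n",      // two trailing newlines
    "alice01\nadmin",   // a second line after the valid one
];

// True when the whitelist pattern accepts the value.
function accepts(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Print one verdict per pattern/input pair so the variants can be compared.
foreach ($patterns as $pattern => $label) {
    echo $label, PHP_EOL;
    foreach ($inputs as $value) {
        printf(
            "  %-20s %s%s",
            json_encode($value),                       // shows the \n explicitly
            accepts($pattern, $value) ? 'ACCEPT' : 'reject',
            PHP_EOL
        );
    }
}
```

Only the `D` and `\A ... \z` forms reject every newline-bearing input; the plain `$` form lets the single trailing newline through, and adding `m` widens that to all four inputs.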
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Good security resources

Post by alex.barylski »

I personally find secunia to be an excellent resource for keeping on top of applications which are ridden with security holes. :P

Other than that, I follow forum discussions, read occasional articles, etc.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Good security resources

Post by matthijs »

I was just looking around some more and am surprised to find out that the whole PHP security topic doesn't get a lot of attention at all, lately.

For example: the three most well-known books (are there others?) are
Essential PHP security, Chris Shiflett. 2005
PHP Architects Guide to PHP security. Alshanetsky. 2005
Pro PHP Security. Chris Snyder. 2005
All three books are almost 4 years old! Is there so little market for an updated or new book about this (already broad) topic?

Or take a look at some of the initiatives.

Suhosin project, Stefan Esser
http://www.hardened-php.net/news.12.html
last news item March 2007

OWASP guide
http://www.owasp.org/index.php/Category ... de_Project
last version, July 2005