Good security resources

Posted: Sun Dec 14, 2008 4:56 am
by matthijs
What websites (news and blogs) do people follow to keep up to date on web security issues in general and/or PHP security specifically?

When I check out the regular news sites, even the technically oriented ones, there seems to be so much nonsense being spread around. Some company sends out a report on the Top-10 most vulnerable programs and all the news sites just publish it without checking out the source and possible bias. For example, a nice newsworthy publication is a list with Firefox at no. 1 as the piece of software with the most vulnerabilities. With the name of being "safer" than, for example, IE, that's guaranteed to generate some traffic and discussion. But without knowing, for example, whether the report issued is one made by a Microsoft company, or without knowing what exactly is being measured, what the possible consequences are, etc., I still know nothing.

This internet thing and the freedom and availability of information is nice and all, but sometimes I have a feeling that the really valuable information is harder and harder to find with all the noise around.

Re: Good security resources

Posted: Mon Dec 15, 2008 2:25 pm
by volomike
I visit secunia.com and cert.org. However, Slashdot is faster at getting the news out on the more prominent things -- but you have to take it with a grain of salt and check with secunia.com (even emailing them if you have to) to get the real scoop.

I also worked alongside a former data security lecturer in 2007, and he taught me a lot of things, making me realize that so many things can be hacked and need to be protected. Sometimes even opening an email can give you a virus, although this usually only happens on Windows and usually with Outlook and Outlook Express.

Re: Good security resources

Posted: Mon Dec 15, 2008 2:40 pm
by Eran
That link you put to Ilia Alshanetsky's presentations contained plenty of great security material.

In my bookmarks I found:
PHP Security Consortium - http://phpsec.org/
Chris Shiflett - http://shiflett.org/
Codex Securitatis (of our very own mordred) - http://www.logris.org/security/
Wikipedia's constantly updating page of web exploits - http://en.wikipedia.org/wiki/Category:W ... y_exploits

Re: Good security resources

Posted: Mon Dec 15, 2008 2:44 pm
by volomike
Oh yeah, I forgot. Chris Shiflett. Definitely.

Re: Good security resources

Posted: Tue Dec 16, 2008 2:30 am
by matthijs
Good links, thanks. One blog I also follow is from Stefan Esser, http://blog.php-security.org

With security it's so important to be very critical of what you pick up on blogs and sites. For example, a resource like
http://www.owasp.org/index.php/OWASP_Va ... Repository
might seem very valuable and trustworthy (and it is). But if you check those regex patterns, all of them end with the $, something which Stefan pointed out is not as secure as it seems:
http://blog.php-security.org/archives/7 ... lters.html

Or take the article about sql injection by Mordred
http://www.webappsec.org/projects/articles/091007.shtml
It shows how SQL injection and its prevention are so much more complex than you would think at first.
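
The point about validation patterns ending in `$` is easy to demonstrate. In PCRE (and therefore in PHP's `preg_*` functions), `$` without the `D` modifier matches at the end of the subject *or* immediately before a trailing newline, so a value like `"alice\n"` passes a whitelist regex and the newline travels on into headers, log lines or shell commands. The following is an added example written for this thread, not code from the OWASP repository or from Stefan Esser's post; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread or the linked pages): how a trailing
// newline slips past a whitelist regex anchored with "$", and two fixes.
// PCRE's "$" matches at the end of the subject OR just before a final "\n",
// so /^[a-z]+$/ accepts "alice\n". Use "\z" (absolute end of subject) or the
// D modifier (PCRE_DOLLAR_ENDONLY) so "$" only matches at the very end.

// Pattern style the post refers to: ^ ... $ (hypothetical function name)
function validate_dollar(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9_]+$/', $input) === 1;
}

// Fix 1: \z only matches at the true end of the subject, newline or not
function validate_z(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9_]+\z/', $input) === 1;
}

// Fix 2: keep "$" but add the D (PCRE_DOLLAR_ENDONLY) modifier
function validate_dollar_endonly(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9_]+$/D', $input) === 1;
}

// Constructed inputs: a clean username, the same one with a trailing newline
// (as a textarea or a crafted request body can deliver), an embedded newline,
// and an obviously hostile string. Only the second one differs between checks.
$inputs = [
    "alice",
    "alice\n",
    "alice\nbob",
    "alice; rm -rf /",
];

foreach ($inputs as $in) {
    printf(
        "%-20s  \$: %-4s  \\z: %-4s  \$D: %-4s\n",
        json_encode($in),
        validate_dollar($in) ? 'pass' : 'FAIL',
        validate_z($in) ? 'pass' : 'FAIL',
        validate_dollar_endonly($in) ? 'pass' : 'FAIL'
    );
}
// "alice\n" is accepted by validate_dollar() and rejected by the other two;
// the remaining inputs give the same verdict under all three patterns.
```

Run it with `php` on the command line. The practical takeaway is that any character a regex lets through will end up wherever the value is used, and a bare newline is exactly what header injection, log forging and line-oriented protocols need, so anchor with `\z` (or `$` plus `D`) and never rely on `$` alone. The `D` modifier is ignored when `m` (multiline) is also set, in which case `\z` is the only option.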

Re: Good security resources

Posted: Tue Dec 16, 2008 4:08 am
by alex.barylski
I personally find secunia to be an excellent resource for keeping on top of applications which are ridden with security holes. :P

Other than that, I follow forum discussions, read occasional articles, etc.

Re: Good security resources

Posted: Thu Dec 18, 2008 4:30 am
by matthijs
I was just looking around some more and am surprised to find out that the whole PHP security topic doesn't get a lot of attention at all lately.

For example: the three most well-known books (are there others?) are
Essential PHP Security, Chris Shiflett, 2005
PHP Architect's Guide to PHP Security, Ilia Alshanetsky, 2005
Pro PHP Security, Chris Snyder, 2005
All three books are almost 4 years old! Is there so little market for an updated or new book about this (already broad) topic?

Or take a look at some of the initiatives.

Suhosin project, Stefan Esser
http://www.hardened-php.net/news.12.html
last news item: March 2007

OWASP guide
http://www.owasp.org/index.php/Category ... de_Project
last version: July 2005