I haven’t posted here in a while so here is a presentation that I did at a local security meeting about the Snort IDS. Not much on its own but gives an introduction on Snort with a few slides about IDS’s a few on writing Snort Rules. On the demonstration slide is where I did a demonstration that didn’t exactly go as planned. I swear it worked at home using Nikto, but its all good since I had a friendly crowd. The additional resources slide shows some great resources for learning about the Snort IDS. So hit my document on scribd!
As a somewhat seasoned PHP developer, I’m always looking for ways to improve code and keep up with the latest happenings. When I saw the book, “Securing PHP Web Applications” by Addison-Wesley, I thought I’d give it a look. PHP is known for its wide deployment and rapid development. Unfortunately, with such a large user base, it is not uncommon to see mistakes within development. Often developers are unaware that what they are doing is insecure. This book addresses important security concerns every developer should be aware of.
The first ten chapters are on programming practices of which, if you’re a system administrator, may not interest you. If you are a developer you should know, understand, be able to fix and, of course (the fun part), exploit for demonstration.
Chapters 11, 12 and 13 are essential reading to any system administrator who will be supporting a LAMP or WAMP stack.
The IIS chapter may not apply to those reading this blog since we all know that securing IIS is not necessary when you’re running Linux. The chapters on securing PHP, MySQL, and Apache outline the basic concepts and give some important pointers that may not be obvious to everyone.
Chapter 14 (Introduction to Automated Testing) and Chapter 15 (Introduction to Exploit Testing) have really opened my eyes to methods I have not used before. We’ve all heard of Selenium and PHPUnit but what about CAL9000 and PowerFuzzer? I’ll be off to try them soon. I can always appreciate applications designed to help secure applications. Nessus, Nikto and MetaSploit lack any mention in this book but now that you’ve read this review, you’ll know to look into those as well.
Chapter 16 is on designing secure applications and 17 is on patching, which would have been useful for me to explain to someone as to why they shouldn’t be working on their production site (to make things worse with no version control.)
There are so many products out there that are vulnerable to some of the attacks. We see them everyday in the security lists. I think that any company and developer of PHP based Web Applications should have a keen grasp on the concepts outlined within the pages of this book.
I do not think, however, that “Securing PHP Web Applications” is a book that is necessarily intended for every developer out there. I think its a great book for anyone with an active interest in security that has been developing for a while but would like some pointers on how to secure their web apps or a reference for developers in need.
For more information and a sample chapter, please visit the publisher page: http://www.informit.com/title/0321534344 or if you subscribe to Safari Books Online you can access the complete book here: http://techbus.safaribooksonline.com/9780321534347