Remember the first time you set up your website. You quickly built it without any bugs, and everything looked exactly as you wanted. As soon as you published your site you were swarmed with visitors who absolutely loved it! In fact, security experts started calling you up to get your advice, because of how great your site is, and in no time you became a millionaire. Yeah, I had that same dream too, but in the real world programmers make mistakes, and security vulnerabilities find their way into the code.
In fact, in today’s world, it isn’t a matter of if you get hacked, but when, with hackers getting smarter and more sophisticated every day. This is why it is so important to build a multi-layered system of security within your application; that way, if a hacker manages to breach one layer of security, they are still stopped from causing havoc by your other layers of security.
When developing your application, keep in mind what I call the “Prison Theory of Web Development Security”; in other words, build your website as if you were running a jail, where you don’t want anyone breaking in, or out. Remember, while every layer is intended to stop an intruder, each layer is also designed to contain them. Do not rely on any one layer by itself as a cure-all for your application, because if you only set up one wall, that’s all an attacker has to bypass. This is a mistake I see all too often in web development.
That brings us to the first step in making your application secure: planning. A lot of applications are built with developers shooting from the hip, and security becomes an afterthought. Instead, focus on what the purpose of your application is, and what security vulnerabilities may exist because of it. Then set up a plan to develop the layers of security as you go, or utilize a framework (such as Zend Framework 2) that, when used correctly, implements many of these layers for you. Like building a house, the foundation of your application determines how strong a storm it can withstand. And while it’s nice to build things from the ground up, widely used frameworks do offer the advantage of being battle tested and supported by a large community of talented developers.
Speaking of foundations, it is vital to ensure your server environment is secure by staying up to date and applying the latest security patches for your server OS and applications. This is one of the easiest things to forget, as many servers get set up and are then left unmaintained, running without the proper patches and leaving the operating system or Apache/PHP vulnerable to attack. One of the great things about security updates is that they often tell you exactly what the patch fixes, but that same information also alerts black hat hackers. So regardless of whether or not you’re staying up to date, you can be sure that they are.
Also be sure to watch the forums and community channels any time a new version or patch is released, as on rare occasions the patch may introduce different and more dangerous issues, and should be held off until a corrected release is available (such was the case with the PHP 5.3.7 and 5.3.9 releases).
THIS IS A PREVIEW. DOWNLOAD ISSUE 7 TO READ THE FULL ARTICLE.