Book Review: Building Secure PHP Apps
I’ve just finished reading Building Secure PHP Apps by Ben Edmunds.
A security ebook very well written it’s not a huge book, spans 5 chapters the topics are covered in details and with a wealth of information digest and research more on the topics should you choose to do so.
What I really liked about this book was the to the point of practical security issues and how to solve them. Most chapters start with a short story illustrating problems that are plausible setting the scene for each chapter.
Learn the security basics that a senior developer usually acquires over years of experience, all condensed down into one quick and easy handbook.
Chapter 1 - Never Trust Your Users. Sanitize ALL Input!
Jumping in the opening chapter covers very important topics of SQL injections, mass assignment, typecasting and sanitising output. This is brilliant and is worth buying for this chapter alone!
These topics are explained what can happen if left unchecked and how to prevent them from happening, depending on if you use a framework or not some of these topics will be taken care of for you, but you should still be aware of them.
Chapter Two - HTTPS/SSL/BCA/JWH/SHA and Other Random Letters; Some of Them Actually
the importance of securing HTTP and the rising importance of HTTPS/SSL cannot be stated enough, this chatper not only explains what they are but the different types of certificates can be used and how to install and configure them too!
Chapter 3 - Password Encryption and Storage for Everyone
Heard of MD5, SHA1? yes is likely the answer, what about Bcrypt or how to correctly deal with storing passwords and best practices? this covers that and more.
Chapter 4 - Authentication, Access Control, and Safe File Handing
Another extremely important topic and often over looks, make sure only authorised users can access authorised pages and thwarting direct access to files and control systems.
Chapter 5 - Safe Defaults, Cross Site Scripting, and Other Popular Hacks
This chapter deals with stopping attacks from forms, urls and other methods, defining safe return values as standard.
How to deal with multiple form submissions, Cross Site Request Forgery (CSRF) and XSS exploits and more.
Overall this is a great book that covers really important topics that should not be over looked, even if you’ve been writing code for a long time there is a ton of information in this book that you may not be aware of.