<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Wed, 19 Jun 2013 11:27:56 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[iBuildings Blog: Verifying our software with OWASP ASVS]]></title>
      <guid>http://www.phpdeveloper.org/news/19399</guid>
      <link>http://www.phpdeveloper.org/news/19399</link>
      <description><![CDATA[<p>
On the iBuildings blog today there's a post from <i>Boy Baukema</i> about <a href="http://blog.ibuildings.com/2013/03/21/verifying-software-with-owasp-asvs/">using the OWASP ASVS</a> as a framework of questions to ask about your application in order to find its security "pain points."
</p>
<blockquote>
When a customer commissions Ibuildings for a new application, he usually has plenty of functional demands. [...] And maybe some thoughts have been given to performance metrics, but security? Well… it "needs to be secure". [...] It is said, conveniently enough mostly by software engineers, that building software is perhaps the most complex activity humans have ever undertaken.
</blockquote>
<p>
He notes that "security is not a checkbox, it's a dropdown" and should be considered continuously throughout development. The <a href="https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project">OWASP ASVS</a> provides a structure a development group can follow to verify the security of its application: it defines four verification levels (from automated verification up to internal verification) and fourteen areas of verification requirements to work through.
</p>
<blockquote>
While ASVS is a wonderful addition, it has its issues: verification and reporting can take a significant amount of time and validation rules are not specific enough to use the tools and techniques.
</blockquote>]]></description>
      <pubDate>Tue, 02 Apr 2013 12:20:19 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[WebProNews.com: Form Checking - Verifying Name Using PHP Ereg]]></title>
      <guid>http://www.phpdeveloper.org/news/5668</guid>
      <link>http://www.phpdeveloper.org/news/5668</link>
      <description><![CDATA[<p>
On WebProNews.com, there's a <a href="http://www.webpronews.com/expertarticles/expertarticles/wpn-62-20060622FormCheckingVerifyingNameUsingPHPEreg.html">brief tutorial</a> on using regular expressions, specifically for filtering "names" entered by users.
</p>
<blockquote>
<p>
One important use of Regular Expressions (Regex) is to verify fields submitted via a form. In this article, we attempt to write an expression that is able to verify the user's first name, middle name, last name or just names in general.
</p>
<p>
The expression should allow names such as "Mary", "Mr. James Smith" and "Mrs O'Shea" for example. So the challenge here is to allow spaces, periods and single quotation marks in the name field and reject any other characters.
</p>
</blockquote>
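<p>
The requirement quoted above, worked through as an added example (this is not the WebProNews article's own code, and the function names are illustrative): an anchored allow-list pattern for the name field, plus a Unicode-aware variant, run over a few constructed inputs including the edge cases that trip up a naive pattern.
</p>

```php
<?php
// Added example, not code from the WebProNews article: allow-list validation
// of a "name" field with preg_match. Function names are illustrative.

declare(strict_types=1);

/**
 * The article's requirement: letters, spaces, periods and single quotes only.
 * The pattern is anchored and written as an allow-list, so anything outside
 * the class is rejected rather than having to be enumerated as "bad".
 * \z (not $) is used: in PCRE `$` also matches just before a trailing
 * newline, so "Mary\n" would otherwise pass.
 */
function isValidNameAscii(string $name): bool
{
    return preg_match("/^[A-Za-z .']+\\z/", $name) === 1;
}

/**
 * Unicode-aware variant: \p{L} matches a letter in any script, so "José"
 * is accepted. With /u, preg_match also fails on input that is not valid
 * UTF-8 (it returns false, which the === 1 check treats as a rejection).
 */
function isValidNameUnicode(string $name): bool
{
    return preg_match("/^[\\p{L} .']+\\z/u", $name) === 1;
}

/** Runs both validators over a list of names; returns name => [ascii, unicode]. */
function checkNames(array $names): array
{
    $out = [];
    foreach ($names as $n) {
        $out[$n] = [isValidNameAscii($n), isValidNameUnicode($n)];
    }
    return $out;
}

// Constructed sample input: the article's three examples plus some edge cases.
$samples = ["Mary", "Mr. James Smith", "Mrs O'Shea", "José", "R2D2",
            "<b>x</b>", "Mary\n", ""];
foreach (checkNames($samples) as $name => [$ascii, $unicode]) {
    printf("%-20s ascii=%-6s unicode=%s\n", json_encode($name),
        $ascii ? 'ok' : 'reject', $unicode ? 'ok' : 'reject');
}
```

<p>
Two things worth noticing when you run it: the ASCII pattern rejects "José", which is a real name, so an allow-list this narrow is a business decision rather than a security one; and the single quote that has to be allowed for "O'Shea" is exactly the character that matters to SQL, so passing this validator says nothing about whether the value is safe to put into a query. Keep that concern separate (prepared statements) and encode on output.
</p>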
<p>
Their <a href="http://www.webpronews.com/expertarticles/expertarticles/wpn-62-20060622FormCheckingVerifyingNameUsingPHPEreg.html">examples</a> use the preg_* functions in PHP, first looking for any invalid characters in the string, then amending the expression so that digits are rejected as well. The few lines of code it takes are included. A caveat for anyone reading this now: the ereg functions named in the title were deprecated in PHP 5.3 and removed in PHP 7.0, so the preg_* functions are the ones to use.
</p>]]></description>
      <pubDate>Fri, 23 Jun 2006 07:40:01 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[GoodPHPTutorials.com: SQL Injections in PHP with MySQL]]></title>
      <guid>http://www.phpdeveloper.org/news/5019</guid>
      <link>http://www.phpdeveloper.org/news/5019</link>
      <description><![CDATA[On GoodPHPTutorials.com, there's <a href="http://www.goodphptutorials.com/track/106">this helpful tutorial</a> that anyone working with any sort of website that has a database backend should look into - a brief look at SQL injections with PHP and MySQL.
<p>
<quote>
<i>
SQL injections are a major security risk in many PHP applications. Injections are caused when a web developer allows the end-user to manipulate a variable that is being inserted into a database query string, generally through the $_GET, $_POST or $_SESSION superglobals. When a value isn't verified, major problems can occur. Since MySQL is the most commonly used database platform for PHP applications, it seemed appropriate to write an article specifically related to that.
</i>
</quote>
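<p>
The situation the quote describes, as an added example that is not from the GoodPHPTutorials article: the same lookup written with string concatenation and with a prepared statement, run against the same attacker input, plus escaping on output. It uses PDO with an in-memory SQLite database so it runs offline; the tutorial targets MySQL, where PDO's mysql driver is used the same way. Table, column and function names are constructed for the example.
</p>

```php
<?php
// Added example, not code from the GoodPHPTutorials article. Uses PDO with
// an in-memory SQLite database so it runs offline; with MySQL only the DSN
// changes. Names of table, columns and functions are illustrative.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.com'),
                                        (2, 'bob',   'bob@example.com')");
    return $db;
}

// VULNERABLE: the user-controlled value is spliced into the SQL text, so a
// quote in the input ends the literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed at prepare time; the value is sent
// separately as a parameter and can only ever be compared as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape when rendering so a stored value cannot run as
// script in the browser (the cross-site scripting half of the problem).
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $html .= '<li>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

$db = makeDb();
$payload = "x' OR '1'='1";   // what an attacker would send as ?name=
echo "unsafe query returned " . count(findUserUnsafe($db, $payload)) . " row(s)\n";
echo "safe query returned   " . count(findUserSafe($db, $payload)) . " row(s)\n";
echo renderRows(findUserSafe($db, 'alice'));
```

<p>
With that payload the concatenated query becomes <code>WHERE name = 'x' OR '1'='1'</code> and returns every user, while the prepared statement looks for a user literally named <code>x' OR '1'='1</code> and returns nothing. No validation of the name was needed to get that result, which is the point: validation decides what values you accept, the prepared statement decides that whatever you accept cannot change the query. With the MySQL driver, set <code>PDO::ATTR_EMULATE_PREPARES</code> to <code>false</code> so the statement is really prepared server-side rather than quoted client-side by PDO.
</p>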
<p>
They <a href="http://www.goodphptutorials.com/track/106">cover</a> the topics you'll need to defend against basic SQL injection; as they present it, the key is validation of your data. Validation is a useful layer, but the reliable defence is to keep user data out of the query text entirely with parameterised queries (PDO or mysqli prepared statements), which MySQL supports. They have code examples to help you along and explain each step, including outputting the data to the page (where cross-site scripting issues can occur if the output is not escaped).
</p>]]></description>
      <pubDate>Mon, 20 Mar 2006 07:42:59 -0600</pubDate>
    </item>
  </channel>
</rss>
