The Paragon Initiative has posted a new tutorial giving you a pocket-guide version of securing your PHP application in 2016.
Please set aside most of what you've heard over the years; chances are, most of it just muddies the water. Security is not a product. Security is not a checklist. Security is not an absolute.
Security is a process. Security is an emergent property of a mature mindset in the face of risk.
Perfect security is not possible, but attackers do have budgets. If you raise the cost of attacking a system (your application or the networking infrastructure it depends on) so high that the entities that would be interested in defeating your security are incredibly unlikely to succeed, you'll be incredibly unlikely to be compromised.
The post talks about the "essence of security" and how most prevention methods add little processing overhead or overall development time. The author makes four recommendations for current and future development to help secure your applications:
- Use PHP 7 in All New Development
- Use HTTPS Everywhere
- Use Security Headers
- Use Trustworthy Reference Material
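The first three recommendations can be applied in one small bootstrap file, shown here as an added example written for this summary; it is not code from the Paragon post. The constant `CANONICAL_HOST`, the helper names, and the particular set of header values are this example's own choices (the fourth recommendation, reading trustworthy material, has no code equivalent). It refuses to run below PHP 7 so it can rely on `random_bytes()` for the CSP nonce, redirects plain-HTTP requests to HTTPS, and sends a conservative set of security headers before any output.

```php
<?php
declare(strict_types=1);

// Added example, not the Paragon post's own code. CANONICAL_HOST is an
// assumed configuration value; set it to the hostname you actually serve.
const CANONICAL_HOST = 'www.example.com';

// 1. Use PHP 7: fail closed on older runtimes so the code below can rely on
//    random_bytes() and scalar type declarations.
if (PHP_VERSION_ID < 70000) {
    http_response_code(500);
    exit('This application requires PHP 7.0 or newer.');
}

// True when the current request arrived over TLS. Assumes PHP talks to the
// browser directly; behind a TLS-terminating proxy you would check the
// proxy's forwarded header instead, after verifying the proxy set it.
function isHttps(): bool
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

// 2. HTTPS everywhere: send a permanent redirect to the TLS version of the
//    same path. The host comes from configuration, not from the client's
//    Host header, so an attacker cannot steer the redirect elsewhere.
function enforceHttps()
{
    if (PHP_SAPI === 'cli' || isHttps()) {
        return;
    }
    $path = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// 3. Security headers. The nonce must be freshly generated on every request;
//    a reused nonce makes the CSP script whitelist worthless.
function sendSecurityHeaders(string $cspNonce)
{
    // HSTS is only meaningful (and only honoured) over TLS. Start with a
    // shorter max-age until every subdomain is confirmed to work over HTTPS.
    if (isHttps()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
    // Only same-origin resources, and only scripts carrying this request's
    // nonce, may run. No plugins, and the page may not be framed.
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$cspNonce}'; "
        . "object-src 'none'; frame-ancestors 'none'"
    );
    header('X-Frame-Options: DENY');           // legacy browsers without frame-ancestors
    header('X-Content-Type-Options: nosniff'); // stop MIME sniffing of responses
}

// Request handling: order matters, everything here runs before any output.
$nonce = bin2hex(random_bytes(16));
enforceHttps();
sendSecurityHeaders($nonce);
header('Content-Type: text/html; charset=UTF-8');

// The inline script is allowed only because it carries the matching nonce;
// any injected <script> without it is blocked by the CSP above.
$safeNonce = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
echo '<!doctype html><html><head><title>Secure bootstrap</title></head><body>';
echo '<script nonce="' . $safeNonce . '">console.log("allowed by CSP");</script>';
echo '</body></html>';
```

Two caveats worth keeping in mind: roll out `Strict-Transport-Security` only once every host under the domain serves correctly over HTTPS, because browsers cache the policy for `max-age` seconds and will refuse plain HTTP until it expires; and treat the CSP as a safety net rather than a substitute for output escaping, since it limits what an injected script can do but does not remove the injection.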
The post ends with a few other things to think about when building secure applications, including raising the "cost" of attacking your system and keeping in mind that your platform may not be the attacker's "end game": a compromised application can be a stepping stone to the systems it talks to.