"Enterprises should not use PHP to develop applications": some people hold this view because they think PHP is too insecure compared with the alternatives. That claim is not objective.
WhiteHat Security recently released a study that used automated tools to scan 1,700 web sites and checked whether there is any association between the number of security bugs and the programming language used to build the site. The general conclusion is that no language is "the safest". The research shows that some languages do lend themselves to structured, easy-to-maintain code, and that some frameworks provide security controls that are enabled by default. PHP may look worse because it is so widely used, and because spammers abuse many insecure PHP forms to send spam (via email injection).
Even the most loyal PHP fans agree that it is easier for an untrained programmer to write insecure code in a language such as PHP. There are thousands of examples and tutorials on the Internet explaining how to use PHP to add a fancy feature to an application, but most of them do not cover how to secure that feature so that the application is not left vulnerable to attack. As a result, feature-rich PHP applications are often not developed in a secure way.
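The email injection mentioned above is a good illustration of a feature tutorials teach without its security. Below is an added example (not code from the article) of a PHP contact-form handler in the common insecure form next to a hardened version; all function names and addresses are hypothetical.

```php
<?php
// Added example, not from the article. Names and addresses are hypothetical.

// INSECURE (the tutorial version): the user-supplied address is copied straight
// into the SMTP headers. Input containing a CR/LF pair followed by another
// header line would be interpreted as extra headers by the mail transport.
function send_contact_insecure(array $post): bool
{
    $headers = "From: " . $post['email'] . "\r\n";
    return mail('owner@example.com', $post['subject'], $post['message'], $headers);
}

// Returns true if a value contains a line break, which has no place in any
// single header field.
function contains_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// HARDENED: validate the address, reject line breaks in every header-bound
// field, log the rejection, and never let the user pick sender or recipient.
function send_contact_hardened(array $post): bool
{
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = $post['subject'] ?? '';
    $message = $post['message'] ?? '';

    // FILTER_VALIDATE_EMAIL already rejects addresses with CR/LF, but the
    // subject is also a header, so it must be checked separately.
    if ($email === false || contains_header_break($subject)) {
        error_log('contact form: rejected input with invalid address or header break');
        return false;
    }

    // Fixed, trusted sender; the visitor's address only goes into Reply-To.
    $headers = "From: noreply@example.com\r\n"
             . "Reply-To: " . $email . "\r\n";
    return mail('owner@example.com', $subject, $message, $headers);
}
```

The rejected-input log line is also a useful detection signal: a burst of such entries from one client usually means the form is being probed.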
Training your developers to write code with security in mind matters more than the choice of language. CERT (Computer Emergency Response Team) found that the vulnerabilities in most applications come from common programming errors that developers make over and over. By eliminating insecure coding practices and investing in secure-coding training, your software developers can quickly reduce or eliminate the number of vulnerabilities before the software ships. There are many excellent free resources and tutorials on the Internet for developing your developers' skills in this area. One of the leaders in this field is the OWASP site (Open Web Application Security Project), which provides many examples of secure coding.
The starting point of CERT Secure Coding is to establish secure coding standards for common programming languages and to promote secure-coding best practices. Another good resource for improving your developers' secure-coding skills is the secure-coding section of Microsoft's MSDN security and programming community. Microsoft software security expert Michael Howard has written a number of books, among which you may be interested in "Writing Secure Code", "24 Deadly Sins of Software Security" and "The Security Development Lifecycle". Many of the topics apply to any programming language and help you understand how to code with security in mind: that is, how to use security features correctly and write code that can withstand attacks.
If you start drawing on these resources and embed security into the entire application lifecycle, then no matter which language you choose, I hope your next application will be more robust and better able to withstand attacks.