http://www.scanit.be/uploads/php-file-upload.pdf is a good read on file upload security. I see so many tutorials (and advice given on these forums regularly) from people that don't realise that there are ways to circumvent many of the simple upload tests suggested.
I wrote few articles about security related issues:
Password hashes and salts
User login and authentication with Zend_Auth and Zend_Acl
I am also planning to write an article on session fixation and XSS in the future, and especially on how to fight them in Zend Framework applications.
SecurityTube - Presentations on security from various conferences.
Uses ASP.NET for the examples, but the concepts are language independent. (Almost 1,000 pages of content, for free no less!)
Microsoft - [Improving Web Application Security: Threats and Countermeasures](http://msdn.microsoft.com/en-us/library/ms994921.aspx) ([PDF here](http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en))
Another; again, its focus is ASP.NET, but the concepts are independent.
[Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication](http://msdn.microsoft.com/en-us/library/aa302415.aspx) ([PDF here](http://www.microsoft.com/downloads/details.aspx?FamilyID=055ff772-97fe-41b8-a58c-bf9c6593f25e&DisplayLang=en))
Weaning the Web off of Session Cookies: Making Digest Authentication Viable, by Timothy D. Morgan
In this paper, we compare the security weaknesses and usability limitations of both cookie-based session management and HTTP digest authentication, demonstrating how digest authentication is clearly the more secure system in practice. We propose several small changes in browser behavior and HTTP standards that will make HTTP authentication schemes, such as digest authentication, a viable option in future application development.
This thread would be greatly improved if those in the know can supply sitepoint fans a long list of reputable web security companies or programmers we may hire in order to secure or fix our sites.
All this info is good. But if you run a business and don't know how to program, you should have a list of security experts you can hire to secure your business' website.
Can anyone compile this kind of list here?
Here is the updated link to my PHP security checklist:
(The domain changed abruptly last November.)
(invision2 reminded me about it in one of his posts.)
sk89q, LOL just came here to post that very same link of yours
phpGACL - Generic Access Control Lists
A PHP class offering Web developers a simple, yet immensely powerful "drop in" permission system to their current Web based applications.
P.S. Thank you Admins for pinning this topic
Qualys is offering anyone their product QualysGuard:
Thousands of web sites are infected with malware daily, propagating the infection to visitors of their web sites at an increasing speed. To combat these threats, QualysGuard® Malware Detection is a FREE service that proactively scans web sites of any size, anywhere in the world for malware infections and threats. QualysGuard Malware Detection provides businesses with automated alerts and in-depth reporting for effective remediation of identified malware to help businesses protect their web sites and web site visitors from malware.
It should give you an early warning if your website is hacked.
@pilotjourney - I think you can check out their blog: http://blog.websecurify.com/ and About page, which leads to: www.gnucitizen.org