Secure Coding
 

Afternoon All :)

Any of you code monkeys out there got any recommendations for good books on secure coding? Anything that covers general principles would be good (regardless of the language it covers), I'd also be particularly interested in anything that covers PHP specifically :)

Ta muchly :tu:

Re: Secure Coding
 

You mean secure as in locking down any potential vulnerabilities?

Re: Secure Coding
 

Yeah, I guess so.

Basically I'm looking for some texts which go through the issues that cause the vulnerabilities from a coding point of view and then explain how to avoid/mitigate them. I understand the issues well enough, I'm just not a programmer/code so my knowledge of the actual programmatic constructs required to mitigate the issues is fairly limited.

Take something like SQL Injection or XSS in web applications for example - I know what causes them, I know how to exploit them, but what I don't know is how to actually cure them from a coding point of view. It would be nice to be able to see examples of poor code alongside some best practice code so that I can see that actual differences.

Re: Secure Coding
 

A good book should cover how to write secure code. You want one for the web rather than the desktop so I won't recommend the only book I know as this covers how to code securely for the desktop.

Tips:

SQL Injection

Use parametrised queries to get around SQL injection. Do not use anything which strips SQL characters (such as apostrophes) out of a string. Not only is this not a complete work around but it means my name (O'Neill) is marked as invalid which makes me angry. This basically means you write a complete SQL statement which tokens in place of parameters:

Where @firstName and @lastName are the parameters.

You then assign the user given values to the parameters in whichever construct is provided for the task (I only know how to do it in .Net).

This will mean that whatever the user puts as their first name it will go into the database as entered. If you did a string concatenation then it would have executed any SQL they put in, this way it will copy it.

XSS Attacks

You'll need to research more on this but can I suggest to ensure all dynamic content on your system, especially any of which has come from a user, is HTML encoded. This will convert any HTML characters into entities used to represent those characters (so & becomes & ) these are rendered fine in the browser but are not read as HTML thus preventing any user provided code from executing on your site

CSRF Attacks

Don't know much about this. So I'll get someone else to talk about it: http://www.codinghorror.com/blog/200...s-and-you.html

Re: Secure Coding
 

I don't necessarily just want one for the web, if you have desktop recommendations I'd be interested in those as well.

Re: Secure Coding
 

I don't know anything specific to PHP, but in general, like Damien says with the parameterised queries are a must, and always validate user input.

Re: Secure Coding
 

http://www.amazon.co.uk/Writing-Secu...9525483&sr=8-1

Large and it might be overkill....

Re: Secure Coding
 

Parameterised queries are unique to ASP.NET.

ASP.NET has a lot of built-in protection (it even prevents HMTL/script tags from being entered as a parameter by default) but PHP has none. You have to do it yourself.

I don't know any specific books but can give you guidelines. Really its just the usual security practices.

Re: Secure Coding
 

Don't think they are. Admittedly .Net has the best support for it I have yet seen. They are usually handled via database abstraction layers depending on the database outside of a .Net stack. I think PHP has had it since PHP 5. Although you seem to need a newer version of mySQL. Worth it though. Parametrised Queries rock.

http://www.php.net/manual/en/mysqli-stmt.bind-param.php

Yup. More Microsoft awesomeness :D Although MVC takes a lot of this away as it's a far less abstracted framework so it's not always the case.

Re: Secure Coding
 

Admittedly I don't use MySQLi extensions but it doesn't actually say in that doc that it santises input like ASP.NET. So it might just be a glorifed String.Format function.

Speaking of data abstraction ZendFramework does santise input via factory queries but it shouldn't be assumed they all do.

Re: Secure Coding
 

Good Point.

What do you mean by sanitise? If it's removing invalid characters then it's hardly ideal either. Parametrised queries mechanisms shouldn't be tampering with the string, they should simply be telling the database that this is the query and these are the values for that query.

Either way. Removing invalid characters is a nasty workaround.

Re: Secure Coding
 

Sanitising input can mean almost anything but usually it means escaping characters. This means it converts ' to \' so the query remains safe to be executed by MySQL

Its de-escaped (either automatically or manually, I can't remember now its been a while) when its retrieved back onto the page.

Re: Secure Coding
 

Thought you meant that. Surely some of the bigger layers support actual parametrisation?

Re: Secure Coding
 

Not quite. PHP frameworks contain query factory classes that look like ASP.NET parameterisation but it all it does is build the query and then sanitise the input for you.

For example, using a generic query factory class:

$myQuery = $framework->query( "INSERT INTO table ('Name') VALUES(@Name);")
$myQuery->addWithValue("@Name", "punky");
$myQuery->execute();

That looks like ASP.NET but really all it does is it santises "punky" and then does a regexp replace to put it in so it becomes:

"INSERT INTO table ('Name') VALUES('punky');"

And then gets executed. That's all ASP.NET parameterisation does really (except in ASP.NET you can specify types which will throw exceptions if you try and tamper with it) but in that case you are trusting Microsoft to handle it.

Anyway, Raistlin asked about base PHP.

Re: Secure Coding
 

In .Net the parametrization is a concept supported at the database level, i.e the database itself knows what a parameter is. So that a query is passed down along with the parameters and the database will then execute the query, and draw on those parameters to put into the database but the .Net framework doesn't escape the characters and send the database a safe string.

This also allows MS SQL to draw and cache database execution plans because the parametrised query will always been the same string with only the params changing.

Anyway yes, off-topic :erm:

Re: Secure Coding
 

As far as MySQL is concerned, you dont need parameterised queries to be safe, you just need to make sure that if the data is a number then its really numeric (use something like intval(x) to clean it) - and if its text, make sure its escaped (the MySQL/PHP inteface has a built in function to do this).

Re: Secure Coding
 

Surely you mean ADO.NET ;)

Re: Secure Coding
 

I didn't think about that as Raistlin was talking about web-only technologies so defaulted to ASP.NET rather than all of .NET

Which reminds me, I used ADO.NET a while ago to connect my ASP.NET app to MySQL. I wonder if they supports parameterisation? I'm guessing it does as ASP.NET does the work and not the DB engine?

Re: Secure Coding
 

Like I mentioned previously. The database does require support. This is because the Parametrised Queries are not a query which is then escaped by the ADO.Net Framework.

Instead these are queries which are passed down to the database with the tokens (@whatever) to the database. The MS SQL database does two things, that I know of, first of all it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised , the only variables to the query are those parameters which it does not need yet.

Second; it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.

Re: Secure Coding
 

To be honest the original query was meant to be platform/language agnostic - so all/any comments/suggestions are being gratefully received :)

Coding is something I haven't done much of, so whilst I understand the requirement to properly check/santise input and to use parameterised queries etc I've never actually had to do it - hence the reason for the original question.

I want to start coding more, but (being aware of the usual issues that people create for themselves by not doing it properly) I want to get into good secure habits from the start :)

Re: Secure Coding
 

You're correct, never realised that before. :tu:

Re: Secure Coding
 

Can't say I've noticed that before either lol. Nice one.

Re: Secure Coding
 

Makes me feel less of a noob then :p:

Re: Secure Coding
 

Lol, yeah :) I don't get exceptions which is why I never noticed! ;) :D LMAO

Re: Secure Coding
 

I only know it because I have worked with it for a project :p:

But they are a neat feature and one I would hope is supported by modern technologies. I not sure if that PHP one does work correctly and not, as Punky said might be the case, a glorified string.format.

---------- Post added at 21:23 ---------- Previous post was at 21:14 ----------

The thing is any book that covers only security might well be far too in-depth for what you need right now. They would be aimed at people trying to lock down an enterprise level application.

What stage are you at? I think that learning best practices in general regarding code reuse, readability, will be of greater benefit you than security. All you need to remember at the moment is DON'T TRUST YOUR USERS INPUT! Then learn the rest as you go...