how do you handle security


Jocka

FYI: I know I post in this particular forum too much

Moving on. I take every precaution I can with security, but sometimes I feel that isn't enough. I check everything that goes in and comes out, dissecting each little piece of information that goes through each page, and yet people still find ways through my site every so often.
I'm not saying I'm the world's worst at security. For the most part I keep sites very secure. Sometimes "too" secure.

When working on big websites I get kind of nervous as far as the security goes. I wouldn't have posted this if I wasn't concerned with it. I'm in the early stages of building this from the ground up and I figure that it's best to start security from the start rather than going back. But of course if a hacker wants in bad enough he'll find his way in.

What's the best idea on keeping security at its best? Should this company hire a team to keep track of this? Should I daily search the pages and check for any "new" security holes? Are there companies that TRY to find security issues with your website?

www.scanalert.com will scan your website for vulnerabilities, and then once you reach a certain level of "hacker safe", then you get an image on your website saying "Hacker safe blah blah blah". I don't know what they test, or how reliable it is, but I've seen it on some pretty big-name sites so I'd assume it's pretty good.

@Ober
  It is a pain. You have to try over and over again until you get the table name right, if you are going to drop the table. Or you have to guess the field names. However, most of the time you can just view the source. The input field names are often the db fields as well.

I find that most people have less security in search, lost password and register scripts. For some reason most people focus on the login.

Tom

[quote author=Crayon Violent link=topic=114906.msg467908#msg467908 date=1163523467]
you could always buy a junk machine, setup wamp and your script and post an open invite here (or somewhere else) for people to try to bust it. I love invites like that :)
[/quote]
This is exactly what I had in mind at first. To throw a "fake" out there and ask people to try and hack it. I mean, that's the free alternative lol. The only problem with that is, some of those 'hackers' might not share how they hacked it. Most of them do if you give them permission to try to get in your site, but some don't.
That scanalert.com site looks promising. But like ober said, since you have to call just to get information, it's probably expensive.

.. I'm not sure which idea to go with here. Option 1, the wamp site, I have the satisfaction of getting [i]some[/i] answers but risk people not telling me potential security issues and hacking the site once it's online and running. Or option 2, spend god knows how much for a group of people to SAY they looked over my site and throw a sticker on my website.

Well, if you are concerned about people potentially not sharing their method(s), then only send invites out to people you know/trust to share their methods. Also it helps if you post invites in places where people have no idea what/where the real site is. I mean, if you have for instance been on a board talking about www.mysite.com for the last few months, I probably wouldn't post an invite on that board.

It's just that the idea that people might hold back information doesn't work for me. If I pay someone and make them sign a contract, they legally have to inform me of any issues there are.. so I think I'm going to go the expensive way.

Just a question. I'm going back on one of my scripts because I forgot a "forgot password" area. Now I'm limited on what I can do from here. I can either reset the password in the database or put the password in the database non-hashed. Of course I could do that "security question" thing but to me, that's pointless. If you can get even the smallest piece of information on someone, you can usually find out the answer to those in a matter of minutes.
I was thinking maybe I could do the "reset password" thing. What it will do is send an email out (only one a day or a week.. or something) and if the user requested the password be reset, they'd have to click this link with a generated and saved code in it. Otherwise, the password would stay the same and the IP would be logged and reported (or whatever). Is that a good idea?
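The "reset password" flow described in the post above, written out as an added example (this is not code from the thread or from any poster). It keeps the useful parts of the idea: a random code that is e-mailed and saved, one request per account per day, the IP written to a log only, and the old password left untouched unless the link is followed. It also adds two things the post does not mention: only a hash of the code is stored, so a copy of the database does not hand out working links, and each code expires and works once. It runs against an in-memory SQLite database; the table and column names and the sample account are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: a "reset password" flow of the kind
// described in the post above. The e-mailed link carries a random token; only
// a hash of it is stored, it expires, it is single-use, and an account gets at
// most one reset e-mail per day. Uses an in-memory SQLite database so it runs
// on its own; the table and column names are assumptions made for this example.

declare(strict_types=1);

const RESET_TTL_SECONDS  = 3600;   // link valid for one hour
const RESET_MIN_INTERVAL = 86400;  // at most one reset e-mail per day per account

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
        $pdo->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT,
                     requested_at INTEGER, expires_at INTEGER, used_at INTEGER, requester_ip TEXT)');
        // Constructed sample account for the walk-through below
        $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
            ->execute(['alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Step 1: the user asks for a reset. Returns the raw token that belongs in the
// e-mailed link, or null when no e-mail is sent. The page shown to the browser
// should be identical in both cases so the form cannot be used to find out
// which addresses have accounts.
function requestReset(string $email, string $requesterIp, int $now): ?string {
    $pdo  = db();
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }

    $stmt = $pdo->prepare('SELECT MAX(requested_at) FROM password_resets WHERE user_id = ?');
    $stmt->execute([$userId]);
    $last = $stmt->fetchColumn();
    if ($last !== null && $now - (int)$last < RESET_MIN_INTERVAL) {
        // Throttled. The IP goes into the log for later review only; it is
        // never used to decide whether the request is genuine.
        error_log("password reset throttled for user {$userId} from {$requesterIp}");
        return null;
    }

    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not guessable
    $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, requested_at, expires_at, used_at, requester_ip)
                   VALUES (?, ?, ?, ?, NULL, ?)')
        ->execute([$userId, hash('sha256', $token), $now, $now + RESET_TTL_SECONDS, $requesterIp]);
    return $token;   // only ever leaves the server inside the e-mail link
}

// Step 2: the link is followed. The password changes only for a token that is
// known, unexpired and unused; otherwise the old password stays in place.
function completeReset(string $token, string $newPassword, int $now): bool {
    $pdo  = db();
    $stmt = $pdo->prepare('SELECT rowid, user_id FROM password_resets
                           WHERE token_hash = ? AND expires_at > ? AND used_at IS NULL');
    $stmt->execute([hash('sha256', $token), $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    // Mark it used so the same link cannot be replayed.
    $pdo->prepare('UPDATE password_resets SET used_at = ? WHERE rowid = ?')
        ->execute([$now, $row['rowid']]);
    return true;
}

// Walk-through with constructed values
$now   = time();
$token = requestReset('alice@example.com', '203.0.113.5', $now);        // first request today
$again = requestReset('alice@example.com', '203.0.113.5', $now + 60);   // second request within a day
$bad   = completeReset('not-the-token', 'x', $now);                      // a token the server never issued
$ok    = completeReset((string)$token, 'new-secret', $now + 60);        // the real link, within the hour
$reuse = completeReset((string)$token, 'again', $now + 120);            // the same link a second time
var_dump($token !== null, $again === null, $bad, $ok, $reuse);
```

Two design choices worth noting: the token is compared through its SHA-256 hash, so the `password_resets` table never holds anything that works as a link on its own, and the throttle is keyed on the account rather than on the requester's IP, since the IP is the one value in the request the sender fully controls.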

Very few people that would "crack" your site would use their home IP.. IPs can be spoofed. Session hijacking is another thing that you might want to research. Here is a nice article from SitePoint on the subject. http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

<rant>
I say crack because there is a big difference between a hacker and a cracker.. Hacker is one of the many coined terms that I hate.. You get some pimple-faced teen that has nothing better to do than deface people's sites that don't know any better and he is called a 'Hacker'. Whereas a real hacker does nothing of the sort.
</rant>

Tom

Sessions are definitely one of my weaker points. Is it safer to store less info or more info in sessions and/or cookies? I only have like 3 things saved in my sessions. But according to that article, all they need is the session id? Well how the hell do I prevent that? It doesn't go into great detail. I thought you had to have everything... this whole time I had this huge security hole sitting in my lap.
.. with the sessions and cookies I compare against quite a few things in the database.. I thought it was safe but I'm kind of worried that it isn't now.. how can I check this by myself (just one computer?)

BTW, hacker is a more commonly used word. I would've said "cracker, script kiddie, etc" but frankly hacker gets the point across faster even though it's not quite the same thing.

To me saying hacker is on almost the same level as Web 2.0... Say something like.. "My web 2.0 site got hacked" and I will most likely flip out..lol

I would say that a custom session handler would be in order. Here is a decent tutorial on this: http://devzone.zend.com/node/view/id/141

Good Luck,
Tom

Hmm. Well maybe I missed something but all this does is save files in particular directories assigned or files? I don't think I would need this. We're on a dedicated server so we don't share this server with anyone.
To help figure out if I'm doing this right I'll give 1 of my validation methods (considered most useful to me).
I assign the username in a session and/or cookie. My script then checks the username and compares it against 3 things saved in the database when logged in.
1. Username matches name used in 2 separate tables (don't want to go into great detail).
2. IP must match IP saved in database
3. Session ID must match the assigned session id in the same table with username and IP.

I thought this would work perfectly. However, if you took the session id and found the users IP address (could be used in one script) then this might not work either. You could spoof the IP and add the session ID to your cookie. However my script requires that the session id in the cookie and session match.. can you actually change your "session" information, not just cookies?

Also, here are a few tips for added security..

1)always sanitize all user input.. and place a max length on input fields
2)use obscure names for the db tables and fields. Ie.. don't name your users table users.. Something random or something like this blabla_users would be best..
3)Same with the fields
4)Never pass the session id through a url
5)Never depend on a ip for identification purposes..
6)write a custom error handler
7)I always use mod rewrite to hide the .php extension.. This will make it a little harder for them..
8)Have a session time out.. something like 10 minutes or whatever..
9)Never place sensitive data in cookies..

If I think of anymore I will post them..

Tom
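An added example, not code from the thread or from any poster, that puts the session advice from the two posts above into one piece of PHP: the "session id must match" check from the earlier post, and tips 4, 5, 8 and 9 from the list (id never in the URL, no reliance on the IP, a 10-minute timeout, nothing sensitive in cookies). It also answers the question of whether a visitor can change their "session" information: `$_SESSION` lives on the server and is only ever looked up by the id in the cookie, so the one thing a client controls is which id it presents, which is why the code issues a fresh id at login and rejects ids the server never created. Function names and `$_SESSION` keys are assumptions made for this example; the array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread: a session setup that follows the
// advice above. The browser only ever holds the session id, in a cookie; the
// user id, time stamps and everything else live in $_SESSION on the server,
// which the client cannot edit. Function and key names are assumptions made
// for this example; needs PHP 7.3 or later for the array form of
// session_set_cookie_params() and setcookie().

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 600;   // tip 8: 10 minutes without a request ends the session

function startSecureSession(): void {
    // Tip 4: the id travels in a cookie only, never in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Ids the server never issued are rejected instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (isset($_SESSION['last_active']) && $now - (int)$_SESSION['last_active'] > SESSION_IDLE_LIMIT) {
        destroySession();
        session_start();        // fresh, empty session after the timeout
    }
    $_SESSION['last_active'] = $now;
}

// Call after the username/password check has passed. Issuing a new id here
// means an id the visitor had before logging in never becomes a logged-in one.
function loginUser(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
    // Tip 9: nothing sensitive goes in the cookie; the password hash, e-mail
    // and similar stay in the database and are looked up by user_id when needed.
}

// Tip 5: no IP check. Identity is the server-side user_id tied to this session.
function currentUserId(): ?int {
    return isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
}

function destroySession(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical page: start the session, then branch on whether someone is logged in.
startSecureSession();
if (currentUserId() === null) {
    // show the login form; on success the handler calls loginUser($idFromDatabase)
} else {
    // serve the protected page
}
```

Compared with the three-way check in the earlier post, this drops the IP comparison (tip 5) and the separate "session id stored in the users table" column: with `use_strict_mode` on and the id regenerated at login, the session store itself already records which id belongs to which logged-in user, and there is nothing left for the client to supply except the cookie.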

Ok you wrote not to depend on IPs for identification. I know someone can use a proxy or change their IP, etc.. etc..
What methods would you recommend? I try to validate among layers. As in, creating multiple steps you have to take to actually log in under someone else's account. So you get their session id and IP? Then you still have to go through the other steps I have to get in (which I'm NOT going to post).
I'm less worried about user accounts and more worried about my database information. If they get in an account they don't get much. If they get in my database, they have FAARRR too much.

With that said, let's talk database security. The problem with database security is that it spreads upon more than just the database. It goes into FTP security, server security, file security, etc.

Forget all that though. lol. I was just ranting. I know with the database I need to protect against SQL attacks first. I ALWAYS break down any piece of code that goes in or comes out of the database (just in case they sneak some past me). Aside from SQL attacks, and the obvious hacking of the FTP and finding my MySQL info, what else can I do to protect the database?
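On the "protect against SQL attacks first" point in the post above, the approach that does not depend on catching every bad value by hand is to keep user input out of the SQL text altogether. The following is an added example, not code from the thread or from any poster: the string-building lookup beside a prepared-statement version, run against an in-memory SQLite database with a constructed user whose name contains an apostrophe. The table and column names and the sample account are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: keeping the database safe from
// SQL injection with prepared statements rather than by hand-filtering every
// value. Runs against an in-memory SQLite database; the table and column
// names are assumptions made for this example.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // let the driver bind parameters itself
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);   // constructed sample account

// The pattern to avoid: the value is pasted into the SQL text, so whatever the
// user typed is parsed as SQL. Even an honest name with an apostrophe breaks it.
function findUserUnsafe(PDO $pdo, string $username): ?array {
    $row = $pdo->query("SELECT id, username, password_hash FROM users WHERE username = '$username'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the SQL text is fixed at prepare time and the value travels
// separately, so it can never change the shape of the query.
function findUser(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Login check on top of the safe lookup; the password is compared against a
// password_hash() value, never stored or compared in the clear.
function checkLogin(PDO $pdo, string $username, string $password): bool {
    $user = findUser($pdo, $username);
    if ($user === null) {
        return false;
    }
    return password_verify($password, $user['password_hash']);
}

// Constructed input: a legitimate username containing a quote character.
$name = "o'brien";
var_dump(findUser($pdo, $name) !== null);           // with a bound parameter the quote is just part of the value
var_dump(checkLogin($pdo, $name, 'correct horse'));
var_dump(checkLogin($pdo, $name, 'wrong'));
try {
    findUserUnsafe($pdo, $name);
} catch (PDOException $e) {
    // the stray quote became part of the SQL: the value was parsed as code, not data
    echo 'unsafe query failed: ', $e->getMessage(), PHP_EOL;
}
```

Beyond the query layer, two general practices limit what a query that does slip through can do: connect as a MySQL account that holds only the privileges the pages need on the site's own tables (no DROP, no access to other databases, no FILE privilege), and keep the connection details out of the web root. Obscure table names (tip 2 above) add nothing against an attacker who can already run queries, since the schema is queryable; they are not a substitute for either of these.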

3 weeks later...
I know this is a bit off topic, but I just had to say I couldn't agree more with tomfmason about the term "hacker".  More often than not it is a script kiddie who doesn't know the difference between a port and a subnet.  A hacker, in the truest sense of the word, is not malicious.  The term has been dirtied by script kiddies and crackers, but it once referred to those now known by terms such as "internet security specialist".  I always correct people when they start telling me about the "hacker problem" they are having.  I hate it when people do that.