
General security principles

From: Creating Secure PHP Websites, with Kevin Skoglund
Video: General security principles

Creating Secure PHP Websites: 4h 16m, Intermediate, Jun 30, 2014

Hackers target PHP web applications more often than other sites because most PHP code is written by developers with little security experience. Protecting web applications from these attacks has become an essential skill for all PHP developers. Creating Secure PHP Websites shows you how to meet the most important security challenges when developing websites with PHP. Instructor Kevin Skoglund covers the techniques and PHP code needed to develop sites that are more secure, and to avoid common mistakes. Learn how to configure PHP properly and filter input and escape output. Then check out step-by-step defenses against the most common forms of attack, and the best practices to use for encryption and user authentication.

Topics include:
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Encrypting and signing cookies
  • Session hijacking and fixation
  • Securing uploaded files
  • User authentication
  • Throttling brute-force attacks
  • Blacklisting IPs
  • Implementing password reset tokens
Subject: Developer
Software: PHP
Author: Kevin Skoglund

General security principles

Let's quickly review the primary security principles. These principles are covered in more depth in the Fundamentals of Programming, Web Security course that I mentioned earlier. The first principle is least privilege. The principle of least privilege means giving a user account only those privileges which are essential to that user's work, nothing more. Users in human resources shouldn't be able to see accounting information, and users in accounting shouldn't be able to see human resources information. But we're not just talking about user privileges. Code has access privileges too.

Code should be limited in what it exposes and what it accesses. In object-oriented programming, this means controlling the visibility of class variables and functions. For example, if a function in a PHP class object is only used by that class object, then it does not need to be callable from outside the class. The second principle is that simple is more secure. The larger and more complex that a system becomes, the harder it becomes to secure it. Larger systems have more areas of concern and more complex systems increase the likelihood of bugs or making mistakes.

The third principle is to never trust users. You should be paranoid. Most users aren't hackers, but some are, and it's tough to tell the difference. That applies to the general public primarily, but you also need to use caution with employees, admin users, and contractors. The principle of least privilege can help you here as well and you need to use caution offline as well as online. If you put a lot of effort into securing your site, but then you email a password to someone, back up your database to a thumb drive, or leave your computer logged in overnight, you end up circumventing all of your security efforts.

The fourth principle is to expect the unexpected. Security is not reactive. Our goal is to try and prevent the crime before it happens. In order to do that, you're going to want to consider all the unexpected things that might happen. You'll want to consider what we refer to as edge cases. What are all the possible things that a user might try to do? What are the ways they might try and get around your security? You'll want to get creative as you try to expect the unexpected. The next principle is defense in depth. This is basically layered defenses, redundant security, making sure that if one security mechanism gets circumvented, there's something else behind it that also will help you be protected.

You want to make sure that you think about your people, your technology, and your operations inside the organization and how all three of those can work together to create a secure environment. The next principle is security through obscurity. The idea is that more information benefits hackers who are trying to get into your site. So you want to limit the amount of exposed information. Limit the amount of feedback that you give them. A good example of this is a website's login form. You shouldn't tell the user whether their username or their password was the incorrect piece of information.

Doing so will allow a hacker to keep trying until they can find a valid username and then start to try and find a valid password. But if you simply tell them there was no match, then they don't have any idea which one was the wrong piece of information. For security, it's important to understand the difference between blacklisting and whitelisting. A blacklist is a reference list for what is forbidden. A whitelist is a reference list for what is permitted. These are opposites, but they're not equal. And the reason why is because whitelisting means restricted by default, and that's a more secure approach.

So in general, if you can, when making the choice, choose to define the things that are permitted instead of just listing the things that are forbidden. And last of all, you'll want to make sure that you map the exposure points and data passageways in your application. Think about the incoming data through URLs, forms, cookies, sessions, and the outgoing data, what goes out to the user as HTML or JavaScript, and consider what paths data takes as it travels from a user through the application and into a database.

Or from the database back to the application and back to the user. Remember our equation, awareness plus protection equals security. We want to have not just awareness of the outside threats that are coming in, we want to have awareness of what our application actually looks like so that we know where our points of vulnerability might be. These general principles are going to guide all the choices that we're going to make in the upcoming chapters.
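The login-feedback, least-privilege-for-code and whitelisting principles above, worked through in plain PHP as an added example (this is not code from the course or its exercise files). The `Authenticator` class, the `sortColumn` helper and the user and column lists are all constructed for the example; the dummy-hash trick is an addition so that unknown usernames take as long to check as known ones.

```php
<?php
// Added example, not from the course: one generic failure message for the
// login form, a private helper that only the class can call, and a whitelist
// of permitted values instead of a blacklist of forbidden ones.
declare(strict_types=1);

final class Authenticator
{
    // Constructed sample store: username => password_hash() output.
    private array $users;
    // Hash of a throwaway secret. Verifying against it when the username is
    // unknown keeps the response time the same either way, so the timing
    // does not reveal which usernames exist (the message already does not).
    private string $dummyHash;

    public function __construct(array $users)
    {
        $this->users = $users;
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    // Least privilege for code: nothing outside the class needs this lookup,
    // so it is private rather than public.
    private function hashFor(string $username): string
    {
        return $this->users[$username] ?? $this->dummyHash;
    }

    // Returns true only for a real user with the right password. The caller
    // shows one message on failure, never "bad username" vs "bad password".
    public function login(string $username, string $password): bool
    {
        $matched = password_verify($password, $this->hashFor($username));
        return $matched && isset($this->users[$username]);
    }
}

// Whitelist: only the listed column names are permitted; everything else
// falls back to the default, so new or unexpected values are rejected.
function sortColumn(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

$auth = new Authenticator(['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]);
foreach ([['alice', 'wrong'], ['bob', 'anything'], ['alice', 'correct horse']] as [$u, $p]) {
    $msg = $auth->login($u, $p) ? 'Logged in' : 'Username/password combination not found';
    echo $u, ': ', $msg, PHP_EOL;   // same wording for the two failing cases
}
echo sortColumn('password_hash', ['name', 'created_at'], 'name'), PHP_EOL; // falls back to name
```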
