Hello all, I'm looking at building a website and extranet on my CentOS server for my home business. I use PHP for my intranet but I hear PHP is a big security sieve. Can anybody recommend good books on website security and development? Which procedural language should I use to do this? I apologize and realize this may not be the right site for this but it seems there are already a lot of website security and development experts on this list. Thanks in advance, Michael -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20061021/bc2b4781/attachment-0002.html>
> I'm looking at building a website and extranet on my CentOS server for my > home business. I use PHP for my intranet but I hear PHP is a big security > sieve. Can anybody recommend good books on website security and > development? Which procedural language should I use to do this?Oreilly has a ton of decent books, but I prefer to look for tools which are well written. Things that work with php in safe mode, and don't require the use of globals, allow_url_fopen, etc. If the tools you want to use do require these options, then you need to understand the risks involved, and how to mitigate them. The two biggest security shotguns I employ are selinux and mod_security. With these, and a sane web application, you'll eliminate a good 95% of the security risks out there. You may also want to check out www.onlamp.com but keep in mind that you may need to modify any directions listed there to stay within the parameters set by the distribution. -- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell
On 10/21/06, Michael Velez <mikev777 at hotmail.com> wrote:> > Hello all, > > > > I'm looking at building a website and extranet on my CentOS server for my > home business. I use PHP for my intranet but I hear PHP is a big security > sieve. Can anybody recommend good books on website security and > development? Which procedural language should I use to do this? > > >O'Reilly Linux Server Security ISBN 0-596-00670-5 is a great foundation to work on. Personally I am looking at moving away from PHP and more to Zope/Python as this is reputedly more secure. Whether that will still be true as it becomes more popular is to be seen. John -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20061021/974b5aa2/attachment-0002.html>
On 10/22/06, Michael Velez <mikev777 at hotmail.com> wrote:> > I'm looking at building a website and extranet on my CentOS server for my > home business. I use PHP for my intranet but I hear PHP is a big security > sieve.To build and maintain a secure, functional and cross browser compatible site is probably several full time jobs worth of work. Using a CMS will probably save you a lot of hassle. Just looking for one with a reputation for being secure probably won't help much, as you'll no doubt need to use add ons etc. so you need to assess a few CMSs and see which one provides the more secure package for you by the time all the features have arrived. I use Zope/Plone for its accessibility, functionality and ease of use. Going with something simpler may give you a more secure total solution, but I don't think Plone is considered particularly vulnerable. Ben