I have a experience on Joomla, Drupal, wordpress and small cms configuration. But one of my client is asking about the security level in the above cms. I never thought about the security risks and it's really very new to me. On which basis i can choose which is best CMS when considering about the security level and minimum risks? And what kind of security we can provide to the server make the application highly secured?
All the big CMS products you mentioned should be okay. Look at who else is using them; this is a great way to judge how good the product really is. For example, Drupal is used by the White House. This fact gives me a lot of confidence in Drupal.
The important thing is to make certain that you keep up-to-date with any security fixes that are released.
The vast majority of security problems in all these products come from non-core modules that you might install. If you're really worried about security, I suggest keeping the number of modules you use to an absolute minimum.
Where you do need to use an external module, do thorough investigations to find out how good it is: how often is it updated? are there any known bugs with it which may be security issues? how widely used is it? And as I mentioned above with the core CMS, who is using it?
You should also ensure that your web server is secure. It's not just your CMS that will provide routes in for a hacker. Close all un-necessary ports and services. Make sure that everything possible is encrypted (use SFTP, definitely not FTP). If you're using a PHP-based CMS such as Drupal, use a security-hardened PHP version (Suhosin) rather than the basic version.
Finally, you should accept that no matter how good your software and no matter how vigilant you are, you could still get hacked. Worse, you could get hacked without even knowing about it. Even the best software has flaws which can be exploited. For this reason, you should aim to have several layers of security before anyone can get to any genuinely sensitive data.
Related
I have an AJAX (jquery) based website. It has lots of ajax calls.
Anyways, I have to check whether my website is hack proof, sessions are properly maintained, etc, i mean anything that can be considered as a security flaw and patch it.
Can anyone suggest me any tools using which I can do all kinds of hack on my website to find out vulnerability?
Thanks.
EDIT:
Why will someone want to vote this question down?
I can recommend to you the Burp Suite. User friendly, many features, well documented. Also discussed in some web application security books, e.g. The Web Application Hacker's Handbook. It has both free and paid version. The free one is quite useful as well.
It is written in Java so you can use it on many platforms.
check http://sectools.org/tag/web-scanners/
I am planing to build a website using PHP to be hosted on the public internet with decent user load (between 1000 to 5000). I am using FreeBSD as a server and I configured Apache, PHP and MySQL from scratch.
With proper configuration, is it safe to use such a server, or should I go with some web framework? I am asking as I've heard few horrible things about PHP.
If it is safe, does PHP get too complex when the size of the site increases beyond a certain point?
I know Facebook uses PHP; are there any other big websites that use PHP?
Last, is it recommended to use some PHP framework or should I stick to plain old PHP?
PHP works fine for just about any size server. The question isn't really the programming language but the infrastructure you set up. 1000-5000 users is not very many unless they are all banging on the site at the same time. Are they doing a lot of DB queries or consuming a lot of CPU resources? If so, then you may want to look at a dedicated MySQL server for the DB queries.
I have nothing against frameworks. However, you are usually shoehorning your problem into their solution. Careful design on your part with common routines, etc., are usually just as good as a framework in my opinion. However, some people are more comfortable working within a framework because it removes some of the plumbing issues.
A lot of large sites use PHP. It may not be obvious because they hide the extension of the scripts in the URLs.
With proper configuration PHP is fine. However if youre new to php and server administration you might want to read up on configuring php as well as Apache for security. Youll also need to read specifics on configuration for performance as well but you need to have an app to test before its really worth doing that beyond some basics.
As far as using a framework or just basic PHP that depends totally on you. a framework is othing more really than a set of useful code and structure to accomplish alot of tasks. If you dont use a framework youre going to have to write code that meets similar requirements, so you might save time using a framework. Generally you are going to sacrifice performance in trade for having to design/write less code. You need to decide yourself if a framework (and which one) is right for the project.
In terms of sites that use php... There are a ton... Facebook, Yahoo Bookmarks, Daily Motion, parts of MySpace (at one time, not sure if its still the case), anything running Drupal or Wordpress... PHP is more than capable.
PHP is just a tool and choice of framework does not really makes your application secure or fast, unless you understand the principles of web security and how things works.
Facebook is good example of what php is capable of in hands of processionals. And there are plenty of websites that capable to handle 10K visitors a day on a single low end server.
I am looking for a clean, well-built CMS. I want to migrate a number of sites away from a self-built CMS which I will not be developing further.
I've come across Apostrophe and instantly fell in love with the great, integrated user interface.
It is based on the Symfony framework, which I have practically no experience with.
My questions:
I am planning to deploy sites I build with this CMS on shared hosting packages which do not offer any command line access. I know that many of Symfony's development and maintenance functions rely on command line access to the symfony script. Is it feasible to deploy an Apostrophe-based web site to such a web host, or is access to the command line tools required for a live product on a regular basis?
To be very honest, I'm not really keen on learning Symfony in depth right now: I'm sure it's a great framework, but I have tons of other obligations. I just really like what Apostrophe offers to the end user of the CMS. In your opinion as a seasoned Symfony or even Apostrope developer, will a professional PHP developer be able to set up a web site (without much customization on the code end - lots on the front-end, but that's a different matter) without being a Symfony expert? Or is this a recipe for disaster?
Are there any other arguments that, from your experience, speak for or against using Apostrophe in my situation?
I'm one of the core Apostrophe developers at P'unk Avenue.
Right now Apostrophe's open source release is oriented toward folks who are willing to get somewhat up to speed with Symfony, yes, at least so far as understanding the layout of a Symfony project and learning to edit templates. You need those skills to add new page templates and edit the global layout.
You don't have to create entirely new PHP classes to launch and maintain an Apostrophe site, though. Sometimes "light PHP" skills (creating new templates) are all that is required.
Usually the Apostrophe ecosystem works like this: a client wants to work with us, or with another developer, to create a site that they can then maintain on their own without the usual problems of the client accidentally trashing the design, busting the layout with horrible HTML pasted from Microsoft Word, et cetera.
Apostrophe solves that problem very thoroughly with robust built-in HTML filters and media slots that aggressively manage images and video so that they display correctly for a given page template and so on.
So we take the problem of helping clients (who are very competent in their own knowledge domain, but not designers) to maintain their own content safely very seriously and have some unique solutions as standard equipment in the system.
As for your hosting situation though, yes, it is difficult to use Apostrophe (or other really modern PHP code) with zero command line access. Symfony tasks are used to clear the Symfony cache and to reoptimize the search engine nightly. You could work around the former with some other hack to empty the cache folder and the latter by ignoring it, which will work if the site is small.
Another problem with shared hosting is that it won't have APC running as a bytecode cache. Without APC pretty much all PHP code runs much much much slower. Systems with a lot of PHP classes are not meant to be run without APC and they appear much slower than is really accurate without APC.
I would strongly urge you to check out the offerings of ServerGrove (www.servergrove.com). When your client can have a virtual machine all to themselves for $20/month with all the security benefits that brings, I think it's a questionable decision not to go for it. (Use whatever host you want, the main principle here is that VM hosting is always vastly more secure and performs much better than old-school shared hosting. ServerGrove does specialize in Symfony hosting though which is a nice plus.)
Some shared hosting services are not completely terrible in this regard - servergrove does have a shared hosting offering, still no APC (which is a serious disadvantage for any big PHP system, including WordPress or Drupal) but they do give you shell access and secure the system by preventing other clients from being able to find your files through the filesystem via PHP. Some shared hosts don't do that at all, which is a horrendous security hole.
There is an apostrophenow community to help you along:
http://groups.google.com/group/apostrophenow
Whatever you choose, good luck with your site!
At my workplace we're planning a major refactor on our core product, a web application with several 'modules'. I quoted that because that's one of our main concerns: modules are not really modules, the whole thing is monolithic. The application is written in PHP with smarty templating and using Pear for accessing a MySQL database. We're not really concerned with database independence, although it would be nice if that wouldn't take months to implement.
Our main concerns are that development time/cost is increasing exponentially because of bugs popping up in unrelated places and not having a sound common architecture to rely on to get the most common functionality (each module is basically copy/paste from the previous one, then adapt).
I've got some experience with the web MVC principle, mainly in ASP.NET MVC. I like the clean separation it offers and the testability. However, when trying this on a local machine the app is simply a lot slower than it should be.
Alright, enough introduction, off to the questions:
- Should I rely on caching modules? Does this remove most of the overhead using a good architecture provide? Something like APC.
The application is mainly read. Writing is mainly single values (change a single field on a record). Any OR/M for PHP that are good at this?
Also looking for a flexible MVC framework. I know Zend, CakePHP, maybe Symfony?
The tricky part is that we don't have the luxury of being able to do a full rewrite. We'll have to incrementally improve a currently very messy codebase. This has to be done while writing new code, or fixing bugs. One thing I'd really, REALLY like to be able to do is write a regression test for a new bug before fixing it, to prevent it from popping up again later (this happens, occasionally).
The stack I'm currently considering contains:
MVC framework of choice
Logging (log4php?)
an OR/M of choice (doesn't have to be dynamic, code generation is fine too)
IoC container of choice
Smarty Templating, perhaps abstracted so we can switch it out if we need to.
Opcode cache of choice (we're using one now, forgot which one, have to ask sysadmin)
The main point that worries me is the performance implications of creating clean code in PHP. Seeing it's a parsed language opposed to something like the .NET/Java web stack, creating abstractions for otherwise in-line code (with obligatory separation in different files) might create new problems on another level.
Note: Retag if you come up with more appropriate tags, I'm not sure on the current ones.
Having a clean setup isn't a performance issue, usually. Most performance is spent with databases or other external systems you're talking to.
Except for these there are usually one or two hotspots which might be worth optimizing but for that you should start with a clean design, then use a profiler (like XDebug or ZendDebugger) to identify the bottlenecks.
A clean software design is way more important than the 0.01% performance gain by a "optimized" design. Usuallyit's even cheaper to buy and run more hardware than worry about an "optimized" codebase which is unmaintainable.
I'd stress budgeting time to build tests, with the following arguments to management:
When developers fix a bug, allow them to write a test for the bug. Bugs reoccur much more often than they probably should, and this is a cheap and effective way to stop that completely.
When developers are building new functionality, allow them to write tests under it. Since they're completely familiar with the functionality at that point, this is the least expensive time to build the "safety net" of automated testing.
Don't candy coat how long testing will take you; whether it's 1% of your time or 50%, give that to the manager straight, but stress that building automated testing as a safety net will stop users from hitting as many bugs, and will save developer time for new development instead of bugfixing.
As far as managing an MVC component with a spaghetti code component, we had a similar issue with a large project. What worked well was just taking a directory and making that the new docroot for MVC app (Zend Framework in our case) such that:
old part:
http://site.com/data.php
http://site.com/other.php
new part:
http://site.com/app/controller/action/...
Re authentication, you have a couple of choices. Probably the most logical is to redirect your login.php script to the MVC login and then pass it back to the original page that you want to go with necessary info passed as a GET parameter. This will allow legacy and new systems to exist simultaneously and transparently.
Re slowness, before I would pull out XDebug, I would try to isolate a problematic part and just output times it takes. Faster IMHO.
There isn't any good reason that well structured object oriented code should perform significantly worse than sapghetti php code in a database driven web application. You need to do some profiling to find where your bottlenecks are and optimize accordingly.
You do have a tough (but not uncommon) situation.
As far as organizing the code to minimize bugs, all I can give is a tip of the cap to DRY.
For performance issues, those are easy to find, because their very slowness shows them to you, by this technique.
I've heard that there are some free applications that will check the vulnerability of a PHP website, but I don't know what to use. I'd like a free program (preferably with a GUI) for Windows that will analyze my site an give me a report.
Anyone know of a solution?
Top 10 Web Vulnerability Scanners from Insecure.org (listing from 2006). Their number one, Nikto2, can be found here.
There are only certain security holes you can check for with any program. You can check your PHP configuration, Apache configuration, passwords, common bugs, etc. but you can't really check programatically for logic errors which might cause security holes.
Your best bet would be to do a thorough code review of the website. Or, better yet, have several other people do a thorough code review of the website, looking for security holes.
Netsparker Community Edition does that and it's free (GUI + Windows).
I recently found Detectify which seems to make a decent scan and has nice UI. They work on donation basis which means you should decide how much you can spend.
We cover OWASP Top 10. That means we find a wide variety of flaws, including SQL, LDAP, XPATH and NoSQL injections, Cross Site Scripting flaws, broken session management, remote code and command execution, etc.
I'm a little late to the party, but since you specifically asked for easy to use and not-too-technical scanners, take a look at Golem Technologies website security scanner - the full scan isn't free, but they have a demo scan which checks about 10% of a site and will catch a lot of the common vulnerabilities.
This is another one, but as previously stated, nothing beats a professional eye-over:
http://www.websitedefender.com