When it comes to PHP security, you often think of input filtering, SQL injection prevention, XSS in user-submitted content and so on. Well, forget about that. They're all pretty trivial compared to what I feel is by far the most important security issue of any web application. Read on to find out why.
So, the winner of the security-tip-that-will-make-or-break-your-life is…
Keep your systems updated.
You might be thinking, what does this have to do with security? Or maybe, "sure, my systems are up to date." When it comes to developing PHP applications, even some of the most security-conscious developers will entirely miss the deployment environment.
Yet the most important part of any PHP web application's security is keeping the systems it runs on up to date. Having your database tables truncated is nothing compared to having all your user data dumped to an SQL file and carried off-site through your very own sshd. See, your web application is just that: a web application. Underneath it sit Apache, MySQL and various other servers, plus the utilities running alongside them. You don't control any of these; you don't know how they work, and chances are you've never looked at the source of any of them.
So, what if a security vulnerability is found in one of these underlying systems? These systems work much closer to the machine, so a hole in one of them usually poses a far greater threat than the limited access gained through a compromised web application. Sure, somebody might manage to run an SQL query through your database and view most of the result (although they really shouldn't be able to; the application's database account should have only the privileges it needs, which also limits what a query can reach).
But what if they can dump every single database on your database server via a shell? Take webmin, the web-based server control panel, for instance. Last I checked, a vulnerability in webmin, which has control over pretty much your entire server, was a whole lot more serious. With a shell, someone can read your application's config files for the database passwords and then get hold of all your databases, log files and application code. Just a tad more serious than database query access. </sarcasm>
Now, the best way to keep on top of potential vulnerabilities in your underlying systems is with updates. Sometimes, however, you need to go a little further. Try sla.ckers.org for vulnerability postings on web apps literally as they happen; seclists.org is probably a better destination for your underlying systems. Subscribe to the lists at seclists; maybe set up a spare gmail account and forward anything mentioning 'Apache', 'PHP', 'MySQL' and so on to your main inbox (filter on the package and daemon names too, such as 'httpd' and 'sshd', or advisories slip past). Watching the web is also a good idea; major security vulnerabilities generally make it to the front page of Digg.
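A small triage script along the lines of that mail filter, added here as an example (it is not the author's code): it takes a batch of list subject lines, keeps the ones that mention a component in the stack, and compares any version number in the subject against what is installed. The installed versions and the subject lines are constructed for the example and do not refer to real advisories.

```python
"""Triage security-list subjects against the versions actually installed.

Added example for this post, not the author's code.  The installed versions
and the list subjects below are constructed for the example; nothing here
refers to a real advisory.
"""
import re
from typing import List, NamedTuple, Optional

# What this (hypothetical) deployment runs.  Take the real values from
# `httpd -v`, `php -v` and `mysqld --version`, or from your package manager.
INSTALLED = {
    "apache": "2.2.3",
    "php": "5.2.1",
    "mysql": "5.0.27",
    "openssh": "4.3p2",
}

# Names a list subject might use for each component.  Matching on the bare
# product name alone ("Apache") misses subjects that say "httpd" or "sshd".
ALIASES = {
    "apache": ("apache", "httpd"),
    "php": ("php",),
    "mysql": ("mysql", "mysqld"),
    "openssh": ("openssh", "sshd"),
}

# Constructed subject lines standing in for list traffic; not real posts.
SAMPLE_SUBJECTS = [
    "[ANNOUNCE] Apache HTTP Server 2.2.4 Released",
    "PHP 5.2.2 Released - security fixes",
    "MySQL 5.0.27 Community Server has been released",
    "OpenSSH 4.7p1 released",
    "Re: webmin configuration question",
    "Question: migrating PHP register_globals code",
]


class Hit(NamedTuple):
    component: str
    version: Optional[str]  # version mentioned in the subject, if any
    status: str             # "UPGRADE", "CURRENT" or "REVIEW"
    subject: str


# Dotted release numbers, optionally with an OpenSSH-style portable suffix (4.7p1).
_VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)*(?:p\d+)?)\b")


def version_key(version: str) -> tuple:
    """Numeric tuple for comparing upstream release numbers: '4.7p1' -> (4, 7, 1).

    Good enough for upstream version strings.  Distribution package versions
    (epochs, '~rc' suffixes, backported fixes) need the distro's own comparison,
    e.g. `dpkg --compare-versions`, because a patched 2.2.3-4 may already carry
    the fix that upstream shipped as 2.2.4.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def match_component(subject: str) -> Optional[str]:
    """Return the installed component a subject is about, or None if it is not in our stack."""
    lowered = subject.lower()
    for component, names in ALIASES.items():
        if any(re.search(r"\b%s\b" % re.escape(name), lowered) for name in names):
            return component
    return None


def triage_subject(subject: str, installed: dict = INSTALLED) -> Optional[Hit]:
    """Classify one subject: UPGRADE if it names a newer version than we run,
    CURRENT if not newer, REVIEW if it concerns our stack but gives no version."""
    component = match_component(subject)
    if component is None:
        return None  # not something we run; webmin chatter is noise if webmin isn't installed
    found = _VERSION_RE.search(subject)
    if found is None:
        return Hit(component, None, "REVIEW", subject)
    version = found.group(1)
    if version_key(version) > version_key(installed[component]):
        return Hit(component, version, "UPGRADE", subject)
    return Hit(component, version, "CURRENT", subject)


def triage(subjects: List[str], installed: dict = INSTALLED) -> List[Hit]:
    """Keep only the subjects that concern components in `installed`."""
    hits = (triage_subject(s, installed) for s in subjects)
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SUBJECTS):
        print(f"{hit.status:8} {hit.component:8} {hit.version or '-':8} {hit.subject}")
```

The alias table is the part that matters in practice: advisories for Apache routinely say "httpd" and those for OpenSSH "sshd", so a filter on product names alone lets them through. The version comparison is a heuristic on upstream release numbers; if you run distribution packages, the distro may have backported the fix without bumping the upstream number, so confirm with the package manager before concluding you are exposed, and treat REVIEW hits as things to read rather than ignore.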
In summary, keep on top of the systems you rely on. They may be reasonably stable, but on the odd occasion that they have a vulnerability, you could be in serious trouble.