
I am working with developers right now who write code the way they want, and when I tell them to do it another way they respond that it's just a matter of preference how to do it; they have their way and I have mine.

I am not talking about the formatting of code, but rather about the way the site is organized in classes and the way they utilize them, and the way they create functions and process forms, etc.

Their coding does not match my standards, but again they argue that it's a matter of preference and as long as the goal is achieved there can be different ways to do it. I agree, but their way is proven to have bugs, and we spend a lot of time going back and forth with them to fix all the problems, security or functionality; yet they still write the same code no matter how many times I have asked them to stop doing certain things.

Now I am ready to dismiss them, but a friend of mine told me that he has the same exact problem with the freelance developers he works with. So I don't want to trade one bad apple for another.

The question is: is there some worldwide (or at least Europe and USA) accepted standard or compliance on how to write secure web-based applications? What should the application architecture be for a maintainable application?

Is there some general standard that can be used for any language (Ruby, PHP or Java) governing security, functionality and quality of code? Or at least for PHP and MySQL, which I use for my website, so I can make them follow this strict standard and stop making excuses.

Yusubov
  • 21,498
MarkusK
  • 19
  • 1

5 Answers

2

There is a wide variety of these standards, and each big player in the software business has its own guidelines. The approach and methodology for application security may vary or have common aspects depending on the chosen development platform. As a good solid start you may look at the following articles for thought:

Yusubov
  • 21,498
2

Or at least for PHP and MySQL i use for my website

I would first enforce using PHP Data Objects (PDO) extension for all database communication. Especially by using PDO's prepared statements. See http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

Secondly, I would look at using a library or framework for working with forms. You can use Zend Framework as a library, and ZF has libraries for working with forms. Since Zend is "The PHP Company" it may be considered "official", I suppose. EDIT: and/or review this link: What technical details should a programmer of a web application consider before making the site public?

Thirdly, you should probably read Essential PHP Security by Chris Shiflett. It goes over basic security practices and can enlighten you to potential security holes that may not be as obvious to you. Then you can reference this book as another "standard".

programmer
  • 3,388
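As an added illustration, not code from the answer above, here is the pattern the answer asks you to enforce: a form handler whose database access goes through PDO prepared statements, shown next to the string-built query it replaces. The DSN, credentials, table and column names are assumptions.

```php
<?php
// Added example: DSN, credentials, table and column names are assumptions.
declare(strict_types=1);

// One PDO connection, configured once: exceptions instead of silent errors,
// and real server-side prepares rather than client-side emulation.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The pattern to stop: user input spliced into the SQL text. Using PDO alone
// does not help here; with $email = "x' OR '1'='1" the WHERE clause matches every row.
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $row = $pdo->query("SELECT id, email FROM users WHERE email = '" . $email . "'")->fetch();
    return $row === false ? null : $row;
}

// The pattern to enforce: the value travels as a bound parameter, separate
// from the SQL text, so it cannot change the structure of the query.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Form processing: validate the field first, then persist through a prepared INSERT.
function registerUser(PDO $pdo, array $post): int
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $stmt = $pdo->prepare('INSERT INTO users (email, created_at) VALUES (:email, NOW())');
    $stmt->execute([':email' => $email]);
    return (int) $pdo->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = registerUser(connect(), $_POST);
}
```

A code review rule that is easy to enforce mechanically: any call to `query()` or `exec()` whose argument is not a string literal is rejected.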
2

You may have reached the point in your life as a programmer where you want to use a framework. You write:

I am not talking about the formatting of code, but rather of way site is organized in classes and the way the utilize them. and the way they create functions and process forms etc.

If you take any of the modern frameworks (Ruby on Rails, Python/Django, PHP/ZEND) they will give you exactly that:

they will tell you how to slice your app into models, views, controllers, where to put your code, what to call your classes, how to process forms, .... and they will also give you built-in security features for handling raw HTML or escaped HTML, for preventing injection, XSS, CSRF, and so on.

My personal recommendation would be to leave php behind and move on to Rails - which I consider the most advanced of the frameworks. But YMMV.

bjelli
  • 181
1

There's the OWASP Application Security Verification Standard. It's an objective way of determining that best practices involved with security were followed by answering a checklist about the product. The checklist's requirements are independent from server-side technology.

http://code.google.com/p/owasp-asvs/wiki/ASVS

You may want to consider requiring at least level 1 compliance from your freelancers.

As a warning, the checklist contains items like "V5.2 - Verify that a positive validation pattern is defined and applied to all input." This means that unless a developer has actually carefully studied the requirements prior to implementation (or has already adopted a secure development methodology) they're unlikely to deliver an end result that doesn't need large rewrites to match the ASVS requirements.

0

The first thing I thought of was the nightmares I endured during a Sarbanes-Oxley audit. Now while you may not have to comply with SOX (you're not a publicly traded company for example) the companies you do business with might.

To that end, and while I am no expert, a good place to start is making sure all personal customer information in your possession is encrypted.

In fact you can begin thinking about the problem by assuming that at some point your whole database will be stolen, and asking what ramifications there would be if that were to happen. In short, encrypt personal information robustly with the appropriate libraries (do not simply hash) and do not store the key in the same database.

http://www.jasonkolb.com/weblog/2006/04/web_20_security_1.html

http://www.opensecuritylab.org/storing-passwords-securely-using-salt-in-php

https://www.php.net/manual/en/ref.mcrypt.php

ekeyser
  • 196
  • 2
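As an added example, not from the answer above, this encrypts a customer field with PHP's bundled libsodium (the mcrypt extension linked above was removed in PHP 7.2) and keeps the key outside the database, here in an environment variable. The variable name, table and column names are assumptions.

```php
<?php
// Added example. The key source (env var CUSTOMER_DATA_KEY, 64 hex chars) and
// the table layout are assumptions; libsodium is bundled with PHP 7.2 and later.
declare(strict_types=1);

// The key lives in the process environment (or a secrets file / KMS), never in
// the database: a stolen DB dump then yields only ciphertext.
function loadKey(): string
{
    $hex = getenv('CUSTOMER_DATA_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CUSTOMER_DATA_KEY missing or wrong length');
    }
    return sodium_hex2bin($hex);
}

// Authenticated encryption with a fresh random nonce per value. The nonce is
// not secret and is stored in front of the ciphertext.
function sealField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Decryption fails closed: a wrong key or a modified record fails the MAC check.
function openField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('malformed record');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('record tampered with or wrong key');
    }
    return $plain;
}

// Persist the sealed value through a prepared statement (table and column assumed).
function saveCustomerPhone(PDO $pdo, int $customerId, string $phone): void
{
    $stmt = $pdo->prepare('UPDATE customers SET phone_enc = :enc WHERE id = :id');
    $stmt->execute([':enc' => sealField($phone, loadKey()), ':id' => $customerId]);
}

// Passwords are the one field that is hashed rather than encrypted:
// password_hash($pw, PASSWORD_DEFAULT) on registration, password_verify() on login.
```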