I'm looking at building a website and extranet on my CentOS server for my home business. I use PHP for my intranet but I hear PHP is a big security sieve. Can anybody recommend good books on website security and development? Which procedural language should I use to do this?
O'Reilly has a ton of decent books, but I prefer to look for tools which are well written: things that work with PHP in safe mode and don't require the use of globals, allow_url_fopen, etc. If the tools you want to use do require these options, then you need to understand the risks involved and how to mitigate them.

The two biggest security shotguns I employ are SELinux and mod_security. With these, and a sane web application, you'll eliminate a good 95% of the security risks out there. You may also want to check out www.onlamp.com, but keep in mind that you may need to modify any directions listed there to stay within the parameters set by the distribution.
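As an added example (not part of the original answer, and not code from any of the tools it names), here is a POSIX shell audit of the php.ini directives the answer warns about: register_globals, allow_url_fopen and its companion allow_url_include, plus display_errors and expose_php. It assumes the classic `key = value` php.ini syntax, uses the PHP 5.x compiled-in defaults for directives that are absent from the file (an assumption; confirm with `php -i` on the real server), and audits two constructed sample files rather than a real server's configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the
# directives the answer warns about. Assumes classic "key = value" php.ini
# syntax; the defaults passed below are the compiled-in values for PHP 5.x
# (assumption, confirm with `php -i`). register_globals and safe_mode were
# removed in PHP 5.4, so on a current build they are simply absent.

# Print the last effective value of a directive, lowercased, with any trailing
# ';' comment and quotes stripped. Commented-out lines (leading ';') never
# match. Prints nothing when the directive is not set at all.
php_ini_value() {
    file=$1
    directive=$2
    grep -i "^[[:space:]]*${directive}[[:space:]]*=" "$file" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
              -e 's/[[:space:]]*;.*$//' \
              -e 's/"//g' \
              -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 1 (and print a finding) when a directive is effectively enabled.
# $3 is the value PHP uses when the directive is absent from the file.
check_directive() {
    file=$1
    directive=$2
    default=$3
    reason=$4
    value=$(php_ini_value "$file" "$directive")
    [ -n "$value" ] || value=$default
    case "$value" in
        on|1|true|yes|stdout)
            echo "RISK  $directive = $value  ($reason)"
            return 1
            ;;
        *)
            echo "ok    $directive = $value"
            return 0
            ;;
    esac
}

# Audit every directive of interest; return 0 only if none is enabled.
audit_php_ini() {
    rc=0
    check_directive "$1" register_globals  0 "request parameters become PHP variables" || rc=1
    check_directive "$1" allow_url_fopen   1 "fopen()/include() accept http:// and ftp:// URLs" || rc=1
    check_directive "$1" allow_url_include 0 "include()/require() of remote URLs" || rc=1
    check_directive "$1" display_errors    1 "errors (paths, queries) shown to visitors" || rc=1
    check_directive "$1" expose_php        1 "X-Powered-By header reveals the PHP version" || rc=1
    return $rc
}

# Constructed sample: the legacy settings the answer says to avoid.
write_weak_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real server's php.ini
register_globals = On
allow_url_fopen = On   ; include($_GET['page']) can now pull http:// URLs
display_errors = "On"
expose_php = On
EOF
}

# Constructed sample: the same directives hardened.
write_hardened_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real server's php.ini
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
log_errors = On
expose_php = Off
EOF
}

# Stand-alone demo: audit both constructed samples.
tmpdir=$(mktemp -d)
write_weak_ini "$tmpdir/weak.ini"
write_hardened_ini "$tmpdir/hardened.ini"
for ini in weak hardened; do
    echo "== $ini.ini"
    if audit_php_ini "$tmpdir/$ini.ini"; then
        echo "   result: no findings"
    else
        echo "   result: fix the RISK lines above"
    fi
done
rm -rf "$tmpdir"
```

Run it against the server's real php.ini with `audit_php_ini /etc/php.ini` to get one line per directive; the weak sample fails on four of the five checks, while the hardened sample passes. The script only reads the file, so it is safe to run on a production box, but it checks the file on disk rather than the values the running interpreter loaded, so a `php -i` comparison is still worth doing after any change.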