Hello all,
I'm looking at building a website and extranet on my CentOS server for my home business. I use PHP for my intranet but I hear PHP is a big security sieve. Can anybody recommend good books on website security and development? Which procedural language should I use to do this?
I apologize and realize this may not be the right site for this but it seems there are already a lot of website security and development experts on this list.
Thanks in advance,
Michael
I'm looking at building a website and extranet on my CentOS server for my home business. I use PHP for my intranet but I hear PHP is a big security sieve. Can anybody recommend good books on website security and development? Which procedural language should I use to do this?
O'Reilly has a ton of decent books, but I prefer to look for tools which are well written. Things that work with PHP in safe mode, and don't require the use of globals, allow_url_fopen, etc. If the tools you want to use do require these options, then you need to understand the risks involved, and how to mitigate them. The two biggest security shotguns I employ are SELinux and mod_security. With these, and a sane web application, you'll eliminate a good 95% of the security risks out there. You may also want to check out www.onlamp.com but keep in mind that you may need to modify any directions listed there to stay within the parameters set by the distribution.
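As an added illustration of the point about not depending on register_globals or allow_url_fopen (example code written for this editor's note, not from the thread or any poster), here is a small page dispatcher that refuses to start under a php.ini which enables either option, and reads its inputs explicitly instead of relying on globals. The page keys and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the original thread. Demonstrates a request handler
// that does not rely on register_globals or allow_url_fopen and checks at
// startup that both are off. The PAGES map and pages/ directory are assumed.

// Refuse to run if php.ini enables the options the post warns about.
// ini_get() returns false for a directive that does not exist, which
// filter_var() treats as "off", so this also works on PHP versions that
// removed register_globals entirely.
function assertHardenedIni(): void
{
    foreach (['register_globals', 'allow_url_fopen'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            http_response_code(500);
            exit("Refusing to run: {$directive} is enabled in php.ini\n");
        }
    }
}

// Fragile pattern (for contrast only, not executed): with register_globals on,
// $page and $isAdmin are populated straight from the request, so any client
// can pre-set them before this code runs.
//   if ($user === 'admin') { $isAdmin = true; }
//   include($page . '.php');

// Hardened version: inputs come explicitly from superglobals, the include
// target is picked from a fixed allow-list (so allow_url_fopen is never
// needed), and privilege state comes from server-side session data only.
const PAGES = ['home' => 'pages/home.php', 'contact' => 'pages/contact.php'];

function resolvePage(array $get): string
{
    $key = isset($get['page']) ? (string) $get['page'] : 'home';
    return PAGES[$key] ?? PAGES['home']; // unknown keys fall back to home
}

function isAdmin(array $session): bool
{
    return ($session['role'] ?? '') === 'admin';
}

assertHardenedIni();
$target = resolvePage($_GET);
$admin  = isAdmin($_SESSION ?? []);
if (!is_file(__DIR__ . '/' . $target)) {
    http_response_code(404);
    exit("Page not found\n");
}
require __DIR__ . '/' . $target;
```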
On 10/21/06, Michael Velez mikev777@hotmail.com wrote:
Hello all,
I'm looking at building a website and extranet on my CentOS server for my home business. I use PHP for my intranet but I hear PHP is a big security sieve. Can anybody recommend good books on website security and development? Which procedural language should I use to do this?
O'Reilly Linux Server Security ISBN 0-596-00670-5 is a great foundation to work on.
Personally I am looking at moving away from PHP and more to Zope/Python as this is reputedly more secure. Whether that will still be true as it becomes more popular is to be seen.
John
On 10/22/06, Michael Velez mikev777@hotmail.com wrote:
I'm looking at building a website and extranet on my CentOS server for my home business. I use PHP for my intranet but I hear PHP is a big security sieve.
To build and maintain a secure, functional and cross-browser compatible site is probably several full-time jobs' worth of work.
Using a CMS will probably save you a lot of hassle.
Just looking for one with a reputation for being secure probably won't help much, as you'll no doubt need to use add-ons etc., so you need to assess a few CMSs and see which one provides the more secure package for you by the time all the features have arrived.
I use Zope/Plone for its accessibility, functionality and ease of use. Going with something simpler may give you a more secure total solution, but I don't think Plone is considered particularly vulnerable.
Ben
Thank you everybody for the responses so far. This gives me a lot to look into, but the responses were exactly the guidance I was looking for. I'll evaluate all the options people have sent me.
Michael