
Handling security on a custom built site?

I’m an entry level web dev, and have some basic chops in PHP, HTML, CSS, JS, and the LAMP stack. I would like to go freelance eventually, and am wondering how freelancers handle security.

Do MVC platforms handle this generally? Does CakePHP have something for this? Or should it just be built into your know-how for building websites? Also, how does the client verify that their site is indeed secure against attacks? Do they even care about this? Should I contract out to a freelance QA, that can tell me if the site I’ve developed is vulnerable or not?

Any other info along these lines would be greatly appreciated. Thanks!

PHP

7 Comment(s)

@NogDog Nov 11.2014 — Start by reading this short book (maybe twice?): Essential PHP Security (http://phpsecurity.org/)
@NogDog Nov 11.2014 — PS: For all database interactions, use PDO or MySQLi (not the deprecated MySQL extension), using prepared statements and bound parameters for all external inputs into the queries.
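An added example of the advice above (written for this edit, not code posted in the thread): the string-built query beside the PDO prepared statement with a bound parameter, run against an in-memory SQLite table that is constructed inline. The `users` table, the two functions and the sample input are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. In-memory SQLite so it runs offline;
// with pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so
// the server, not the driver, does the binding.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('O''Brien', 'ob@example.com')");

// UNSAFE: the input is pasted into the SQL text, so any quote in it changes
// the statement itself. This is the pattern SQL injection relies on.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed; the value travels separately as a bound
// parameter and is never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien"; // ordinary input that happens to contain a quote

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest became SQL:
    // data corrupted the query. A crafted value does the same on purpose.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

$rows = findUserSafe($pdo, $input);
echo "safe query found " . count($rows) . " row(s): " . $rows[0]['email'] . PHP_EOL;
```

The same binding applies to every external value, including ones from sessions, cookies and other tables, not only form fields.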
@thebombman53 author Nov 11.2014 — That sounds good I think I will. But besides giving myself confidence that I can code a secure website, how do I relay this to the client? Is there some kind of certification that I can run the website through, to assure them that it is indeed, secure?

Or do they just have to trust me on that one?
@Strider64 Nov 11.2014 — [QUOTE=thebombman53]That sounds good I think I will. But besides giving myself confidence that I can code a secure website, how do I relay this to the client? Is there some kind of certification that I can run the website through, to assure them that it is indeed, secure?

Or do they just have to trust me on that one?[/QUOTE]

As long as you take all the measures that you personally can think of to make a website secure and then explain to the client in layman's terms what you did, then explain that nothing is 100 percent foolproof on the internet, you should be OK. One side note: if you want to add additional insurance, have your sites use SSL (https instead of http); you'll have to buy a certificate in order to have a verified website.
@NogDog Nov 11.2014 — I believe there are services out there you can pay to try to crack your site. I do not personally know, however, which ones give you a good return on your investment.

One downside to working as a one-person freelance "shop" is that doing code reviews is usually not part of the process, which is often the first line of defense on any project to make sure you haven't done anything obviously stupid security-wise (not to mention other non-security issues it can turn up).
@thebombman53 author Nov 12.2014 — @Strider - That is good advice. I think that is what I will do.

@NogDog - Yes, I am aware of this problem. The idea is that I'll work in the industry first though, so that way I get an understanding of some common errors, and can keep a look out for them when I'm finally on my own.