The Security Innovation Europe Blog

How to Train Secure PHP Developers

Posted by Alan Pearson on Apr 15, 2015

As with all programming languages, PHP has a unique set of uses, idiosyncrasies and, crucially, security vulnerabilities. In order to effectively train developers in the best practices of secure PHP development, your organisation needs to build upon the basic tenets of developer training, and implement a security training program specific to PHP.

To help you develop a comprehensive training program for your developers, we’re looking at the fundamental elements needed to train secure PHP developers.

The Basic Principles of Developer Training

As with all programming languages, there are a number of security vulnerabilities which are more relevant to PHP projects than any other type of development. However, the basic tenets of developer security are the same for virtually all types of programming language; and developer training should always start by explicitly addressing these topics.  

Security is Rarely a PHP Developer’s Priority

Developers are judged on their ability to write quick and effective code; and following the best practices of secure PHP development can often contradict their primary goals. In order to emphasise the importance of PHP security, your organisation needs to pro-actively educate developers, and recognise their adherence to best practices. This is a crucial part of developing a secure culture.

The Digital Environment is Constantly Changing

Security training needs to be periodically refreshed to ensure developers are following up-to-date security practices. eLearning courses can be helpful in this instance, allowing developers to regularly access the latest training, and keep up with changes to crucial resources like the Open Web Application Security Project (OWASP).

Threat Modelling is a Crucial Web Application Security Tool

Threat modelling offers a systematic framework for analysing the security of application developments. Microsoft’s DREAD framework is regularly used alongside PHP projects; allowing developers to identify security issues, quantify the threat posed by each, choose suitable countermeasures and prioritise their responses accordingly.

Educating Developers on Common PHP Vulnerabilities

Whilst basic security training will offer developers a good grounding in the best practices of security, it unlikely to cover the unique problems faced by PHP developers in enough depth to effectively secure PHP projects.

For example, projects that use server-side PHP will face radically different threats than those that rely on browser-based languages, like Javascript. The most common of these threats, including SQL injection and cross-site scripting, can pose a serious threat to organisation security. As a result, it’s important that security training is tailored specifically to your developer’s specialities, and addresses the vulnerabilities that most commonly effect PHP development.

Securing the Development Environment

Many of the most common PHP security issues arise from improperly secured development environments. It’s essential that developers are able to secure user access and user authentication sessions, and that communication channels are encrypted to prevent network eavesdropping attacks.

SQL Injection, Cross-Site Request Forgery and Cross-Site Scripting

Together, these three threats are the most commonly used methods of attack employed by malicious third-parties, and pose a significant security risk to PHP developments. SQL in particular is the OWASP’s top-rated vulnerability, so it’s essential that all PHP developer security training programs explicitly address these problems, and how to solve them, including:

  • The best practices of database management.
  • How to effectively sanitise all instances of user generated input.
  • How to prevent file inclusion and command injection vulnerabilities.

For more information on these threats, read 5 Website Security Issues Your Company May Be Ignoring.

Securing Agile PHP Development

Agile web application developments are growing in popularity, with the agile methodology regularly used for PHP development, in lieu of traditional waterfall-style processes. Whilst this style of development offers obvious benefits to productivity and efficiency, agile projects also bring with them their own set of unique risks. If PHP developers use agile development processes, they need to be trained in secure agile software development. New Call-to-action

start improving your application security (free whitepaper)

Popular Posts

Wait!

Was this article useful? Sign-up and we'll send you one like it every Monday.


No, I don't need to know more about security

© Copyright 2014 Security Innovation Europe Ltd. All rights reserved. A company registered in England & Wales. Registration number: 8321696.