Appendix Additional Resources

No one book can include every piece of information you need, so we’re doing the next best thing—giving you the list of resources we’d take with us if we were stranded on a deserted island (that just happens to have electricity, computers, caffeine—the bare essentials) and had to write a PHP Web application.

PEAR

The PHP Extensions and Application Repository is the equivalent of the Library of Congress for reusable PHP code libraries. We’ve already discussed using off-the-shelf libraries to speed up development and improve security by delegating some of the more complicated code to someone with more specialized knowledge. PEAR is the first place you should look when you need a code library.

PEAR is more than just a collection of code libraries. It is a five-part toolbox for writing and distributing reusable PHP code. The five tools included in PEAR are

• The code repository itself. As of this writing, there are 450 packages in the code repository.

• The PEAR package manager for collecting, maintaining, and distributing all those code libraries.

• The PHP Extension Community Library, or PECL.

• A standardized coding style.

• A Web site, mailing lists, forums, and download mirrors to support the PHP community.

In order to use the code libraries in PEAR, you’ll need the PEAR package manager, the pear command-line tool. It has been bundled with PHP since version 4.3.0, so if your PHP is that version or newer you should already have it. Be aware, though, that some operating system distributions ship it as a separate package (Debian and Ubuntu’s php-pear, for example) and that a PHP built with the --without-pear configure option will not include it. If it is missing, get it from http://pear.php.net and follow the installation and configuration instructions in the included documentation.
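Keeping those libraries patched is the part of “delegating to someone with more specialized knowledge” that is easy to forget: an outdated PEAR package is third-party code with a known bug running inside your application. The script below is an added example, not from the book or the PEAR project. It checks that the pear tool is present, refreshes the package index, lists what is installed, and fails if any installed package has a newer release, so a deployment script can refuse to ship stale libraries. The pear subcommands it calls (channel-update, list, list-upgrades, upgrade-all) are real; the column layout it parses, the sample output, and the function names pear_available, count_upgrade_rows and pear_audit are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the book: audit the PEAR packages on a host.
# Assumes the `pear` CLI (bundled with PHP 4.3.0 and later, or installed
# from http://pear.php.net) is on PATH. The subcommands used are real;
# the exact column layout of `pear list-upgrades` output is an assumption.

# pear_available: succeeds (exit 0) when the pear CLI is on PATH.
pear_available() {
    command -v pear >/dev/null 2>&1
}

# count_upgrade_rows: read `pear list-upgrades` output on stdin and print
# how many package rows it contains. A package row is assumed to look like
#   pear.php.net  Archive_Tar  1.3.7 (stable)  1.4.0 (stable)  20kB
# i.e. channel, package name, then a local version that starts with digits.
# Header lines ("Channel Package Local Remote Size", "pear.php.net Available
# Upgrades (stable):") and "No upgrades available" have no such third field
# and are therefore not counted.
count_upgrade_rows() {
    rows=$(grep -E '^[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+\.[0-9]' | wc -l)
    # wc pads its count with spaces on some systems; strip them.
    echo "$rows" | tr -d ' '
}

# pear_audit: refresh the channel index, show what is installed, then
# return 1 if any installed package has a newer release upstream.
pear_audit() {
    if ! pear_available; then
        echo "pear CLI not found; install it from http://pear.php.net" >&2
        return 2
    fi
    pear channel-update pear.php.net >/dev/null
    echo "Installed PEAR packages:"
    pear list
    pending=$(pear list-upgrades 2>/dev/null | count_upgrade_rows)
    if [ "$pending" -gt 0 ]; then
        echo "$pending PEAR package(s) have newer releases; run: pear upgrade-all" >&2
        return 1
    fi
    echo "All PEAR packages are current."
}

# Run the audit only when invoked directly, e.g. `sh pear_audit.sh --run`,
# so the functions can also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    pear_audit
fi
```

Wire pear_audit into whatever builds your deployment artifact and treat a non-zero exit as a failed build; reviewing the pending list before running pear upgrade-all is still worth doing, since a new release can change a library’s behavior as well as fix it.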

Books

Bace, Rebecca Gurley. Intrusion Detection. Indianapolis, IN: Sams Publishing, 2000.

Bragg, Roberta. Hardening Windows Systems. New York: Osborne/McGraw-Hill, 2004.

Cheswick, William R., Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. Boston: Addison-Wesley, 2003.

Danseglio, Mike. Securing Windows Server 2003. Sebastopol, CA: O’Reilly, 2004.

Edge, Charles S. Jr., William Barker, and Zack Smith. Foundations of Mac OS X Leopard Security. Berkeley, CA: Apress, 2008.

Ferguson, Niels, and Bruce Schneier. Practical Cryptography. Indianapolis, IN: Wiley, 2003.

Friedl, Jeffrey E. F. Mastering Regular Expressions, 3rd ed. Sebastopol, CA: O’Reilly, 2006.

Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security, 3rd ed. Sebastopol, CA: O’Reilly, 2003.

ISECOM. Hacking Exposed Linux. New York: McGraw-Hill, 2008.

Korff, Yanek, Paco Hope, and Bruce Potter. Mastering FreeBSD and OpenBSD Security. Sebastopol, CA: O’Reilly, 2005.

Lerdorf, Rasmus, Kevin Tatroe, and Peter MacIntyre. Programming PHP, 2nd ed. Sebastopol, CA: O’Reilly, 2006.

McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed, 5th ed. New York: Osborne/McGraw-Hill, 2005.

Ristic, Ivan. Apache Security. Sebastopol, CA: O’Reilly, 2005.

Schneier, Bruce. Applied Cryptography, 2nd ed. New York: Wiley, 1996.

Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: Wiley, 2000.

Shiflett, Chris. Essential PHP Security. Sebastopol, CA: O’Reilly, 2005.

Snyder, Chris, and Michael Southwell. Pro PHP Security. Berkeley, CA: Apress, 2005.

Watt, Andrew. Beginning Regular Expressions. New York: Wiley, 2005.

Web Sites

www.php.net

The official Web site of PHP. This is where you’ll get the newest version of PHP. PHP.net also has an extensive documentation section with plenty of user-contributed notes on how various functions are used in the real world. The documentation alone earns PHP.net a place on any PHP developer’s bookmark list.

http://pear.php.net

The PEAR code repository.

www.Zend.com

Home of the Zend Framework and Zend Optimizer, as discussed in Chapter 13, “Securing PHP on the Server.”

www.hardened-php.net

The Hardened-PHP Project, home of the Suhosin hardening patch and extension. The project also publishes security advisories for vulnerabilities it finds in PHP and PHP applications.

www.securityfocus.com

SecurityFocus releases regular security bulletins on all major Web application platforms.

www.cert.org

CERT, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute, which publishes vulnerability notes and incident-handling guidance.

www.owasp.org

OWASP, the Open Web Application Security Project. A community-driven project with the goal of improving Web application security.

http://sqlsecurity.com

Site dedicated to securing Microsoft SQL Server.

http://netsecurity.about.com/

A great beginner’s security site.

http://ha.ckers.org

A “gray hat” security site. You’ll find lots of great information on security testing and hardening, but you’ll also run into a fair amount of “here’s how to break into XYZ server” information. Use your best judgment when applying information from a gray hat site. Some of it is just plain dangerous (or illegal), but that doesn’t mean all of it is. You’ll find information on ha.ckers.org that you just won’t find on a more professional site.

www.ballad-nonfiction/SecuringPHP/

Securing PHP Web Applications’ very own corner of the Web.

Tools

Integrated Development Environments (IDE) and Frameworks

• Komodo: www.activestate.com/Products/Komodo/

A full-featured IDE that supports PHP, Perl, Python, and several other languages.

• Zend Studio: www.zend.com

Zend’s own PHP development environment, with integrated support for the Zend Framework.

• VS PHP: www.jcxsoftware.com/vs.php

A PHP IDE that plugs into the Microsoft Visual Studio environment.

Exploit Testing Tools

We discussed each of these tools in detail in Chapter 15, “Introduction to Exploit Testing,” so we’ll keep the list brief and to the point here.

Automated Testing Tools
