
I am looking for the current, state-of-the-art coding standards for web development (mostly PHP). Since I do not want to reinvent the wheel, I would like to reuse libraries written by people much cleverer than I am.

I know about OWASP which is a wonderful source of best practices and brilliant information. Their web site is however quite unorganized when it comes to libraries.

  • On the one hand there is OWASP ESAPI with pointers to libraries.
  • On the other hand there is OWASP AntiSamy, which also has libraries. It in turn points to HTMLPurifier or the MS Anti-XSS library.

I did not find any links between these different solutions.

Is there currently a consensus on the most recommendable libraries to use in order to mitigate the major security risks?

Thank you

WoJ

2 Answers


You will need to add static code analysis to your testing. Many Cross-site scripting (XSS) problems are very difficult for the human eye to pick out. Automated code analysis finds them easily.

Bruce Ediger
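To illustrate the point of this answer (that an automated scan picks out unencoded output of user-controlled data more reliably than a human reviewer), here is a small taint-tracking scanner written in Python. It is an added example, not code from the answer, from OWASP or from any static-analysis product: it tracks assignments from PHP superglobals to local variables and flags `echo`/`print` statements that use tainted data without passing it through `htmlspecialchars()` or `htmlentities()`. The PHP snippet it runs over is constructed for the example.

```python
import re

# Constructed sample PHP source for the example (not from the page).
# Lines 3 and 6 emit user-controlled data without HTML encoding.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
echo "Hello " . $name;                       // unsafe: raw user input
echo "Hi " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');  // encoded
$q = $_POST['q'];
print "<input value='$q'>";                  // unsafe: interpolated into HTML
echo "static text";                          // no user input
"""

# Taint sources: the request superglobals an attacker controls.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Simple single-line assignment: $var = <expr>;
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);")
# Output sinks that write straight into the HTML response.
OUTPUT = re.compile(r"^\s*(echo|print)\b(.*)")
# Encoders that neutralise HTML metacharacters (a naive "appears anywhere" check).
ENCODERS = ("htmlspecialchars(", "htmlentities(")


def find_xss_sinks(php_source):
    """Return a list of (line_number, code) for output statements that use
    tainted data without an HTML encoder. Deliberately simplistic: one
    statement per line, no function boundaries, and trailing '//' comments
    are stripped (so a '//' inside a string literal would confuse it)."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0]
        m = ASSIGN.match(code)
        if m:
            var, rhs = m.groups()
            # A variable becomes tainted when assigned from a source or
            # from another tainted variable; a clean reassignment clears it.
            if SOURCES.search(rhs) or any(
                re.search(r"\$" + t + r"\b", rhs) for t in tainted
            ):
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        m = OUTPUT.match(code)
        if m:
            expr = m.group(2)
            uses_taint = SOURCES.search(expr) or any(
                re.search(r"\$" + t + r"\b", expr) for t in tainted
            )
            if uses_taint and not any(e in expr for e in ENCODERS):
                findings.append((lineno, code.strip()))
    return findings


if __name__ == "__main__":
    for lineno, code in find_xss_sinks(SAMPLE_PHP):
        print(f"line {lineno}: unencoded output of user data: {code}")
```

On the sample it reports lines 3 and 6 and stays quiet on the encoded output at line 4 and the constant at line 7. A real analyser (the kind the answer recommends) does the same thing with a proper parser, interprocedural data flow and a model of which encoder is correct for which output context (HTML body, attribute, JavaScript, URL); this toy exists only to make the mechanism visible.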

(Hey, I know that Bruce Ediger character! ;) Seriously, you did not mention what exactly you were looking for, but ESAPI is not a "coding style", but rather a library of various security controls. There is an 'ESAPI for PHP'. OTOH, AntiSamy only exists for Java and .NET, so if you are looking for something to help defend against XSS in PHP, ESAPI should get the nod.

However, Bruce is correct...to a degree. Unless you are doing a green-field approach on some brand new project, static or dynamic analysis is a definite plus, especially if you are working on a large code base. These tools will help you identify places within your code where you need to insert ESAPI's security controls.

Finally, you might find this book useful (note: I have not read it at all, but based on its title and TOC, it would seem to fit the bill): Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition by Chris Snyder, Thomas Myer and Michael Southwell. It's published by Apress. I'll let you look it up on your favorite online bookstore, etc.

Kevin Wall
  • Thanks. I should have been more clear with my question. What I actually meant is that there are several libraries which get a recommendation from OWASP and they are not mentioned as "you can use ESAPI or AntiSamy" but rather get independent sections without any cross links or comments. Anyway I will have both tested to see which one will be easiest to implement in a PHP environment (since both cover PHP). – WoJ Sep 02 '11 at 06:49