

Practical example: building a social sharing platform

Documenting your project upfront requires time and research, but gives an enormous amount of insight and knowledge for the whole team to advance with.

In this article we're continuing where we left off in my previous article "Documentation of a project" by providing examples for the documentation focus areas I explained, and we're also making sure that we're not tumbling down a rabbit hole where specs are written in stone and we're building this project in a waterfall way.

The Hotbrewd project

For this particular example I've chosen a project that has a couple of interesting challenges. It's a social media platform (lots of users) where people can check in their beverage at a specific location or establishment (geolocation), upload photos or videos of their drink (moderation) and share with friends (personal information, profiling). To make it a little entertaining, the more people share and tag, the more stickers they can unlock. Also brands and establishm…

Recent posts

Documentation of a project

In my previous post I described 10 steps we should take to improve the security of web applications. In this article I'm going to describe the purpose of documenting a project and what information should be included.

Every successful project requires documentation to communicate a project goal and the requirements to reach it.

Purpose of documentation

The reason documentation exists is to communicate in a clear, understandable language with all people involved. For web applications this documentation should describe the idea as a concept, the steps needed to convert the idea into an application, what tools, applications and services are required in the process of building the application, how the application is architected and who the people involved are.

Since documentation is never complete, a good structure is required to allow additions or corrections to be made over time. I prefer to use a Wiki type of platform to write my documentation. A wiki often has a simplified markup language and a…

Getting to understand the basics of security

In this article I first try to understand what security is and what the best security practices for web applications are.

In my previous article "The challenge for 2019 has just got real" I had set a challenge for myself for 2019: to learn more about securing web applications in general and PHP web applications in particular.

In this article we're going to explore what security means and what basic steps should be considered in providing security. After all, we want to incorporate security in our design and development process instead of trying to bolt it on at the end.

What is security?

"Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) caused by others." This quote is taken from Wikipedia, where in my opinion the goal of security is very well described.

Security should provide freedom for the related party
Security should create a resilience against harm or unwanted change caused by others

What I'm missing in this quote is the f…

A word about my Have I Been Pwned package

Yesterday evening I posted a Tweet about improving user-entered passwords using Troy Hunt's service Have I Been Pwned.

It went viral overnight with many likes and retweets. But I also got a ton of questions regarding the usage and the security of this package. It turns out many people are scared to send passwords over the internet and are afraid to just use a package (like mine) for password checking.

Just to give you an idea of how the Have I Been Pwned service works, I created this little diagram to visualise how I'm using the service.

A user enters their password in our registration or password renewal form. We create a SHA1 hash from it and send only the first 5 characters of that hash to HIBP. We get back a list of hash suffixes matching that prefix, each with a count of how many times it has been found in the HIBP database. On our server we look up the remainder of our hash against the list we received from HIBP and, if there's a match, we return the count back to the user.

No passwords are sent in the clear ove…

The challenge for 2019 has just got real

I am a regular listener to the Security Weekly Podcast Network, which includes Hack Naked News, Business Security Weekly, Enterprise Security Weekly, Secure Digital Life and Application Security Weekly. I really love their shows and over the years I've been listening to them, I learned a lot about business leadership, communication and security. If you're in tech, I can highly recommend listening to their podcasts. And since I'm always on the go, these are great shows to listen to while driving around.

But… and here it comes: for some reason they have a love-hate relationship with PHP, where their dislike of the technology is omnipresent in their shows. Particularly in Application Security Weekly they love to pick on PHP and blame it for all the evil that exists on the internet. On one hand, I cannot blame them, since the strength of PHP lies in the fact that anyone can write a dynamic website within a few minutes. The downside is also that anyone can write a dynam…

Testing your e-commerce PHP application

I'm participating (as much as possible) in the #30daysoftesting challenge organised by Ministry of Testing and SauceLabs. If you're interested, read the full 30 Days of E-Commerce Testing article and join this fun and educational challenge.

The 2nd challenge on the list was to read and share interesting blog articles about E-commerce testing. Since I'm working as a PHP professional I thought it would be great to focus on testing PHP-based E-commerce platforms. I picked WooCommerce as it's an easy E-commerce solution to install and use. For Magento, PrestaShop and others I've added useful links at the bottom of this article.

WooCommerce is an add-on for WordPress, allowing you to integrate E-commerce functionality directly within your blog. This ensures you can be up and running in no time. Even though WooCommerce and WordPress are very active community-driven projects, they both suffer from legacy that has been carried along with WordPress…

Deploy Docker containers fast to Microsoft Azure

It’s hard to ignore the fact that Docker is a way to move forward for rapid application development, distributed architectures and microservices. For developers Docker offers great advantages as they can build their containers specifically for the task they work on. They grab a base image of a container, modify it for their purpose and prepare the functionality inside the container. Quality, testing and security teams now have a single instance to look at and ensure all functional and regulatory requirements are met. System engineers now don’t have to worry about providing a system with the required specs as the container is already provisioned for that purpose.

But where do you deploy your Docker containers? You can set up your existing bare metal infrastructure to allow it to run containers, but this also means you need to learn about securing your container infrastructure, which is not an easy task. Luckily “the cloud” offers container …