While filling out secure forms on bank websites, I have always wondered how they know their application is completely secure. Sure you know you are on SSL, your account “should” be secure, and hopefully the security question, account throttle, timeouts etc. should keep your account safe. But what is the best way to test this? And what determines how “safe” your application is? What if there was a bug in your code somewhere, then it would not matter how many safeguards you have in place.
I recently created a login for a website which will log the user out automatically after 15 mins, will lock their account after 3 failed attempts, contains a security question, and runs on SSL. But I need to know what determines the security of a program.
Thanks for any help!
Metropolis
EDIT
The main question is. “What is the best way to test for PHP security”. Is there steps to take to ensure this. Surely there must be.
There is a standard for security verification of web applications: OWASP ASVS.
It prescribes a checklist of all the processes you must have in place, and all the facts you must have verified before you can claim a certain level of security. I suggest you go read the detailed requirements to know what is involved. An example of an ASVS requirement is “Verify that a positive validation pattern is defined and applied to all input.”
The requirements are grouped into 4 levels:
Another possible standard to adhere to is the Microsoft Security Development Lifecycle (SDL). It’s the process they use for their own products. The SDL is more process-oriented, and more generic.