Programming

I just finished reading Pro PHP Security by Chris Snyder and Michael Southwell. I'm always looking for ways to improve my programming skills and security is an area I try to focus on. Secure web applications are becoming more important every day as more and more of our lives are placed online. With that in mind, I purchased this book to increase my PHP skills.

Overall the book was quite good. The book is broken into four parts. Part one is a general overview of security and it's importance. Nothing really new here, but a good introduction nonetheless.

Part two delves into server-side security, outside of the realm of PHP. This includes shared hosts, firewalls, software installation, and more. None of this is really PHP specific per se, but still important topics. There is a decent introduction to encryption and it's importance in security. There are a few PHP examples throughout these chapters that show how to handle SSH, SSL, hashing, and general encryption using the mcrypt() function. Part two concludes with an overview of authentication, permissions, and restrictions. There is a decent example of a single sign-on system, as well as an overview of PHP safe mode.

Part three covers more in-depth PHP programming practices designed to prevent many of the more common security problems. This section starts with a chapter on input validation, a very important topic indeed. The authors explain what input validation is and how to accomplish it. There are several examples that show how to validate the data you need and ensure that it's safe to use throughout your program. Subsequent chapters cover SQL Injection, Cross-Site Scripting, Remote Execution, and Session Hijacking. Throughout each chapter are dozens of examples showing how to handle each situation.

Finally, part four covers user interaction with your programs. Since the majority of the web applications you will write are intended to interact with users, this is pretty important.  The authors cover ways to ensure that your users are, in fact, human users and not scripts.  Identity verification is covered with methods ranging from simple email response to SMS messages.  And once you've determined that your users are real, you'll need to provide them with a list of actions they can perform.  The authors show how roles-based authorization can help with this and allow for a scaleable system that can be extended in the future.  In the next few chapters, the authors cover data loss, safely executing system commands, and handling RPC calls.  And finally, the authors explain the value of Open Source software and the advantages of peer review.

Overall this is an excellent book and I highly recommend it.  While this book is geared towards PHP programming, it does cover a wide variety of topics that are not strictly PHP specific.  While I was aware of many of the topics covered within this book, I did learn a variety of new tricks for dealing with security threats.  If you're interested in learning more about security and how to secure your programs, I definitely recommend reading this book.

After 7 months a new version of phpTodo has arrived. I've spent the last month or so working on this and polishing it up. I think I have a pretty decent release put together.

New additions include a "Next Action" field, validated RSS feeds, UI enhancements, and tons of bug fixes. You can read all about the enhancements and bug fixes in the release itself, so head over and download it!

Future plans include adding ATOM 1.0 support, sub task support (todos for your todos!), group support (so you can assign a single task to multiple people), and more. I'd like to eventually migrate into an entire management system that can be used for project management.

I'd love to hear any feedback regarding this project. This is my first sourceforge project and really the first open source code I've released into the wild. So please feel free to leave me comments!

Gamasutra has some news about Microsoft's XNA Game Studio Express, a game development tookit geared towards the amateur/hobbyist developer. From the article :

"The details of the new tech are as follows: XNA Game Studio Express will be available for free to anyone with a Windows XP-based PC, and will provide them with what's described as "Microsoft's next-generation platform for game development." In addition, by joining a "creators club" for an annual subscription fee of $99, users will be able to build, test and share their games on Xbox 360, as well as access a wealth of materials to help speed the game development progress."

So it looks like Microsoft is taking the first steps towards making the need for modchips obsolete! Maybe. According to the article, the content created won't be available to "regular" 360 owners, just to those who are part of the creator's club. However, they go on to state that the content may be available via Xbox Live Arcade (XBLA) at some point in the future. It's not explicitly stated, but it looks like PC owners will have access to the content regardless of membership.

Other companies have already pledged support. GarageGames has already ported their Torque Engine over to the studio, and Autodesk has confirmed support for their FBX file exchange format. Apparently some universities and game development schools have decided to add the studio to their curriculum and will use the XBox 360 exclusively. While I'm not sure I like the lock-in to the 360 console, it is nice to see awareness and knowledge growing.

So, what does this mean for the indie developer? Well, in short, it gives access to a pretty powerful console. And since it's officially sanctioned by Microsoft you can expect mailing lists and forums dedicated to development. Ownership of a 360 isn't necessary either as the studio runs on a Windows XP PC. It may also mean a revenue stream as well. If Microsoft opts to allow content to be available on XBLA, they may also allow the developer to charge for downloads. I'm sure Microsoft will get their cut, but this could mean some serious cash for the young developer.

Overall, this is definitely a step in the right direction. Despite what you and I may think of Microsoft, I think they're doing something right here. Only time will tell how it turns out. I'll definitely be downloading this when it becomes available on August 30th.

UPDATE : Maxconsole dug up the official FAQ direct from Microsoft. This is different than the FAQ on the XNA site. Looks like you'll have to sign up to get the beta :

"A beta of XNA Game Studio Express will be released on August 30. To receive a notification on when the Beta is available, please go to http://connect.microsoft.com and select "Available Connections." Then choose the XNA connection and follow the link to sign up for the XNA Game Studio Express Beta. (Note: A valid Windows Live ID is required, if you do not have one, you will be given the option of creating one.)"

It looks like the beta will be limited to PC content only. It uses .NET technology on both the 360 and PC to create the games and according to the FAQ, it looks like it will be limited to C# code only.

I read an interesting article today over at Darknet. It brings to light some of the "new" techniques that can be used to exploit newer Web 2.0 applications.

The article was an interesting read and got me thinking about application security again. I find myself spending more and more time on security in an application, and less time on features and actual logic. Generally I'm splitting coding time between idiot proofing the application so the end user is forced to put in the right data, and hack proofing the code against would-be hackers. Even with custom frameworks to handle the boring bits, it still takes a lot of time and effort to make sure you've covered your bases. Oh well, such is the world we live in nowadays.

The new ways to exploit applications are interesting as well. Actually, most of them aren't new, but rather the same old hacks used to exploit the new way of doing things. For instance, in an AJAX application you pass information between the browser and the server, behind the scenes. Ok, all well and good, but how do you make sure you're still talking to the original browser that opened the request? You could use a cookie, or perhaps some sort of a session ID. Maybe a combination of the two. And on top of it, you might check the User Agent string and the referrer URL. Mind you, this can all be spoofed. In fact, spoofing the UA and referrer is extremely easy and can be done with tools like curl and wget. So what is the best way to secure these apps?

I haven't really started working with AJAX very seriously, so I haven't done much research into the matter. But, thinking about it, maybe there is a way to secure things a little better? Perhaps a variable in the browsers memory rather than a cookie? Combined with a session ID? Right now I like to secure my apps by using a combination of a session ID, the IP address of the user, and a cookie with seemingly random data in it. This has worked pretty well thus far, but I'm not sure how hard anyone has tried to hack it. I'm definitely interested in more security, though, provided it doesn't slow things to a grinding halt.

Of course, there's always the one true way for security. Unplug it. Turn it off. If it's not running, it can't be broken into.. Well, not yet anyways.. There's always the quantum level.