I am the Editor-in-Chief of php|architect magazine, and I wanted to share my most recent editorial that I wrote up with all of you in case you aren’t subscribers to the magazine. Here it is:
Security-driven Development
Beth Tucker Long
Security breach – these are words no one likes to hear. It means disaster for development teams and management, and yet, when projects are being planned, it is often an afterthought that is pushed aside when budgets and timelines get tight. I’ve heard so much discussion about behavior-driven development (BDD) versus test-driven development (TDD) versus feature-driven development (FDD), but I propose we start with security-driven development (SDD) and incorporate all of the other “-driven developments” after that. Planning a project with security in mind from the start can make it easier to implement security and means you don’t have to worry about refactoring the code to add it in later. Not only that, but it means that you can implement the best security methods for your situation instead of trying to wedge what little may fit in later after everything else has already been built (and security holes are so prevalent that it would take a rewrite to fully patch them in the best way possible).
To get you started on your SDD, we have three great articles on popular security topics. Do you allow file uploads on your site? Be sure to check out Chris Tankersley’s article on securing those entry points. Do your users log in? John Congdon will help make sure you are current on the latest in password hashing options, and Chris Stone will teach you an easy way to implement two-factor authentication to make those logins even more secure.
And once you have everything locked down, you’ll still need to test everything, so be sure to check out Jeff Carouth’s article on unit testing with mock objects. When you are done testing, you need to deploy, and Matthew Setter has a new suggestion for easy deployment with Git and CodeShip. Bart McLeod builds a test case and finishes off another bug for ZF 2, and Eli wraps things up with a few thoughts on how we are, and should be, teaching new developers.
If you are going to be at php[tek] in May, be sure to stop by and see me!