Web development platforms and web applications to build our sites securely

When developing our web and mobile projects one of the many things we have to think about is safety, that is why with a framework you can give a more consistent and secure way of developing applications. Below, we will discuss some of the benefits it can bring to our team by using a framework to build our own tool. ### A widely used framework has an important security implementation. Being a framework a base platform that is designed to be used in a wide range of projects, safety is an important factor and a high range of commonly required protection is already implemented. ### Thousands of people constantly testing the layer of application security ### Being a framework used by thousands of people, also this translates into thousands of people testing the code and finding faults and constantly improving it. By building a platform for ourselves, only us would be the ones testing the security flaws and would not be reported by anyone, and could be used against us. ### Invest time on task, not technology ### Building a secure platform is a demanding task so using a framework saves us a great deal and we take part of concern regarding the security issue, allowing us to spend our time developing our technology or business, not in security. ### Guarantee updates over time ### As flaws are found, new ways to attack the sites or vulnerabilities, we can ensure that we will receive updates of our platform.. ## Protection against attacks ## In Rootstack is common practice working with frameworks. Some tips on how we protect ourselves from some of the most common attacks. ### Sql Injection ### One of the most common attacks on websites. The platforms that use Drupal and Symfony usually have protection against this: #### Drupal #### Drupal provides a set of functions to access the database, the canonical form of this is the function [db_query](https://api.drupal.org/api/drupal/includes%21database%21database.inc/function/db_query/7.x). The function db_query allows parameterized queries, these functions perform a replacement of placeholders with the arguments properly escaped by the order in which they appear. Example: [prism:css] db_query("SELECT n.nid FROM {node} n WHERE n.nid > %d", $nid); db_query("SELECT n.nid FROM {node} n WHERE n.type = '%s'", $type); db_query("SELECT n.nid FROM {node} n WHERE n.nid > %d AND n.type = '%s'", $nid, $type); db_query("SELECT n.nid FROM {node} n WHERE n.type = '%s' AND n.nid > %d", $type, $nid); [/prism:css] New features in Drupal also allows use a PDO of PHP and send an array of arguments [prism:css] db_query("SELECT t.s FROM {table} t WHERE t.field IN (:users)", array(':users' => $from_user)); [/prism:css] O [prism:css] $result = db_select('table', 't') ->fields('t', array('s')) ->condition('t.field', $from_user, 'IN') ->execute(); [/prism:css] ### Symfony ### Symfony uses ORM for PHP call [Doctrine](http://www.doctrine-project.org/index.html), what doctrine does is making a map of the structure in the database and PHP objects in addition to serving as a [Database abstraction layer](https://en.wikipedia.org/wiki/Database_abstraction_layer). With Doctrine is possible to make "prepared statements", This is a two-step process in which separate query parameters, thus the parameters are properly escaped by the ORM. Examples of these consultations: [prism:css] // SQL Prepared Statements: Positional $sql = "SELECT * FROM users WHERE username = ?"; $stmt = $connection->prepare($sql); $stmt->bindValue(1, $_GET['username']); $stmt->execute(); // SQL Prepared Statements: Named $sql = "SELECT * FROM users WHERE username = :user"; $stmt = $connection->prepare($sql); $stmt->bindValue("user", $_GET['username']); $stmt->execute(); [/prism:css] ### CSRF Attacks ### The attacks of [Cross-site request forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is a process where an application is made to a site that causes an action when a user was not really trying to make a longline action. #### Drupal #### With Drupal, protecting our site from an CSRF attack is done easily. In Drupal there is an API called [Form API](https://api.drupal.org/api/drupal/developer!topics!forms_api_reference.html/7), this API is used to build forms. This gives us protection against CSRF tokens added automatically, specially when the form is generated. #### Symfony #### Symfony contains a security component that can be used for protection of CSRF attacks. Symfony component uses when generating a provider tokens in form, which can be specified. [prism:css] # app/config/security.yml security: # ... firewalls: secured_area: # ... form_login: # ... csrf_token_generator: security.csrf.token_manager [/prism:css] The above example specifies a token generator for the login form. Now we have to add the token to the form itself: [prism:css] {# src/AppBundle/Resources/views/Security/login.html.twig #} {# ... #}

{# ... the login fields #} login

[/prism:css] ### Other elements ### These are some very specific cases on how these platforms can help us with the security of our code in our projects. However there are many more tools within these two platforms we can use in our projects. #### Drupal #### Drupal has a [Security Team](https://www.drupal.org/security-team) which has a number of responsibilities within the community and platform: * Solve security problems reported. * Provide assistance to developers who write modules for Drupal. * Provide documentation on how to write secure code. * Provide documentation on how to build a secure site. * Keeping drupal.org a secure site. In addition, Drupal provides a set of APIs and tools to keep the code safe More info about it in: * [Writing Secure Code](https://www.drupal.org/writing-secure-code) * [Security](https://www.drupal.org/security) * [Secure Configuration](https://www.drupal.org/security/secure-configuration) #### Symfony #### The main tools are within the [Symfony security components](http://symfony.com/doc/current/components/security/authentication.html). To mention some of the ones we use are: * [Authentication](http://symfony.com/doc/current/components/security/authentication.html) * [Sessions](http://symfony.com/doc/current/components/http_foundation/sessions.html) * Access control * [Firewalls](http://symfony.com/doc/current/components/security/firewall.html)