This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "PHP Security for Architects"
| Line 16: | Line 16: | ||
=== Process === | === Process === | ||
* The proof of the pudding is in the testing, before and after going live. | * The proof of the pudding is in the testing, before and after going live. | ||
| − | * Maintain and improve your code till the end its life by continuous bug fixing, patching, refactoring, etc. | + | * Maintain and improve your code till the end of its life by continuous bug fixing, patching, refactoring, etc. |
==Architecture, patterns and frameworks== | ==Architecture, patterns and frameworks== | ||
| Line 22: | Line 22: | ||
Why ? Because structuring and organizing your code reduces unnecessary complexity, therefore it's less error prone, easier to debug, to maintain and to change. | Why ? Because structuring and organizing your code reduces unnecessary complexity, therefore it's less error prone, easier to debug, to maintain and to change. | ||
Architectural patterns help you to accomplish this by providing coding rules and guidelines while frameworks enforce architecture and code structure. | Architectural patterns help you to accomplish this by providing coding rules and guidelines while frameworks enforce architecture and code structure. | ||
| − | Before getting into detail about architecture and security first a short explanation about architecture, patterns, frameworks and the relationship between them: | + | Before getting into detail about architecture and security, first a short explanation about architecture, patterns, frameworks and the relationship between them: |
=== Architecture === | === Architecture === | ||
| − | First of all a definition of software architecture | + | First of all a definition of software architecture. There are many to find on the Internet but the most applicable one for web applications is: |
"Software architecture is the description of the subsystems and components of an application and the relationships between them". | "Software architecture is the description of the subsystems and components of an application and the relationships between them". | ||
From the perspective of programming, components can be seen here as modules, classes, objects or even procedural functions. | From the perspective of programming, components can be seen here as modules, classes, objects or even procedural functions. | ||
| Line 36: | Line 36: | ||
===Frameworks=== | ===Frameworks=== | ||
| − | Frameworks can be seen as prefab code, they make it easy for developers to build | + | Frameworks can be seen as prefab code, they make it easy for developers to rapidly build web applications with ready to use components and libraries. |
| − | (Good) frameworks are based on a proven software architecture and feature built-in best practices for software design | + | (Good) frameworks are based on a proven software architecture and feature built-in best practices for software design. Current most popular PHP frameworks are all MVC based. |
| − | Though frameworks allow developers less freedom, applications build without using a framework, depend entirely on the developer | + | Though frameworks allow developers less freedom, applications build without using a framework, depend entirely on the developer own interpretation of good architecture and design. |
==Design considerations== | ==Design considerations== | ||
Revision as of 13:45, 13 January 2017
Introduction
Application security isn't just a feature or an add-on. Security is directly linked to how an application has been coded: bad designed applications have bad security. Good software architecture and design is therefore the foundation for secure code. Security also depends on how it's been incorporated in the software development life cycle and software maintenance processes. Summarized: architecture, design and process are the 3 pillars for secure code:
Architecture
- Don’t glue your application together with code snippets from the Internet
- Structure & Organize your code by using an architectural pattern and/or application framework
Design
- Don’t re-invent the wheel
- Follow proven software design principles to avoid common pitfalls
Process
- The proof of the pudding is in the testing, before and after going live.
- Maintain and improve your code till the end of its life by continuous bug fixing, patching, refactoring, etc.
Architecture, patterns and frameworks
Good software architecture and design is the foundation for secure code as it helps to structure and organize your code. Why ? Because structuring and organizing your code reduces unnecessary complexity, therefore it's less error prone, easier to debug, to maintain and to change. Architectural patterns help you to accomplish this by providing coding rules and guidelines while frameworks enforce architecture and code structure. Before getting into detail about architecture and security, first a short explanation about architecture, patterns, frameworks and the relationship between them:
Architecture
First of all a definition of software architecture. There are many to find on the Internet but the most applicable one for web applications is: "Software architecture is the description of the subsystems and components of an application and the relationships between them". From the perspective of programming, components can be seen here as modules, classes, objects or even procedural functions. While a subsystem is a set of components which work together to accomplish a specific task.
Patterns
Patterns are standard architectures, they are the product of the experience of many developers and are proven solutions which promote good design practices. Patterns describe a set of predefined subsystems, their responsibilities, and rules and guidelines for organizing the relationships between them. The Model-View-Controller (MVC) pattern is the most common used one for PHP web applications and PHP frameworks.
Frameworks
Frameworks can be seen as prefab code, they make it easy for developers to rapidly build web applications with ready to use components and libraries. (Good) frameworks are based on a proven software architecture and feature built-in best practices for software design. Current most popular PHP frameworks are all MVC based. Though frameworks allow developers less freedom, applications build without using a framework, depend entirely on the developer own interpretation of good architecture and design.
Design considerations
Architectural considerations
Middle tier
Web Services Middle tier
Middle tier
Noteworthy Frameworks
Zend Framework
PEAR
OWASP Filters
CakePHP
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
