Application security should not be a "when all else fails" situation. It's not something you can "put in later". As we've mentioned before, there is no single silver bullet that solves your application security issues. Security is something that should be rolling around in the back of your head in the design phase, the coding phase, the testing phase, and even after you've rolled your code into production.

Chris Shiflett, noted PHP security expert, has a PDF on his web site that should be required reading for all PHP developers. Compiled by the PHP Security Consortium, this 37-page guide explains the terms and concepts involved in securing your PHP application. Here's how they describe security:

  • Security is a measurement, not a characteristic.
    It is unfortunate that many software projects list security as a simple requirement to be met. Is it secure? This question is as subjective as asking if something is hot.
  • Security must be balanced with expense.
    It is easy and relatively inexpensive to provide a sufficient level of security for most applications. However, if your security needs are very demanding, because you're protecting information that is very valuable, then you must achieve a higher level of security at an increased cost. This expense must be included in the budget of the project.
  • Security must be balanced with usability.
    It is not uncommon that steps taken to increase the security of a web application also decrease the usability. Passwords, session timeouts, and access control all create obstacles for a legitimate user. Sometimes these are necessary to provide adequate security, but there isn't one solution that is appropriate for every application. It is wise to be mindful of your legitimate users as you implement security measures.
  • Security must be part of the design.
    If you do not design your application with security in mind, you are doomed to be constantly addressing new security vulnerabilities. Careful programming cannot make up for a poor design.

If security is important to you but you don't know where to start, this is a good place. Download the PDF and spend the hour or so reading it thoroughly. If you are already a seasoned veteran, download it and skim through it. You might pick up on something new.