Re: Auditing Code (security wise)
Posted by Vaughan on 1198098426
Yep, nice read that, Steve.. clear & precise.
I'm glad I was never under the illusion that a security audit would be quick & easy.. lol I've only done 2 very basic checks and those 2 alone took me over 12 hrs constantly to get through.
But we have to continue with the audit on an ongoing basis, and we should also audit modules that are to be released alongside the core distribution. (Yes, more work to do, but essential work nonetheless if we want ImpressCMS to be as secure as we can.)
But what we also will need to do is take notes of exactly what we are doing security-wise, and explain why those changes are necessary and why we devs should do it that way instead of this way, and so on. We need to make module devs and future core devs aware of the right way to do things as opposed to the insecure(r) ways, so that they as well as ourselves don't reintroduce some of the insecure coding practices back into the core and/or modules. It would also make auditing a lot quicker if we can get devs to understand the basics of things, like encapsulating all query values in single quotes, including integer values, and using sql_escape functions etc.
Sometimes the little things get overlooked and missed due to the complexity of the code we are developing at times, but it's sometimes those little things that mean a secure site as opposed to an insecure site.
I think we are all learning things here, especially me.
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=618&post_id=6548
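The quoting rule Vaughan describes (single quotes around every query value, integers included, plus an escape function), as an added PHP example that is not from this thread or from ImpressCMS itself. The `$db->escape()` method and the `DemoDb` class are assumed stand-ins for whatever escaping function the real database layer provides, so the file runs offline.

```php
<?php
// Added example, not ImpressCMS code. DemoDb::escape() is a stub standing
// in for the database layer's escape function (a real one would call
// mysqli_real_escape_string() on an open connection).
class DemoDb
{
    public function escape(string $value): string
    {
        return addslashes($value);
    }
}

// Insecure: the value is interpolated bare. Escaping alone does not help,
// because an input with no quote characters passes through unchanged and
// the bare text becomes part of the WHERE clause's structure.
function insecureQuery(DemoDb $db, string $id): string
{
    return "SELECT * FROM users WHERE uid = " . $db->escape($id);
}

// The practice from the post: escape the value AND wrap it in single
// quotes, even for an integer column. The whole input is then a single
// string literal, which MySQL casts to an integer on comparison.
function quotedQuery(DemoDb $db, string $id): string
{
    return "SELECT * FROM users WHERE uid = '" . $db->escape($id) . "'";
}

// Stronger still for integer columns: cast first, so only digits reach SQL.
function castQuery(string $id): string
{
    return "SELECT * FROM users WHERE uid = " . (int) $id;
}

$db = new DemoDb();
$input = "5 OR 1=1"; // constructed input; note it contains no quote characters

echo insecureQuery($db, $input), "\n"; // the bare value alters the WHERE clause
echo quotedQuery($db, $input), "\n";   // the value is one quoted string literal
echo castQuery($input), "\n";          // only the leading integer survives
```

Running it side by side shows why the post insists on quoting integer values too: the escape function is only a defence once the value sits inside a string literal.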