Security Issues Creating a Site

security issues creating a site using trend technologies such as PHP and MySQL

My research proposal is about the security issues creating a site using trend technologies such as PHP and mySQL. My research will expand in what are the security threats using such technologies and what are the solutions that these technologies provide as well as what are their future goals to overcome the security issues.

This paper investigates the various security issues that are involved with the creation of various forms of websites. It the subject matter through a review a variety of literature that is dedicated to the security of data and content that is available or exchanged on websites. Our focus is however concentrated on the use of various forms of trend technologies such as PHP and MySQL.

Summary: This paper utilizes a variety of techniques in the evaluation of the general security threats to which a site is exposed when the various trend technologies are employed in the creation of a site. This is then used to come up with a statistical model that is based on the summation of the good practice techniques available in the market in order to come up with the best and most secure online environment.

Purposes: The purpose of this research paper is to come up with solution that can counter the security threats that are intrinsic to the use of various forms of site building technologies PHP and MySQL. This is in an effort to eliminate the loop-holes associated with the use of the currently available trending technologies.

Definition of terms

Security

It is a measurement and not a characteristic. To begin with one has to consider the cost factor involved in the design of a program. Security is moderately inexpensive, however if the needs are demanding, then a more advanced level of security is required and this translates to increased expense. In addition usability has to be taken into account. Although at times necessary, steps taken to increase security decrease usability due to barriers like timeouts, passwords, and access controls. Important as well is the need to take into consideration application design. Failure to account for security in the design of your application may result in security vulnerabilities leading to program malfunction.

An attempt will be made in order to define the different components of computer security

Assets

The main aim of Security is to safeguard and organizations assets. It detects breach, prevents damage and retrieves stolen or damaged assets.

Confidentiality

Deals with barring unauthorized revelation of information

Integrity

Deals with unauthorized manipulation of information

Availability

Restriction of unauthorized withholding of information or resources

Authenticity

Is the process of verifying a claimed identity.

Accountability

Is the process of locating a responsible party for information audition

Nonrepudiation as a corollary of accountability, an object cannot deny its part in an event

Access

Restriction of the access to host systems and programmes via communication links

Threats

Intended and unintented events that can catastrophically affect an organizations computer system.

Interruption:

When one tries to destroy an asset and make it unusable.

Interception:

When one tries to gain access to information and therefore break confidentiality.

Modification:

When one tries to alter with an asset and therefore destroy its integrity.

Fabrication:

When one tries to destroy the authenticity

Attacks are a source of threats, and can be divided into two categories.

Passive attacks where the attackers main aim monitor information.

Active attacks which involves the alteration of data.

Mechanisms

Any process that is designed to detect, prevent, or recover from a security attack. These mechanisms are thus used to implement the security services and maintain their specific security aspect. Examples of different mechanisms are given below:

Detection:

These inform the administrators of unauthorized entry or intrusions..

Prevention:

Is in the form of firewalls and prevents unauthorized exchange of information into ant out of the system network.

Recovering:

Enables a system to recuperate, retrieve, or recover after a breakdown or malfunction.

Hacker: A person who unlawfully gains access to a particular computer system/server

Root access

This is a type of hack attack in which the hacker accesses the machine as if he or she is at the machine physically. In case a hacker acquires this level of access he or she all the rights that the server has been granted such as the creation,,modification, reading, deleting of system settings. Normally when a user accesses a computer at this particular level they will plant viruses or create a backdoor passage for the deployment of future and further attacks. The process of gaining root access to a machine opens the doors for use in accessing other parts of the system which include resources such as the database and a web site's source code.

Access to the websites' databases is normally orchestrated through by root access and therefore allows a particular unauthorized user to do all wish and desire. If the goal of a certain hacker is to gain unauthorized access a certain database then the most likely target of that particular database will be the user' private and professional information.

Code access

This type of access allows the hacker to go through the codes also allow them to initiate changes to the database. This is mostly observed in cases where a website has been defaced. This is mostly done by the hacker installing a backdoor for their future escapades. Code access is a simple method through which the hackers to leave their calling card as a show of their accomplishments.

User access levels

These are means that define are how computers determine what users can or cannot do accomplish. They include the creation, modification, viewing or deleting system and data files. These settings are also intended to guide how applications are to function. A web server need the ability to accomplish file reading, editing of database files, and the running various programs that help meet the needs of the users. A web server must be allowed to read only the website files, while comfortably other users denying the privilege to view other system files, and to accomplish the running of specific services which include the PHP pre-processors and the access of database needed to orchestrate various forms of queries.

PHP

According to the PHP Documentation Group (), "PHP, which stands for "PHP: Hypertext Preprocessor" is a widely-used Open Source general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Its syntax draws upon C, Java, and Perl, and is easy to learn. The main goal of the language is to allow web developers to write dynamically generated web pages quickly, but you can do much more with PHP."

PHP is one of the most utilized languages on the internet languages. Web developers employ PHP in order to cut the cost involved in developing a site since PHP is very free and is and open source product that is supported by most operating system.

PHP is a popular, general-purpose scripting language that was originally intended for the purpose of web development with a specific desire to power dynamic web sites. For this reason, PHP code is able to be embedded seamless into the HTML source codes and to be interpreted by a various web servers by means of a PHP processor module, which aids in the generation of the web page document. Being a general-purpose programming language, the PHP codes are processed by means of an interpreter application which uses a command-line mode while performing the desired operating system operations and hence the production of program. PHP may also work as graphical software. It is available as a processor for various contemporary web servers and also as standalone interpreter which runs on most of the operating systems.

PHP was however originally designed by Rasmus Lerdorf (1995) and has therefore been subjected to perpetual development since. The major implementation of PHP is now in production through the authority of the PHP Group which serves as the de facto standard unit in use for PHP since there are no standard and formal specification. The software is free and gets released under the PHP License

MySQL

"MySQL is the world's most popular Open Source SQL (Structured Query Language) database management system" (Bloch,). The MySQL software is released under a dual-licensing method. This database software too is free and is released under the General Public License (LGPL) .However corporations can purchase a commercial license at lesser amount as compared to its competitors. MySQL database software is quickly becoming a major database as businesses are focused in the direction of the open source markets in an effort to cut costs.

Introduction

Security of website is one of the most paramount features whose integrity must be assured at all times. A breach of website security can lead to serious privacy and financial implications for both forms and individuals. It is for this reason that the process of planning for a website to the final stages of design and hosting must be approached with utmost care. This is with an effort to perfectly minimize the risks associated with the security breaches that are associated with the use of certain web design technologies.

Even though there is always some form of a risk involved in the coding technique together with the deployment methods of a website, some technologies such as PHP and MySQL form some of the worst aggravators of online website security. The loopholes that exists in the use of these technologies results in some of the worst hack attacks and security breaches ever experienced in the field of web design. The internet is bustling with a lot of activities. Some of the activities that are officiated over the internet are very sensitive due to both the nature of the information exchanged or even the information stored in the database.

It is paramount that websites be provided with secure and personalized databases. One inevitable fact however is that once a site is deployed on the internet, it becomes a resource to be accessed by everyone as postulated by Kabir

Secure website development is of the utmost importance as the number of websites that provide personalized accounts and utilize cross site information. "When you deploy your application on the Web, it becomes available to everyone" (Kabir 737)

In order to fully prescribe a viable solution to be used in tackling the various forms of security threats associated with the use of trending technologies such as PHP and MySQL, it is paramount to understand the mechanisms through which the security threats are orchestrated. Below is a discussion of the general techniques employed by hackers in gaining access to different websites that are developed using the PHP and MySQL, mix

Query String Manipulation

In a query string manipulation, is a hacker passes a set of values that are passed through a browser's address bar. This form of attack appears on site that provides services of some sort. Query String Manipulation can be extremely detrimental in poorly planned and programmed website. It provides an easy access point for a hacker to gain access to the database via referred to as SQL Injection, which leads to root access to the machine and then to the subsequent access to various parts of the websites source code.

Implications

The meaning and implication of this type of attack is that the hacker gains root access to the entire computer and is he or she only gets limited the access level restrictions provided to the web server, a level which is in fact an administrative. This gives the hacker an express permission to modify and even delete files that reside on the machine. The hacker also gains access to the machine's database and all of the data that exist in the database. This is true in the case of web server and database server not being on the same machine.

The possibility of a hacker gaining access to a machine's source code presents him or her with an opportunity to orchestrate devious actions such as website defacement. An interaction with a websites source code also give a revelation of the site's database design and schema (Wood,2004). This could then lead to an easy access to the websites' database and a possible change to its content.

This kind of PHP and MySQL website attack is as a result of to an improperly used and handled query string. The major source of common mistake is the trusting of inputs that originate from the query string as valid. Such a mistake would lead a hacker to interfere with the query string in order to get the information they require. The query string must therefore be validated accordingly and then appropriately verified every time in order in the process of creating and accessing of data. Query string must therefore bee tested for both existence and utmost validity.

Root level access with the administrator privileges can be gained because the server wasn't set up properly. Normally a server should be set to run with the least amount of privileges required by the server to perform its duties. One should determine the appropriate level of access a server will have before a website is developed.

Illustration

When one creates a link that has a query string variable needed to be passed to the next page. This variable is referred to as ID. If one uses this variable to access information from the database then a test for its safety should be carried out.

This test is done by means of the isset () function, which is arguably the simplest method. This allows one to move the back to the previous page whenever the value is present. Then if the variable exists one should then carry out a test to find out if its value has been interfered with. The ID is supposed to be contained in a numeric field only so we on should carry out an examination on the value which has a regular expression.

PHP gives a perfectly good regular expression evaluator function refered to as: ereg (). According to Friedl (2002)"Regular expressions are the key to powerful, flexible, and efficient text processing." By means of the regular expression, '^[0-9]+$', the testing of the value will ensure that there is at least a one digit (0-9) in the variable. The analysis of regular expressions is never to be explored at this point.

After the verification of the value if the ID, the employment of this variable becomes more secure, and one will have gotten rid of most of the invalid ID values. To offer more security, if this value is being utilized to access a file or a database field, one should test such scenarios for its existence before employing the value.

Separation of client and server

As pointed out by Kabir (2003).Sensitive data is often made available unintentionally by programs to people who should not have any access to the information." The various web applications usually run in two separate locations; that is, the server and the client. This has the meaning that both the locations must be developed to give the best security for the user and the system itself. The server must be developed in a way that ensures that the information being stored is never compromised. This must be done while the client should be developed to present and also to retrieve only the required data. A client that gives out too much information is never secure.

This means that the server is the place all the application dynamics are taken place. This separation is therefore mostly evident to the user since are the ones seeing everything that happens during the server -client interaction. This action is so since PHP operates on a transitive level for the website (between the client and the server). The user then request a webpage (1) and then server responds by locating file (2) together with its directories. It then processes (3) and finally delivers the result to the user (4).

Source: Wood (2004)

Developing applications for the client has the implications that the data and actions the user can carry out must be limited.

As a rule of thumb web page must never allow the user to interact directly with a database. If a particular user id providing information then the client should only collect and submit the acquired data to the server.

How it happens

In the process of developing a web page a particular developer would have to manage two different kinds of data types . The data types are very sensitive since they mainly contain user information and various forms business data. The second data type which is insensitive contains application level data that is used to display various forms of images files.

The web application client can be decoded and then subsequently viewed by the unintended audience and this therefore gives room to the client domain to be the entry point of accessing the various sensitive data. This leads to the exposure of sensitive data the tainted version of the client can be utilized to attack the website and also to fool other unsuspecting website users into giving out vital personal and financial information.

A particular webpage is delivered to a browser in a HTML format. This HTML script is then interpreted by the browser and is viewable in plain text. Since HTML is readily and commonly available to most web browsers, it allow its user to seamlessly view the source code of a particular web page.

A hacker then analyses the source code of a web page and then deduces some of the functionalities that may be contained on the page. A form and its input fields may all have values that get posted when the particular form is submitted. This content can than be effectively manipulated in order to as something else which dupes the server to think that it is receiving something else other then what the page was originally intended to submit. Such a form of form overloading can lead to sensitive data getting relayed to the hacker.

As an example the server part of the application need to be designed in order to take care of inputs that is supposed to be malicious. On the receipt of a client's request and variables postings, the server should be able to validate and also to verify that this information request is genuine. A perfect example is to prevent various malicious clients from coming into direct interaction with a server function that would otherwise be utilized as a global variable that is provided and included in PHP. This particular variable would then be used to store the details of the server which include the client's computer's internet protocol (IP) address, together with the location of the requesting page among other details. Security is one if the most important parameters to be used in the process of designing these sites. The developers' codes must therefore effectively address this issue. This is with an intention of ensuring that the connection between the client and the server is properly secured.

Methodology

Research design

The process adopted in developing the methodology for this research is focused on the use of inductive case study as postulated by Eisenhardt (1989).In order to fully fathom all the factors that are important for the improvement of the security concerns revolving around the use of trend technologies such as PHP and MySQL, the research is to be carried out through an intensive study and analysis of data acquired from 20 online data security and webhosting firms. This is with a consideration of the thorough and properly developed security breach monitoring platform and processes that these firms have put in place. Security breach data from each of the firms is to be analyzed and the technical support teams at these firms be asked a series of 30 open-ended questions that would be used as the main guidelines.

The procedure is to involve the employment of questions that are pre-formulated from several multivariate data sources. In other words the research is to be designed on the according to data sourced from multiple case studies which presents the merit of allowing for logic replication (Yin, 1989).The implication of this is that the research design therefore allows for the consideration of the various incidents as a series of experiments. Individual incidents are treated as basic theoretical knowledge bases that are defined through the analysis of various previous cases. The objective is to make better through gradual refinement and the subsequent modification of the identified variables. This form of logic replication gives rise to the creation of relatively stable theory which is void of the many forms of bias whose source is the researchers themselves (Eisenhardt, 1989). The final result is the coming up with a comparatively testable theory that void of the various elements of researcher bias and which also gives room for the close relationship between the theory and the gathered data (Glaser & Strauss, 1967).

The field of website security is quickly rapidly evolving and the collection of a set of emerging theory in terms of information obtained can result in the acquisition of better viewpoints on the contemporary research areas (Hitt et al., 1998). The use of this framework is very important in the infant stages of the research area. The extent to which the research topic is to be explored is in this case difficult to predict as a result of the multivariate nature of the research area and the existing theories online website security.

Sample Selection

In the process of carrying out this research, I am to focus on data acquired from online security firms that are based in the United States and the UK. A list is then to be generated of all the most important online security firms whose contribution to the field of website security and integrity are renowned. The listof the online security firms is to consist of about twelve online security firms whose basis of selection is based on the uniform probability distribution of all the other firms that are in the sample pool. In order to generate a comparable list of data samples, we are to consider a list of online security firms that are based in various parts of the globe such as Europe. These firms are selected on the basis of three major criteria;

The initial condition is that the company must be based in the U.S.A. Or UK. The second condition is that the firm is to have publicly traded stock exchange data. The third condition is that the identified firm must have an actively involved policy and infrastructure for detecting and reporting various security threats with an intention of analyzing the threat level and its neutralization protocols.