What makes CakePHP secure, and how can we increase its security?

Right now I'm learning about the CakePHP framework, and I just wanted to know what makes CakePHP secure. How secure are its components? For example, how secure is the authentication component? Also, what can we do as developers to increase the security of our CakePHP-based web application?

Also, do you guys recommend any books or sites to learn more about CakePHP security?

Hope to hear from you guys soon. Thanks.

Amir Rustamzadeh asked Jul 19 '10 15:07



4 Answers

Leo: "Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable."

Sorry Leo, but I disagree. Every site you build, you do so with the utmost care for security in mind, regardless of what type of site it is. Suppose, for example, you've built this very tight super-duper hacker-safe site. You host it on a shared server, and guess what... someone got access to your safe site via a hole in your less safe site, or even the entire server.

I know, it's a doom theory, but I believe stuff like this happens on a daily basis.

Amelia answered Nov 02 '22 23:11


Cake follows best practices in many areas and has pretty secure tools built in; it comes with infrastructure that already has many typical areas of web app security covered to some degree. You won't need to worry much about SQL injection, for example, since Cake's database abstraction escapes all input. Where it doesn't, the manual warns you appropriately:

    updateAll(array $fields, array $conditions)

    Warning: The $fields array accepts SQL expressions. Literal values should be quoted manually.

- Using the SecurityComponent you get automatic form spoofing protection.
- Data validation is a big integrated part of models.
- The AuthComponent hashes and salts passwords properly, though not necessarily in the most secure manner possible.
- There's a handy h() shortcut for htmlentities that you should use to escape output to avoid XSS problems.
- Et cetera perge perge...

You will still have to use all the components correctly though and be careful not to open any "custom" holes. Cake is only a toolbox, it's still perfectly possible to build a horrendously insecure application using it. You can still shoot yourself in the foot, no matter how good the gun. The default Cake structure is only a starting point. It's not the end-all-be-all in terms of security; think for yourself. The link provided by John is indeed a good starting point.

deceze answered Nov 03 '22 00:11
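The updateAll() caveat quoted in the answer above, shown side by side with the corrected form. This is an added example, not code from the answer or from the CakePHP project; it assumes a CakePHP 1.3-style controller with a Post model, the $this->data request array of that version, and the DboSource::value() quoting helper of Cake 1.3/2.x.

```php
<?php
// Added example (not from the answer or the CakePHP project). Assumes a Post
// model, Cake 1.3-style $this->data, and DboSource::value() for quoting.
class PostsController extends AppController {
    public $uses = array('Post');

    // Unsafe: $fields is passed through as raw SQL, so a title typed by a user
    // ends up inside the UPDATE statement unquoted and is parsed as SQL, not as
    // a string. Cake's usual escaping does not apply here; this is exactly what
    // the manual's warning on updateAll() is about.
    public function rename_unsafe($id) {
        $title = $this->data['Post']['title'];
        $this->Post->updateAll(
            array('Post.title' => $title),   // literal value NOT quoted
            array('Post.id' => $id)          // $conditions are escaped by Cake
        );
    }

    // Safe: quote the literal yourself with the datasource's value() helper,
    // which escapes the string and wraps it in quotes so the database treats
    // it as data. The id is cast to int so the condition cannot carry text.
    public function rename($id) {
        $db = $this->Post->getDataSource();
        $title = $db->value($this->data['Post']['title'], 'string');
        $this->Post->updateAll(
            array('Post.title' => $title),   // now a properly quoted literal
            array('Post.id' => (int)$id)
        );
    }

    // Simplest alternative: avoid raw SQL entirely and save through the model,
    // where Cake's normal escaping and model validation both apply.
    public function rename_via_model($id) {
        $this->Post->id = (int)$id;
        $this->Post->saveField('title', $this->data['Post']['title']);
    }
}

// In the view (app/views/posts/view.ctp), escape output with h() before it
// reaches the browser, so a stored title cannot inject markup (XSS):
//   <h1><?php echo h($post['Post']['title']); ?></h1>
```

Prefer the model-based save unless you genuinely need updateAll()'s bulk SQL-expression behaviour; when you do, quote every literal that originates from the request.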


The CakePHP framework has been around for quite some time (since 2005) and is open source software. This means its code is available for review by any developer, or non-developer, who wishes to do so. Both the CakePHP community and security communities have had ample time to review the code base and find/correct potential security issues. That doesn't mean that the software is perfect but with CakePHP being so popular you can bet it's been reviewed quite thoroughly and if there are any flaws in it they are deep and very difficult to find/identify.

But keep in mind, just because the code in the framework is secure doesn't mean using it makes your code secure. You still need to follow secure coding practices because your code base can be vulnerable regardless of the security level of the framework you use.

John Conde answered Nov 02 '22 22:11


Cake security is pretty good, but everything has holes. For an ultra secure site, I'd be researching known security holes and blunders and testing the site against those cases. It simply isn't enough to rely on someone else's statement of a degree of security.

Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable.

All said, I'm impressed with Cake's inbuilt security and haven't had to modify it yet.

Leo answered Nov 03 '22 00:11