What makes CakePHP secure, and how can we increase it's security?

Question

Right now I'm learning about the CakePHP framework, and I just wanted to know what makes CakePHP secure. How secure are its components like for example how secure is the authentication component. Also, what can we do as developers to increase the security of our CakePHP base web application?

Also do you guys recommend any books or sites to learn more about CakePHP security?

Hope to hear from you guys soon. Thanks

Answer 1

Leo: Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable.

Sorry Leo, but i disagree. Every site you build, you do so with the utmost care of security in mind. Regardless of what type of site it is. Suppose for example you've built this very tight superduper hackersafe site. You host it on a shared server, and guess what.. Someone got access to your safe site via a hole in your less safe site. Or even the entire server.

I know, its a doom theory but i believe stuff like this happens on a daily bases.

Answer 2

Cake follows best practices in many areas, and has pretty secure tools built-in comes with infrastructure that already has many typical areas of webapp security covered to some degree. You won't need to worry much about SQL injection for example, since Cake's database abstraction escapes all input. Where it doesn't, the manual warns you appropriately:

updateAll(array $fields, array $conditions)

! The $fields array accepts SQL expressions. Literal values should be quoted manually.

Using the SecurityComponent you get automatic form spoofing protection.
Data validation is a big integrated part of models.
The AuthComponent hashes and salts passwords properly, though not necessarily in the most secure manner possible.
There's a handy h() shortcut for htmlentities that you should use to escape output to avoid XSS problems.
Et cetera perge perge...

You will still have to use all the components correctly though and be careful not to open any "custom" holes. Cake is only a toolbox, it's still perfectly possible to build a horrendously insecure application using it. You can still shoot yourself in the foot, no matter how good the gun. The default Cake structure is only a starting point. It's not the end-all-be-all in terms of security; think for yourself. The link provided by John is indeed a good starting point.

Answer 3

The CakePHP framework has been around for quite some time (since 2005) and is open source software. This means its code is available for review by any developer, or non-developer, who wishes to do so. Both the CakePHP community and security communities have had ample time to review the code base and find/correct potential security issues. That doesn't mean that the software is perfect but with CakePHP being so popular you can bet it's been reviewed quite thoroughly and if there are any flaws in it they are deep and very difficult to find/identify.

But keep in mind, just because the code in the framework is secure doesn't mean using it makes your code secure. You still need to follow secure coding practices because your code base can be vulnerable regardless of the security level of the framework you use.

Answer 4

Cake security is pretty good, but everything has holes. For an ultra secure site, I'd be researching known security holes and blunders and testing the site against those cases. It simply isn't enough to rely on someone else's statement of a degree of security.

Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable.

All said, I'm impressed with Cake's inbuilt security and haven't had to modify it yet.