Web development platforms and web applications to build our sites securely

June 18, 2021

When developing our web and mobile projects one of the many things we have to think about is safety, that is why with a framework you can give a more consistent and secure way of developing applications.

Below, we will discuss some of the benefits it can bring to our team by using a framework to build our own tool.

A widely used framework has an important security implementation.

Being a framework a base platform that is designed to be used in a wide range of projects, safety is an important factor and a high range of commonly required protection is already implemented.

Thousands of people constantly testing the layer of application security

Being a framework used by thousands of people, also this translates into thousands of people testing the code and finding faults and constantly improving it. By building a platform for ourselves, only us would be the ones testing the security flaws and would not be reported by anyone, and could be used against us.

Invest time on task, not technology

Building a secure platform is a demanding task so using a framework saves us a great deal and we take part of concern regarding the security issue, allowing us to spend our time developing our technology or business, not in security.

Guarantee updates over time

As flaws are found, new ways to attack the sites or vulnerabilities, we can ensure that we will receive updates of our platform..

Protection against attacks

In Rootstack is common practice working with frameworks. Some tips on how we protect ourselves from some of the most common attacks.

Sql Injection

One of the most common attacks on websites. The platforms that use Drupal and Symfony usually have protection against this:

Drupal

Drupal provides a set of functions to access the database, the canonical form of this is the function db_query.

The function db_query allows parameterized queries, these functions perform a replacement of placeholders with the arguments properly escaped by the order in which they appear.

Example:

[prism:css] db_query("SELECT n.nid FROM {node} n WHERE n.nid > %d", $nid); db_query("SELECT n.nid FROM {node} n WHERE n.type = '%s'", $type); db_query("SELECT n.nid FROM {node} n WHERE n.nid > %d AND n.type = '%s'", $nid, $type); db_query("SELECT n.nid FROM {node} n WHERE n.type = '%s' AND n.nid > %d", $type, $nid); [/prism:css]

New features in Drupal also allows use a PDO of PHP and send an array of arguments

[prism:css] db_query("SELECT t.s FROM {table} t WHERE t.field IN (:users)", array(':users' => $from_user)); [/prism:css]

O

[prism:css] $result = db_select('table', 't') ->fields('t', array('s')) ->condition('t.field', $from_user, 'IN') ->execute(); [/prism:css]

Symfony

Symfony uses ORM for PHP call Doctrine, what doctrine does is making a map of the structure in the database and PHP objects in addition to serving as a Database abstraction layer.

With Doctrine is possible to make "prepared statements", This is a two-step process in which separate query parameters, thus the parameters are properly escaped by the ORM.

Examples of these consultations:

[prism:css] // SQL Prepared Statements: Positional $sql = "SELECT * FROM users WHERE username = ?"; $stmt = $connection->prepare($sql); $stmt->bindValue(1, $_GET['username']); $stmt->execute();

// SQL Prepared Statements: Named $sql = "SELECT * FROM users WHERE username = :user"; $stmt = $connection->prepare($sql); $stmt->bindValue("user", $_GET['username']); $stmt->execute(); [/prism:css]

CSRF Attacks

The attacks of Cross-site request forgery (CSRF) is a process where an application is made to a site that causes an action when a user was not really trying to make a longline action.

Drupal

With Drupal, protecting our site from an CSRF attack is done easily.

In Drupal there is an API called Form API, this API is used to build forms. This gives us protection against CSRF tokens added automatically, specially when the form is generated.

Symfony

Symfony contains a security component that can be used for protection of CSRF attacks. Symfony component uses when generating a provider tokens in form, which can be specified.

[prism:css]

app/config/security.yml

security:

...
firewalls:
    secured_area:
        # ...
        form_login:
            # ...
            csrf_token_generator: security.csrf.token_manager

[/prism:css]

The above example specifies a token generator for the login form. Now we have to add the token to the form itself:

[prism:css] {# src/AppBundle/Resources/views/Security/login.html.twig #}

{# ... #}

{# ... the login fields #} login

[/prism:css]

Other elements

These are some very specific cases on how these platforms can help us with the security of our code in our projects.

However there are many more tools within these two platforms we can use in our projects.

Drupal

Drupal has a Security Team which has a number of responsibilities within the community and platform:

  • Solve security problems reported.
  • Provide assistance to developers who write modules for Drupal.
  • Provide documentation on how to write secure code.
  • Provide documentation on how to build a secure site.
  • Keeping drupal.org a secure site.

In addition, Drupal provides a set of APIs and tools to keep the code safe

More info about it in:

Symfony

The main tools are within the Symfony security components.

To mention some of the ones we use are: