There is no shortage of bad, incomplete, and outdated information on the Internet and in print. And if that were not bad enough, there is also the problem of information overload.
Here are a few resources that can get you up to speed…
- Chapter 3: PHP from the book “Apache Security”, by Ivan Ristic [of mod_security fame].
  A good overview of some security issues with PHP. Most of the mentioned measures will be most useful in a hosting environment.
- Center for Internet Security (CIS) Benchmarks for the Apache Web Server.
  CIS is the only distributor of consensus best-practice standards for security configuration. The Benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FERPA and the other regulatory requirements for information security.
  I recommend CIS Level-1 security for the Apache Web Server. A number of the steps are OS-independent, and have been implemented under the Web-Developer Server Suite.
- The OWASP Guide to Building Secure Web Applications
  The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.
- Web Application Security Consortium
- SANS Information and Computer Security Resources [with emphasis on the Reading Room]