Writing Secure PHP Applications

Writing Secure PHP Applications Chris Cornutt Confoo 2013 @enygma Wednesday,
February 27, 2013

Secure development is broken. Let’s ﬁx that... Wednesday, February 27,
2013

SQL injection is ten years old. XSS is eleven years
old. why are they still a problem? Wednesday, February 27, 2013

Conﬁdentiality Integrity Availability Wednesday, February 27, 2013

We need to ﬁx [insert exploit name here] Wednesday, February
27, 2013

WRONG Wednesday, February 27, 2013

Build security in from the start Wednesday, February 27, 2013

Security Standards Wednesday, February 27, 2013

Security Standards Security Testing Wednesday, February 27, 2013

Security Standards Security Testing Threat Modeling Wednesday, February 27, 2013

Security Standards Security Testing Threat Modeling Secure Architecture Wednesday, February
27, 2013

Security 101 Wednesday, February 27, 2013

Defense in Depth Wednesday, February 27, 2013

Reduce Attack Surface Wednesday, February 27, 2013

Effective Auditing & Logging Wednesday, February 27, 2013

Simple > Complex Wednesday, February 27, 2013

Obscurity !== Security Wednesday, February 27, 2013

And now, the speciﬁcs... Wednesday, February 27, 2013

Input validation <?php /* Using built-in */ is_numeric(‘1234’); // true
ctype_digit(‘1234’); // false filter_var(‘invalid.email.com’, FILTER_VALID_EMAIL); // false /* Using 3rd party */ use Respect\Validation\Validator as v; $validator = v::alnum->noWhitespace->length(1,15); var_dump($validator->validate(‘thisisatest’); // true ?> https://github.com/Respect/Validation Wednesday, February 27, 2013

Return fast <?php /* Bad practice */ function foo($bar) {
if ($bar == true) { /* Lots of code here... */ } else { return false; } } //----------------------------------- /* Good practice */ function foo($bar) { if ($bar !== true) { return false; } /* Lots of code here... */ } ?> Wednesday, February 27, 2013

Password hashing <?php /* in PHP 5.5+ */ $hash =
password_hash($password, PASSWORD_BCRYPT, [‘cost’ => 12]); /* Prior to PHP 5.5+ */ $lib = new \PasswordLib\PasswordLib(); $hash = $lib->createPasswordHash($input); \phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT; $hash = \phpSec\Crypt\Hash::create($input); $bcrypt = new \Zend\Crypt\Password\Bcrypt(); $hash = $bcrypt->create($input); ?> https://github.com/icrmaxell/password_compat Wednesday, February 27, 2013

Encrypted sessions <?php /* Set custom session handler */ session_set_save_handler(
‘open’, ‘close’, ‘read’, ‘write’, ‘destroy’, ‘gc’ ); /* Using the handler interface */ class CustomSessionHandler extends SessionHandlerInterface { /* Code goes here */ } $handler = new CustomSessionHandler(); session_set_save_handler($handler, true); ?> https://github.com/enygma/shieldframework/blob/master/Shield/Session.php Wednesday, February 27, 2013

Least privilege <?php /* “Fail fast” for user handling */
function checkAccess($user, $resource) { if (!$user->allowed($resource) { return false; } /* Other permission checking here */ } /* “Fail least” for user handling */ function checkAccess($user, $resource) { if ($user == null) { return false; } if ($resource == null) { return false; } /* Other permission checking here */ } ?> Wednesday, February 27, 2013

Fail securely <?php /* Custom error handler */ set_error_handler(function($num, $str,
$file, $line) { echo ‘ERROR: [‘.$num.’] ‘.$str; }); /* Custom exception handler */ set_exception_handler(function($exception) { echo ‘Uncaught exception: ‘.$exception->getMessage(); }); ?> Wednesday, February 27, 2013

Planning for the Future Wednesday, February 27, 2013

Developer Training Wednesday, February 27, 2013

Code Evaluation Wednesday, February 27, 2013

Secure Coding Standard Wednesday, February 27, 2013

Fixing secure development takes more than just knowing the problems.
Wednesday, February 27, 2013

Thanks! @enygma http://websec.io https://joind.in/7911 Wednesday, February 27, 2013

Writing Secure PHP Applications

Writing Secure PHP Applications

Chris Cornutt

More Decks by Chris Cornutt

Other Decks in Technology

Featured

Transcript