
Writing Secure PHP Applications

Chris Cornutt
February 27, 2013


Being secure on the web is getting harder and harder: attacks are happening more and more, and we, as web app developers, have to respond. The session will share tips you can follow in your code to ensure that your app stays safe, along with tips to help improve investigation and prevent your app from becoming the next statistic.


Transcript

  1. Writing Secure PHP Applications. Chris Cornutt, Confoo 2013, @enygma. Wednesday, February 27, 2013
  2. Secure development is broken. Let's fix that...
  3. SQL injection is ten years old. XSS is eleven years old. Why are they still a problem?
  4. Confidentiality, Integrity, Availability
  8. We need to fix [insert exploit name here]
  9. WRONG
  10. Build security in from the start
  11. Security Standards
  12. Security Standards, Security Testing
  13. Security Standards, Security Testing, Threat Modeling
  14. Security Standards, Security Testing, Threat Modeling, Secure Architecture
  15. Security 101
  16. Defense in Depth
  17. Reduce Attack Surface
  18. Effective Auditing & Logging
  19. Simple > Complex
  20. Obscurity !== Security
  21. And now, the specifics...

  22. Input validation
    <?php
    /* Using built-in */
    is_numeric('1234');                                     // true
    ctype_digit('1234');                                    // true (the string contains only digits)
    filter_var('invalid.email.com', FILTER_VALIDATE_EMAIL); // false

    /* Using 3rd party */
    use Respect\Validation\Validator as v;
    $validator = v::alnum()->noWhitespace()->length(1, 15);
    var_dump($validator->validate('thisisatest')); // true
    ?>
    https://github.com/Respect/Validation
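Building on slide 22, here is an added example (not from the talk) that validates a whole request with the built-in filter extension and an allow-list of expected keys; the request array and rule set are constructed for the demonstration.

```php
<?php
// Added example, not from the slides: validating a whole request with the
// built-in filter extension and an allow-list, so unexpected keys and
// malformed values are rejected before any application code sees them.
function validateRequest(array $input)
{
    $rules = [
        'user_id'  => ['filter'  => FILTER_VALIDATE_INT,
                       'options' => ['min_range' => 1]],
        'email'    => FILTER_VALIDATE_EMAIL,
        // allow-list: letters and digits only, 1 to 15 chars, no whitespace
        'username' => ['filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => ['regexp' => '/^[A-Za-z0-9]{1,15}$/']],
        'age'      => ['filter'  => FILTER_VALIDATE_INT,
                       'options' => ['min_range' => 0, 'max_range' => 150]],
    ];
    // add_empty=false: keys absent from $input are left out instead of set to null
    $clean  = filter_var_array($input, $rules, false);
    $errors = [];
    foreach (array_keys($rules) as $key) {
        // false means the filter rejected the value; a missing key is also an error
        if (!array_key_exists($key, $clean) || $clean[$key] === false) {
            $errors[] = $key;
            unset($clean[$key]);
        }
    }
    // Keys not covered by $rules never reach $clean (unexpected fields are dropped).
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed request, standing in for $_POST.
$request = [
    'user_id'  => '1234',
    'email'    => 'invalid.email.com',
    'username' => 'this is a test',
    'age'      => '1e3',          // is_numeric() accepts this; FILTER_VALIDATE_INT does not
    'is_admin' => '1',            // not in the rules, silently discarded
];
print_r(validateRequest($request));
```

With this input only user_id survives (as an integer); email, username and age are reported in errors and is_admin never reaches the application.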
  23. Return fast
    <?php
    /* Bad practice */
    function foo($bar) {
        if ($bar == true) {
            /* Lots of code here... */
        } else {
            return false;
        }
    }

    //-----------------------------------

    /* Good practice */
    function foo($bar) {
        if ($bar !== true) {
            return false;
        }
        /* Lots of code here... */
    }
    ?>
  24. Password hashing
    <?php
    /* in PHP 5.5+ */
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

    /* Prior to PHP 5.5 */
    $lib  = new \PasswordLib\PasswordLib();
    $hash = $lib->createPasswordHash($input);

    \phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT;
    $hash = \phpSec\Crypt\Hash::create($input);

    $bcrypt = new \Zend\Crypt\Password\Bcrypt();
    $hash   = $bcrypt->create($input);
    ?>
    https://github.com/ircmaxell/password_compat
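As an added example for slide 24 (not code from the talk), a login check that verifies with password_verify() and uses password_needs_rehash() to upgrade hashes created under an older cost policy; the stored hash is constructed inline.

```php
<?php
// Added example, not from the slides: a login check built on password_hash() /
// password_verify() that also upgrades stale hashes with password_needs_rehash()
// when the cost (or algorithm) policy changes. PHP 5.5+, or 5.3.7+ with
// ircmaxell/password_compat, which provides the same functions.
const HASH_COST = 12;   // bcrypt work factor for newly created hashes

function hashPassword($password)
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
}

// Returns false on a wrong password, true on success, or a new hash string on
// success when the stored hash no longer matches the current policy and should
// be written back to the user record.
function checkLogin($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => HASH_COST])) {
        return hashPassword($password);   // verified plaintext is in hand: rehash now
    }
    return true;
}

// Constructed demo: a user record hashed back when the cost policy was 10.
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

$result = checkLogin('correct horse battery staple', $storedHash);
if (is_string($result)) {
    echo "login ok, hash upgraded to cost " . HASH_COST . "\n";
    // UPDATE users SET password_hash = :hash WHERE id = :id
} elseif ($result === true) {
    echo "login ok\n";
} else {
    echo "login failed\n";
}
var_dump(checkLogin('wrong password', $storedHash) === false);
```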
  25. Encrypted sessions
    <?php
    /* Set custom session handler */
    session_set_save_handler(
        'open', 'close', 'read', 'write', 'destroy', 'gc'
    );

    /* Using the handler interface */
    class CustomSessionHandler implements SessionHandlerInterface {
        /* Code goes here: open(), close(), read(), write(), destroy(), gc() */
    }
    $handler = new CustomSessionHandler();
    session_set_save_handler($handler, true);
    ?>
    https://github.com/enygma/shieldframework/blob/master/Shield/Session.php
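The following is an added example of the handler slide 25 sketches; it is not the Shield framework's Session class or code from the talk. It encrypts and authenticates session data with AES-256-GCM, and the key at the bottom is a placeholder.

```php
<?php
// Added example, not from the slides or the Shield framework linked above: a
// file-backed SessionHandlerInterface implementation that encrypts session data
// with AES-256-GCM on write and authenticates it on read (PHP 7.1+ for GCM).
// The key used at the bottom is a PLACEHOLDER; load a random 32-byte key from config.
class EncryptedSessionHandler implements SessionHandlerInterface
{
    private $key, $dir;
    public function __construct($key, $dir)
    {
        if (strlen($key) !== 32) { throw new InvalidArgumentException('need a 32-byte key'); }
        $this->key = $key; $this->dir = rtrim($dir, '/');
    }
    public function open($savePath, $name) { return is_dir($this->dir); }
    public function close() { return true; }
    public function read($id)
    {
        $p = $this->path($id);
        $blob = is_file($p) ? file_get_contents($p) : '';
        if (strlen($blob) < 28) { return ''; }          // layout: iv(12) . tag(16) . ciphertext
        $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $this->key,
            OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
        return $plain === false ? '' : $plain;          // bad tag (tampered file) => empty session
    }
    public function write($id, $data)
    {
        $iv = random_bytes(12);                         // fresh nonce for every write
        $ct = openssl_encrypt($data, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return file_put_contents($this->path($id), $iv . $tag . $ct, LOCK_EX) !== false;
    }
    public function destroy($id) { $p = $this->path($id); return !is_file($p) || unlink($p); }
    public function gc($maxlifetime)
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') as $f) {
            if (filemtime($f) + $maxlifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }
    // Accept only the characters PHP itself uses in session ids, so a forged
    // cookie cannot steer the handler at arbitrary files.
    private function path($id)
    {
        if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) { throw new RuntimeException('bad session id'); }
        return $this->dir . '/sess_' . $id;
    }
}
$key = str_repeat("\0", 32);   // PLACEHOLDER only: never use a fixed or all-zero key
session_set_save_handler(new EncryptedSessionHandler($key, sys_get_temp_dir()), true);
```

Because GCM authenticates the ciphertext, a session file edited on disk fails the tag check and is treated as an empty session rather than deserialized.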
  26. Least privilege
    <?php
    /* "Fail fast" for user handling */
    function checkAccess($user, $resource) {
        if (!$user->allowed($resource)) {
            return false;
        }
        /* Other permission checking here */
    }

    /* "Fail least" for user handling */
    function checkAccess($user, $resource) {
        if ($user == null) {
            return false;
        }
        if ($resource == null) {
            return false;
        }
        /* Other permission checking here */
    }
    ?>
  27. Fail securely
    <?php
    /* Custom error handler */
    set_error_handler(function($num, $str, $file, $line) {
        echo 'ERROR: ['.$num.'] '.$str;
    });

    /* Custom exception handler */
    set_exception_handler(function($exception) {
        echo 'Uncaught exception: '.$exception->getMessage();
    });
    ?>
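As an added example for slide 27 (not from the talk), the same two hooks written to fail closed: detail goes to the server log under a reference id, and the client sees only a generic message. The thrown exception at the end is constructed to exercise the handler.

```php
<?php
// Added example, not from the slides: the same set_error_handler() /
// set_exception_handler() hooks, but failing closed. Full detail is written to
// the server log under a random reference id; the client only gets that id
// and a generic message with a 500 status. Requires PHP 7+ (random_bytes).
ini_set('display_errors', '0');   // never render PHP errors into the response
ini_set('log_errors', '1');

function failSecurely($detail)
{
    $ref = bin2hex(random_bytes(4));          // correlates a user report with the log entry
    error_log("[$ref] $detail");               // paths, messages, SQL stay server-side
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "An internal error occurred. Reference: $ref\n";
    exit(1);
}

set_error_handler(function ($num, $str, $file, $line) {
    if (!(error_reporting() & $num)) {        // honour @-suppression / error_reporting()
        return false;
    }
    failSecurely("PHP error [$num] $str in $file:$line");
});

set_exception_handler(function ($e) {        // receives any Throwable on PHP 7+
    failSecurely(get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
});

// Constructed demonstration: the message (and file path) reach the log only.
throw new RuntimeException('connection refused for db user app@db-primary');
```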
  28. Planning for the Future
  29. Developer Training
  30. Code Evaluation
  31. Secure Coding Standard
  32. Fixing secure development takes more than just knowing the problems.
  33. Thanks! @enygma http://websec.io https://joind.in/7911