
Secure Development with PHP

In recent years new security standards were introduced or updated, such as ISO 27001 and NIS2. While there is some overlap in what these standards ask for, the scope of who needs to be compliant is steadily growing. Even if those standards do not yet apply to you, the growing focus on software security will likely catch up with you soon. Considering that PHP still has the reputation of being insecure, it might be useful to check what the current state of tools and libraries is.

This talk introduces some of the legislation around software security and then, based on the DevSecOps maturity model, looks into concrete measures in PHP to satisfy some of the controls from these standards. It is important to note that this provides only a very narrow look at these standards from a developer's perspective, ignoring some of the additional work around governance and policies (it focuses on the build and implementation phase). It should nevertheless give you an idea where you might want to improve your security posture, or dissuade concerns about not being able to create secure software with PHP.

Note: The slides are rather image heavy. If you have any questions or comments feel free to reach out to me.

Denis Brumann

June 21, 2024



  1. Agenda: What will I talk about?
     1. Common & proposed security standards
     2. DevSecOps lifecycle
     3. Overview of common security measures along the lifecycle: Build & Deployment, Implementation, Information Gathering, Testing
     4. Summary
  2. Important Notes
     • We will not cover the full standards, focusing on technical controls for development. I will go into cherry-picked topics, which I find relevant for (PHP) devs.
     • The procedures described in this talk are not enough to become certified. They are meant to show that the PHP ecosystem provides many helpful tools & libraries to establish a secure development cycle.
     • I am not a subject matter expert. Please verify the code snippets, check the sources and use your own brain.
     • Feel free to ask questions during the talk.
  3. Technical Controls (ISO 27001, Annex A.8)
     1. User endpoint devices
     2. Privileged access rights
     3. Information access restriction
     4. Access to source code
     5. Secure authentication
     6. Capacity management
     7. Protection against malware
     8. Management of technical vulnerabilities
     9. Configuration management
     10. Information deletion
     11. Data masking
     12. Data leakage prevention
     13. Information backup
     14. Redundancy of information processing facilities
     15. Logging
     16. Monitoring activities
     17. Clock synchronization
     18. Use of privileged utility programs
     19. Installation of software on operational systems
     20. Network security
     21. Security of network services
     22. Segregation of networks
     23. Web filtering
     24. Use of cryptography
     25. Secure development lifecycle
     26. Application security requirements
     27. Secure system architecture & engineering principles
     28. Secure coding
     29. Security testing in development & acceptance
     30. Outsourced development
     31. Separation of development, test & production environments
     32. Change management
     33. Test information
     34. Protection of information systems during audit testing
  4. Maturity Model: DevSecOps
     5 dimensions with 5 maturity levels each:
     1. Build & Deployment
     2. Culture & Organization
     3. Implementation
     4. Information Gathering
     5. Test & Verification
     See: https://dsomm.owasp.org/
  5. Build & Deployment: mapping to standards
     ISO 27001: A.8.8 Management of technical vulnerabilities; A.8.25 Secure development lifecycle
     EU CRA: A1.2.1 identify and document vulnerabilities and components contained in the product; A1.2.2 … address and remediate vulnerabilities without delay
     OWASP Cheat Sheets: Supply Chain Security; Vulnerable Dependency Management; CI/CD Security; PHP Configuration
     BSI Grundschutz: OPS.1.1.3: Patch- & Änderungsmanagement (patch & change management); CON.8: Software-Entwicklung (software development)
  6. Supply Chain
     • Source code threats: access control, logging & monitoring, security automation
     • Build environment threats: build cache poisoning, building untrusted code
     • Dependency related threats
     • Deployment & runtime threats
  7. Dependencies
     • Assess suppliers → (Private) Packagist
     • Monitor dependencies → roave/security-advisories
     • SAST (static analysis) → phpstan, psalm, …
  16. Implementation: mapping to standards
     ISO 27001: A.8.24 Use of cryptography; A.8.26 Application security requirements; A.8.27 Secure system architecture & engineering principles
     EU CRA: A1.1.3c protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, …; A1.1.3d protect the integrity of stored, transmitted or otherwise processed data, personal or other, …
     OWASP Cheat Sheets: Transport Layer Security; Cryptographic Storage; Injection Prevention; Input Validation
     BSI Grundschutz: CON.8: Software-Entwicklung (software development); APP.7: Entwicklung von Individualsoftware (development of custom software)
  17. Encryption
     • Only support strong protocols: “General purpose web applications should default to TLS 1.3 (support TLS 1.2 if necessary) with all other protocols disabled.”
     • Only support strong ciphers
     • Use strong parameters
     • Tip: https://ssl-config.mozilla.org/
  25. SQL Injection
     • Use prepared statements
     • Out of the box with Doctrine/Eloquent
     • BUT beware when “bypassing” the ORM and writing SQL directly
     • Read the fine print
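Added example, not code from the slides: the same raw Doctrine DBAL query written once with string concatenation (the "bypassing" case) and once as a prepared statement, plus the fine print that identifiers and IN-lists cannot be bound and need an allow-list or DBAL's array types. It assumes Doctrine DBAL 3.6+ and a hypothetical `post` table with `id`, `title`, `slug` and `created_at` columns.

```php
<?php
declare(strict_types=1);

use Doctrine\DBAL\ArrayParameterType;
use Doctrine\DBAL\Connection;
use Doctrine\DBAL\ParameterType;

// VULNERABLE: the ORM is bypassed and request input is concatenated into the SQL text.
// A single quote in $slug terminates the string literal, and whatever follows is
// parsed as SQL instead of as data.
function findPostsUnsafe(Connection $connection, string $slug): array
{
    $sql = "SELECT id, title FROM post WHERE slug = '" . $slug . "'";

    return $connection->fetchAllAssociative($sql);
}

// SAFE: the same raw query as a prepared statement. The value is sent to the
// database as a bound parameter and is never parsed as part of the statement.
function findPostsSafe(Connection $connection, string $slug): array
{
    return $connection->fetchAllAssociative(
        'SELECT id, title FROM post WHERE slug = :slug',
        ['slug' => $slug],
        ['slug' => ParameterType::STRING],
    );
}

// The fine print: identifiers such as column names cannot be bound, so they must
// come from a fixed allow-list, and IN (...) lists need DBAL's array parameter types.
function findPostsByIds(Connection $connection, array $ids, string $orderBy): array
{
    $allowedColumns = ['created_at', 'title'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unsupported sort column: ' . $orderBy);
    }

    return $connection->fetchAllAssociative(
        'SELECT id, title FROM post WHERE id IN (:ids) ORDER BY ' . $orderBy,
        ['ids' => array_map('intval', $ids)],
        ['ids' => ArrayParameterType::INTEGER],
    );
}
```

Static analysis (phpstan, psalm) flags the concatenation in findPostsUnsafe only with a taint-analysis plugin enabled, so a code-review rule against raw SQL concatenation is still worthwhile.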
  29. Input Validation
     • Frameworks offer safeguards and tools to make your life easier
     • Static code analysis can help here too
  30. Identity & Access Management: mapping to standards
     ISO 27001: A.8.2 Privileged access rights; A.8.3 Information access restriction; A.8.5 Secure authentication
     EU CRA: A1.1.3b ensure protection from unauthorised access by appropriate control mechanisms, …
     OWASP Cheat Sheets: Password Storage; Authentication; Authorization; Session Management
     BSI Grundschutz: ORP.4: Identitäts- und Berechtigungsmanagement (identity and access management)
  31. Passwords: Hashing
     Argon2id > scrypt > bcrypt
     Also look at the configuration:
     • Memory cost parameter
     • Work factor
     • Iterations
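Added example, not code from the slides: PHP's built-in password_hash() with Argon2id and explicitly chosen memory cost, iterations and parallelism, combined with password_needs_rehash() so that hashes stored under weaker parameters or an older algorithm (bcrypt here) are upgraded transparently on the next successful login. It assumes a PHP build with Argon2id support (libargon2 or libsodium).

```php
<?php
declare(strict_types=1);

final class PasswordHasher
{
    // Cost parameters chosen for this example; PHP's own Argon2id defaults are
    // memory_cost 65536 KiB (64 MiB), time_cost 4 and threads 1. Tune them so a
    // hash takes a noticeable fraction of a second on your production hardware.
    private const OPTIONS = [
        'memory_cost' => 128 * 1024, // KiB, i.e. 128 MiB per hash
        'time_cost'   => 4,          // iterations (the "work factor")
        'threads'     => 2,          // parallelism
    ];

    public function hash(string $plain): string
    {
        return password_hash($plain, PASSWORD_ARGON2ID, self::OPTIONS);
    }

    /**
     * Verifies the password and, if the stored hash uses an older algorithm or
     * weaker parameters, returns a replacement hash to persist; null otherwise.
     */
    public function verify(string $plain, string $stored): array
    {
        if (!password_verify($plain, $stored)) {
            return ['valid' => false, 'rehash' => null];
        }

        $rehash = password_needs_rehash($stored, PASSWORD_ARGON2ID, self::OPTIONS)
            ? $this->hash($plain)
            : null;

        return ['valid' => true, 'rehash' => $rehash];
    }
}

// Usage: a legacy bcrypt hash (constructed here) is accepted once and replaced
// by an Argon2id hash with the current parameters.
$hasher = new PasswordHasher();
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$result = $hasher->verify('correct horse battery staple', $legacy);
if ($result['valid'] && $result['rehash'] !== null) {
    // persist $result['rehash'] for the user instead of $legacy
    echo password_get_info($result['rehash'])['algoName'], PHP_EOL;
}
```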
  33. Authorization: Recommendations
     • Enforce least privilege
     • Deny by default
     • Validate permissions on every request
     • ReBAC | ABAC > RBAC
     • Ensure lookup IDs are not accessible (see CWE-639) …
     • Implement appropriate logging
     • Create unit & integration tests
  35. Attribute based access control
     Grant access based on an attribute, e.g. a post is public or the user is the author of the post.
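Added example, not code from the slides: the rule above ("a post is public, or the user is its author") as a Symfony security voter, which also applies the earlier recommendations to deny by default and to check permissions on every request. It assumes Symfony's security component and hypothetical `App\Entity\Post` (with `isPublic()` and `getAuthor()`) and `App\Entity\User` (with `getId()`) classes.

```php
<?php
declare(strict_types=1);

namespace App\Security;

use App\Entity\Post;
use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class PostVoter extends Voter
{
    public const VIEW = 'POST_VIEW';
    public const EDIT = 'POST_EDIT';

    // Deny by default: abstain on anything this voter was not written for, so an
    // unknown attribute or subject never accidentally resolves to "granted".
    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, [self::VIEW, self::EDIT], true) && $subject instanceof Post;
    }

    // Called on every access check (every request), with the current token.
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        /** @var Post $post */
        $post = $subject;
        $user = $token->getUser();

        return match ($attribute) {
            // Attribute of the resource: a public post may be viewed by anyone,
            // a private one only by its author.
            self::VIEW => $post->isPublic() || $this->isAuthor($post, $user),
            // Attribute of the relation between user and resource.
            self::EDIT => $this->isAuthor($post, $user),
        };
    }

    private function isAuthor(Post $post, mixed $user): bool
    {
        // Anonymous requests have no User object and therefore never match.
        return $user instanceof User
            && $post->getAuthor() !== null
            && $post->getAuthor()->getId() === $user->getId();
    }
}
```

In a controller the check is then `$this->denyAccessUnlessGranted(PostVoter::EDIT, $post);`, which throws an AccessDeniedException unless this voter grants access.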
  38. Information Gathering: Logging & Monitoring, mapping to standards
     ISO 27001: A.8.15 Logging; A.8.16 Monitoring activities
     EU CRA: A1.3j provide security related information by recording and/or monitoring relevant internal activity, …
     OWASP Cheat Sheets: Logging; Logging Vocabulary
     BSI Grundschutz: OPS.1.1.5: Protokollierung (logging); OPS.1.1.1.A9 Durchführung von IT-Monitoring (performing IT monitoring); DER.1.A6 Kontinuierliche Überwachung … (continuous monitoring …)
  39. Logging
     Attacks on logging infrastructure:
     • Attacker prevents writing or alters/deletes logged data
     • Attacker floods logging to exceed capacity
     • Attacker reads logs to access sensitive data
  44. Monitoring
     • Tip: OpenTelemetry standardises tracing across tech stacks and is well supported by most monitoring tools
     • PHP implementations have recently become stable
  45. Testing: mapping to standards
     ISO 27001: A.8.28 Secure coding; A.8.29 Security testing in development and acceptance; A.8.31 Separation of development, test and production environments; A.8.33 Test information
     EU CRA: A1.2.3 apply effective and regular tests and reviews
     BSI Grundschutz: CON.8: Software-Entwicklung (software development); OPS.1.1.6: Software-Tests und Freigaben (software tests and releases)
  46. References (in order of first use)
     https://www.iso.org/standard/27001
     https://www.iso.org/standard/75652.html
     https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/Zuordnung_ISO_und_IT_Grundschutz_Edit_6.html?nn=128568
     https://www.cyberresilienceact.eu/the-cyber-resilience-act-annex-eu/
     https://owasp.org/www-project-top-ten/
     https://owasp.org/www-project-devsecops-maturity-model/
     https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security.html
     https://blog.packagist.com/composer-2-7-7/
     https://www.naderman.de/slippy/slides/2024-04-23-PHPTEK-Composer-Guide-To-Supply-Chain-Security.pdf
  47. References (continued)
     https://docs.github.com/en/code-security/dependabot/working-with-dependabot
     https://docs.renovatebot.com/
     https://phpstan.org
     https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
     https://nginx.org/en/docs/http/configuring_https_servers.html
     https://ssl-config.mozilla.org/
     https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
     https://symfony.com/doc/current/configuration/secrets.html#generate-cryptographic-keys
     https://symfony.com/doc/current/cache.html#encrypting-the-cache
     https://symfony.com/doc/current/session.html#encryption-of-session-data
     https://symfony.com/doc/current/mailer.html#signing-and-encrypting-messages