Secure Development with PHP

Transcript

1. Denis Brumann // PHPers Summit 2024 // 2024-06-21 ISO-27001, EU-CRA

   and beyond Secure Development with PHP 1

2. Who am I • Denis Brumann • Solutions Architect @

   Next Kraftwerke • [email protected] 2

3. Agenda 1. Common & proposed security standards 2. DevSecOps lifecycle

   3. Overview of common security measures along the lifecycle: Build & Deployment, Implementation, Information Gathering, Testing 4. Summary What will I talk about? 3

4. Important Notes • We will not cover the full standards,

   focusing on technical controls for development. I will go into cherry-picked topics, which I find relevant for (PHP) devs • The procedures described in this talk are not enough to become certified. They are meant to show that the PHP ecosystem provides many helpful tools & libraries to establish a secure development cycle. • I am not a subject matter expert. Please verify the code snippets, check the sources and use your own brain • Feel free to ask questions during the talk. 4

5. ISO-27001 Requirements 5

6. 1. User endpoint devices 2. Privileged access rights 3. Information

   access restriction 4. Access to source code 5. Secure authentication 6. Capacity management 7. Protection against malware 8. Management of technical vulnerabilities 9. Configuration management 10. Information deletion 11. Data masking 12. Data leakage prevention 13. Information backup 14. Redundancy of information processing facilities 15. Logging 16. Monitoring activities Technical Controls 17. Clock synchronization 18. Use of privileged utility programs 19. Installation of software on operational systems 20. Network security 21. Security of network services 22. Segregation of networks 23. Web filtering 24. Use of cryptography 25. Secure development lifecycle 26. Application security requirements 27. Secure system architecture & engineering principles 28. Secure coding 29. Security, testing in development & acceptance 30.Outsourced development 31. Separation of dev, test & prod ends 32. Change management 33. Test information 34. Protection of information systems during audit testing 6

7. ISO-27002 Controls 7

8. BSI “IT-Grundschutz” 8

9. EU-CRA Cyber Resilience Act 9

10. EU-CRA Cyber Resilience Act 9

11. EU NIS2 Security requirements for essential or important organizations 10

12. Do any of these apply to you? 11

13. OWASP 12

14. Maturity Model DevSecOps 5 Dimensions with 5 maturity levels: 1.

    Build & Deployment 2. Culture & Organization 3. Implementation 4. Information Gathering 5. Test & Verification See: https://dsomm.owasp.org/ 13

15. ISO 27001 EU CRA OWASP Cheatsheet BSI Grundschutz A.8.8 Management

    of technical vulnerabilities A.8.25 Secure development lifecycle A1.2.1 identify and document vulnerabilities and components contained in the product A1.2.2 …address and remediate vulnerabilities without delay Supply Chain Security Vulnerable Dependency Management CI/CD Security PHP Configuration OPS.1.1.3: Patch- & Änderungsmanagement CON.8: Software-Entwicklung Build & Deployment 14

16. Supply Chain • Source code threats Access control, logging &

    monitoring, security automation • Build environment threats Build cache poisoning, building untrusted code • Dependency related threats • Deployment & runtime threats 15

17. Dependencies • Assess suppliers • Monitor dependencies • SAST (Static

    analysis) → (Private) Packagist → roave/security-advisories → phpstan, psalm, … 16

18. Software Bill of Materials 17

19. 18

20. 18

21. 18

22. 19

23. 20

24. 20

25. 21

26. 22

27. ISO 27001 EU CRA OWASP Cheat Sheet BSI Grundschutz A.8.24

    Use of cryptography A.8.26 Application security requirements A.8.27 Secure system architecture & engineering principles A1.1.3c protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, … A1.1.3d protect the integrity of stored, transmitted or otherwise processed data, personal or other, … Transport Layer Security Cryptographic Storage Injection Prevention Input Validation CON.8: Software-Entwicklung APP.7: Entwicklung von Individualsoftware Implementation 23

28. Encryption • Only support strong protocols “General purpose web applications

    should default to TLS 1.3 (support TLS 1.2 if necessary) with all other protocols disabled.” • Only support string ciphers • Use strong parameters • Tip: https://ssl-config.mozilla.org/ 24

29. 25

30. 25

31. TLSv1 & TLSv1.1! 25

32. 26

33. Cryptography • Where to perform encryption • Algorithms • Key

    Management & Storage 27

34. 28

35. 28

36. 28

37. 28

38. SQL Injection • Use of prepared statements • Out of

    the box with Doctrine/ Eloquent • BUT beware when “bypassing” and doing SQL directly • Read the fine print 29

39. 30

40. 30

41. 31

42. Input Validation • Frameworks offer safeguards and tools to make

    your life easier • Static code analysis can help here too 32

43. ISO 27001 EU CRA OWASP Cheat Sheet BSI Grundschutz A.8.2

    Privileged Access Rights A.8.3 Information access restrictions A.8.5 Secure authentication A1.1.3b ensure protection from unauthorised access by appropriate control mechanisms, … Password Storage Authentication Authorization Session Management ORP.4: Identitäts- und Berechtigungsmanagement Identity & Access Management 33

44. Passwords Argon2id > scrypt > bcrypt Also look at the

    configuration: • Memory cost parameter • Work factor • Iterations Hashing 34

45. 35

46. Authorization Enforce least privilege Deny by default Validate permissions on

    every request ReBAC | ABAC > RBAC Ensure lookup IDs are not accessible see: CWE-639 … Implement appropriate logging Create unit & integrations tests Recommendations 36

47. 37

48. 38 Last route is fallback: Deny all here Role based

    access control

49. 39 Grant access based on an attribute e.g. a post

    is public or user is the author of the post Attribute based access control

50. Sessions Secure-attribute prevents MitM HttpOnly prevents XSS SameSite against CSRF

    & Cookies 40

51. 41

52. 42

53. Headers CSP X-Frame-Options X-XSS-Protection HSTS Access-Control-Allow-Origin … 43

54. ISO 27001 EU CRA OWASP BSI Grundschutz A.8.15 Logging A.8.16

    Monitoring activities A1.3j provide security related information by recording and/or monitoring relevant internal activity, … Logging Logging Vocabulary OPS.1.1.5: Protokollierung OPS.1.1.1.A9 Durchführung von IT-Monitoring DER1.A6 Kontinuirliche Überwachung… Information Gathering Logging & Monitoring 44

55. Logging Attacks on logging infrastructure: • Attacker prevents writing or

    alters/ deletes logged data • Attacker floods logging to exceed capacity • Attacker reads logs to access sensitive data 45

56. 46

57. 46

58. 46

59. 46

60. Monitoring • Tip: OpenTelemetry standardises tracing across tech stacks and

    is well supported by most monitoring tools • PHP implementations have recently become stable 47

61. ISO 27001 EU CRA OWASP BSI Grundschutz A.8.28 Secure coding

    A.8.29 Security testing in development and acceptance A.8.31 Separation of development, test and production environments A.8.33 Test information A1.2.3 apply effective and regular tests and reviews CON.8: Software-Entwicklung OPS.1.1.6: Software-Tests und Freigaben Testing 48

62. Web Security Testing Guide WSTG Current Release: 4.2 GitHub main

    branch: 5.0-dev 49

63. Security Training Learning by doing 50

64. Summary 51

65. Thank You! 52

66. In order of first use References https://www.iso.org/standard/27001 https://www.iso.org/standard/75652.html https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/ Zuordnung_ISO_und_IT_Grundschutz_Edit_6.html?nn=128568

    https://www.cyberresilienceact.eu/the-cyber-resilience-act-annex-eu/ https://owasp.org/www-project-top-ten/ https://owasp.org/www-project-devsecops-maturity-model/ https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security.html https://blog.packagist.com/composer-2-7-7/ https://www.naderman.de/slippy/slides/2024-04-23-PHPTEK-Composer-Guide-To-Supply-Chain-Security.pdf 53

67. Continued References 54 https://docs.github.com/en/code-security/dependabot/working-with-dependabot https://docs.renovatebot.com/ https://phpstan.org https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html https://nginx.org/en/docs/http/configuring_https_servers.html https://ssl-config.mozilla.org/ https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html

    https://symfony.com/doc/current/configuration/secrets.html#generate-cryptographic-keys https://symfony.com/doc/current/cache.html#encrypting-the-cache https://symfony.com/doc/current/session.html#encryption-of-session-data https://symfony.com/doc/current/mailer.html#signing-and-encrypting-messages

68. Continued References https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html https://laravel.com/docs/11.x/queries https://www.doctrine-project.org/projects/doctrine-dbal/en/4.0/reference/data-retrieval-and-manipulation.html https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html https://symfony.com/doc/current/security/passwords.html#passwordhasher-supported-algorithms https://laravel.com/docs/10.x/hashing#configuration https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html https://cwe.mitre.org/data/definitions/639.html

    https://laravel.com/docs/11.x/authorization https://symfony.com/doc/current/security.html#access-control-authorization 55

69. Continued References https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html https://symfony.com/doc/current/session.html#configuration https://symfony.com/doc/current/reference/configuration/framework.html#cookie-samesite https://github.com/symfony/recipes/blob/main/symfony/monolog-bundle/3.7/config/packages/monolog.yaml https://github.com/Seldaek/monolog/blob/main/doc/02-handlers-formatters-processors.md https://opentelemetry.io/docs/languages/php/ https://sentry.io/for/opentelemetry/ https://tideways.com/

    https://github.com/OWASP/wstg/tree/master/document https://github.com/juice-shop/juice-shop https://leanpub.com/juice-shop 56