Evolution of PHP Security

1 Evolution of PHP Security Eric Mann

2 Hello. Eric Mann Director of Engineering, Vacasa

3 Today’s Agenda Introductions Environment Credentials Management Authentication Session Management
Data - Validation & Sanitization Encryption Server Hardening Ongoing Study Questions • • • • • • • • • •

4 Environment

5 I’ll be working through each module on the main
screen. Feel free to follow along with your own computer, but coding is not required A COMPUTER IS NOT REQUIRED A modern PHP environment is required. I’ll be using newer features like strict typing and haven’t tested below PHP 7.3 FIRST: I ASSUME YOU HAVE PHP 7.3 To avoid the complexity of a MySQL or Postgres environment, the project leverages SQLite - You’ll need the PHP extension enabled SECOND: SQLITE IS A MUST You can follow along OUR WORKSHOP ENVIRONMENT Clone the project repository locally and code along with me as we work through it! git clone [email protected]:ericmann/notes-tutorial.git

6 Credentials Management

7 Environment Variables CREDENTIALS MANAGEMENT One way to manage server
credentials is with a .env file. These files will keep credentials on the server in flat files that are easy to keep from being leaked to viewers. You can use multiple .env files to segregate environments - dev vs staging vs - production. Utilities like the PHP dotenv project automatically load your .env file into the system environment at runtime, making all of your credentials accessible to the application.

8 Environment Variables CREDENTIALS MANAGEMENT

9 Static Conﬁguration File CREDENTIALS MANAGEMENT

10 Module 1 - Credentials Management

11 Authentication

17 YOUR TITLE HERE Lorem ipsum dolor sit amet, consectetur
adipiscing elit. Fusce elit ex, consequat et tincidunt non, pharetra non risus. Quisque ut leo pretium, eleifend lectus in, ultrices diam. Quisque ac congue urna, non ﬁnibus orci. Password Strength AUTHENTICATION

18 YOUR TITLE HERE Lorem ipsum dolor sit amet, consectetur
adipiscing elit. Fusce elit ex, consequat et tincidunt non, pharetra non risus. Quisque ut leo pretium, eleifend lectus in, ultrices diam. Quisque ac congue urna, non ﬁnibus orci. Password Strength AUTHENTICATION

19 Password Strength - BCrypt AUTHENTICATION <?php $timeTarget = 0.05;
// 50 milliseconds $cost = 8; do { $cost++; $start = microtime(true); password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;

20 Password Strength - Argon2I AUTHENTICATION <?php $timeTarget = 0.05;
// 50 milliseconds $cost = 1; do { $cost++; $start = microtime(true); password_hash("test", PASSWORD_ARGON2I, ["time_cost" => $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;

21 Module 2 - Authentication

22 Session Management

23 Dos and Do Nots SESSION MANAGEMENT Don’t trust the
user to store sensitive information Don’t trust information provided by the user Don’t store sensitive information with an untrusted party Don’t use cookies to store sensitive data (If you are using cookies, use secure cookies - but only store IDs)

24 Module 3 - Session Management

25 Data - Validation & Sanitization

26 FILTER_VALIDATE_* FILTER_SANITIZE_*

27 Module 4 - Data Validation / Sanitization

28 Encryption

29 At-Rest Encryption ENCRYPTION 1 Protects data written out to
disk 2 Transparent to the application layer 3 (Usually) Provided by hosted DB solutions 4 (Often) Required for regulatory compliance

30 Tom Cruise in "Mission: Impossible — Rogue Nation." YouTube/Paramount

31 Application-level Data Encryption By allowing the application to manage
its own encryption keys, the crypto operations lift up into the application stack itself. The database engine can’t read or manage the data, neither can any other process in memory. Your data’s security then relies on the security of your application’s authentication and access control systems.

32 Application-level Data Encryption By allowing the application to manage
its own encryption keys, the crypto operations lift up into the application stack itself. The database engine can’t read or manage the data, neither can any other process in memory. Your data’s security then relies on the security of your application’s authentication and access control systems.

33 Module 5 - Encryption

34 Tom Cruise in "Mission: Impossible." Paramount

35 CipherSweet by Paragon Initiative Enterprsies: Fast, searchable ﬁeld-level encryption
for PHP projects

36 Server Hardening

37 Why it Matters ... Server Hardening We ship MVPs
loaded with technical debt SHIP OR DIE Dependencies might leak vulnerabilities COMPONENTS FAIL You’re always under attack if your system’s online ADVERSARIES LEARN CommitStrip: Stack Overﬂow Patchwork

38 PHP - Lock Down Functionality [PHP] ;;;;;;;;;;;;;;;;;;; ; About
php.ini ; ;;;;;;;;;;;;;;;;;;; ; PHP's initialization file, generally called php.ini, is responsible for ; configuring many of the aspects of PHP's behavior. ; PHP attempts to find and load this configuration from a number of locations. ; The following is a summary of its search order: ; 1. SAPI module specific location. ; 2. The PHPRC environment variable. (As of PHP 5.2.0) ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) ; 4. Current working directory (except CLI)

39 PHP - Lock Down Functionality ; open_basedir, if set,
limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir open_basedir = /var/www ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes = splfileobject

43 PHP - Lock Down Functionality ; Maximum allowed size
for uploaded files. ; http://php.net/upload-max-filesize ;upload_max_filesize = ; Maximum number of files that can be uploaded via a single request ;max_file_uploads = ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen ;allow_url_fopen = ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include ;allow_url_include =

for uploaded files. ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include allow_url_include = Off

46 PHP Doesn’t Run in a Vacuum SERVER HARDENING Don’t
display errors in production. Don’t leak server tokens. Define your system hostname. DISABLE DEBUGGING Disable directory traversal. Use proper TLS certificates. Return documented error codes. LOCK DOWN THE APP SERVER Use a cloud host if possible. Bind the server to the correct address for connections. Tighly scope permissions. PROPERLY CONFIGURE MySQL Close down unnecessary ports. Ensure only you have access to SSH. USE A FIREWALL Scan log files for illicit access and block malicious traffic entirely at the firewall. INSTALL fail2ban Leverage unattended upgrades to auto-install patches. Ensure you log everything to catch anomalies. KEEP SYSTEM PACKAGES UPDATED

47 Ongoing Study

48 Further Resources ONGOING STUDY • Attend industry conferences to
keep track of new advances • Leverage security-focused blogs and websites like https://paragonie.com or https://securingphp.com to learn more • Keep track of changes, conversations around security vulnerabilities, and new best practices “cheat sheets” created by groups like OWASP • Subscribe to php[architect] and pick up their Web Security bundle Pick up my book on Security Principles for PHP

49 Questions?

50 Thank You! [email protected] | 503.925.6266

Evolution of PHP Security

Evolution of PHP Security

More Decks by Eric Mann

Other Decks in Technology

Featured

Transcript