Evolution of PHP Security

Eric Mann
February 06, 2020

Regardless of reports to the contrary, PHP is a modern, scalable, secure programming language suitable for any number of applications. As with any other language or tool, PHP can only be used securely if the developers using it wield their tools safely. This training class will walk through best practices in:
* Password management (including hashing)
* Credentials management (API keys)
* Data encryption (both local and remote)
* Data integrity (i.e., signing and authentication)
* Server hardening

Attendees will leave with a better understanding of PHP and how to use it in secure applications. Attendees should have an operable PHP environment before arriving. They will be given a code repo to use during the training class that demonstrates the principles being discussed and lets them practice from-scratch implementations in code.


Transcript

Slide 3: Today's Agenda

* Introductions
* Environment
* Credentials Management
* Authentication
* Session Management
* Data: Validation & Sanitization
* Encryption
* Server Hardening
* Ongoing Study
* Questions
Slide 5: Our Workshop Environment

I'll be working through each module on the main screen. Feel free to follow along with your own computer, but coding is not required.

* A computer is not required: you can follow along.
* First: I assume you have PHP 7.3. A modern PHP environment is required; I'll be using newer features like strict typing and haven't tested below PHP 7.3.
* Second: SQLite is a must. To avoid the complexity of a MySQL or Postgres environment, the project leverages SQLite, so you'll need the PHP extension enabled.

Clone the project repository locally and code along with me as we work through it:

```sh
git clone git@github.com:ericmann/notes-tutorial.git
```
Slide 7: Environment Variables (Credentials Management)

One way to manage server credentials is with a .env file. These files keep credentials on the server in flat files that are easy to keep from being leaked to viewers. You can use multiple .env files to segregate environments (dev vs. staging vs. production). Utilities like the PHP dotenv project automatically load your .env file into the system environment at runtime, making all of your credentials accessible to the application.
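As an added example (not code from the workshop repository, which uses the PHP dotenv project), here is a minimal .env loader that also refuses to load a file other local users can read; the helper names and the `DB_PATH` key are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not the workshop repo's code: a minimal .env loader that
// also refuses files other local users can read. Hypothetical helpers;
// in practice the PHP dotenv project does this for you.
function assertPrivateFile(string $path): void
{
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) { // group/other permission bits set
        throw new RuntimeException(sprintf('%s has mode %04o; use chmod 600', $path, $mode));
    }
}

/** Parse KEY=VALUE lines; blank lines and # comments are ignored. */
function parseEnv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;
        }
        [$key, $value] = array_map('trim', explode('=', $line, 2));
        if (!preg_match('/^[A-Z_][A-Z0-9_]*$/', $key)) {
            throw new RuntimeException("Invalid variable name: $key");
        }
        // Strip one pair of matching surrounding quotes
        if (strlen($value) >= 2 && in_array($value[0], ['"', "'"], true) && substr($value, -1) === $value[0]) {
            $value = substr($value, 1, -1);
        }
        $vars[$key] = $value;
    }
    return $vars;
}

/** Load variables, letting the real environment override the file. */
function loadEnv(string $path): void
{
    assertPrivateFile($path);
    foreach (parseEnv((string) file_get_contents($path)) as $key => $value) {
        if (getenv($key) === false) {
            putenv("$key=$value");
        }
    }
}

// Keep .env outside the web root and out of version control.
loadEnv(dirname(__DIR__) . '/.env');
$dbPath = getenv('DB_PATH') ?: 'notes.sqlite'; // assumption: DB_PATH key in .env
```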
Slide 17: Password Strength (Authentication)
Slide 19: Password Strength - BCrypt (Authentication)

```php
<?php
$timeTarget = 0.05; // 50 milliseconds

// Raise the bcrypt cost until one hash takes at least the target time
// on this hardware; password_hash() with PASSWORD_BCRYPT accepts 4..31.
$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);

echo "Appropriate Cost Found: " . $cost;
```
Slide 20: Password Strength - Argon2I (Authentication)

```php
<?php
$timeTarget = 0.05; // 50 milliseconds

// Same tuning loop for Argon2i (requires PHP built with Argon2 support);
// here the knob is time_cost, the number of iterations, with memory_cost
// and threads left at their defaults.
$cost = 1;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_ARGON2I, ["time_cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);

echo "Appropriate Cost Found: " . $cost;
```
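Once a cost has been measured, it has to be applied at registration and login, and existing hashes made at a lower cost should be upgraded when the user next logs in. This added example (not the workshop repository's code) shows that flow with `password_needs_rehash()`; the cost of 12 is a placeholder for whatever the loop above finds on your hardware:

```php
<?php
declare(strict_types=1);

// Added example, not the workshop repo's code: using the benchmarked cost
// at login time. 12 is a placeholder; use the value the tuning loop finds
// on your own hardware.
const BCRYPT_OPTIONS = ['cost' => 12];

function hashPassword(string $password): string
{
    // bcrypt only looks at the first 72 bytes of input; reject longer
    // passwords rather than silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password longer than 72 bytes');
    }
    // password_hash() picks a random salt and encodes algorithm, cost and
    // salt into the string it returns, so nothing else needs storing.
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

/**
 * Check a login attempt. Returns [bool $ok, ?string $newHash]; when
 * $newHash is non-null the caller should persist it, because the stored
 * hash was made with an older (cheaper) cost.
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        // The plaintext is only available now, so rehash during login.
        return [true, hashPassword($password)];
    }
    return [true, null];
}

// Constructed demo: a hash made at the cost the slide's loop starts from (8)
$legacyHash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 8]);
[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacyHash);
assert($ok && $upgraded !== null && password_get_info($upgraded)['options']['cost'] === 12);
```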
Slide 23: Dos and Do Nots (Session Management)

* Don't trust the user to store sensitive information
* Don't trust information provided by the user
* Don't store sensitive information with an untrusted party
* Don't use cookies to store sensitive data (if you are using cookies, use secure cookies, but only store IDs)
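The "only store IDs in cookies" rule in practice, as an added example that is not the workshop repository's code: the cookie carries nothing but the opaque session ID, the ID is regenerated on login, and everything about the user stays server-side. It relies on the array form of `session_set_cookie_params()` introduced in PHP 7.3 (the deck's baseline); the `$maxAge` idle limit is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not the workshop repo's code: session cookie hardening that
// matches the "only store IDs in cookies" rule.

function startHardenedSession(): void
{
    // The session cookie carries only the opaque session ID; all user data
    // stays server-side in the session store.
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // assumption: single host
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // PHP 7.3+ array form supports samesite
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // A fresh ID on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // store the ID, not the user record
    $_SESSION['issued_at'] = time();
}

function currentUserId(int $maxAge = 3600): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['issued_at'])) {
        return null;
    }
    if (time() - $_SESSION['issued_at'] > $maxAge) {
        logoutUser(); // expire stale sessions server-side, not just in the browser
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}
```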
Slide 29: At-Rest Encryption (Encryption)

1. Protects data written out to disk
2. Transparent to the application layer
3. (Usually) provided by hosted DB solutions
4. (Often) required for regulatory compliance
Slide 31: Application-level Data Encryption

By allowing the application to manage its own encryption keys, the crypto operations lift up into the application stack itself. The database engine can't read or manage the data, and neither can any other process in memory. Your data's security then relies on the security of your application's authentication and access control systems.
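Application-level encryption of a single column, as an added example that is not the workshop repository's code. It uses libsodium's `secretbox` (bundled with PHP 7.2+), which authenticates as well as encrypts, so a tampered row fails to decrypt rather than yielding garbage; the key is read from an assumed `NOTES_KEY` environment variable, which is where a .env loader would put it:

```php
<?php
declare(strict_types=1);

// Added example, not the workshop repo's code: field-level encryption with
// libsodium. The key lives in the environment (e.g. loaded from .env),
// never in the database alongside the data it protects.

function loadKey(): string
{
    $raw = getenv('NOTES_KEY'); // assumption: hex-encoded 32-byte key
    if ($raw === false) {
        throw new RuntimeException('NOTES_KEY is not set');
    }
    $key = sodium_hex2bin($raw);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('NOTES_KEY must be 32 bytes');
    }
    return $key;
}

/** Encrypt a field; secretbox authenticates as well as encrypts. */
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per record
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box); // this text goes into the DB column
}

function decryptField(string $stored, string $key): string
{
    $bytes = base64_decode($stored, true);
    if ($bytes === false || strlen($bytes) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($bytes, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($bytes, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or a modified row: the authentication tag did not verify
        throw new RuntimeException('Decryption failed');
    }
    return $plain;
}

// Constructed demo: the key generated here would normally come from .env
putenv('NOTES_KEY=' . sodium_bin2hex(sodium_crypto_secretbox_keygen()));
$key = loadKey();
$cipher = encryptField('Secret note body', $key);
assert(decryptField($cipher, $key) === 'Secret note body');
```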
Slide 37: Why it Matters... (Server Hardening)

* Ship or die: we ship MVPs loaded with technical debt.
* Components fail: dependencies might leak vulnerabilities.
* Adversaries learn: you're always under attack if your system's online.

(Image: CommitStrip, "Stack Overflow Patchwork")
Slide 38: PHP - Lock Down Functionality

```ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.
; PHP attempts to find and load this configuration from a number of locations.
; The following is a summary of its search order:
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 4. Current working directory (except CLI)
```
Slide 39: PHP - Lock Down Functionality

The defaults: nothing restricted yet.

```ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.
; http://php.net/open-basedir
;open_basedir =

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions =

; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
```
Slide 40: PHP - Lock Down Functionality

With open_basedir set, file operations are confined to /var/www and below.

```ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.
; http://php.net/open-basedir
open_basedir = /var/www

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions =

; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
```
Slide 41: PHP - Lock Down Functionality

With disable_functions populated.

```ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.
; http://php.net/open-basedir
;open_basedir =

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,shell_exec,exec,create_function,popen,system

; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =
```
Slide 42: PHP - Lock Down Functionality

With disable_classes populated as well.

```ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.
; http://php.net/open-basedir
;open_basedir =

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,shell_exec,exec,create_function,popen,system

; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes = splfileobject
```
Slide 43: PHP - Lock Down Functionality

```ini
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
;upload_max_filesize =

; Maximum number of files that can be uploaded via a single request
;max_file_uploads =

; Whether to allow the treatment of URLs as files.
; http://php.net/allow-url-fopen
;allow_url_fopen =

; Whether to allow include/require to open URLs as files.
; http://php.net/allow-url-include
;allow_url_include =
```
Slide 44: PHP - Lock Down Functionality

```ini
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 2M

; Maximum number of files that can be uploaded via a single request
max_file_uploads = 20

; Whether to allow the treatment of URLs as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs as files.
; http://php.net/allow-url-include
allow_url_include = Off
```
Slide 46: PHP Doesn't Run in a Vacuum (Server Hardening)

* Disable debugging: don't display errors in production. Don't leak server tokens. Define your system hostname.
* Lock down the app server: disable directory traversal. Use proper TLS certificates. Return documented error codes.
* Properly configure MySQL: use a cloud host if possible. Bind the server to the correct address for connections. Tightly scope permissions.
* Use a firewall: close down unnecessary ports. Ensure only you have access to SSH.
* Install fail2ban: scan log files for illicit access and block malicious traffic entirely at the firewall.
* Keep system packages updated: leverage unattended upgrades to auto-install patches. Ensure you log everything to catch anomalies.
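Editing php.ini is only half the job; the settings have to be in effect for the SAPI that actually serves requests. This added example (not the workshop repository's code) is a deploy-time self-check covering the directives from slides 39 to 46: it reports any of the listed functions still callable, `allow_url_include`, `display_errors` or `expose_php` left on, and `open_basedir` unset. One caveat it encodes: `eval` is a language construct, not a function, so listing it in `disable_functions` has no effect and is reported rather than passed.

```php
<?php
declare(strict_types=1);

// Added example, not the workshop repo's code: a deploy-time check that the
// php.ini hardening from the slides is actually in effect for this SAPI.
// Run it through the web server (behind auth), not the CLI, whose php.ini differs.

function iniIsOff(string $directive): bool
{
    return in_array(strtolower((string) ini_get($directive)), ['', '0', 'off', 'false', 'no'], true);
}

function disabledFunctions(): array
{
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($list));
}

/** Return findings as strings; an empty array means the config passes. */
function auditPhpIni(array $mustDisable): array
{
    $findings = [];
    foreach (['allow_url_include', 'display_errors', 'expose_php'] as $directive) {
        if (!iniIsOff($directive)) {
            $findings[] = "$directive should be Off";
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }
    $disabled = disabledFunctions();
    foreach ($mustDisable as $fn) {
        if ($fn === 'eval') {
            // eval is a language construct, not a function, so disable_functions
            // cannot switch it off; report it rather than return a false pass.
            $findings[] = 'eval cannot be disabled via disable_functions';
            continue;
        }
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is still callable";
        }
    }
    return $findings;
}

// The list from slide 41
$findings = auditPhpIni(['eval', 'shell_exec', 'exec', 'create_function', 'popen', 'system']);
header('Content-Type: text/plain');
echo $findings === [] ? "OK\n" : implode("\n", $findings) . "\n";
```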
Slide 48: Further Resources (Ongoing Study)

* Attend industry conferences to keep track of new advances
* Leverage security-focused blogs and websites like https://paragonie.com or https://securingphp.com to learn more
* Keep track of changes, conversations around security vulnerabilities, and new best practices "cheat sheets" created by groups like OWASP
* Subscribe to php[architect] and pick up their Web Security bundle
* Pick up my book on Security Principles for PHP