Evolution of PHP Security

1
Evolution of PHP Security
Eric Mann

View Slide

2
Hello.
Eric Mann
Director of Engineering, Vacasa

View Slide

3
Today’s Agenda
Introductions
Environment
Credentials Management
Authentication
Session Management
Data - Validation & Sanitization
Encryption
Server Hardening
Ongoing Study
Questions
•
•
•
•
•
•
•
•
•
•

View Slide

4
Environment

View Slide

5
I’ll be working through each module on the
main screen. Feel free to follow along with your
own computer, but coding is not required
A COMPUTER IS NOT REQUIRED
A modern PHP environment is required. I’ll
be using newer features like strict typing and
haven’t tested below PHP 7.3
FIRST: I ASSUME YOU HAVE PHP 7.3
To avoid the complexity of a MySQL or Postgres
environment, the project leverages SQLite - You’ll
need the PHP extension enabled
SECOND: SQLITE IS A MUST
You can
follow along
OUR WORKSHOP ENVIRONMENT
Clone the project repository locally and
code along with me as we work through it!
git clone [email protected]:ericmann/notes-tutorial.git

View Slide

6
Credentials Management

View Slide

7
Environment Variables
CREDENTIALS MANAGEMENT
One way to manage server credentials is with a
.env file. These files will keep credentials on the
server in flat files that are easy to keep from being
leaked to viewers.
You can use multiple .env files to segregate
environments - dev vs staging vs - production.
Utilities like the PHP dotenv project automatically
load your .env file into the system environment at
runtime, making all of your credentials accessible
to the application.

View Slide

8
Environment Variables

View Slide

9
Static Conﬁguration File

View Slide

10
Module 1 - Credentials Management

View Slide

11
Authentication

View Slide

12

View Slide

13

View Slide

14

View Slide

15

View Slide

16

View Slide

17
YOUR TITLE HERE
Lorem ipsum dolor sit amet, consectetur
adipiscing elit. Fusce elit ex, consequat et
tincidunt non, pharetra non risus. Quisque ut
leo pretium, eleifend lectus in, ultrices diam.
Quisque ac congue urna, non ﬁnibus orci.
Password Strength
AUTHENTICATION

View Slide

18
YOUR TITLE HERE
Lorem ipsum dolor sit amet, consectetur
adipiscing elit. Fusce elit ex, consequat et
tincidunt non, pharetra non risus. Quisque ut
leo pretium, eleifend lectus in, ultrices diam.
Quisque ac congue urna, non ﬁnibus orci.
Password Strength
AUTHENTICATION

View Slide

19
Password Strength - BCrypt
AUTHENTICATION
$timeTarget = 0.05; // 50 milliseconds
$cost = 8;
do {
$cost++;
$start = microtime(true);
password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
$end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost;

View Slide

20
Password Strength - Argon2I
AUTHENTICATION
$timeTarget = 0.05; // 50 milliseconds
$cost = 1;
do {
$cost++;
$start = microtime(true);
password_hash("test", PASSWORD_ARGON2I, ["time_cost" => $cost]);
$end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost;

View Slide

21
Module 2 - Authentication

View Slide

22
Session Management

View Slide

23
Dos and Do Nots
SESSION MANAGEMENT
Don’t trust the user to store sensitive information
Don’t trust information provided by the user
Don’t store sensitive information with an untrusted party
Don’t use cookies to store sensitive data
(If you are using cookies, use secure cookies - but only store IDs)

View Slide

24
Module 3 - Session Management

View Slide

25
Data - Validation & Sanitization

View Slide

26
FILTER_VALIDATE_* FILTER_SANITIZE_*

View Slide

27
Module 4 - Data Validation / Sanitization

View Slide

28
Encryption

View Slide

29
At-Rest Encryption
ENCRYPTION
1 Protects data written out to disk
2 Transparent to the application layer
3 (Usually) Provided by hosted DB
solutions
4 (Often) Required for regulatory
compliance

View Slide

30
Tom Cruise in "Mission: Impossible — Rogue Nation." YouTube/Paramount

View Slide

31
Application-level Data Encryption
By allowing the application to manage its own encryption keys, the
crypto operations lift up into the application stack itself. The
database engine can’t read or manage the data, neither can any
other process in memory.
Your data’s security then relies on the security of your application’s
authentication and access control systems.

View Slide

32
Application-level Data Encryption
By allowing the application to manage its own encryption keys, the
crypto operations lift up into the application stack itself. The
database engine can’t read or manage the data, neither can any
other process in memory.
Your data’s security then relies on the security of your application’s
authentication and access control systems.

View Slide

33
Module 5 - Encryption

View Slide

34
Tom Cruise in "Mission: Impossible." Paramount

View Slide

35
CipherSweet by Paragon Initiative Enterprsies: Fast, searchable ﬁeld-level encryption for PHP
projects

View Slide

36
Server Hardening

View Slide

37
Why it Matters ...
Server Hardening
We ship MVPs loaded with technical debt
SHIP OR DIE
Dependencies might leak vulnerabilities
COMPONENTS FAIL
You’re always under attack if your system’s online
ADVERSARIES LEARN
CommitStrip: Stack Overﬂow Patchwork

View Slide

38
PHP - Lock Down Functionality
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini ;
;;;;;;;;;;;;;;;;;;;
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.
; PHP attempts to find and load this configuration from a number of locations.
; The following is a summary of its search order:
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 4. Current working directory (except CLI)

View Slide

39
; open_basedir, if set, limits all file operations to the defined directory
; and below.
; http://php.net/open-basedir
;open_basedir =
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions =
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
; http://php.net/disable-classes
disable_classes =

View Slide

40
; and below.
open_basedir = /var/www
disable_functions =
disable_classes =

View Slide

41
; and below.
;open_basedir =
disable_functions = eval,shell_exec,exec,create_function,popen,system
disable_classes =

View Slide

42
; and below.
;open_basedir =
disable_functions = eval,shell_exec,exec,create_function,popen,system
disable_classes = splfileobject

View Slide

43
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
;upload_max_filesize =
; Maximum number of files that can be uploaded via a single request
;max_file_uploads =
; Whether to allow the treatment of URLs as files.
; http://php.net/allow-url-fopen
;allow_url_fopen =
; Whether to allow include/require to open URLs as files.
; http://php.net/allow-url-include
;allow_url_include =

View Slide

44
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off

View Slide

45
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off

View Slide

46
PHP Doesn’t Run in a Vacuum
SERVER HARDENING
Don’t display errors in production. Don’t leak server
tokens. Define your system hostname.
DISABLE DEBUGGING
Disable directory traversal. Use proper TLS
certificates. Return documented error codes.
LOCK DOWN THE APP SERVER
Use a cloud host if possible. Bind the server to the correct
address for connections. Tighly scope permissions.
PROPERLY CONFIGURE MySQL
Close down unnecessary ports. Ensure only you have
access to SSH.
USE A FIREWALL
Scan log files for illicit access and block malicious
traffic entirely at the firewall.
INSTALL fail2ban
Leverage unattended upgrades to auto-install patches.
Ensure you log everything to catch anomalies.
KEEP SYSTEM PACKAGES UPDATED

View Slide

47
Ongoing Study

View Slide

48
Further Resources
ONGOING STUDY
● Attend industry conferences to keep track of new advances
● Leverage security-focused blogs and websites like
https://paragonie.com or https://securingphp.com to learn more
● Keep track of changes, conversations around security vulnerabilities,
and new best practices “cheat sheets” created by groups like OWASP
● Subscribe to php[architect] and pick up their Web Security bundle
Pick up my book on Security Principles for PHP

View Slide

49
Questions?

View Slide

50
Thank You!
[email protected] | 503.925.6266

View Slide

Evolution of PHP Security

Evolution of PHP Security

Eric Mann

More Decks by Eric Mann

Other Decks in Technology

Featured

Transcript