
Evolution of PHP Security

Eric Mann
February 06, 2020

Regardless of reports to the contrary, PHP is a modern, scalable, secure programming language suitable for any number of applications. As with any other language or tool, PHP can only be used securely if the developers using it wield their tools safely. This training class will walk through best practices in:
* Password management (including hashing)
* Credentials management (API keys)
* Data encryption (both local and remote)
* Data integrity (i.e., signing and authentication)
* Server hardening

Attendees will leave with a better understanding of PHP and how to use it in secure applications. Attendees should have a working PHP environment before arriving. They will be given a code repository to use during the training class; it demonstrates the principles being discussed and lets them practice from-scratch implementations in code.


Transcript

  1. Evolution of PHP Security
    Eric Mann

  2. Hello.
    Eric Mann
    Director of Engineering, Vacasa

  3. Today's Agenda
    Introductions
    Environment
    Credentials Management
    Authentication
    Session Management
    Data - Validation & Sanitization
    Encryption
    Server Hardening
    Ongoing Study
    Questions

  4. Environment

  5. You can follow along
    OUR WORKSHOP ENVIRONMENT
    Clone the project repository locally and code along with me as we work through it!
    git clone git@github.com:ericmann/notes-tutorial.git
    A COMPUTER IS NOT REQUIRED
    I'll be working through each module on the main screen. Feel free to follow along on your own computer, but coding is not required.
    FIRST: I ASSUME YOU HAVE PHP 7.3
    A modern PHP environment is required. I'll be using newer features like strict typing and haven't tested below PHP 7.3.
    SECOND: SQLITE IS A MUST
    To avoid the complexity of a MySQL or Postgres environment, the project uses SQLite. You'll need the PHP extension enabled.

  6. Credentials Management

  7. Environment Variables
    CREDENTIALS MANAGEMENT
    One way to manage server credentials is with a .env file. These files keep credentials on the server in flat files that live outside the web root and outside version control, which makes them easy to keep from being served to, or leaked to, visitors.
    You can use multiple .env files to segregate environments: dev vs. staging vs. production.
    Utilities like the PHP dotenv project automatically load your .env file into the process environment at runtime, making all of your credentials accessible to the application through getenv() or $_ENV.

  8. Environment Variables
    CREDENTIALS MANAGEMENT

  9. Static Configuration File
    CREDENTIALS MANAGEMENT
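A minimal loader for the .env approach on slides 7 through 9, added here as an example; it is neither the workshop repository's code nor the phpdotenv library. It parses KEY=VALUE lines, refuses to override values the deployment platform already placed in the real environment, fails loudly when a required credential is absent, and shows the static-configuration alternative of a PHP file returning an array. The directory layout (a public/ document root with .env and config/ one level above it) and the variable names are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Parse .env contents into an associative array.
 * Handles comments (#), blank lines, an optional "export " prefix and
 * single- or double-quoted values; rejects anything else loudly.
 */
function parseDotenv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\r\n|\r|\n/', $contents) as $index => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (strpos($line, 'export ') === 0) {
            $line = trim(substr($line, 7));
        }
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/', $line, $m)) {
            throw new RuntimeException(sprintf('Malformed .env line %d', $index + 1));
        }
        $key   = $m[1];
        $value = trim($m[2]);
        $len   = strlen($value);
        if ($len >= 2 && $value[0] === '"' && $value[$len - 1] === '"') {
            // Double quotes: keep everything inside, expand \n
            $value = str_replace('\n', "\n", substr($value, 1, -1));
        } elseif ($len >= 2 && $value[0] === "'" && $value[$len - 1] === "'") {
            // Single quotes: literal value
            $value = substr($value, 1, -1);
        } else {
            // Unquoted: strip a trailing inline comment
            $value = trim((string) preg_replace('/\s+#.*$/', '', $value));
        }
        $vars[$key] = $value;
    }
    return $vars;
}

/**
 * Load a .env file into the process environment. Values already present in
 * the real environment (container, systemd unit, CI) are left alone, so the
 * file is a development convenience rather than a production override.
 * Returns the keys that were actually set.
 */
function loadDotenv(string $path): array
{
    $contents = @file_get_contents($path);
    if ($contents === false) {
        throw new RuntimeException("Cannot read {$path}");
    }
    $set = [];
    foreach (parseDotenv($contents) as $key => $value) {
        if (getenv($key) !== false) {
            continue;
        }
        putenv("{$key}={$value}");
        $_ENV[$key] = $value;
        $set[] = $key;
    }
    return $set;
}

/** Fetch a required credential, refusing to run with an empty one. */
function requireEnv(string $key): string
{
    $value = getenv($key);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing required environment variable {$key}");
    }
    return $value;
}

// Assumed layout: this script lives in public/, and .env and config/ sit one
// level up, outside the document root, so the web server can never serve them.
$root = dirname(__DIR__);
loadDotenv($root . '/.env');                 // e.g. a line: DB_PASSWORD="s3cr3t"
$dbPassword = requireEnv('DB_PASSWORD');

// Static-configuration alternative: a PHP file that returns an array. Keep it
// outside the web root as well, and out of version control.
// config/database.php (assumed) could contain:
//   <?php return ['dsn' => 'sqlite:' . dirname(__DIR__) . '/notes.db'];
$config = require $root . '/config/database.php';
```

Whichever form you pick, add the file to .gitignore and to the web server's deny rules; the common leak is not a clever attack but a .env committed to a public repository or served as a static file from the document root. The phpdotenv library covers edge cases this loader skips (variable interpolation, immutability, validation of required keys), so prefer it in a real project.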

  10. Module 1 - Credentials Management

  11. Authentication

  17. Password Strength
    AUTHENTICATION

  19. Password Strength - BCrypt
    AUTHENTICATION
    // Find the lowest bcrypt cost whose hashing time reaches the target on this machine
    $timeTarget = 0.05; // 50 milliseconds
    $cost = 8;
    do {
        $cost++;
        $start = microtime(true);
        password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
        $end = microtime(true);
    } while (($end - $start) < $timeTarget);
    echo "Appropriate Cost Found: " . $cost;

  20. Password Strength - Argon2I
    AUTHENTICATION
    // Same search for Argon2i, tuning the time_cost (iterations) parameter
    $timeTarget = 0.05; // 50 milliseconds
    $cost = 1;
    do {
        $cost++;
        $start = microtime(true);
        password_hash("test", PASSWORD_ARGON2I, ["time_cost" => $cost]);
        $end = microtime(true);
    } while (($end - $start) < $timeTarget);
    echo "Appropriate Cost Found: " . $cost;
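The loops on slides 19 and 20 find a cost parameter but stop there. The following is an added example, not the deck's or the workshop repository's code, that puts the result to work in a register/login flow: it generalises the calibration to any password_hash() algorithm with an upper bound, prefers PASSWORD_ARGON2ID where the PHP 7.3+ build provides it, hashes against a dummy for unknown usernames so response time does not reveal which accounts exist, and uses password_needs_rehash() so stored hashes are upgraded transparently after a policy change. The 0.25 s target, the in-memory $users array standing in for a users table, and the length limits are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Find the lowest cost parameter whose hashing time reaches $targetSeconds on
 * this machine, bounded by $max so a slow box cannot push the cost absurdly
 * high. $option is "cost" for bcrypt and "time_cost" for Argon2. Calibrate on
 * production hardware and pin the result in configuration; do not run this
 * on every request.
 */
function calibrateCost(string $algo, string $option, int $start, float $targetSeconds, int $max): int
{
    $cost = $start;
    do {
        $cost++;
        $begin = microtime(true);
        password_hash('calibration-sample', $algo, [$option => $cost]);
        $elapsed = microtime(true) - $begin;
    } while ($elapsed < $targetSeconds && $cost < $max);
    return $cost;
}

/**
 * The algorithm and options every new hash uses. Prefers Argon2id when the
 * build has it (PHP 7.3+ with libargon2), otherwise bcrypt. Cached so the
 * calibration runs once per process. The 0.25 s target is an assumption.
 */
function passwordPolicy(): array
{
    static $policy = null;
    if ($policy === null) {
        $policy = defined('PASSWORD_ARGON2ID')
            ? [PASSWORD_ARGON2ID, [
                'memory_cost' => 64 * 1024, // KiB, i.e. 64 MiB
                'time_cost'   => calibrateCost(PASSWORD_ARGON2ID, 'time_cost', 1, 0.25, 10),
                'threads'     => 1,
              ]]
            : [PASSWORD_BCRYPT, ['cost' => calibrateCost(PASSWORD_BCRYPT, 'cost', 8, 0.25, 14)]];
    }
    return $policy;
}

/** Register a user. $users is an in-memory stand-in for the users table. */
function registerUser(array &$users, string $username, string $password): void
{
    // Lower bound for strength, upper bound so a multi-megabyte password cannot
    // tie up the hasher. Note that bcrypt silently truncates input at 72 bytes.
    if (strlen($password) < 12 || strlen($password) > 1024) {
        throw new InvalidArgumentException('Password must be 12 to 1024 bytes');
    }
    [$algo, $options] = passwordPolicy();
    $users[$username] = ['hash' => password_hash($password, $algo, $options)];
}

/**
 * Verify a login. Hashes against a dummy when the user does not exist so the
 * response time does not reveal valid usernames, and transparently re-hashes
 * a stored password whose parameters are below the current policy.
 */
function authenticate(array &$users, string $username, string $password): bool
{
    [$algo, $options] = passwordPolicy();
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', $algo, $options);
    }

    $exists = isset($users[$username]['hash']);
    $stored = $exists ? $users[$username]['hash'] : $dummyHash;
    if (!password_verify($password, $stored) || !$exists) {
        return false;
    }
    if (password_needs_rehash($stored, $algo, $options)) {
        $users[$username]['hash'] = password_hash($password, $algo, $options);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
$loggedIn = authenticate($users, 'alice', 'correct horse battery staple');
$rejected = authenticate($users, 'alice', 'wrong password');
$unknown  = authenticate($users, 'nobody', 'irrelevant');
```

The first authenticate() call succeeds and the other two fail, the last one only after a full hash computation against the dummy. The rehash step is what makes raising the cost later safe: change the policy, and each user's hash is replaced on their next successful login without a forced reset.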

  21. Module 2 - Authentication

  22. Session Management

  23. Dos and Do Nots
    SESSION MANAGEMENT
    Don't trust the user to store sensitive information
    Don't trust information provided by the user
    Don't store sensitive information with an untrusted party
    Don't use cookies to store sensitive data
    (If you are using cookies, use secure cookies - but only store IDs)
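The rules on slide 23 come down to a handful of session settings plus two habits: regenerate the session ID whenever privilege changes, and keep nothing but an identifier in the cookie. This is an added example, not the workshop code; it requires PHP 7.3 for the array forms of session_set_cookie_params() and setcookie() with SameSite support, which the workshop already assumes. The $_SERVER['HTTPS'] check, the 30-minute idle timeout and the session keys are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Start a session with hardened cookie and handler settings. Call before any
 * output. These could equally be set once in php.ini.
 */
function startSecureSession(int $idleTimeoutSeconds = 1800): void
{
    // Reject IDs the server never issued (defeats fixation via a planted
    // cookie) and never accept the ID from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => $secure,    // only over TLS; assumed true in production
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // cross-site POSTs do not carry the cookie
    ]);

    session_start();

    // Idle timeout enforced server-side; cookie expiry alone is advisory
    // because the client controls it.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > $idleTimeoutSeconds) {
        $_SESSION = [];
        session_regenerate_id(true); // discard the stale ID and its data
    }
    $_SESSION['last_seen'] = $now;
}

/**
 * Bind the session to an authenticated user. Only the user ID is stored;
 * the cookie carries nothing but the session ID.
 */
function loginSession(int $userId): void
{
    // Fresh ID on privilege change, so a pre-login ID an attacker may have
    // captured or planted is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

/** Tear the session down completely: server-side data and the client cookie. */
function logoutSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Usage in a login handler, after the password has been verified elsewhere
// (assumed $user object):
//   startSecureSession();
//   loginSession($user->id);
// And on every authenticated request:
//   startSecureSession();
//   if (currentUserId() === null) { /* redirect to login */ }
```

Everything the user must not be able to read or alter stays in $_SESSION on the server; if a later requirement pushes data into a cookie anyway, sign or encrypt it with a server-side key rather than trusting the value that comes back.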

  24. Module 3 - Session Management

  25. Data - Validation & Sanitization

  26. FILTER_VALIDATE_* FILTER_SANITIZE_*
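Slide 26 names the two filter families without showing them in use. The following added example (not the workshop code) validates a constructed "create note" request with FILTER_VALIDATE_* filters and a callback, treats a failed field as a rejection rather than something to be quietly "sanitized", and keeps escaping for HTML output as a separate step at render time. The field names and limits are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Validate a "create note" request. Returns [errors, cleanData]; an empty
 * error list means every field passed. Validation rejects, it never fixes.
 */
function validateNoteRequest(array $input): array
{
    $definition = [
        'title'    => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[\p{L}\p{N} .,!?\'"-]{1,120}$/u'],
        ],
        'body'     => [
            // FILTER_DEFAULT would accept anything; enforce a size bound and
            // valid UTF-8 ourselves.
            'filter'  => FILTER_CALLBACK,
            'options' => static function (string $v): ?string {
                $v = trim($v);
                return ($v !== '' && strlen($v) <= 10000 && preg_match('//u', $v) === 1) ? $v : null;
            },
        ],
        'priority' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 5],
        ],
        'notify'   => [
            'filter' => FILTER_VALIDATE_EMAIL,
            'flags'  => FILTER_NULL_ON_FAILURE,
        ],
        'public'   => [
            'filter' => FILTER_VALIDATE_BOOLEAN,
            'flags'  => FILTER_NULL_ON_FAILURE, // "no"/"0" -> false, garbage -> null
        ],
    ];

    // add_empty=false: keys missing from $input stay missing instead of null;
    // keys not in the definition are dropped, so unexpected fields never pass.
    $result = filter_var_array($input, $definition, false);
    $errors = [];
    foreach (['title', 'body', 'priority'] as $required) {
        if (!isset($result[$required]) || $result[$required] === false) {
            $errors[$required] = 'missing or invalid';
        }
    }
    if (!array_key_exists('public', $result) || $result['public'] === null) {
        $errors['public'] = 'missing or invalid';
    }
    // notify is optional, but if supplied it must be a valid address
    if (array_key_exists('notify', $input) && $input['notify'] !== '' && $result['notify'] === null) {
        $errors['notify'] = 'invalid e-mail address';
    }
    return [$errors, $errors ? [] : $result];
}

/** Escape for an HTML element/attribute context. The output context picks the escaper. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request, as a form POST would deliver it (every value a string).
$request = [
    'title'    => 'Shopping list',
    'body'     => "<script>alert(1)</script> milk, eggs",
    'priority' => '3',
    'public'   => 'no',
    'notify'   => 'not-an-address',
];

[$errors, $note] = validateNoteRequest($request); // rejected: notify is invalid
$request['notify'] = 'alice@example.com';
[$errors, $note] = validateNoteRequest($request); // passes; priority is now int 3, public is bool false

if (!$errors) {
    // The body is stored exactly as submitted; the <script> text is inert until
    // rendered, and rendering escapes it. Sanitizing on input would have
    // mangled a legitimate note that happens to be about HTML.
    echo '<h1>' . h($note['title']) . '</h1><p>' . h($note['body']) . '</p>';
}
```

The division of labour is the point: validation decides whether the request is acceptable at all, storage keeps the accepted value intact, and escaping is chosen by the output context (htmlspecialchars for HTML, a prepared statement for SQL, json_encode for JSON). FILTER_SANITIZE_* filters strip characters they consider unsafe, which is neither validation nor context-aware escaping, so they are best reserved for cosmetic normalisation.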

  27. Module 4 - Data Validation / Sanitization

  28. Encryption

  29. At-Rest Encryption
    ENCRYPTION
    1. Protects data written out to disk
    2. Transparent to the application layer
    3. (Usually) provided by hosted DB solutions
    4. (Often) required for regulatory compliance

  30. Tom Cruise in "Mission: Impossible — Rogue Nation." YouTube/Paramount

  31. Application-level Data Encryption
    By allowing the application to manage its own encryption keys, the crypto operations lift up into the application stack itself. The database engine never sees plaintext, so neither does anyone who obtains only the database: a stolen backup, a leaked database credential, or a SQL injection that dumps tables.
    Your data's security then relies on the security of your application's key management, authentication and access control systems: whoever can drive the application, or read its keys, can read the data.
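The paragraph above describes application-level encryption; the following added example (not the deck's code, and not the CipherSweet library mentioned later, whose API is not reproduced here) shows the minimum that gets it right with the libsodium extension bundled since PHP 7.2: an authenticated cipher (XChaCha20-Poly1305) so tampering is detected, a random nonce per value, a version byte for future key or algorithm rotation, and the row and column name bound in as associated data so a ciphertext copied from one row into another fails to decrypt instead of silently moving a value between users. The environment variable name, the row ID and the stored-blob layout are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Field-level encryption for one database column. The key lives in the
 * application's environment, never in the database it protects.
 */
final class FieldCipher
{
    // First byte of every stored blob; bump it when the key or algorithm changes
    private const VERSION = "\x01";

    private $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('Key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    /** Load the hex-encoded key from the environment (variable name assumed). */
    public static function fromEnv(string $var = 'NOTES_FIELD_KEY'): self
    {
        $hex = getenv($var);
        if ($hex === false || $hex === '') {
            throw new RuntimeException("Missing {$var}");
        }
        return new self(sodium_hex2bin($hex));
    }

    /** Encrypt one value for the given row and column; returns a TEXT-safe blob. */
    public function encrypt(string $plaintext, string $rowId, string $column): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $aad   = $column . ':' . $rowId; // authenticated but not encrypted
        $ct    = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $aad, $nonce, $this->key);
        // Stored layout: version || nonce || ciphertext+tag, base64 for a TEXT column
        return base64_encode(self::VERSION . $nonce . $ct);
    }

    /** Decrypt a blob; throws on any tampering, wrong key, or wrong row/column. */
    public function decrypt(string $blob, string $rowId, string $column): string
    {
        $raw      = base64_decode($blob, true);
        $nonceLen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        $minLen   = 1 + $nonceLen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;
        if ($raw === false || strlen($raw) < $minLen) {
            throw new RuntimeException('Malformed ciphertext');
        }
        if ($raw[0] !== self::VERSION) {
            throw new RuntimeException('Unsupported ciphertext version');
        }
        $nonce = substr($raw, 1, $nonceLen);
        $ct    = substr($raw, 1 + $nonceLen);
        $pt    = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $column . ':' . $rowId, $nonce, $this->key);
        if ($pt === false) {
            // Treat as an integrity failure and alert, not as "no data"
            throw new RuntimeException('Decryption failed');
        }
        return $pt;
    }
}

// Key generation happens once, at provisioning time, and the output goes into
// the environment (see the credentials module). For this stand-alone demo the
// key is generated and injected inline, which is NOT how production should work.
putenv('NOTES_FIELD_KEY=' . sodium_bin2hex(sodium_crypto_aead_xchacha20poly1305_ietf_keygen()));

$cipher = FieldCipher::fromEnv();
$blob   = $cipher->encrypt('Call the bank about account 1234', '42', 'notes.body');
$plain  = $cipher->decrypt($blob, '42', 'notes.body');   // original text

try {
    $cipher->decrypt($blob, '43', 'notes.body');          // same blob, different row
} catch (RuntimeException $e) {
    // rejected: the associated data no longer matches
}
```

What this buys is exactly what the slide claims: the database holds only ciphertext, and a SQL injection or leaked backup yields nothing readable. What it does not buy is searchability, which is why a scheme like CipherSweet adds blind indexes on top, and it moves the whole problem onto key handling: the key must not sit next to the data, must be rotatable (hence the version byte), and must be reachable only by the application process.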

  33. Module 5 - Encryption

  34. Tom Cruise in "Mission: Impossible." Paramount

  35. CipherSweet by Paragon Initiative Enterprises: Fast, searchable field-level encryption for PHP projects

  36. Server Hardening

  37. Why it Matters ...
    Server Hardening
    SHIP OR DIE
    We ship MVPs loaded with technical debt
    COMPONENTS FAIL
    Dependencies might leak vulnerabilities
    ADVERSARIES LEARN
    You're always under attack if your system's online
    CommitStrip: Stack Overflow Patchwork

  38. PHP - Lock Down Functionality
    [PHP]
    ;;;;;;;;;;;;;;;;;;;
    ; About php.ini ;
    ;;;;;;;;;;;;;;;;;;;
    ; PHP's initialization file, generally called php.ini, is responsible for
    ; configuring many of the aspects of PHP's behavior.
    ; PHP attempts to find and load this configuration from a number of locations.
    ; The following is a summary of its search order:
    ; 1. SAPI module specific location.
    ; 2. The PHPRC environment variable. (As of PHP 5.2.0)
    ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
    ; 4. Current working directory (except CLI)

  39. PHP - Lock Down Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    ;open_basedir =
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions =
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes =

  40. PHP - Lock Down Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    open_basedir = /var/www
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions =
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes =

  41. PHP - Lock Down Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    ;open_basedir =
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions = eval,shell_exec,exec,create_function,popen,system
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes =

  42. PHP - Lock Down Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    ;open_basedir =
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions = eval,shell_exec,exec,create_function,popen,system
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes = splfileobject

  43. PHP - Lock Down Functionality
    ; Maximum allowed size for uploaded files.
    ; http://php.net/upload-max-filesize
    ;upload_max_filesize =
    ; Maximum number of files that can be uploaded via a single request
    ;max_file_uploads =
    ; Whether to allow the treatment of URLs as files.
    ; http://php.net/allow-url-fopen
    ;allow_url_fopen =
    ; Whether to allow include/require to open URLs as files.
    ; http://php.net/allow-url-include
    ;allow_url_include =

  44. PHP - Lock Down Functionality
    ; Maximum allowed size for uploaded files.
    ; http://php.net/upload-max-filesize
    upload_max_filesize = 2M
    ; Maximum number of files that can be uploaded via a single request
    max_file_uploads = 20
    ; Whether to allow the treatment of URLs as files.
    ; http://php.net/allow-url-fopen
    allow_url_fopen = On
    ; Whether to allow include/require to open URLs as files.
    ; http://php.net/allow-url-include
    allow_url_include = Off
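php.ini edits are easy to make in the wrong file (php-fpm, mod_php and the CLI frequently read different ones), so the check a practitioner wants after slides 39 through 44 is one that inspects the running SAPI rather than the file. The following is an added example, not from the deck: it audits the live configuration against the deck's final values (open_basedir, the disable_functions list, the upload limits, allow_url_include off) plus display_errors and expose_php from the next slide, and flags allow_url_fopen for review since the deck leaves it On. The /var/www path is the slide's; treating eval as un-disableable is a PHP fact: eval is a language construct, so listing it in disable_functions has no effect.

```php
<?php
declare(strict_types=1);

/** php.ini booleans arrive as "1", "On", "off", "" etc.; anything not in the off-set counts as on. */
function iniIsOn(string $value): bool
{
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no', 'none'], true);
}

/** Convert php.ini shorthand such as "2M" or "512K" to bytes. */
function iniBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $num = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $num * 1024 ** 3;
        case 'M': return $num * 1024 ** 2;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

/**
 * Audit the live PHP configuration against the hardening baseline.
 * Returns a list of findings; an empty list means the baseline holds.
 * Run it under the SAPI the application uses (e.g. a throwaway page served
 * by php-fpm), because `php -i` on the CLI reads its own ini.
 */
function auditPhpIni(string $appRoot = '/var/www'): array
{
    $findings = [];

    foreach (['allow_url_include', 'display_errors', 'expose_php'] as $directive) {
        if (iniIsOn((string) ini_get($directive))) {
            $findings[] = "{$directive} is enabled; set it to Off";
        }
    }
    if (iniIsOn((string) ini_get('allow_url_fopen'))) {
        $findings[] = 'allow_url_fopen is On; confirm no user-controlled path reaches a file function, or fetch URLs with curl and turn it Off';
    }

    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = 'open_basedir is unset; file operations can reach the whole filesystem';
    } elseif (strpos($basedir, $appRoot) === false) {
        $findings[] = "open_basedir ({$basedir}) does not include {$appRoot}";
    }

    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['shell_exec', 'exec', 'create_function', 'popen', 'system'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "{$fn} is not in disable_functions";
        }
    }
    if (in_array('eval', $disabled, true)) {
        $findings[] = 'eval in disable_functions has no effect (language construct); rely on open_basedir and code review instead';
    }

    $upload = iniBytes((string) ini_get('upload_max_filesize'));
    $post   = iniBytes((string) ini_get('post_max_size'));
    if ($upload > 2 * 1024 ** 2) {
        $findings[] = 'upload_max_filesize exceeds the 2M baseline';
    }
    if ($post > 0 && $post < $upload) {
        $findings[] = 'post_max_size is smaller than upload_max_filesize; large uploads will fail silently';
    }
    if ((int) ini_get('max_file_uploads') > 20) {
        $findings[] = 'max_file_uploads exceeds the baseline of 20';
    }

    return $findings;
}

foreach (auditPhpIni() as $finding) {
    echo $finding, PHP_EOL;
}
```

Two details are worth remembering when reading the deck's slides alongside this check. First, disable_functions and open_basedir can be set only in php.ini or per-pool/per-vhost configuration, not from the script, so a finding here means the file or pool is wrong, not the code. Second, open_basedir restricts file functions, not command execution, which is why the disable_functions list matters as well; the two are complementary, not alternatives.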

  46. PHP Doesn't Run in a Vacuum
    SERVER HARDENING
    DISABLE DEBUGGING
    Don't display errors in production. Don't leak server tokens. Define your system hostname.
    LOCK DOWN THE APP SERVER
    Disable directory listing. Use proper TLS certificates. Return documented error codes.
    PROPERLY CONFIGURE MySQL
    Use a cloud host if possible. Bind the server to the correct address for connections. Tightly scope permissions.
    USE A FIREWALL
    Close down unnecessary ports. Ensure only you have access to SSH.
    INSTALL fail2ban
    Scan log files for illicit access and block malicious traffic entirely at the firewall.
    KEEP SYSTEM PACKAGES UPDATED
    Leverage unattended upgrades to auto-install patches. Ensure you log everything to catch anomalies.

  47. Ongoing Study

  48. Further Resources
    ONGOING STUDY
    ● Attend industry conferences to keep track of new advances
    ● Leverage security-focused blogs and websites like https://paragonie.com or https://securingphp.com to learn more
    ● Keep track of changes, conversations around security vulnerabilities, and new best-practice "cheat sheets" created by groups like OWASP
    ● Subscribe to php[architect] and pick up their Web Security bundle
    Pick up my book on Security Principles for PHP

  49. Questions?

  50. Thank You!
    [email protected] | 503.925.6266