Slide 1

Writing Secure PHP Applications
Chris Cornutt, SFPHP 2013, @enygma
Wednesday, August 21, 2013

Slide 2

Hi, I’m Chris
Mashery Development Manager, Dallas
Security Advocate
PHPDeveloper.org
@enygma
...and other stuff

Slide 3

Secure development is broken. Let’s fix that...

Slide 4

SQL injection is ten years old. XSS is eleven years old. Why are they still a problem?

Slide 6

WhiteHatSec Report
OWASP Top 10
SANS 25

Slide 7

We need to fix [insert exploit name here]

Slide 8

WRONG

Slide 9

Build security in from the start

Slide 10

Make it work vs. make it secure

Slide 11

Make it work securely

Slide 12

How could this break?

Slide 13

A Good Approach is...

Slide 14

Security Standards

Slide 15

Security Standards
Security Testing

Slide 16

Security Standards
Security Testing
Threat Modeling

Slide 17

Security Standards
Security Testing
Threat Modeling
Secure Architecture

Slide 18

Reduce Attack Surface

Slide 19

Effective Auditing & Logging

Slide 20

Simple > Complex

Slide 21

Obscurity !== Security

Slide 22

Defense in Depth

Slide 23

And now, the specifics...

Slide 24

Input validation

    <?php
    use Respect\Validation\Validator as v;

    // Alphanumeric only, no whitespace, between 1 and 15 characters
    $validator = v::alnum()->noWhitespace()->length(1, 15);
    var_dump($validator->validate('thisisatest')); // true
    ?>

https://github.com/Respect/Validation

Slide 25

Output escaping

    <?php
    /* Native functions */
    // Always pass the charset explicitly: a missing or ambiguous charset is what
    // lets UTF-7 encoded payloads through the escaper
    echo htmlspecialchars('...', ENT_QUOTES, 'UTF-8');
    var_dump(filter_var('invalid.email.com', FILTER_VALIDATE_EMAIL)); // false

    /* Using 3rd party */
    use Zend\Escaper\Escaper;
    // $twig is assumed to be a configured Twig environment
    $twig->render('...'); // escapes by default, but...
    ?>

Don’t forget the context... especially if there’s multiple!
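An added example (not code from the slides) of the "multiple contexts" point: the same untrusted value is escaped differently for an HTML body, a URL parameter inside an attribute, and a JavaScript string literal. Only native PHP functions are used; the function names are this example's own.

```php
<?php
// Added example: one untrusted value, three output contexts, three escapers.
declare(strict_types=1);

function escapeHtml(string $s): string
{
    // HTML body and quoted attribute values: entity-encode with an explicit charset
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escapeJs(string $s): string
{
    // JavaScript string literal inside <script>: JSON-encode and hex-escape <, >, &, quotes
    // so a "</script>" inside the data cannot terminate the script block early
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function escapeUrlParam(string $s): string
{
    // Value placed in a query string: RFC 3986 percent-encoding
    return rawurlencode($s);
}

function renderProfile(string $name): string
{
    // The URL parameter is layered: URL-encoded first, then HTML-escaped because the
    // resulting URL itself sits inside an HTML attribute.
    return '<p>Hello ' . escapeHtml($name) . '</p>' . "\n"
         . '<a href="/search?q=' . escapeHtml(escapeUrlParam($name)) . '">search</a>' . "\n"
         . '<script>var user = ' . escapeJs($name) . ';</script>';
}

// Constructed untrusted input carrying the dangerous characters of all three contexts
$name = '</script><img src=x onerror=alert(1)>&"\'';
echo renderProfile($name), "\n";
```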

Slide 26

Content Security Policy?

Slide 27

Use HTTPS
No excuses, just do it

Slide 28

But what about BREACH? It’s all about guessing...

Slide 29

Uses HTTP-level compression
Reflect user input in body
Reflect a secret (CSRF)
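An added example (not from the slides) going one step beyond the three conditions above: BREACH recovers a secret by watching how the compressed body length changes as guessed bytes are reflected next to it, which only works while the same secret bytes appear in every response. Masking the CSRF token with a fresh random pad on every response removes that repetition; the server still recovers and checks the real token. Function names are this example's own.

```php
<?php
// Added example: per-response masking of a CSRF token as a BREACH mitigation.
declare(strict_types=1);

function maskToken(string $token): string
{
    // New one-time pad per response; pad and XOR result are sent together
    $pad = random_bytes(strlen($token));
    return base64_encode($pad . ($token ^ $pad));
}

function unmaskToken(string $masked): ?string
{
    $raw = base64_decode($masked, true);
    if ($raw === false || $raw === '' || strlen($raw) % 2 !== 0) {
        return null;                        // malformed submission
    }
    $half = intdiv(strlen($raw), 2);
    $pad = substr($raw, 0, $half);
    return substr($raw, $half) ^ $pad;      // undo the XOR with the shipped pad
}

function csrfTokenIsValid(string $submitted, string $sessionToken): bool
{
    $token = unmaskToken($submitted);
    // Constant-time comparison so the check itself leaks no timing information
    return $token !== null && hash_equals($sessionToken, $token);
}

// Constructed session token (in real code: random_bytes() kept in the session)
$sessionToken = random_bytes(32);

// Same secret, two different response bodies: nothing constant for the oracle to match
$first  = maskToken($sessionToken);
$second = maskToken($sessionToken);
var_dump($first !== $second);
var_dump(csrfTokenIsValid($first, $sessionToken));
var_dump(csrfTokenIsValid($second, $sessionToken));
var_dump(csrfTokenIsValid(base64_encode('junk'), $sessionToken));
```

Masking only covers the secret; the other two conditions (compression and reflected input) are handled separately, for instance by not compressing responses that echo user input.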

Slide 30

Return fast

Slide 31

Password hashing

    <?php
    /* PHP 5.5+ (password_compat backports this to older versions) */
    $hash = password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]);

    /* Prior to PHP 5.5 */
    $lib = new \PasswordLib\PasswordLib();
    $hash = $lib->createPasswordHash($input);

    \phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT;
    $hash = \phpSec\Crypt\Hash::create($input);

    $bcrypt = new \Zend\Crypt\Password\Bcrypt();
    $hash = $bcrypt->create($input);
    ?>

https://github.com/ircmaxell/password_compat
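An added example (not from the slides) showing the login side of the native API: password_verify() checks a submitted password against the stored hash, and password_needs_rehash() upgrades hashes made with an older cost on the spot, while the plaintext is available. The loginCheck() function and the callback shape are this example's own.

```php
<?php
// Added example: verify on login and transparently upgrade weaker hashes.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTS = ['cost' => 12];

function loginCheck(string $submitted, string $storedHash, callable $saveHash): bool
{
    if (!password_verify($submitted, $storedHash)) {
        return false;                                   // same answer for any failure
    }
    // Hash made with an older cost/algorithm: rehash now, the plaintext is only here
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTS)) {
        $saveHash(password_hash($submitted, HASH_ALGO, HASH_OPTS));
    }
    return true;
}

// Constructed: a legacy hash at cost 10 that should become cost 12 on the next login
$legacy  = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$updated = null;

var_dump(loginCheck('correct horse', $legacy, function (string $h) use (&$updated) {
    $updated = $h;                                      // stand-in for a DB update
}));
var_dump($updated !== null && password_get_info($updated)['options']['cost'] === 12);
var_dump(loginCheck('wrong password', $legacy, fn (string $h) => null));
```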

Slide 32

Encrypted sessions
https://github.com/enygma/shieldframework/blob/master/Shield/Session.php
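An added example, not the Shield framework's Session.php: a SessionHandlerInterface implementation that encrypts the serialized session data with AES-256-GCM before it reaches storage, binding the session id as associated data. Storage is an in-memory array so it runs stand-alone; the key would come from configuration, never from the session itself. Requires PHP 8 and the openssl extension.

```php
<?php
// Added example: authenticated encryption of session data at the save-handler layer.
declare(strict_types=1);

final class EncryptedSessionHandler implements SessionHandlerInterface
{
    private const CIPHER = 'aes-256-gcm';
    private array $store = [];                          // constructed stand-in for files/Redis

    public function __construct(private string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be 32 bytes');
        }
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    public function write(string $id, string $data): bool
    {
        $iv  = random_bytes(12);                        // fresh nonce for every write
        $tag = '';
        $ct  = openssl_encrypt($data, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        if ($ct === false) {
            return false;
        }
        $this->store[$id] = $iv . $tag . $ct;           // session id bound as AAD above
        return true;
    }

    public function read(string $id): string|false
    {
        $blob = $this->store[$id] ?? null;
        if ($blob === null || strlen($blob) < 28) {
            return '';                                  // unknown or truncated: empty session
        }
        $iv  = substr($blob, 0, 12);
        $tag = substr($blob, 12, 16);
        $ct  = substr($blob, 28);
        $plain = openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        return $plain === false ? '' : $plain;          // tampered or wrong key: fail closed
    }
}

$handler = new EncryptedSessionHandler(random_bytes(32));
$handler->write('sess1', 'user_id|i:42;');             // constructed serialized session
var_dump($handler->read('sess1'));
var_dump($handler->read('sess2'));
```

To use it for real sessions, register it with session_set_save_handler($handler, true) before session_start().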

Slide 33

Least privilege

    <?php
    /* Deny by default: access is granted only when the policy says so */
    /* (named differently here so both functions can live in one file) */
    function checkAccessPolicy($user, $resource) {
        if (!$user->allowed($resource)) {
            return false;
        }
        /* Other permission checking here */
        return true;
    }

    /* “Fail least” for user handling: a missing user or resource never grants access */
    function checkAccess($user, $resource) {
        if ($user == null) {
            return false;
        }
        if ($resource == null) {
            return false;
        }
        /* Other permission checking here */
        return true;
    }
    ?>

Slide 34

Fail securely

    <?php
    /* Log the details, never show them to the user (the enclosing
       set_exception_handler() call is assumed; only the handler body survived) */
    set_exception_handler(function ($e) {
        error_log($e->getMessage());
    });
    ?>

Slide 35

And others...
Authentication & Authorization
Secure storage
Secure resource access

Slide 36

Planning for the Future

Slide 37

Developer Training

Slide 38

Code Evaluation

Slide 39

Secure Coding Standard

Slide 40

Secure Coding Standard
Handling auth*
Filtering practices/tools
Proper configurations
Trust boundaries
Customer data handling

Slide 41

Secure Code Reviews

Slide 42

Secure Code Reviews
Set objectives & limit
Use questions related to your app
Review incrementally
Review for security only
Reflect common issues in coding standards

Slide 44

The Evolution To...
Policies & Processes
Testing
Environments
Development
Architecture

Slide 45

Reduce Risk
Exploitability + Prevalence + Detectability + Impact

Slide 46

Fixing secure development takes more than just knowing the problems.

Slide 47

Thanks!
@enygma
@websecquickfix
http://websec.io
http://phpdeveloper.org
http://github.com/enygma

Slide 48

http://mashery.com/careers