Evolution of PHP Security Cascadia PHP 2024

Today’s Plan … Introductions Environment Credentials Management Authentication Session Management Data - Validation / Sanitization Encryption Server Hardening Ongoing Study Questions? Lunch

Environment

I’ll be working through each module on the main screen. Feel free to follow along with your own computer, but coding is not required A COMPUTER IS NOT REQUIRED A modern PHP environment is required. I’ll be using newer features like strict typing and haven’t tested older versions FIRST: I ASSUME YOU HAVE PHP 8.3 To avoid the complexity of a MySQL or Postgres environment, the project leverages SQLite - You’ll need the PHP extension enabled SECOND: SQLITE IS A MUST You can follow along OUR WORKSHOP ENVIRONMENT Clone the project repository locally and code along with me as we work through it! git clone git@github.com:ericmann/notes-tutorial.git

Credentials Management

Environment Variables CREDENTIALS MANAGEMENT One way to manage server credentials is with a .env file. These files will keep credentials on the server in flat files that are easy to keep from being leaked to viewers. You can use multiple .env files to segregate environments - dev vs staging vs - production. Utilities like the PHP dotenv project automatically load your .env file into the system environment at runtime, making all of your credentials accessible to the application.

Environment Variables CREDENTIALS MANAGEMENT

Static Configuration File CREDENTIALS MANAGEMENT

Module 1 Credentials Management

Authentication

No content

No content

No content

No content

No content

YOUR TITLE HERE Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce elit ex, consequat et tincidunt non, pharetra non risus. Quisque ut leo pretium, eleifend lectus in, ultrices diam. Quisque ac congue urna, non finibus orci. Password Strength AUTHENTICATION

YOUR TITLE HERE Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce elit ex, consequat et tincidunt non, pharetra non risus. Quisque ut leo pretium, eleifend lectus in, ultrices diam. Quisque ac congue urna, non finibus orci. Password Strength AUTHENTICATION

Password Strength - BCrypt AUTHENTICATION $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;

Password Strength - Argon2I AUTHENTICATION $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;

Module 2 Authentication

Session Management

Dos and Do Nots SESSION MANAGEMENT Don’t trust the user to store sensitive information Don’t trust information provided by the user Don’t store sensitive information with an untrusted party Don’t use cookies to store sensitive data (If you are using cookies, use secure cookies - but only store IDs)

Module 3 Session Management

Data Validation / Sanitization

FILTER_VALIDATE_* FILTER_SANITIZE_*

Module 4 Data - Validation / Sanitization

Encryption

At-Rest Encryption ENCRYPTION 1 Protects data written out to disk 2 Transparent to the application layer 3 (Usually) Provided by hosted DB solutions 4 (Often) Required for regulatory compliance

Tom Cruise in "Mission: Impossible — Rogue Nation." YouTube/Paramount

Application-level Data Encryption By allowing the application to manage its own encryption keys, the crypto operations lift up into the application stack itself. The database engine can’t read or manage the data, neither can any other process in memory. Your data’s security then relies on the security of your application’s authentication and access control systems.

Application-level Data Encryption By allowing the application to manage its own encryption keys, the crypto operations lift up into the application stack itself. The database engine can’t read or manage the data, neither can any other process in memory. Your data’s security then relies on the security of your application’s authentication and access control systems.

Module 5 Encryption

Tom Cruise in "Mission: Impossible." Paramount

CipherSweet by Paragon Initiative Enterprsies: Fast, searchable field-level encryption for PHP projects

Server Hardening

Why it Matters ... Server Hardening We ship MVPs loaded with technical debt SHIP OR DIE Dependencies might leak vulnerabilities COMPONENTS FAIL You’re always under attack if your system’s online ADVERSARIES LEARN CommitStrip: Stack Overflow Patchwork

PHP - Lock Down Functionality [PHP] ;;;;;;;;;;;;;;;;;;; ; About php.ini ; ;;;;;;;;;;;;;;;;;;; ; PHP's initialization file, generally called php.ini, is responsible for ; configuring many of the aspects of PHP's behavior. ; PHP attempts to find and load this configuration from a number of locations. ; The following is a summary of its search order: ; 1. SAPI module specific location. ; 2. The PHPRC environment variable. (As of PHP 5.2.0) ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) ; 4. Current working directory (except CLI)

PHP - Lock Down Functionality ; open_basedir, if set, limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

PHP - Lock Down Functionality ; open_basedir, if set, limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir open_basedir = /var/www ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

PHP - Lock Down Functionality ; open_basedir, if set, limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

PHP - Lock Down Functionality ; open_basedir, if set, limits all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes = splfileobject

PHP - Lock Down Functionality ; Maximum allowed size for uploaded files. ; http://php.net/upload-max-filesize ;upload_max_filesize = ; Maximum number of files that can be uploaded via a single request ;max_file_uploads = ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen ;allow_url_fopen = ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include ;allow_url_include =

PHP - Lock Down Functionality ; Maximum allowed size for uploaded files. ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include allow_url_include = Off

PHP - Lock Down Functionality ; Maximum allowed size for uploaded files. ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include allow_url_include = Off

PHP Doesn’t Run in a Vacuum SERVER HARDENING Don’t display errors in production. Don’t leak server tokens. Define your system hostname. DISABLE DEBUGGING Disable directory traversal. Use proper TLS certificates. Return documented error codes. LOCK DOWN THE APP SERVER Use a cloud host if possible. Bind the server to the correct address for connections. Tighly scope permissions. PROPERLY CONFIGURE MySQL Close down unnecessary ports. Ensure only you have access to SSH. USE A FIREWALL Scan log files for illicit access and block malicious traffic entirely at the firewall. INSTALL fail2ban Leverage unattended upgrades to auto-install patches. Ensure you log everything to catch anomalies. KEEP SYSTEM PACKAGES UPDATED

Ongoing Study

Further Resources ONGOING STUDY ● Attend industry conferences to keep track of new advances ● Leverage security-focused blogs and websites like https://paragonie.com or https://securingphp.com to learn more ● Keep track of changes, conversations around security vulnerabilities, and new best practices “cheat sheets” created by groups like OWASP ● Subscribe to php[architect] and pick up their Web Security bundle Pick up my book on Security Principles for PHP

Thank you. Any Questions?