Slide 1

Secure Development with PHP
ISO-27001, EU-CRA and beyond
Denis Brumann // PHPers Summit 2024 // 2024-06-21

Slide 2

Who am I
• Denis Brumann
• Solutions Architect @ Next Kraftwerke
• [email protected]

Slide 3

Agenda: what will I talk about?
1. Common & proposed security standards
2. DevSecOps lifecycle
3. Overview of common security measures along the lifecycle: Build & Deployment, Implementation, Information Gathering, Testing
4. Summary

Slide 4

Important Notes
• We will not cover the full standards, focusing on technical controls for development. I will go into cherry-picked topics, which I find relevant for (PHP) devs.
• The procedures described in this talk are not enough to become certified. They are meant to show that the PHP ecosystem provides many helpful tools & libraries to establish a secure development cycle.
• I am not a subject matter expert. Please verify the code snippets, check the sources and use your own brain.
• Feel free to ask questions during the talk.

Slide 5

ISO-27001 Requirements

Slide 6

Technical Controls
1. User endpoint devices
2. Privileged access rights
3. Information access restriction
4. Access to source code
5. Secure authentication
6. Capacity management
7. Protection against malware
8. Management of technical vulnerabilities
9. Configuration management
10. Information deletion
11. Data masking
12. Data leakage prevention
13. Information backup
14. Redundancy of information processing facilities
15. Logging
16. Monitoring activities
17. Clock synchronization
18. Use of privileged utility programs
19. Installation of software on operational systems
20. Network security
21. Security of network services
22. Segregation of networks
23. Web filtering
24. Use of cryptography
25. Secure development lifecycle
26. Application security requirements
27. Secure system architecture & engineering principles
28. Secure coding
29. Security testing in development & acceptance
30. Outsourced development
31. Separation of dev, test & prod environments
32. Change management
33. Test information
34. Protection of information systems during audit testing

Slide 7

ISO-27002 Controls

Slide 8

BSI “IT-Grundschutz”

Slide 9

EU-CRA Cyber Resilience Act

Slide 10 (repeats the title of slide 9; no further text extracted)

Slide 11

EU NIS2: security requirements for essential or important organizations

Slide 12

Do any of these apply to you?

Slide 13

OWASP

Slide 14

OWASP DevSecOps Maturity Model
5 dimensions with 5 maturity levels each:
1. Build & Deployment
2. Culture & Organization
3. Implementation
4. Information Gathering
5. Test & Verification
See: https://dsomm.owasp.org/

Slide 15

Build & Deployment: mapping to the standards
ISO 27001:
• A.8.8 Management of technical vulnerabilities
• A.8.25 Secure development lifecycle
EU CRA:
• A1.2.1 identify and document vulnerabilities and components contained in the product
• A1.2.2 …address and remediate vulnerabilities without delay
OWASP Cheat Sheet:
• Supply Chain Security
• Vulnerable Dependency Management
• CI/CD Security
• PHP Configuration
BSI Grundschutz:
• OPS.1.1.3: Patch- & Änderungsmanagement (patch & change management)
• CON.8: Software-Entwicklung (software development)

Slide 16

Supply Chain
• Source code threats: access control, logging & monitoring, security automation
• Build environment threats: build cache poisoning, building untrusted code
• Dependency related threats
• Deployment & runtime threats

Slide 17

Dependencies
• Assess suppliers → (Private) Packagist
• Monitor dependencies → roave/security-advisories
• SAST (static analysis) → phpstan, psalm, …

Slide 18

Software Bill of Materials

Slides 19 to 26 (image-only slides; no text extracted)

Slide 27

Implementation: mapping to the standards
ISO 27001:
• A.8.24 Use of cryptography
• A.8.26 Application security requirements
• A.8.27 Secure system architecture & engineering principles
EU CRA:
• A1.1.3c protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, …
• A1.1.3d protect the integrity of stored, transmitted or otherwise processed data, personal or other, …
OWASP Cheat Sheet:
• Transport Layer Security
• Cryptographic Storage
• Injection Prevention
• Input Validation
BSI Grundschutz:
• CON.8: Software-Entwicklung (software development)
• APP.7: Entwicklung von Individualsoftware (development of custom software)

Slide 28

Encryption
• Only support strong protocols: “General purpose web applications should default to TLS 1.3 (support TLS 1.2 if necessary) with all other protocols disabled.”
• Only support strong ciphers
• Use strong parameters
• Tip: https://ssl-config.mozilla.org/

Slides 29 and 30 (image-only slides; no text extracted)

Slide 31

TLSv1 & TLSv1.1!

Slide 32 (image-only slide; no text extracted)

Slide 33

Cryptography
• Where to perform encryption
• Algorithms
• Key management & storage

Slides 34 to 37 (image-only slides; no text extracted)

Slide 38

SQL Injection
• Use of prepared statements
• Out of the box with Doctrine / Eloquent
• BUT beware when “bypassing” and doing SQL directly
• Read the fine print
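The two rules on this slide in working code, as an added example that is not from the talk: plain PDO (the layer under both Doctrine DBAL and Eloquent) against an in-memory SQLite table with constructed rows, showing a bound parameter beside the interpolated version and the allow-list needed for the one thing parameters cannot cover, identifiers.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk: prepared statements with plain PDO (the layer under
// Doctrine DBAL and Eloquent). Runs stand-alone against an in-memory SQLite table with
// constructed sample rows.

function openSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name, email) VALUES ('Alice', 'alice@example.test'), ('O''Brien', 'ob@example.test')");
    return $pdo;
}

// Unsafe: the input becomes part of the SQL text. An apostrophe already breaks the
// statement; a crafted value could change what the query does.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    return $pdo->query("SELECT id, email FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the input travels as a bound parameter and is never parsed as SQL.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The fine print: identifiers and keywords (column names, ORDER BY direction) cannot be
// bound, so user-chosen sorting must go through an allow-list, never string concatenation.
function listUsersSorted(PDO $pdo, string $column, string $direction): array
{
    $columns = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[$column] ?? throw new InvalidArgumentException("Unknown sort column: $column");
    $dir = $directions[strtolower($direction)] ?? throw new InvalidArgumentException("Unknown direction: $direction");
    return $pdo->query("SELECT id, name FROM users ORDER BY $col $dir")->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openSampleDb();
print_r(findByName($pdo, "O'Brien"));          // the prepared query handles the apostrophe
try {
    findByNameUnsafe($pdo, "O'Brien");         // the interpolated query is malformed
} catch (PDOException $e) {
    echo 'Unsafe query failed: ' . $e->getMessage() . "\n";
}
print_r(listUsersSorted($pdo, 'name', 'desc'));
```

With Doctrine DBAL the bound form is `$conn->executeQuery($sql, ['name' => $name])`, with Laravel `DB::select($sql, [$name])` or `->whereRaw('... ?', [$value])`; the allow-list rule for identifiers applies to both.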

Slides 39 to 41 (image-only slides; no text extracted)

Slide 42

Input Validation
• Frameworks offer safeguards and tools to make your life easier
• Static code analysis can help here too

Slide 43

Identity & Access Management: mapping to the standards
ISO 27001:
• A.8.2 Privileged access rights
• A.8.3 Information access restrictions
• A.8.5 Secure authentication
EU CRA:
• A1.1.3b ensure protection from unauthorised access by appropriate control mechanisms, …
OWASP Cheat Sheet:
• Password Storage
• Authentication
• Authorization
• Session Management
BSI Grundschutz:
• ORP.4: Identitäts- und Berechtigungsmanagement (identity and access management)

Slide 44

Passwords: Hashing
Argon2id > scrypt > bcrypt
Also look at the configuration:
• Memory cost parameter
• Work factor
• Iterations
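The preference order and the three configuration knobs from this slide in PHP's native password API, as an added example that is not from the talk; the cost values are this example's own choice and the re-hash-on-login step is the part that makes raising them later painless.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk: Argon2id hashing with explicit cost parameters,
// verification, and transparent re-hashing of entries stored with weaker settings.
// The cost values are this example's choice; tune them on the production hardware.

// Preference order from the slide: Argon2id first. PHP ships no built-in scrypt, so the
// fallback for a build without libargon2 is bcrypt with an explicit work factor.
function hashingConfig(): array
{
    if (defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, [
            'memory_cost' => 64 * 1024, // memory cost in KiB per hash (64 MiB)
            'time_cost'   => 3,         // iterations over that memory
            'threads'     => 1,         // parallelism
        ]];
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]]; // work factor: 2^12 rounds
}

function hashPassword(string $plain): string
{
    [$algo, $options] = hashingConfig();
    return password_hash($plain, $algo, $options);
}

// Returns null when the password is wrong; otherwise the hash to keep in storage,
// which is a fresh one whenever the stored hash used a weaker algorithm or parameters.
function verifyAndUpgrade(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        return null;
    }
    [$algo, $options] = hashingConfig();
    return password_needs_rehash($storedHash, $algo, $options)
        ? password_hash($plain, $algo, $options)
        : $storedHash;
}

// Demo with a constructed legacy entry: bcrypt at the deliberately weak cost 4.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
echo 'stored:      ' . password_get_info($legacy)['algoName'] . "\n";
$upgraded = verifyAndUpgrade('correct horse battery staple', $legacy);
echo 'after login: ' . password_get_info($upgraded)['algoName'] . "\n";
var_dump(verifyAndUpgrade('not the password', $legacy) === null);
```

Symfony's PasswordHasher and Laravel's Hash facade wrap the same functions and expose the same parameter names in their configuration (see the deck's references).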

Slide 45 (image-only slide; no text extracted)

Slide 46

Authorization: Recommendations
• Enforce least privilege
• Deny by default
• Validate permissions on every request
• ReBAC | ABAC > RBAC
• Ensure lookup IDs are not accessible (see CWE-639)
• …
• Implement appropriate logging
• Create unit & integration tests

Slide 47 (image-only slide; no text extracted)

Slide 48

Role based access control
Last route is fallback: deny all here

Slide 49

Attribute based access control
Grant access based on an attribute, e.g. a post is public or the user is the author of the post
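The attribute-based rule from this slide as a Symfony security voter, an added example that is not from the talk; it assumes a Symfony project with hypothetical `App\Entity\Post` (with `isPublic()` and `getAuthor()`) and `App\Entity\User` classes, and it keeps the deny-by-default stance of slides 46 and 48 by granting only on an explicit match.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk: a Symfony voter that grants access from attributes
// of the subject (post is public, or the user is its author). Post and User are
// hypothetical entity classes assumed for this example.

namespace App\Security;

use App\Entity\Post;
use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class PostVoter extends Voter
{
    public const VIEW = 'POST_VIEW';
    public const EDIT = 'POST_EDIT';

    // Only answer for our attributes on Post subjects; for anything else the voter abstains
    // and the access decision falls through to the other voters.
    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, [self::VIEW, self::EDIT], true) && $subject instanceof Post;
    }

    // Deny by default: every branch must return true explicitly to grant.
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        /** @var Post $post */
        $post = $subject;
        $isAuthor = $user instanceof User && $post->getAuthor() === $user;

        return match ($attribute) {
            self::VIEW => $post->isPublic() || $isAuthor,
            self::EDIT => $isAuthor,
            default => false,
        };
    }
}

// In a controller: $this->denyAccessUnlessGranted(PostVoter::EDIT, $post);
// The voter is registered automatically through autowiring. URL-level, role-based rules
// stay in the access_control section of security.yaml, whose last entry is the
// catch-all that denies everything not matched above it (slide 48).
```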

Slide 50

Sessions & Cookies
• Secure attribute: prevents MitM (cookie only sent over TLS)
• HttpOnly attribute: prevents XSS (cookie not readable from JavaScript)
• SameSite attribute: against CSRF
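The three cookie attributes from this slide applied to PHP's native session handling, as an added example that is not from the talk; function names, the `__Host-` cookie name and the idle-timeout value are this example's own, and the regeneration step covers the fixation risk the attributes alone do not.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk: starting a native PHP session with the cookie
// attributes from the slide plus strict mode, an idle timeout and ID regeneration on
// login. Function names and the timeout value are this example's own.

function startHardenedSession(int $idleTimeoutSeconds = 1800): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL

    session_set_cookie_params([
        'lifetime' => 0,     // session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,  // only over TLS, so a network MitM never sees it
        'httponly' => true,  // not readable from JavaScript, which limits what XSS can steal
        'samesite' => 'Lax', // not attached to cross-site POSTs: CSRF defence in depth
    ]);
    // __Host- prefix: the browser only accepts the cookie with Secure, Path=/ and no Domain.
    session_name('__Host-sid');
    session_start();

    // Idle timeout enforced server-side; the cookie lifetime alone is under client control.
    $now = time();
    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > $idleTimeoutSeconds) {
        session_unset();              // drop the expired state
        session_regenerate_id(true);  // and the old ID with it
    }
    $_SESSION['last_activity'] = $now;
}

// Call after every privilege change (login, role switch) so the pre-authentication ID
// is never carried over into the authenticated session.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true); // true: delete the old session data immediately
    $_SESSION['user_id'] = $userId;
}

startHardenedSession();
// ... authenticate the user, then:
// onLoginSuccess($authenticatedUserId);
```

Symfony's `framework.session` options and Laravel's `config/session.php` expose the same three attributes (the deck's references cover Symfony's `cookie_samesite`).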

Slides 51 and 52 (image-only slides; no text extracted)

Slide 53

Headers
• CSP
• X-Frame-Options
• X-XSS-Protection
• HSTS
• Access-Control-Allow-Origin
• …

Slide 54

Information Gathering (Logging & Monitoring): mapping to the standards
ISO 27001:
• A.8.15 Logging
• A.8.16 Monitoring activities
EU CRA:
• A1.3j provide security related information by recording and/or monitoring relevant internal activity, …
OWASP Cheat Sheet:
• Logging
• Logging Vocabulary
BSI Grundschutz:
• OPS.1.1.5: Protokollierung (logging)
• OPS.1.1.1.A9: Durchführung von IT-Monitoring (performing IT monitoring)
• DER1.A6: Kontinuierliche Überwachung… (continuous monitoring)

Slide 55

Logging
Attacks on logging infrastructure:
• Attacker prevents writing or alters / deletes logged data
• Attacker floods logging to exceed capacity
• Attacker reads logs to access sensitive data
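A mitigation for the third bullet (logs as a source of sensitive data) as an added example that is not from the talk: a Monolog 3 processor that redacts secret-looking fields before any handler writes them. It assumes a Composer install with Monolog 3; the class name and the key list are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk: a Monolog 3 processor that redacts secret-looking
// context/extra fields before any handler writes them, so someone who reads the logs
// does not also obtain credentials. Key list and class name are this example's own.

require __DIR__ . '/vendor/autoload.php';

use Monolog\Handler\StreamHandler;
use Monolog\Logger;
use Monolog\LogRecord;
use Monolog\Processor\ProcessorInterface;

final class RedactSecretsProcessor implements ProcessorInterface
{
    // Substrings that mark a key as sensitive; matched case-insensitively.
    private const SENSITIVE = ['password', 'passwd', 'secret', 'token', 'authorization', 'cookie', 'api_key'];

    public function __invoke(LogRecord $record): LogRecord
    {
        return $record->with(context: $this->mask($record->context), extra: $this->mask($record->extra));
    }

    // Walk nested arrays: replace values under sensitive keys, recurse into the rest.
    private function mask(array $data): array
    {
        foreach ($data as $key => $value) {
            if (is_string($key) && $this->isSensitive($key)) {
                $data[$key] = '[REDACTED]';
            } elseif (is_array($value)) {
                $data[$key] = $this->mask($value);
            }
        }
        return $data;
    }

    private function isSensitive(string $key): bool
    {
        $lower = strtolower($key);
        foreach (self::SENSITIVE as $needle) {
            if (str_contains($lower, $needle)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed usage: the password and the Authorization header never reach the handler.
$logger = new Logger('app');
$logger->pushHandler(new StreamHandler('php://stdout'));
$logger->pushProcessor(new RedactSecretsProcessor());
$logger->info('Login attempt', ['user' => 'alice', 'password' => 'hunter2', 'headers' => ['Authorization' => 'Bearer abc']]);
```

Logger-level processors run before every handler, so the redaction also covers handlers added later by framework configuration such as the monolog-bundle recipe in the references.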

Slides 56 to 59 (image-only slides; no text extracted)

Slide 60

Monitoring
• Tip: OpenTelemetry standardises tracing across tech stacks and is well supported by most monitoring tools
• PHP implementations have recently become stable

Slide 61

Testing: mapping to the standards
ISO 27001:
• A.8.28 Secure coding
• A.8.29 Security testing in development and acceptance
• A.8.31 Separation of development, test and production environments
• A.8.33 Test information
EU CRA:
• A1.2.3 apply effective and regular tests and reviews
BSI Grundschutz:
• CON.8: Software-Entwicklung (software development)
• OPS.1.1.6: Software-Tests und Freigaben (software tests and releases)

Slide 62

Web Security Testing Guide (WSTG)
Current release: 4.2
GitHub main branch: 5.0-dev

Slide 63

Security Training: learning by doing

Slide 64

Summary

Slide 65

Thank You!

Slides 66 to 69

References (in order of first use)
https://www.iso.org/standard/27001
https://www.iso.org/standard/75652.html
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/Zuordnung_ISO_und_IT_Grundschutz_Edit_6.html?nn=128568
https://www.cyberresilienceact.eu/the-cyber-resilience-act-annex-eu/
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-devsecops-maturity-model/
https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security.html
https://blog.packagist.com/composer-2-7-7/
https://www.naderman.de/slippy/slides/2024-04-23-PHPTEK-Composer-Guide-To-Supply-Chain-Security.pdf
https://docs.github.com/en/code-security/dependabot/working-with-dependabot
https://docs.renovatebot.com/
https://phpstan.org
https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
https://nginx.org/en/docs/http/configuring_https_servers.html
https://ssl-config.mozilla.org/
https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
https://symfony.com/doc/current/configuration/secrets.html#generate-cryptographic-keys
https://symfony.com/doc/current/cache.html#encrypting-the-cache
https://symfony.com/doc/current/session.html#encryption-of-session-data
https://symfony.com/doc/current/mailer.html#signing-and-encrypting-messages
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://laravel.com/docs/11.x/queries
https://www.doctrine-project.org/projects/doctrine-dbal/en/4.0/reference/data-retrieval-and-manipulation.html
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
https://symfony.com/doc/current/security/passwords.html#passwordhasher-supported-algorithms
https://laravel.com/docs/10.x/hashing#configuration
https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
https://cwe.mitre.org/data/definitions/639.html
https://laravel.com/docs/11.x/authorization
https://symfony.com/doc/current/security.html#access-control-authorization
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
https://symfony.com/doc/current/session.html#configuration
https://symfony.com/doc/current/reference/configuration/framework.html#cookie-samesite
https://github.com/symfony/recipes/blob/main/symfony/monolog-bundle/3.7/config/packages/monolog.yaml
https://github.com/Seldaek/monolog/blob/main/doc/02-handlers-formatters-processors.md
https://opentelemetry.io/docs/languages/php/
https://sentry.io/for/opentelemetry/
https://tideways.com/
https://github.com/OWASP/wstg/tree/master/document
https://github.com/juice-shop/juice-shop
https://leanpub.com/juice-shop