Denis Brumann // PHPers Summit 2024 // 2024-06-21 ISO-27001, EU-CRA and beyond Secure Development with PHP 1

Who am I • Denis Brumann • Solutions Architect @ Next Kraftwerke • [email protected] 2

Agenda 1. Common & proposed security standards 2. DevSecOps lifecycle 3. Overview of common security measures along the lifecycle: Build & Deployment, Implementation, Information Gathering, Testing 4. Summary What will I talk about? 3

Important Notes • We will not cover the full standards, focusing on technical controls for development. I will go into cherry-picked topics, which I find relevant for (PHP) devs • The procedures described in this talk are not enough to become certified. They are meant to show that the PHP ecosystem provides many helpful tools & libraries to establish a secure development cycle. • I am not a subject matter expert. Please verify the code snippets, check the sources and use your own brain • Feel free to ask questions during the talk. 4

ISO-27001 Requirements 5

1. User endpoint devices 2. Privileged access rights 3. Information access restriction 4. Access to source code 5. Secure authentication 6. Capacity management 7. Protection against malware 8. Management of technical vulnerabilities 9. Configuration management 10. Information deletion 11. Data masking 12. Data leakage prevention 13. Information backup 14. Redundancy of information processing facilities 15. Logging 16. Monitoring activities Technical Controls 17. Clock synchronization 18. Use of privileged utility programs 19. Installation of software on operational systems 20. Network security 21. Security of network services 22. Segregation of networks 23. Web filtering 24. Use of cryptography 25. Secure development lifecycle 26. Application security requirements 27. Secure system architecture & engineering principles 28. Secure coding 29. Security, testing in development & acceptance 30.Outsourced development 31. Separation of dev, test & prod ends 32. Change management 33. Test information 34. Protection of information systems during audit testing 6

ISO-27002 Controls 7

BSI “IT-Grundschutz” 8

EU-CRA Cyber Resilience Act 9

EU-CRA Cyber Resilience Act 9

EU NIS2 Security requirements for essential or important organizations 10

Do any of these apply to you? 11

OWASP 12

Maturity Model DevSecOps 5 Dimensions with 5 maturity levels: 1. Build & Deployment 2. Culture & Organization 3. Implementation 4. Information Gathering 5. Test & Verification See: https://dsomm.owasp.org/ 13

ISO 27001 EU CRA OWASP Cheatsheet BSI Grundschutz A.8.8 Management of technical vulnerabilities A.8.25 Secure development lifecycle A1.2.1 identify and document vulnerabilities and components contained in the product A1.2.2 …address and remediate vulnerabilities without delay Supply Chain Security Vulnerable Dependency Management CI/CD Security PHP Configuration OPS.1.1.3: Patch- & Änderungsmanagement CON.8: Software-Entwicklung Build & Deployment 14

Supply Chain • Source code threats Access control, logging & monitoring, security automation • Build environment threats Build cache poisoning, building untrusted code • Dependency related threats • Deployment & runtime threats 15

Dependencies • Assess suppliers • Monitor dependencies • SAST (Static analysis) → (Private) Packagist → roave/security-advisories → phpstan, psalm, … 16

Software Bill of Materials 17

18

18

18

19

20

20

21

22

ISO 27001 EU CRA OWASP Cheat Sheet BSI Grundschutz A.8.24 Use of cryptography A.8.26 Application security requirements A.8.27 Secure system architecture & engineering principles A1.1.3c protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, … A1.1.3d protect the integrity of stored, transmitted or otherwise processed data, personal or other, … Transport Layer Security Cryptographic Storage Injection Prevention Input Validation CON.8: Software-Entwicklung APP.7: Entwicklung von Individualsoftware Implementation 23

Encryption • Only support strong protocols “General purpose web applications should default to TLS 1.3 (support TLS 1.2 if necessary) with all other protocols disabled.” • Only support string ciphers • Use strong parameters • Tip: https://ssl-config.mozilla.org/ 24

25

25

TLSv1 & TLSv1.1! 25

26

Cryptography • Where to perform encryption • Algorithms • Key Management & Storage 27

28

28

28

28

SQL Injection • Use of prepared statements • Out of the box with Doctrine/ Eloquent • BUT beware when “bypassing” and doing SQL directly • Read the fine print 29

30

30

31

Input Validation • Frameworks offer safeguards and tools to make your life easier • Static code analysis can help here too 32

ISO 27001 EU CRA OWASP Cheat Sheet BSI Grundschutz A.8.2 Privileged Access Rights A.8.3 Information access restrictions A.8.5 Secure authentication A1.1.3b ensure protection from unauthorised access by appropriate control mechanisms, … Password Storage Authentication Authorization Session Management ORP.4: Identitäts- und Berechtigungsmanagement Identity & Access Management 33

Passwords Argon2id > scrypt > bcrypt Also look at the configuration: • Memory cost parameter • Work factor • Iterations Hashing 34

35

Authorization Enforce least privilege Deny by default Validate permissions on every request ReBAC | ABAC > RBAC Ensure lookup IDs are not accessible see: CWE-639 … Implement appropriate logging Create unit & integrations tests Recommendations 36

37

38 Last route is fallback: Deny all here Role based access control

39 Grant access based on an attribute e.g. a post is public or user is the author of the post Attribute based access control

Sessions Secure-attribute prevents MitM HttpOnly prevents XSS SameSite against CSRF & Cookies 40

41

42

Headers CSP X-Frame-Options X-XSS-Protection HSTS Access-Control-Allow-Origin … 43

ISO 27001 EU CRA OWASP BSI Grundschutz A.8.15 Logging A.8.16 Monitoring activities A1.3j provide security related information by recording and/or monitoring relevant internal activity, … Logging Logging Vocabulary OPS.1.1.5: Protokollierung OPS.1.1.1.A9 Durchführung von IT-Monitoring DER1.A6 Kontinuirliche Überwachung… Information Gathering Logging & Monitoring 44

Logging Attacks on logging infrastructure: • Attacker prevents writing or alters/ deletes logged data • Attacker floods logging to exceed capacity • Attacker reads logs to access sensitive data 45

46

46

46

46

Monitoring • Tip: OpenTelemetry standardises tracing across tech stacks and is well supported by most monitoring tools • PHP implementations have recently become stable 47

ISO 27001 EU CRA OWASP BSI Grundschutz A.8.28 Secure coding A.8.29 Security testing in development and acceptance A.8.31 Separation of development, test and production environments A.8.33 Test information A1.2.3 apply effective and regular tests and reviews CON.8: Software-Entwicklung OPS.1.1.6: Software-Tests und Freigaben Testing 48

Web Security Testing Guide WSTG Current Release: 4.2 GitHub main branch: 5.0-dev 49

Security Training Learning by doing 50

Summary 51

Thank You! 52

In order of first use References https://www.iso.org/standard/27001 https://www.iso.org/standard/75652.html https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/ Zuordnung_ISO_und_IT_Grundschutz_Edit_6.html?nn=128568 https://www.cyberresilienceact.eu/the-cyber-resilience-act-annex-eu/ https://owasp.org/www-project-top-ten/ https://owasp.org/www-project-devsecops-maturity-model/ https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security.html https://blog.packagist.com/composer-2-7-7/ https://www.naderman.de/slippy/slides/2024-04-23-PHPTEK-Composer-Guide-To-Supply-Chain-Security.pdf 53

Continued References 54 https://docs.github.com/en/code-security/dependabot/working-with-dependabot https://docs.renovatebot.com/ https://phpstan.org https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html https://nginx.org/en/docs/http/configuring_https_servers.html https://ssl-config.mozilla.org/ https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html https://symfony.com/doc/current/configuration/secrets.html#generate-cryptographic-keys https://symfony.com/doc/current/cache.html#encrypting-the-cache https://symfony.com/doc/current/session.html#encryption-of-session-data https://symfony.com/doc/current/mailer.html#signing-and-encrypting-messages

Continued References https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html https://laravel.com/docs/11.x/queries https://www.doctrine-project.org/projects/doctrine-dbal/en/4.0/reference/data-retrieval-and-manipulation.html https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html https://symfony.com/doc/current/security/passwords.html#passwordhasher-supported-algorithms https://laravel.com/docs/10.x/hashing#configuration https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html https://cwe.mitre.org/data/definitions/639.html https://laravel.com/docs/11.x/authorization https://symfony.com/doc/current/security.html#access-control-authorization 55

Continued References https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html https://symfony.com/doc/current/session.html#configuration https://symfony.com/doc/current/reference/configuration/framework.html#cookie-samesite https://github.com/symfony/recipes/blob/main/symfony/monolog-bundle/3.7/config/packages/monolog.yaml https://github.com/Seldaek/monolog/blob/main/doc/02-handlers-formatters-processors.md https://opentelemetry.io/docs/languages/php/ https://sentry.io/for/opentelemetry/ https://tideways.com/ https://github.com/OWASP/wstg/tree/master/document https://github.com/juice-shop/juice-shop https://leanpub.com/juice-shop 56