Slide 1

Writing Secure PHP Applications Chris Cornutt Confoo 2013 @enygma Wednesday, February 27, 2013

Slide 2

Secure development is broken. Let’s fix that...

Slide 3

SQL injection is ten years old. XSS is eleven years old. Why are they still a problem?

Slide 4

Confidentiality Integrity Availability

Slide 8

We need to fix [insert exploit name here]

Slide 9

WRONG

Slide 10

Build security in from the start

Slide 11

Security Standards

Slide 12

Security Standards Security Testing

Slide 13

Security Standards Security Testing Threat Modeling

Slide 14

Security Standards Security Testing Threat Modeling Secure Architecture

Slide 15

Security 101

Slide 16

Defense in Depth

Slide 17

Reduce Attack Surface

Slide 18

Effective Auditing & Logging

Slide 19

Simple > Complex

Slide 20

Obscurity !== Security

Slide 21

And now, the specifics...

Slide 22

Input validation

<?php
/* Reconstructed: the opening of this snippet (from the <?php tag up to the
   first "->") was lost in extraction; a Respect\Validation chain is assumed */
use Respect\Validation\Validator as v;

$validator = v::alnum()->noWhitespace()->length(1, 15);
var_dump($validator->validate('thisisatest')); // true
?>

https://github.com/Respect/Validation

Slide 23

Return fast
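The two slides above (validate input against an allow-list, and return as soon as a check fails) in plain PHP, as an added example that is not code from the talk. It uses no library; the field names, the 1-15 character limit for usernames and the 254-character limit for e-mail addresses are assumptions for the example.

```php
<?php
declare(strict_types=1);

/*
 * Added example: allow-list validation of a signup form, returning on the
 * first failure. Field names and limits are assumptions for the example.
 */

/** Returns an error string, or null when the username is acceptable. */
function validateUsername($value): ?string
{
    // Reject anything that is not a string outright (arrays from ?user[]=x, null, ...)
    if (!is_string($value)) {
        return 'username must be a string';
    }
    // Cheap length check first; it also bounds the work the regex does
    $len = strlen($value);
    if ($len < 1 || $len > 15) {
        return 'username must be 1-15 characters';
    }
    // Allow-list: ASCII letters and digits only, so no whitespace can slip in.
    // \A and \z anchor the whole string ($ alone would accept a trailing newline).
    if (!preg_match('/\A[A-Za-z0-9]+\z/', $value)) {
        return 'username may contain only letters and digits';
    }
    return null;
}

/** Returns an error string, or null when the address is acceptable. */
function validateEmail($value): ?string
{
    if (!is_string($value) || strlen($value) > 254) {
        return 'email must be a string of at most 254 characters';
    }
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return 'email is not a valid address';
    }
    return null;
}

/**
 * Validate a whole request. Returns [] when every field passed, otherwise
 * [field => message] for the first failure so the caller can stop at once.
 */
function validateSignup(array $input): array
{
    $checks = [
        'username' => 'validateUsername',
        'email'    => 'validateEmail',
    ];
    foreach ($checks as $field => $fn) {
        // A missing field is passed as null and fails: absence is never "valid"
        $error = $fn($input[$field] ?? null);
        if ($error !== null) {
            return [$field => $error];   // return fast: first failure wins
        }
    }
    return [];
}

// Constructed sample inputs: one clean request, one with whitespace in the
// username, one where the username arrived as an array
var_dump(validateSignup(['username' => 'thisisatest', 'email' => 'a@example.com']));
var_dump(validateSignup(['username' => 'this is a test', 'email' => 'a@example.com']));
var_dump(validateSignup(['username' => ['x'], 'email' => 'nope']));
```

The type check comes before everything else because PHP will happily hand a validator an array for a field the form declared as a scalar; the regex and length checks are written so that an unexpected type never reaches them.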

Slide 24

Password hashing

<?php
/* PHP 5.5+ (the start of this line was lost in extraction; the call is
   assumed to be password_hash() with a cost of 12) */
$hash = password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]);

/* Prior to PHP 5.5+ */
$lib = new \PasswordLib\PasswordLib();
$hash = $lib->createPasswordHash($input);

\phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT;
$hash = \phpSec\Crypt\Hash::create($input);

$bcrypt = new \Zend\Crypt\Password\Bcrypt();
$hash = $bcrypt->create($input);
?>

https://github.com/ircmaxell/password_compat

Slide 25

Encrypted sessions https://github.com/enygma/shieldframework/blob/master/Shield/Session.php

Slide 26

Least privilege

<?php
/* "Fail closed" for permission handling (the function header and the start of
   the if-statement were lost in extraction; the name checkPermission is assumed) */
function checkPermission($user, $resource) {
    if (!$user->allowed($resource)) { return false; }
    /* Other permission checking here */
}

/* "Fail least" for user handling */
function checkAccess($user, $resource) {
    if ($user == null) { return false; }
    if ($resource == null) { return false; }
    /* Other permission checking here */
}
?>

Slide 27

Fail securely

<?php
/* Reconstructed: the slide's code before "getMessage();" was lost in extraction;
   a set_exception_handler() callback that logs the message is assumed */
set_exception_handler(function ($e) {
    error_log($e->getMessage());
});
?>

Slide 28

Planning for the Future

Slide 29

Developer Training

Slide 30

Code Evaluation

Slide 31

Secure Coding Standard

Slide 32

Fixing secure development takes more than just knowing the problems.

Slide 33

Thanks! @enygma http://websec.io https://joind.in/7911