Build Security In Chris Cornutt - @enygma Sunshine PHP 2017.02 composer create-project enygma/sunphp17 app 

“Secure from the start” 

Security is not 100% Security is not an “add on” Security is not as hard as you think… 

Risk Not just a four letter word… 

Basic Concepts 

Threat Modeling Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. - searchsecurity.techtarget.com Sounds complicated, right? It’s not. 

Threat Modeling Entity People Other systems Remote sites Process Components Internal services Command line tools Data Flow Function calls Network traffic Data Store Database Files Registry Trust Boundary Where data changes hands 

Threat Modeling Web App Browser MySQL Database 

Threat Modeling Web App Browser MySQL Database 

Threat Modeling Web App Browser MySQL Database REST Interface Stripe API 

Least Privilege In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. - Wikipedia 

Least Privilege - Start at “nothing” and work up - Going from very open to closed is much harder - Makes audits so much easier 

Least Privilege Anonymous “User” HR group HR group admin Administrator Super Administrator 

Separation of Privilege In computer programming and computer security, privilege separation is a technique in which a program is divided into parts which are limited to the specific privileges they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security attack. - A generic “user” is okay, but don’t let them run amok - Different kinds of “users”? - Should the admin even be in the same application? 

Economy of Mechanism One factor in evaluating a system's security is its complexity. If the design, implementation, or security mechanisms are highly complex, then the likelihood of security vulnerabilities increases. Subtle problems in complex systems may be difficult to find, especially in copious amounts of code. For instance, analyzing the source code that is responsible for the normal execution of a functionality can be a difficult task, but checking for alternate behaviors in the remaining code that can achieve the same functionality can be even more difficult. One strategy for simplifying code is the use of choke points, where shared functionality reduces the amount of source code required for an operation. Simplifying design or code is not always easy, but developers should strive for implementing simpler systems when possible. - US-CERT (Computer Emergency Readiness Team) 

Economy of Mechanism One factor in evaluating a system's security is its complexity. If the design, implementation, or security mechanisms are highly complex, then the likelihood of security vulnerabilities increases. Subtle problems in complex systems may be difficult to find, especially in copious amounts of code. For instance, analyzing the source code that is responsible for the normal execution of a functionality can be a difficult task, but checking for alternate behaviors in the remaining code that can achieve the same functionality can be even more difficult. One strategy for simplifying code is the use of choke points, where shared functionality reduces the amount of source code required for an operation. Simplifying design or code is not always easy, but developers should strive for implementing simpler systems when possible. - US-CERT (Computer Emergency Readiness Team) 

Economy of Mechanism - Keep it Simple (Stupid) - Don’t Reinvent, Reuse - “What if”s are dangerous - Think MVSP (Minimum Viable Security Protection) 

Complete Mediation A software system that requires access checks to an object each time a subject requests access, especially for security-critical objects, decreases the chances of mistakenly giving elevated permissions to that subject. A system that checks the subject's permissions to an object only once can invite attackers to exploit that system. If the access control rights of a subject are decreased after the first time the rights are granted and the system does not check the next access to that object, then a permissions violation can occur. Caching permissions can increase the performance of a system, but at the cost of allowing secured objects to be accessed. - US-CERT (Computer Emergency Readiness Team) 

Complete Mediation A software system that requires access checks to an object each time a subject requests access, especially for security-critical objects, decreases the chances of mistakenly giving elevated permissions to that subject. A system that checks the subject's permissions to an object only once can invite attackers to exploit that system. If the access control rights of a subject are decreased after the first time the rights are granted and the system does not check the next access to that object, then a permissions violation can occur. Caching permissions can increase the performance of a system, but at the cost of allowing secured objects to be accessed. - US-CERT (Computer Emergency Readiness Team) 

Complete Mediation - Check every time, don’t assume - Security through obscurity - Think about the security of the data/functionality - Weigh performance against enforcement 

Least Common Mechanism - Endpoints shared between users - Protected according to access level - Does it show more for admins? - Split versus combined 

Psychological Acceptability Accessibility to resources should not be inhibited by security mechanisms. If security mechanisms hinder the usability or accessibility of resources, then users may opt to turn off those mechanisms. Where possible, security mechanisms should be transparent to the users of the system or at most introduce minimal obstruction. Security mechanisms should be user friendly to facilitate their use and understanding in a software application. - US-CERT (Computer Emergency Readiness Team) 

Psychological Acceptability Accessibility to resources should not be inhibited by security mechanisms. If security mechanisms hinder the usability or accessibility of resources, then users may opt to turn off those mechanisms. Where possible, security mechanisms should be transparent to the users of the system or at most introduce minimal obstruction. Security mechanisms should be user friendly to facilitate their use and understanding in a software application. - US-CERT (Computer Emergency Readiness Team) 

Psychological Acceptability - Transparent security - Usability vs Security (constant struggle) - Example: 2FA - Example: Reauthentication - Secure defaults, then disable 

Who’s ready for a break? 

composer create-project enygma/sunphp17 ./setup 

No content

Authentication 

Authentication Proof of Identity 

Authorization 

Authorization Proof of Access 

Secure State 

Secure State Safe Storage 

Secure State Prevention and Protection 

Input Validation 

Input Validation Proof of Validity 

Output Escaping 

The Aftermath 

Thanks! Chris Cornutt @enygma https://websec.io https://securingphp.com https://joind.in/talk/8cf8b