This presentation was by Hans Zaunere, Managing Member, and it is entitled “PHundamental Security – Ecosystem Review, Coding Secure with PHP, and Best Practices”.\u00a0 Take a look at http:\/\/www.nyphp.org\/phundamentals\/ for the ongoing guide and best practices.\u00a0 Guru Stefan Esser recently presented an excellent talk at Zendcon.<\/p>\n
Security fundamentals are common across the board.\u00a0 Different environments have different requirements (desktop apps different from web\/internet apps).\u00a0 Web\/internet have a huge number of touch points.\u00a0 PHP isn’t responsible for all of them, but the developer is.\u00a0 Different languages handle in different ways.\u00a0 PHP is no different except “More internet applications speak PHP than any other”.\u00a0 PHP gets a bad rap.\u00a0 Low point of entry and great flexibility.\u00a0 There’s been some mistakes like weak default configuration, too forgiving for amateurs, the infamous magic_* of PHP, PHP Group argues what’s a security flaw.<\/p>\n
It’s easy to shoot yourself in the foot with C.\u00a0 In C++ it’s harder to shoot yourself in the foot, but when you do, you blow off your whole leg. – Bjarne Stroustrup, Inventor of C++<\/p><\/blockquote>\n
Three zones of responsibility.\u00a0 PHP is effectively a wrapper around libraries and data sources.\u00a0 Many external dependencies and touch points.<\/p>\n
\n
- Poorly written code by amateur developers with no programming background.\u00a0 Primary cause for the security ecosystem around PHP.\u00a0 Laziness – letting PHP do it’s magic_*.\u00a0 “Program smart”<\/li>\n
- Extensions and external libraries.\u00a0 PHP’s greatest asset.\u00a0 Sometimes library binding is faulty.\u00a0 Sometimes the external library has faults, or behaves in an unforeseen way when in a web environment – possible in any environment.\u00a0 Know what extensions you’re using, use the minimal number of extensions, and be aware of the environment they were originally designed for.\u00a0 “Know thy extensions”<\/li>\n
- PHP Core – “PHP”.\u00a0 Secunia says 19 advisories for PHP between 2003-2008.\u00a0 Java had 38+ and Ruby 11+.\u00a0 “The list goes on – PHP is not alone”.\u00a0 One advisory in 2008.\u00a0 “More internet applications speak PHP than any other”<\/li>\n<\/ol>\n
Best Practices<\/strong><\/span><\/p>\n
\n
- Best practices are common to any well run enterprise environment.\u00a0 PHP is growing into this environment very quickly.<\/li>\n
- Web security is largely about your data and less about exploits in the underlying platform.\u00a0 Buffer overflows aren’t so much the hot-topic.<\/li>\n
- Installation – Avoid prepackaged installs, including RPMs, .deb, etc.\u00a0 If you use them, review their default deployment.\u00a0 Installation touch points also typically include MySQL\/Apache.<\/li>\n
- Configuration – Use php.ini-recommended.\u00a0 Better yet, take the time to know what you’re doing and tune configuration files yourself.<\/li>\n
- Don’t make PHP guess what you mean.\u00a0 Be explicit with variables and types.\u00a0 Don’t abuse scope – know where your variables come from.\u00a0 Avoid magic_* and implicitness – BE EXPLICIT.<\/li>\n
- Keep code small, organized, and maintainable.\u00a0 Use OOP techniques to enforce code execution paths.\u00a0 Use includes to keep things organized.<\/li>\n
- Don’t use super-globals directly – wrap for protection.<\/li>\n<\/ul>\n
Be aggressive – B.E. aggressive<\/p><\/blockquote>\n
\n
- It’s always about data<\/li>\n
- One of PHP’s greatest strengths – loosely typed.\u00a0 Also it’s biggest weakness.\u00a0 Don’t make PHP guess what you mean.<\/li>\n
- Cast variables, know their type and the data you expect.\u00a0 Let PHP do it’s magic only when you want it to – not by chance.<\/li>\n
- Keep tabs on your data’s path, lifecycle and type.\u00a0 Know where it’s come from, what it’s doing, and where it’s going.\u00a0 Filter\/escape\/cast and throw exceptions every step of the way.<\/li>\n
- Input validation, output validation, CASTING.<\/li>\n
- Don’t be lazy, be explicit, use OOP.<\/li>\n<\/ul>\n
Casting isn’t just for movie producers<\/p><\/blockquote>\n
\n
- No system has a single security pressure point<\/li>\n
- Don’t take the easy way out just because you can<\/li>\n
- Put PHP in the same well managed enterprise environment as other technologies<\/li>\n
- PHP\/AMP respond very well to TLC<\/li>\n<\/ul>\n
Conclusions<\/strong><\/span><\/p>\n
PHP is just part of the ecosystem and there is awareness and experience on the PHP side.\u00a0 The ying\/yang of PHP’s history overshadows reality.\u00a0 Stand by PHP and it’ll stand by you.\u00a0 Web\/internet applications are deep and complex.\u00a0 Users, interoperability, data, architecture, support, compliance.\u00a0 Phishing, hijacking, spam, sopcial engineering – BROWSERS!<\/p>\n
PHP is the least of your worries<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
This presentation was by Hans Zaunere, Managing Member, and it is entitled “PHundamental Security – Ecosystem Review, Coding Secure with PHP, and Best Practices”.\u00a0 Take a look at http:\/\/www.nyphp.org\/phundamentals\/ for the ongoing guide and best practices.\u00a0 Guru Stefan Esser recently presented an excellent talk at Zendcon. Security fundamentals are common across the board.\u00a0 Different environments […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[76,128,91,154,12,161,90,622],"class_list":["post-106","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-application","tag-appsec","tag-code","tag-coding","tag-owasp","tag-php","tag-secure","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1I","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=106"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/106\/revisions"}],"predecessor-version":[{"id":107,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/106\/revisions\/107"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}