Introduction
PHP is the PHP: Hypertext Preprocessor •
This is not YASIXSK – (Yet-Another-SQL-Injection-XSS-Script-Kid)
•Numerous other excellent cut-paste resources for these ubiquitous attacks
•Ubiquitous means they can happen in any language
The Security Ecosystem
• Security fundamentals are common across the board
• Different environments have different requirements – Desktop applications are different from web/internet applications
• Web/Internet apps have a huge number of touch points – PHP isn‟t responsible for all of them – in fact, not most – The Developer/Enterprise is – in ALL cases
• Different languages handle in different ways – .NET, Java, Python, PHP all have their idiosyncrasies
• PHP is no different… except… “More internet applications speak PHP than any other”
The PHP Ecosystem
• PHP gets a bad rap
– Low point of entry and great flexibility “Greatest strength and biggest weakness”
• And there‟ve been some mistakes
– Weak default configuration
– Variable ease of use and scope
– The infamous magic_* of PHP – PHP Group [rightfully] argues: “What‟s a security flaw?”
“It’s easy to shoot yourself in the foot with C. In C++ it’s harder to shoot yourself in the foot, but when you do, you blow off your whole leg.” Bjarne Stroustrup, Inventor of C++
Security Points-of-Entry
Three Zones of Responsibility
• PHP is effectively a wrapper around libraries and data sources
– Many external dependencies and touch points
• There are many zones of responsibility
– A language is not responsible for them – a developer/enterprise is – A language should not go out of its way to save the developer
• Frameworks/foundations can be used for this
- Developer
- – Poorly written code by amateurs
- – Primary cause for the security ecosystem around PHP
- – Easy to pick up for those with no programming background
- – Laziness – letting PHP do its magic_*
- – Doing things quick-n-dirty
- – Too forgiving • Resolutions:
- – Consider using code audit tools and professional services – Implement processes and proper project management “Program Smart”
2. Extensions and external libraries
• PHP‟s greatest asset
• Sometimes library binding is faulty
– There could be better extension certification, and it‟s getting better
• Sometimes the external library has faults, or behaves in an unforeseen way when in a web environment
– possible in any environment
• Know what extensions you‟re using, use the minimal number of extensions, and be aware of the environment they were originally designed for. “Know Thy Extensions”
3. PHP Core
– “PHP”
• This is PHP
• Secunia: PHP: ~20 advisories between „03-‟09 Java: 48+ between „03-‟09 Ruby: 12+ between „03-‟09 “The List Goes On – PHP is Not Alone”
• Often safe_* and magic_* related – Functions designed to protect developers from ignoring best practices.
– Or deal with shared environment where incorrect security expectations are prevalent. “More internet applications speak PHP than any other”
Best Practices
• Best practices are common to any well run enterprise environment
– Yes, PHP has grown/is growing into this environment very quickly
• Web security is largely about your data and less about exploits in the underlying platform – Buffer overflows aren‟t so much the hot topic – … and those who know, don‟t talk
• Installation
– Avoid prepackaged installs, including RPMs, .deb, etc.
– If you use them, review their default deployment
– Installation touch points also typically include Apache/MySQL • Configuration
– Use php.ini-recommended or php.ini-production – Better yet, take the time to know what you‟re doing and tune configuration files yourself, for your specific needs and remembering how your system is most vulnerable • Implement consistent deployment (virtualization, cloud)
• Consider certified stacks
Best Practices Be Fashionable
– Style and Design
• Don‟t make PHP guess what you mean
– Be explicit with variables and types
– Don‟t abuse scope
– know where your variables come from
– Avoid magic_* and implicitness
– BE EXPLICIT
• Keep code small, organized and maintainable
– Keep code/logic chunks small
– Use OOP techniques to enforce code execution paths – Use includes to keep things organized
• Don‟t use super-globals directly – wrap for protection “Be aggressive – B.E. aggressive”
•Know Your Data
– Love Your Data
• It‟s always about data
• One of PHP‟s greatest strengths
– loosely typed – … and you guessed it
– biggest weaknesses
– Don‟t make PHP guess what you mean
• Cast variables, know their types and the data you expect
– Let PHP do its magic only when you want it to – not by chance
– Majority “PHP security flaws” could be avoided by casting to int 02/02/2010 14
• Keep tabs on your data‟s path, lifecycle and type – Know where it‟s come from, what it‟s doing, and where it‟s going – Filter/escape/cast and throw exceptions every step of the way • Input validation, output validation, CASTING • Don‟t be lazy – be explicit – use OOP “Casting isn’t just for movie producers”
“It‟s the System, Stupid” Networks, Systems, and Databases, Oh My • No system has a single security weakness • Put PHP in the same well managed enterprise environment as other technologies • Don‟t take the easy way out just because you can • PHP/AMP respond very well to TLC
Conclusions Goal: PHP is Just One of the Boys
• PHP is just part of the ecosystem
• … and there is awareness and experience on the PHP side
• The yin/yang of PHP‟s history overshadows reality
• Stand by PHP and it‟ll stand by you
• Program it – don‟t hack it “With great power comes great responsibility.” Spiderman’s Uncle
• Web/Internet applications are deep and complex – Users, interoperability, data, architecture, support, compliance – PHising, hijacking, spam, social engineering – BROWSERS! “PHP is the least of your worries”
0 Comments