PHundamental Fundamental Security Environment

Published 2016-11-03 at https://www.virtono.com/community/knowledgebase/phundamental-fundamental-security-environment/

Introduction

PHP is the PHP: Hypertext Preprocessor (http://www.nyphp.org/phundamentals/)

This is not YASIXSK – (Yet-Another-SQL-Injection-XSS-Script-Kid)

• Numerous other excellent cut-and-paste resources exist for these ubiquitous attacks
• Ubiquitous means they can happen in any language

The Security Ecosystem

• Security fundamentals are common across the board
• Different environments have different requirements
  – Desktop applications are different from web/internet applications
• Web/Internet apps have a huge number of touch points
  – PHP isn't responsible for all of them – in fact, not most
  – The Developer/Enterprise is – in ALL cases
• Different languages handle things in different ways
  – .NET, Java, Python, PHP all have their idiosyncrasies
• PHP is no different... except... "More internet applications speak PHP than any other"

The PHP Ecosystem

• PHP gets a bad rap
  – Low point of entry and great flexibility: "Greatest strength and biggest weakness"
• And there've been some mistakes
  – Weak default configuration
  – Variable ease of use and scope
  – The infamous magic_* of PHP – PHP Group [rightfully] argues: "What's a security flaw?"

"It's easy to shoot yourself in the foot with C. In C++ it's harder to shoot yourself in the foot, but when you do, you blow off your whole leg." – Bjarne Stroustrup, Inventor of C++

Security Points-of-Entry

Three Zones of Responsibility

• PHP is effectively a wrapper around libraries and data sources
  – Many external dependencies and touch points
• There are many zones of responsibility
  – A language is not responsible for them – a developer/enterprise is
  – A language should not go out of its way to save the developer
• Frameworks/foundations can be used for this

1. Developer
  – Poorly written code by amateurs
  – Primary cause for the security ecosystem around PHP
  – Easy to pick up for those with no programming background
  – Laziness – letting PHP do its magic_*
  – Doing things quick-n-dirty
  – Too forgiving
• Resolutions:
  – Consider using code audit tools and professional services
  – Implement processes and proper project management
"Program Smart"

2. Extensions and external libraries
• PHP's greatest asset
• Sometimes the library binding is faulty
  – There could be better extension certification, and it's getting better
• Sometimes the external library has faults, or behaves in an unforeseen way when in a web environment
  – Possible in any environment
• Know what extensions you're using, use the minimal number of extensions, and be aware of the environment they were originally designed for.
"Know Thy Extensions"

3. PHP Core
  – "PHP"
• This is PHP
• Secunia: PHP: ~20 advisories between '03–'09; Java: 48+ between '03–'09; Ruby: 12+ between '03–'09. "The List Goes On – PHP is Not Alone"
• Often safe_* and magic_* related
  – Functions designed to protect developers from ignoring best practices.
  – Or to deal with shared environments where incorrect security expectations are prevalent.
"More internet applications speak PHP than any other"

Best Practices

• Best practices are common to any well-run enterprise environment
  – Yes, PHP has grown/is growing into this environment very quickly
• Web security is largely about your data and less about exploits in the underlying platform
  – Buffer overflows aren't so much the hot topic
  – ... and those who know, don't talk
• Installation
  – Avoid prepackaged installs, including RPMs, .deb, etc.
  – If you use them, review their default deployment
  – Installation touch points also typically include Apache/MySQL
• Configuration
  – Use php.ini-recommended or php.ini-production
  – Better yet, take the time to know what you're doing and tune configuration files yourself, for your specific needs, remembering how your system is most vulnerable
• Implement consistent deployment (virtualization, cloud)
• Consider certified stacks

Best Practices: Be Fashionable
  – Style and Design
• Don't make PHP guess what you mean
  – Be explicit with variables and types
  – Don't abuse scope
  – Know where your variables come from
  – Avoid magic_* and implicitness
  – BE EXPLICIT
• Keep code small, organized and maintainable
  – Keep code/logic chunks small
  – Use OOP techniques to enforce code execution paths
  – Use includes to keep things organized
• Don't use super-globals directly – wrap them for protection
"Be aggressive – B.E. aggressive"

Know Your Data
  – Love Your Data
• It's always about data
• One of PHP's greatest strengths
  – loosely typed
  – ... and you guessed it
  – one of its biggest weaknesses
  – Don't make PHP guess what you mean
• Cast variables, know their types and the data you expect
  – Let PHP do its magic only when you want it to – not by chance
  – The majority of "PHP security flaws" could be avoided by casting to int
• Keep tabs on your data's path, lifecycle and type
  – Know where it's come from, what it's doing, and where it's going
  – Filter/escape/cast and throw exceptions every step of the way
• Input validation, output validation, CASTING
• Don't be lazy – be explicit – use OOP
"Casting isn't just for movie producers"

"It's the System, Stupid"
Networks, Systems, and Databases, Oh My
• No system has a single security weakness
• Put PHP in the same well-managed enterprise environment as other technologies
• Don't take the easy way out just because you can
• PHP/AMP respond very well to TLC

Conclusions
Goal: PHP is Just One of the Boys
• PHP is just part of the ecosystem
• ... and there is awareness and experience on the PHP side
• The yin/yang of PHP's history overshadows reality
• Stand by PHP and it'll stand by you
• Program it – don't hack it
"With great power comes great responsibility." – Spiderman's Uncle
• Web/Internet applications are deep and complex
  – Users, interoperability, data, architecture, support, compliance
  – PHising, hijacking, spam, social engineering
  – BROWSERS!
"PHP is the least of your worries"