
Introduction

PHP is the PHP: Hypertext Preprocessor

This is not YASIXSK – (Yet-Another-SQL-Injection-XSS-Script-Kid)

• Numerous other excellent cut-paste resources for these ubiquitous attacks

• Ubiquitous means they can happen in any language

The Security Ecosystem

• Security fundamentals are common across the board

• Different environments have different requirements

– Desktop applications are different from web/internet applications

• Web/Internet apps have a huge number of touch points

– PHP isn’t responsible for all of them – in fact, not most

– The Developer/Enterprise is – in ALL cases

• Different languages handle things in different ways

– .NET, Java, Python, PHP all have their idiosyncrasies

• PHP is no different… except… “More internet applications speak PHP than any other”

The PHP Ecosystem

• PHP gets a bad rap

– Low point of entry and great flexibility “Greatest strength and biggest weakness”

• And there’ve been some mistakes

– Weak default configuration

– Variable ease of use and scope

– The infamous magic_* of PHP

– PHP Group [rightfully] argues: “What’s a security flaw?”

“It’s easy to shoot yourself in the foot with C. In C++ it’s harder to shoot yourself in the foot, but when you do, you blow off your whole leg.” Bjarne Stroustrup, Inventor of C++

Security Points-of-Entry

Three Zones of Responsibility

• PHP is effectively a wrapper around libraries and data sources

– Many external dependencies and touch points

• There are many zones of responsibility

– A language is not responsible for them – a developer/enterprise is

– A language should not go out of its way to save the developer

• Frameworks/foundations can be used for this

1. Developer

– Poorly written code by amateurs

– Primary cause for the security ecosystem around PHP

– Easy to pick up for those with no programming background

– Laziness – letting PHP do its magic_*

– Doing things quick-n-dirty

– Too forgiving

• Resolutions:

– Consider using code audit tools and professional services

– Implement processes and proper project management “Program Smart”

2. Extensions and external libraries

• PHP’s greatest asset

• Sometimes library binding is faulty

– There could be better extension certification, and it’s getting better

• Sometimes the external library has faults, or behaves in an unforeseen way when in a web environment

– possible in any environment

• Know what extensions you’re using, use the minimal number of extensions, and be aware of the environment they were originally designed for. “Know Thy Extensions”

3. PHP Core

– “PHP”

• This is PHP

• Secunia advisory counts, ’03-’09: PHP ~20; Java 48+; Ruby 12+. “The List Goes On – PHP is Not Alone”

• Often safe_* and magic_* related

– Functions designed to protect developers from ignoring best practices.

– Or deal with shared environment where incorrect security expectations are prevalent. “More internet applications speak PHP than any other”

Best Practices

• Best practices are common to any well run enterprise environment

– Yes, PHP has grown/is growing into this environment very quickly

• Web security is largely about your data and less about exploits in the underlying platform

– Buffer overflows aren’t so much the hot topic

– … and those who know, don’t talk

• Installation

– Avoid prepackaged installs, including RPMs, .deb, etc.

– If you use them, review their default deployment

– Installation touch points also typically include Apache/MySQL

• Configuration

– Use php.ini-recommended or php.ini-production

– Better yet, take the time to know what you’re doing and tune configuration files yourself, for your specific needs and remembering how your system is most vulnerable

• Implement consistent deployment (virtualization, cloud)

• Consider certified stacks
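As an added illustration of the configuration point above (this fragment is not from the deck), the php.ini directives below show a weak or legacy setting, commented out, beside the hardened value a production tune should carry. The log and open_basedir paths are assumptions for a hypothetical deployment; register_globals and magic_quotes_gpc no longer exist in PHP 5.4 and later, but still turn up in the packaged installs and legacy stacks the deck warns about.

```ini
; Added example, not part of the original slides.
; Commented lines show the weak/legacy value; the active line is the hardened one.

; --- Error disclosure ---
; display_errors = On          ; leaks file paths, queries and stack traces to end users
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log   ; assumed path; point at your own log location

; --- Implicit "magic" behaviour ---
; register_globals = On        ; every request parameter becomes a variable (removed in 5.4)
register_globals = Off
; magic_quotes_gpc = On        ; partial escaping that is not real escaping (removed in 5.4)
magic_quotes_gpc = Off

; --- Remote code and filesystem reach ---
; allow_url_include = On       ; include()/require() of remote URLs
allow_url_include = Off
allow_url_fopen = Off          ; re-enable only if the application genuinely fetches URLs
; open_basedir =               ; unset: scripts can read anything the web server user can
open_basedir = /var/www/app    ; assumed application root

; --- Fingerprinting ---
; expose_php = On              ; X-Powered-By header advertises the exact PHP version
expose_php = Off

; --- Session cookies ---
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_only_cookies = 1
```

The check that matters is the effective value, not the file you edited: the CLI and the web SAPI (mod_php, php-fpm) commonly load different php.ini files, so confirm with `php -i` for the CLI and with phpinfo() or `ini_get()` from a request served by the actual web SAPI, then remove that page again.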

Best Practices Be Fashionable

– Style and Design

• Don’t make PHP guess what you mean

– Be explicit with variables and types

– Don’t abuse scope

– Know where your variables come from

– Avoid magic_* and implicitness

– BE EXPLICIT

• Keep code small, organized and maintainable

– Keep code/logic chunks small

– Use OOP techniques to enforce code execution paths

– Use includes to keep things organized

• Don’t use super-globals directly – wrap for protection “Be aggressive – B.E. aggressive”

• Know Your Data

– Love Your Data

• It’s always about data

• One of PHP’s greatest strengths

– Loosely typed

– … and you guessed it, one of its biggest weaknesses

– Don’t make PHP guess what you mean

• Cast variables, know their types and the data you expect

– Let PHP do its magic only when you want it to – not by chance

– The majority of “PHP security flaws” could be avoided by casting to int

02/02/2010

• Keep tabs on your data’s path, lifecycle and type

– Know where it’s come from, what it’s doing, and where it’s going

– Filter/escape/cast and throw exceptions every step of the way

• Input validation, output validation, CASTING

• Don’t be lazy – be explicit – use OOP “Casting isn’t just for movie producers”
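The following is an added example, written for this page rather than taken from the deck, that puts two of the points above into code: wrapping the super-globals so application code never reads $_GET/$_POST directly, and filtering, casting and throwing at every step of the data path with escaping applied on output. The Request class, its method names and the constructed sample parameters are this example’s own; it assumes PHP 8.0 or later (constructor property promotion), not the PHP 5.3 of the deck’s era.

```php
<?php
declare(strict_types=1);

// Added example: a thin wrapper around the request super-globals. Every value
// leaves this class as an explicit PHP type or not at all; there is no silent
// "missing parameter becomes empty string / 0" path for the application to trip on.
final class Request
{
    /** @param array<string, mixed> $params */
    public function __construct(private array $params) {}

    public static function fromGlobals(): self
    {
        // Merge once (POST wins on collision), then never touch the globals again.
        return new self(array_merge($_GET, $_POST));
    }

    /** Integer within [$min, $max]; anything else is a hard failure, not a quiet 0. */
    public function int(string $name, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): int
    {
        $value = filter_var($this->raw($name), FILTER_VALIDATE_INT, [
            'options' => ['min_range' => $min, 'max_range' => $max],
        ]);
        if ($value === false) {
            throw new InvalidArgumentException("Parameter '$name' is not an integer in range");
        }
        return $value;
    }

    /** Length-bounded string with control characters rejected. */
    public function string(string $name, int $maxLength = 255): string
    {
        $raw = $this->raw($name);
        if (strlen($raw) > $maxLength || preg_match('/[\x00-\x1F\x7F]/', $raw) === 1) {
            throw new InvalidArgumentException("Parameter '$name' is malformed");
        }
        return $raw;
    }

    /** Value must be one of a fixed set (sort order, page size); never passed through verbatim. */
    public function oneOf(string $name, array $allowed): string
    {
        $raw = $this->raw($name);
        if (!in_array($raw, $allowed, true)) {   // strict: no type juggling
            throw new InvalidArgumentException("Parameter '$name' has an unexpected value");
        }
        return $raw;
    }

    private function raw(string $name): string
    {
        // Missing keys and arrays (?id[]=1) are rejected explicitly instead of being coerced.
        if (!isset($this->params[$name]) || !is_string($this->params[$name])) {
            throw new InvalidArgumentException("Parameter '$name' is missing or not scalar");
        }
        return $this->params[$name];
    }
}

// Output side: escape for the exact context the value lands in (here, HTML body/attribute).
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for a real query string.
$request = new Request(['id' => '42', 'order' => 'asc', 'q' => '<b>hello</b>']);

$id    = $request->int('id', 1);                   // int(42), guaranteed >= 1
$order = $request->oneOf('order', ['asc', 'desc']); // one of two literals
$q     = $request->string('q', 100);                // bounded, but still raw until escaped

printf("id=%d order=%s q=%s\n", $id, $order, html($q));

try {
    $request->int('order');                          // 'asc' is not an integer
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The design choice worth noting is that the wrapper validates and casts but does not escape: escaping depends on where a value is going (HTML, a URL, a JSON body, a SQL parameter), so it belongs at the output boundary, while the exception on any unexpected shape is what keeps the "filter, cast, throw at every step" discipline from silently degrading into PHP guessing on your behalf.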

“It’s the System, Stupid” – Networks, Systems, and Databases, Oh My

• No system has a single security weakness

• Put PHP in the same well managed enterprise environment as other technologies

• Don’t take the easy way out just because you can

• PHP/AMP respond very well to TLC

Conclusions

Goal: PHP is Just One of the Boys

• PHP is just part of the ecosystem

• … and there is awareness and experience on the PHP side

• The yin/yang of PHP’s history overshadows reality

• Stand by PHP and it’ll stand by you

• Program it – don’t hack it

“With great power comes great responsibility.” Spiderman’s Uncle

• Web/Internet applications are deep and complex

– Users, interoperability, data, architecture, support, compliance

– Phishing, hijacking, spam, social engineering

– BROWSERS! “PHP is the least of your worries”
