Security in PHP Applications: An absolute must!
Is your application secure? What does securely written code look like? In this presentation we will talk about what it takes to write a PHP application securely. We will focus on secure coding practices and discuss vulnerabilities that must be addressed, including SQL injection, XSS, user authentication and authorization, data validation, and data integrity. There will be example code and working examples to show you what works and what doesn't. We will also discuss how to bake security into the system development life cycle and how to convince management that security issues must be addressed. You will come out of this presentation ready to become the Security Hero you've always wanted to be!
1. Security in PHP Applications: An absolute must!
Mark Niebergall
2. About Mark Niebergall
● PHP since 2005
● MS degree in MIS
● Senior Software Engineer
● UPHPU President
● SSCP, CSSLP Certified and SME for (ISC)2
● Drones, fishing, skiing, father, husband
4. Security Landscape
● Constant attacks: http://map.norsecorp.com/
● Targeting all organizations
● Script kiddies, collectives, nation states, crackers, thieves, colleagues, insiders, creative users, and many more
6. Notable Attacks
● IHG hotels
● Tax returns
● Card skimmers, chip-based cards
● DNC, NRSC
● San Francisco Rail
● UK NHS
7. Notable Attacks
● Target
● Home Depot
● Sony Pictures
● Anthem
● JP Morgan Chase
● MySpace
● Sony PSN
● Xbox Live
10. PHP Version
● December 2014: only 25.94% of PHP installs were secure based on PHP version
● Check your version, upgrade to a safe version
● Anthony Ferrara: http://blog.ircmaxell.com/2014/12/php-install-statistics.html
19. XSS
● Form of code injection
● Attacker injects malicious script into a site
● Malicious script is served to a different user
● Persistent vs Reflected (non-persistent)
● Server vs Client
25. CSRF
● Attacker causes unauthorized code execution in a web browser against a target
● Target user is unaware of attack
● Target site performs an action
26. CSRF
● Target logged in on a different browser tab
● Hidden form to transfer money to a bank account
● API to delete accounts
● Perform desired actions that only authenticated and authorized users can
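The CSRF scenario above (a logged-in user tricked into submitting a hidden transfer form) is defeated with a synchronizer token. This is an added example, not code from the talk; the function names, field names and the `/transfer` route are my own choices, and the `SameSite` cookie attribute requires PHP 7.3 or later.

```php
<?php
// Added example (not from the slides): synchronizer-token defence against CSRF.
// Function and field names are assumptions chosen for this example.
declare(strict_types=1);

// Defence in depth: a SameSite session cookie is not sent on most cross-site
// POSTs, so a forged form gets no session even before the token check runs.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one unpredictable token per session and keep the copy server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null
        && hash_equals($expected, $submitted);
}

// Hardened handler: the attacker's hidden cross-site form cannot know the
// token, so the transfer is refused even though the browser attached the
// victim's session cookie to the forged request.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the transfer for the authenticated user here ...
}
?>
<!-- Legitimate form: the token travels as a hidden field with the request.
     htmlspecialchars() on output is the same escaping that stops XSS. -->
<form method="post" action="/transfer">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="amount">
  <button type="submit">Transfer</button>
</form>
```

Rotate the token on login and logout (regenerate the session and clear `csrf_token`) so a token captured before authentication cannot be replayed afterwards.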
34. Authentication and Authorization
● Considerations for authorization
○ Can user gain access to personal or sensitive data
○ Can user change user ‘admin’ email and password
○ Can user manipulate DOM
○ Can user use SQL injection to get unauthorized data
○ Can user use XSS or CSRF
○ Can user see detailed technical errors
42. Data Integrity
● Foreign keys to ensure relational data is created and kept accurately
● Unique keys to prevent data duplication
● Avoid data corruption and data loss
● Normalization
43. Data Integrity
● Stability
● Performance
● Re-usability
● Maintainability
● Applies to both database and application
45. Development Life Cycle
● Analyze application security needs
● Threat modeling
● Risk acceptance level
● Security considerations in requirements
● Project management and developers need to work closely
46. Development Life Cycle
● Security testing for acceptance
● Code reviews
● Regular review of security landscape and emerging threats
● Identify weakest points and make a plan to strengthen those areas
48. Convince Management to Invest
● Explain benefits of investment
○ Brand value
○ Customer loyalty
○ Selling point
● Discuss applicable regulations
● Visibility into current security posture
● Plans and goals
● Get the right people involved