Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolution of PHP Security

Eric Mann
October 26, 2024

Evolution of PHP Security

Regardless of reports to the contrary, PHP is a modern, scalable, secure programming language suitable for any number of applications. As with any other language or tool, PHP can only be used securely if the developers using it wield their tools safely.

This training class will walk through best practices in:

Password management (including hashing)
Credentials management (API keys)
Data encryption (both local and remote)
Data integrity (i.e., signing and authentication)
Server hardening
Attendees will leave with a better understanding of PHP and how to use it in secure applications.

Attendees should have an operable PHP environment before arriving. They will be given a code repo to use during the training class which will demonstrate the principles being discussed and allows them to practice from-scratch implementations in code.

Eric Mann

October 26, 2024
Tweet

More Decks by Eric Mann

Other Decks in Technology

Transcript

  1. Today’s Plan … Introductions Environment Credentials Management Authentication Session Management

    Data - Validation / Sanitization Encryption Server Hardening Ongoing Study Questions? Lunch
  2. I’ll be working through each module on the main screen.

    Feel free to follow along with your own computer, but coding is not required A COMPUTER IS NOT REQUIRED A modern PHP environment is required. I’ll be using newer features like strict typing and haven’t tested older versions FIRST: I ASSUME YOU HAVE PHP 8.3 To avoid the complexity of a MySQL or Postgres environment, the project leverages SQLite - You’ll need the PHP extension enabled SECOND: SQLITE IS A MUST You can follow along OUR WORKSHOP ENVIRONMENT Clone the project repository locally and code along with me as we work through it! git clone [email protected]:ericmann/notes-tutorial.git
  3. Environment Variables CREDENTIALS MANAGEMENT One way to manage server credentials

    is with a .env file. These files will keep credentials on the server in flat files that are easy to keep from being leaked to viewers. You can use multiple .env files to segregate environments - dev vs staging vs - production. Utilities like the PHP dotenv project automatically load your .env file into the system environment at runtime, making all of your credentials accessible to the application.
  4. YOUR TITLE HERE Lorem ipsum dolor sit amet, consectetur adipiscing

    elit. Fusce elit ex, consequat et tincidunt non, pharetra non risus. Quisque ut leo pretium, eleifend lectus in, ultrices diam. Quisque ac congue urna, non finibus orci. Password Strength AUTHENTICATION
  5. YOUR TITLE HERE Lorem ipsum dolor sit amet, consectetur adipiscing

    elit. Fusce elit ex, consequat et tincidunt non, pharetra non risus. Quisque ut leo pretium, eleifend lectus in, ultrices diam. Quisque ac congue urna, non finibus orci. Password Strength AUTHENTICATION
  6. Password Strength - BCrypt AUTHENTICATION <?php $timeTarget = 0.05; //

    50 milliseconds $cost = 8; do { $cost++; $start = microtime(true); password_hash("test", PASSWORD_BCRYPT , ["cost" => $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;
  7. Password Strength - Argon2I AUTHENTICATION <?php $timeTarget = 0.05; //

    50 milliseconds $cost = 1; do { $cost++; $start = microtime(true); password_hash("test", PASSWORD_ARGON2I , ["time_cost" => $cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost;
  8. Dos and Do Nots SESSION MANAGEMENT Don’t trust the user

    to store sensitive information Don’t trust information provided by the user Don’t store sensitive information with an untrusted party Don’t use cookies to store sensitive data (If you are using cookies, use secure cookies - but only store IDs)
  9. At-Rest Encryption ENCRYPTION 1 Protects data written out to disk

    2 Transparent to the application layer 3 (Usually) Provided by hosted DB solutions 4 (Often) Required for regulatory compliance
  10. Application-level Data Encryption By allowing the application to manage its

    own encryption keys, the crypto operations lift up into the application stack itself. The database engine can’t read or manage the data, neither can any other process in memory. Your data’s security then relies on the security of your application’s authentication and access control systems.
  11. Application-level Data Encryption By allowing the application to manage its

    own encryption keys, the crypto operations lift up into the application stack itself. The database engine can’t read or manage the data, neither can any other process in memory. Your data’s security then relies on the security of your application’s authentication and access control systems.
  12. Why it Matters ... Server Hardening We ship MVPs loaded

    with technical debt SHIP OR DIE Dependencies might leak vulnerabilities COMPONENTS FAIL You’re always under attack if your system’s online ADVERSARIES LEARN CommitStrip: Stack Overflow Patchwork
  13. PHP - Lock Down Functionality [PHP] ;;;;;;;;;;;;;;;;;;; ; About php.ini

    ; ;;;;;;;;;;;;;;;;;;; ; PHP's initialization file, generally called php.ini, is responsible for ; configuring many of the aspects of PHP's behavior. ; PHP attempts to find and load this configuration from a number of locations. ; The following is a summary of its search order: ; 1. SAPI module specific location. ; 2. The PHPRC environment variable. (As of PHP 5.2.0) ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) ; 4. Current working directory (except CLI)
  14. PHP - Lock Down Functionality ; open_basedir, if set, limits

    all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =
  15. PHP - Lock Down Functionality ; open_basedir, if set, limits

    all file operations to the defined directory ; and below. ; http://php.net/open-basedir open_basedir = /var/www ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =
  16. PHP - Lock Down Functionality ; open_basedir, if set, limits

    all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =
  17. PHP - Lock Down Functionality ; open_basedir, if set, limits

    all file operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes = splfileobject
  18. PHP - Lock Down Functionality ; Maximum allowed size for

    uploaded files. ; http://php.net/upload-max-filesize ;upload_max_filesize = ; Maximum number of files that can be uploaded via a single request ;max_file_uploads = ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen ;allow_url_fopen = ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include ;allow_url_include =
  19. PHP - Lock Down Functionality ; Maximum allowed size for

    uploaded files. ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include allow_url_include = Off
  20. PHP - Lock Down Functionality ; Maximum allowed size for

    uploaded files. ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs as files. ; http://php.net/allow-url-include allow_url_include = Off
  21. PHP Doesn’t Run in a Vacuum SERVER HARDENING Don’t display

    errors in production. Don’t leak server tokens. Define your system hostname. DISABLE DEBUGGING Disable directory traversal. Use proper TLS certificates. Return documented error codes. LOCK DOWN THE APP SERVER Use a cloud host if possible. Bind the server to the correct address for connections. Tighly scope permissions. PROPERLY CONFIGURE MySQL Close down unnecessary ports. Ensure only you have access to SSH. USE A FIREWALL Scan log files for illicit access and block malicious traffic entirely at the firewall. INSTALL fail2ban Leverage unattended upgrades to auto-install patches. Ensure you log everything to catch anomalies. KEEP SYSTEM PACKAGES UPDATED
  22. Further Resources ONGOING STUDY • Attend industry conferences to keep

    track of new advances • Leverage security-focused blogs and websites like https://paragonie.com or https://securingphp.com to learn more • Keep track of changes, conversations around security vulnerabilities, and new best practices “cheat sheets” created by groups like OWASP • Subscribe to php[architect] and pick up their Web Security bundle Pick up my book on Security Principles for PHP