PHP & The secure development lifecycle
Transcript of PHP & The secure development lifecycle
PHP & The Secure Application Development Life-cycle
“The art of building secure PHPyramids”
Robert van der Linde, Santa Clara, 16 September 2008
Who’s that dude?
• Robert van der Linde
• 5 years of PHP experience
• Team lead PaSS-PHP
• Sogeti’s PHP training coordinator
• Zend Certified Engineer
Secure PHPyramids
What is a secure application?
• An application is secure if it does exactly what is expected at all times
Design / Implementation
So what do we do?
• Applications are information
• Threats are everywhere
• Creating secure applications needs a standardized approach
• There is tooling available to help you
Application === Information
Information security: Integrity, Availability, Confidentiality
Where do you implement security?
Where do threats come from?
• Consciously
• Unconsciously
Approach
Requirements
Test plans
• Training
• Awareness
• Outside-the-box thinking
• Codified security test plans
• Tools
> OWASP WebScarab
> Ratproxy
> NTO Spider
Test results
• Review with programmers
• Reporting and analysis
• End goal: clean bill of health
Code
• OWASP PHP Top 5
> Remote code execution
> Cross site scripting
> SQL injection
> PHP configuration
> File system attacks
• Best practices
> Whitelisting vs. blacklisting
> Filter input, escape output
> Keep errors to yourself
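The three best practices on this slide, carried through in a small PHP request handler. This is an added example, not code from the slides or from Sogeti; it assumes a PDO connection `$pdo` and a hypothetical table `products(id, name, category_id)`.

```php
<?php
// Added example (not from the slides): "Best practices" applied in PHP.
// Assumes $pdo is an existing PDO connection and a hypothetical table
// products(id, name, category_id).
declare(strict_types=1);

// Keep errors to yourself: log them, never render them to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Whitelisting vs. blacklisting: a blacklist (strip "<script>", quotes, ...)
// is always one encoding away from bypass; a whitelist names what is allowed.
const ALLOWED_SORT = ['name', 'id'];

function sortColumn(array $query): string
{
    $sort = $query['sort'] ?? 'name';
    return in_array($sort, ALLOWED_SORT, true) ? $sort : 'name';
}

// Filter input: validate type and range, not just "does it look harmless".
function categoryId(array $query): ?int
{
    $id = filter_var($query['category'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// SQL injection: bind values instead of concatenating them. The column name
// cannot be a bound parameter, so it comes from the whitelist above.
function loadProducts(PDO $pdo, int $categoryId, string $sort): array
{
    $stmt = $pdo->prepare(
        "SELECT id, name FROM products WHERE category_id = :cat ORDER BY {$sort}");
    $stmt->execute([':cat' => $categoryId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape output: encode for the output context (HTML here) at the point of use.
function renderName(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$categoryId = categoryId($_GET);
if ($categoryId === null) {
    http_response_code(400);
    exit('Invalid request'); // generic message; details stay in the error log
}
foreach (loadProducts($pdo, $categoryId, sortColumn($_GET)) as $row) {
    echo renderName($row['name']);
}
```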
Feedback
• Consciously handle found issues
• Praise, not prey
• Handle proactively
The key to all this
• Awareness
Implementation at Sogeti
• PaSS (Pro-active Security Strategy)
• Workgroup per expertise
> PHP
> Design
> Testing
> Etc.
• Added value
Tooling example
Finally.... some code!
Setting it up
The result
Working with the result
What’s next?
• Logging attacks
> File
> MySQL
> Email
• Reporting and analysis
Thank you for watching
• References:
> www.php.net
> www.owasp.com
> www.php-ids.org
> www.sogeti.nl
> www.zend.com
• Contact:
> E: [email protected]
> [email protected]
> linderob
> Blog: http://php.linde002.nl/