OWASP, PHP, life and universe
Presentation given to the AFUP about OWASP and about concrete projects for securing a PHP application.

    Presentation Transcript

    • AFUP/MOZILLA/OWASP Meeting @Mozilla Paris, 5th June 2014. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader & Evangelist, OWASP France. "OWASP, the Life, the Universe and the ElePHPhants"
    • http://www.google.fr/#q=sebastien gioria
      ‣ OWASP France Leader & Founder & Evangelist
      ‣ Innovation and Technology @Advens && Application Security Expert. Twitter: @SPoint / @OWASP_France
      ‣ Application Security group leader for the CLUSIF
      ‣ Proud father of young kids trying to hack my digital life.
    • Agenda
      – Application Security: where we are (no bullshit); where we are (hopefully) going?
      – Open Web Application Security Project?
      – Major projects you can use
    • Why Application Security? (flowchart) Has your application been hacked? YES or NO. If NO: your application will be hacked ;) Either way: "My application will be hacked!" Let me take you on the right way. Next step.
    • First form in PHP

      <?php
        $email = $_REQUEST['email'];
        $message = $_REQUEST['message'];

        mail("yourname@example.com", "Feedback Form Results",
             $message, "From: $email");
        header("Location: http://www.example.com/thankyou.html");
      ?>
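Added example, not from the slides: the same feedback form with the input checks the original omits. The weak spot in the slide's version is the From: header built straight from $_REQUEST['email'], since a CR/LF in that value lets the sender append further mail headers. Assumes PHP 7 or later and a fixed sender address noreply@example.com (both assumptions).

```php
<?php
// Added example (not from the slides). Hardened version of the feedback form:
// validate the address, keep user input out of the mail headers, read POST
// only, and redirect to a fixed target.

function valid_feedback_email(string $email): bool
{
    // FILTER_VALIDATE_EMAIL rejects CR/LF and other header-breaking characters,
    // so a validated address can no longer smuggle extra headers into mail().
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && strlen($email) <= 254;
}

// Read POST only: $_REQUEST also accepts GET and cookie values.
$email   = $_POST['email']   ?? '';
$message = $_POST['message'] ?? '';

if (!valid_feedback_email($email) || trim($message) === '') {
    http_response_code(400);
    exit('Invalid submission.');
}

// Send From: a fixed local address (assumed) and put the visitor in Reply-To
// only after validation; strip control characters from the body as well.
$body = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $message);
$headers = [
    'From: noreply@example.com',
    'Reply-To: ' . $email,
    'Content-Type: text/plain; charset=UTF-8',
];

mail('yourname@example.com', 'Feedback Form Results', $body,
     implode("\r\n", $headers));

// Absolute, hard-coded redirect target: never built from user input.
header('Location: https://www.example.com/thankyou.html', true, 303);
exit;
```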
    • How to create a login page in PHP and MySQL

      <?php
      define('DB_HOST', 'localhost');
      define('DB_NAME', 'practice');
      define('DB_USER', 'root');
      define('DB_PASSWORD', '');

      $con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
      $db = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error());

      /* $ID = $_POST['user']; $Password = $_POST['pass']; */

      function SignIn() {
          session_start(); // starting the session for the user profile page
          if (!empty($_POST['user'])) // checking whether the 'user' name coming from Sign-In.html is empty or has some text
          {
              $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());
              $row = mysql_fetch_array($query) or die(mysql_error());
              if (!empty($row['userName']) AND !empty($row['pass'])) {
                  $_SESSION['userName'] = $row['pass'];
                  echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
              } else {
                  echo "SORRY... YOU ENTERED WRONG ID AND PASSWORD... PLEASE RETRY...";
              }
          }
      }

      if (isset($_POST['submit'])) {
          SignIn();
      }
      ?>
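Added example, not from the slides: the login above rewritten with PDO prepared statements (no user input in the SQL text), password_hash()/password_verify() instead of plaintext passwords, a single failure message, and session ID regeneration on login. The table users(username, password_hash), the database account login_app and the DB_PASSWORD environment variable are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the slides). Assumed schema: users(username,
// password_hash) where password_hash stores password_hash() output.

function db(): PDO
{
    // Least-privilege account (assumed name) with the password read from the
    // environment instead of root with an empty password; exceptions on error.
    $pdo = new PDO('mysql:host=localhost;dbname=practice;charset=utf8mb4',
                   'login_app', (string) getenv('DB_PASSWORD'));
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Returns the username on success, null otherwise. The SQL text contains no
// user input, so the string-built query of the original is gone.
function signIn(PDO $pdo, string $user, string $pass): ?string
{
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a throwaway hash so
    // the response time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pass, $hash)) {
        return null;
    }
    return $row['username'];
}

if (isset($_POST['submit'])) {
    session_start();
    $name = signIn(db(), (string) ($_POST['user'] ?? ''),
                         (string) ($_POST['pass'] ?? ''));
    if ($name === null) {
        http_response_code(401);
        echo 'Wrong ID or password.';   // one message for both failure cases
    } else {
        session_regenerate_id(true);    // fresh session ID after login
        $_SESSION['userName'] = $name;  // store the name, never the password
        echo 'Logged in.';
    }
}
```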
    • Game Over....
      – Do you have a VoIP phone?
      – Do you have an IP router / broadband box?
      – Do you have a smartphone?
      – Do you have customers / partners over the Internet?
    • Anything else?
    • Why Application Security? We are living in a Digital environment, in a Connected World. Most websites are vulnerable to attacks. A significant % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...). Age of Antivirus → Age of Network Security → Age of Application Security.
    • [figure] (c) Verizon 2014
    • Who wins? (c) WhiteHatSecurity 2013
    • Vulnerabilities? (c) WhiteHatSecurity 2013
    • What is OWASP: Mission Driven. Nonprofit | Worldwide | Unbiased. OWASP does not endorse or recommend commercial products or services.
    • What is OWASP: Community Driven. 30,000 mailing list participants, 200 active chapters in 70 countries, 1600+ members, 56 corporate supporters.
    • Around the World: 200 chapters, 1,600+ members, 20,000+ builders, breakers and defenders.
    • What is OWASP: Quality Resources. 200+ projects, 15,000+ downloads of tools and documentation.
    • Quality Resources (pie chart): Documentation, Tools, Code: 50%, 10%, 40%
    • Security Lifecycle
    • Security Resources
    • News, a blog, a podcast, memberships, mailing lists, a newsletter, Apple App Store, video tutorials, training sessions, social networking
    • OWASP Projects
    • OWASP Top 10 2013
      A1: Injection
      A2: Broken Authentication and Session Management
      A3: Cross Site Scripting (XSS)
      A4: Insecure Direct Object References
      A5: Security Misconfiguration
      A6: Sensitive Data Exposure (formerly A9, insecure transport, plus A7, cryptographic storage)
      A7: Missing Function Level Access Control
      A8: Cross Site Request Forgery (CSRF)
      A9: Using Components with Known Vulnerabilities
      A10: Unvalidated Redirects and Forwards
    • Cheat Sheets
      Developer Cheat Sheets:
      § PHP Security Cheat Sheet
      § OWASP Top Ten Cheat Sheet
      § Authentication Cheat Sheet
      § Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
      § Cryptographic Storage Cheat Sheet
      § Input Validation Cheat Sheet
      § XSS (Cross Site Scripting) Prevention Cheat Sheet
      § DOM based XSS Prevention Cheat Sheet
      § Forgot Password Cheat Sheet
      § Query Parameterization Cheat Sheet
      § SQL Injection Prevention Cheat Sheet
      § Session Management Cheat Sheet
      § HTML5 Security Cheat Sheet
      § Transport Layer Protection Cheat Sheet
      § Web Service Security Cheat Sheet
      § Logging Cheat Sheet
      § JAAS Cheat Sheet
      Mobile Cheat Sheets:
      § iOS Developer Cheat Sheet
      § Mobile Jailbreaking Cheat Sheet
      Draft Cheat Sheets:
      § Access Control Cheat Sheet
      § REST Security Cheat Sheet
      § Abridged XSS Prevention Cheat Sheet
      § Password Storage Cheat Sheet
      § Secure Coding Cheat Sheet
      § Threat Modeling Cheat Sheet
      § Clickjacking Cheat Sheet
      § Virtual Patching Cheat Sheet
      § Secure SDLC Cheat Sheet
      § Web Application Security Testing Cheat Sheet
      § Application Security Architecture Cheat Sheet
    • Enterprise Security API. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API. PHP version: https://code.google.com/p/owasp-esapi-php/
    • OWASP PHP Security Project. Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org. Purpose: the OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled, flexible, secure PHP libraries, as well as a collection of PHP tools. https://www.owasp.org/index.php/OWASP_PHP_Security_Project
    • Guides
      – Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
      – Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
      – Testing Guide: understand the what, why, when, where, and how of testing web applications
      https://www.owasp.org/index.php/Category:OWASP_Guide_Project
      https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
      https://www.owasp.org/index.php/Category:OWASP_Testing_Project
    • Zed Attack Proxy. Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com. Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications. Last Release: ZAP 2.3.1 (21 May 2014). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    • The OWASP Secure Software Contract Annex. Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
    • Dates
      – RSSIA Bordeaux: 20 June, HeartBleed revisited
      – AppSec Europe 2014, Cambridge
      – Java User Group Lille & Paris: Secure Coding for Java, autumn 2014
      – Club 27001 / Paris, 25 September 2014: presentation of the ISO 27034 standard
    • Supporting OWASP
      – Different options: Individual Member: $50; Corporate Member: $5000; free donation
      – Supporting only the France chapter:
        • Single Meeting supporter: offer us a meeting room! take part with a talk or otherwise! simple donation
        • Local Chapter supporter: $500 to $2000
    • License. @SPoint, sebastien.gioria@owasp.org