Security by design
By Arne Blankerts
October 21st, ZendCon 2009
Copyright © 2009 thePHP.cc, Germany

Welcome

Design?

Design!
 Done before actual work
 Multiple aspects
 Infrastructure
 Architecture
 Software
 Visual Components

Infrastructure

Physical Access

The Server

Hardening

Firewalling

Firewalling
 IP Level
 Filter by source and destination
 Port (service) based
 Appplication Level
 Also called Proxy
 Can be used for performance and caching as well

Network layout
 Public Network
 Proxy
 Webserver
 Private Network
 Webserver
 Datebase
 Caches
 Storage

The Storage

Architecture!

Architecture
 Establish Privilege separation
 Work with least amount of privileges
 Do not run anything as root
 Separate Database access
 Read only access
 Write access

Software

Software
 Written from the ground to be secure
 Does not rely on secret implementations
 Perfect for open source
 Separation of concerns
 Familiar concept from OOP

Decouple

Validate Input
 Enforce types
 Do not repair broken data
 Sanitize input as needed
 And where needed

Keep it simple!

Deny by default

More rules?
 Enable E_STRICT and E_NOTICE
 Add E_DEPRECATED on PHP 5.3
 Split code into modules
 Allows for flexible security and access
policies
 Make sure your code can handle broken
input gracefully

Visual Feedback

Visual Feedback
Do not train users wrong
An “alert” is not a confirmation

Visual Design
Try to follow HIGs
Adopt to OS order of buttons and actions

Visual Design
Be specific in wording
Do not mix PIN, Password, Code, Token
for the same thing

Visual Design
Be aware of i18n / i10n
Some icons may not mean the same
all over the world

Everything done as told

Failure... or how to break it

Oops.

Man in the middle
 Technically a Proxy
 Quite a famous attack vector
 Can work like a proxy
 Even works with SSL
 Extended Security Certificates may help here
 Information disclosure

Phishing
 User is lurked to a cloned look-alike site
 Usually slightly modified to contain
 Additional input fields
 Overwritten target for form submits
 Hard to detect
 Check referrer in logs

Disallow image loading from 3rd party
 Implement anti csrf tokens
 Blocks the clone from “save” redirects

Click jacking
 Not an exploit
 Not a validation problem
 Invisible iframe
 Uses CSS to be made transparent
 Not detectable server side
 Only JavaScript to the rescue
 Compare location of top and self
 top.location.href == self.location.href

Click jacking demo
Copyright © 2009 thePHP.cc, Germany

And There Was Light..

100% Secure?
 Impossible to achieve
 Never underestimate bored kids ;)

Cost of security

Security is a process
A flexible process can be changed
A flexible software can adopt to new needs

Q & A

Congrats!

Thank you!

http://joind.in/talk/view/914

Contact
 Slides will be on slideshare
 http://slideshare.net/theseer
 http://www.slideshare.net/group/thephpcc
 Contact options
 Email: team@thePHP.cc / arne@thePHP.cc
 Follow us on twitter:
 @arneblankerts
 @thephpcc