Your SlideShare is downloading. ×
0
Securing the
PHP Environment
with PHPSecInfo
Ed Finkler
coj@funkatron.com




                20080523
The ubiquity of PHP
PHP is very, very popular
 Nearly impossible to find a hosting service that doesn’t
 support PHP in som...
The ubiquity of PHP
PHP powers many busy, high-profile sites
 Wikipedia
 Facebook
 Wordpress.com
 Digg
 Flickr
 Yahoo!
NIST NVD: 2006 data
      PHP Language
      PHP Apps: remote file inclusion
                                          13.6...
What does this tell us?

How popular PHP is
How much a target web apps are
How many PHP developers are incapable of writin...
The parties involved


The System Administrator
 Directly responsible for
 PHP environment security
 Tendency to lower sec...
The parties involved

             •The PHP Developer
              • Must be aware of the environment
                and...
The parties involved
The PHP “Deployer”
 By far the largest portion of
 the audience
 Uses PHP apps on a web
 site, but no...
Requirements of PHPSecInfo
 A security auditing tool accessible to the “Deployer”
  Compatible
    Support PHP4 (63%) and ...
Requirements of
PHPSecInfo

Easy to understand
 Clear, unambiguous results; color coding
Encourage further exploration
 Of...
Executing PHPSecInfo

 1.Unzip
 2.Upload
 3.View in Browser
Test Suite
  17 tests for commonly exploited security
  vulnerabilities in PHP environment
  Each test result shows:
   Cu...
PHPSecInfo encourages
 accountability
      Sorry, we can’t support your
                                                 ...
For advanced users
Still a useful tool for evaluating
PHP environments
  Part of an auditing toolkit for
  web app securit...
Zend_Environment Security
Module
 Part of Zend Framework
 PHP5-only
 Zend_Environment offers programatic access to PHP
 en...
What the future may bring

Phar & PEAR installs
New view system & new output formats (xml, console, html
themes, etc)
Bett...
What is needed


Help! Developers and Documenters
 Both PSI and ZFW sides
More Information
phpsecinfo.com
phpsec.org
cerias.purdue.edu
framework.zend.com
Securing the PHP Environment with PHPSecInfo
Securing the PHP Environment with PHPSecInfo
Securing the PHP Environment with PHPSecInfo
Securing the PHP Environment with PHPSecInfo
Upcoming SlideShare
Loading in...5
×

Securing the PHP Environment with PHPSecInfo

1,387

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,387
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
33
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Securing the PHP Environment with PHPSecInfo"

  1. 1. Securing the PHP Environment with PHPSecInfo Ed Finkler coj@funkatron.com 20080523
  2. 2. The ubiquity of PHP PHP is very, very popular Nearly impossible to find a hosting service that doesn’t support PHP in some form About 34% of all domains report using PHP PHP is very easy to learn PHP provides results quickly Time between setup and seeing results is very short
  3. 3. The ubiquity of PHP PHP powers many busy, high-profile sites Wikipedia Facebook Wordpress.com Digg Flickr Yahoo!
  4. 4. NIST NVD: 2006 data PHP Language PHP Apps: remote file inclusion 13.6% PHP Apps: other 0.5% Other 28.9% 6604 total entries 2803 PHP applications 57.1% 895 PHP app remote file inclusion Almost blocked by disabling allow_url_fopen (allow_url_include in 5.2+)
  5. 5. What does this tell us? How popular PHP is How much a target web apps are How many PHP developers are incapable of writing secure apps How many sysadmins don’t secure their PHP environments
  6. 6. The parties involved The System Administrator Directly responsible for PHP environment security Tendency to lower security of environment to reduce application compatibility complaints
  7. 7. The parties involved •The PHP Developer • Must be aware of the environment and how it impacts app development • Will write apps assuming certain features are enabled, despite security risks
  8. 8. The parties involved The PHP “Deployer” By far the largest portion of the audience Uses PHP apps on a web site, but not a coder Not capable of assessing security of an app At the mercy of the SysAdmin and Developer
  9. 9. Requirements of PHPSecInfo A security auditing tool accessible to the “Deployer” Compatible Support PHP4 (63%) and PHP5 (37%) Easy to install Unzip and Upload Easy to execute (little or no config) Runs upon upload; single function call
  10. 10. Requirements of PHPSecInfo Easy to understand Clear, unambiguous results; color coding Encourage further exploration Offer extended explanations with links to more info
  11. 11. Executing PHPSecInfo 1.Unzip 2.Upload 3.View in Browser
  12. 12. Test Suite 17 tests for commonly exploited security vulnerabilities in PHP environment Each test result shows: Current Setting Recommended Setting Result (color-coded) Explanation Link to further info Simple metrics output
  13. 13. PHPSecInfo encourages accountability Sorry, we can’t support your Developers app because it requires an Here’s what’s wrong with your insecure config! PHP setup – fix it before you run our app! Sysadmins Why does your application Why doesn’t your hosting require an insecure Our hosting is secure – service provide a secure PHP configuration? PHPSecInfo says so! environment? Deployers
  14. 14. For advanced users Still a useful tool for evaluating PHP environments Part of an auditing toolkit for web app security experts Extensible test framework Create custom tests specific to an environment Full generated documentation available
  15. 15. Zend_Environment Security Module Part of Zend Framework PHP5-only Zend_Environment offers programatic access to PHP environment information Z_E security module based on PHPSecInfo Offers better (for now) programatic access to test results More flexible output (HTML, Text, etc) Part of a full-featured development framework
  16. 16. What the future may bring Phar & PEAR installs New view system & new output formats (xml, console, html themes, etc) Better IIS support Instantiate and obtain results programatically for embedding in apps Security testing during installation process, et al
  17. 17. What is needed Help! Developers and Documenters Both PSI and ZFW sides
  18. 18. More Information phpsecinfo.com phpsec.org cerias.purdue.edu framework.zend.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×