Your SlideShare is downloading. ×
Securing the PHP Environment with PHPSecInfo
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Securing the PHP Environment with PHPSecInfo

1,374
views

Published on

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,374
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
32
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Securing the PHP Environment with PHPSecInfo Ed Finkler coj@funkatron.com 20080523
  • 2. The ubiquity of PHP PHP is very, very popular Nearly impossible to find a hosting service that doesn’t support PHP in some form About 34% of all domains report using PHP PHP is very easy to learn PHP provides results quickly Time between setup and seeing results is very short
  • 3. The ubiquity of PHP PHP powers many busy, high-profile sites Wikipedia Facebook Wordpress.com Digg Flickr Yahoo!
  • 4. NIST NVD: 2006 data PHP Language PHP Apps: remote file inclusion 13.6% PHP Apps: other 0.5% Other 28.9% 6604 total entries 2803 PHP applications 57.1% 895 PHP app remote file inclusion Almost blocked by disabling allow_url_fopen (allow_url_include in 5.2+)
  • 5. What does this tell us? How popular PHP is How much a target web apps are How many PHP developers are incapable of writing secure apps How many sysadmins don’t secure their PHP environments
  • 6. The parties involved The System Administrator Directly responsible for PHP environment security Tendency to lower security of environment to reduce application compatibility complaints
  • 7. The parties involved •The PHP Developer • Must be aware of the environment and how it impacts app development • Will write apps assuming certain features are enabled, despite security risks
  • 8. The parties involved The PHP “Deployer” By far the largest portion of the audience Uses PHP apps on a web site, but not a coder Not capable of assessing security of an app At the mercy of the SysAdmin and Developer
  • 9. Requirements of PHPSecInfo A security auditing tool accessible to the “Deployer” Compatible Support PHP4 (63%) and PHP5 (37%) Easy to install Unzip and Upload Easy to execute (little or no config) Runs upon upload; single function call
  • 10. Requirements of PHPSecInfo Easy to understand Clear, unambiguous results; color coding Encourage further exploration Offer extended explanations with links to more info
  • 11. Executing PHPSecInfo 1.Unzip 2.Upload 3.View in Browser
  • 12. Test Suite 17 tests for commonly exploited security vulnerabilities in PHP environment Each test result shows: Current Setting Recommended Setting Result (color-coded) Explanation Link to further info Simple metrics output
  • 13. PHPSecInfo encourages accountability Sorry, we can’t support your Developers app because it requires an Here’s what’s wrong with your insecure config! PHP setup – fix it before you run our app! Sysadmins Why does your application Why doesn’t your hosting require an insecure Our hosting is secure – service provide a secure PHP configuration? PHPSecInfo says so! environment? Deployers
  • 14. For advanced users Still a useful tool for evaluating PHP environments Part of an auditing toolkit for web app security experts Extensible test framework Create custom tests specific to an environment Full generated documentation available
  • 15. Zend_Environment Security Module Part of Zend Framework PHP5-only Zend_Environment offers programatic access to PHP environment information Z_E security module based on PHPSecInfo Offers better (for now) programatic access to test results More flexible output (HTML, Text, etc) Part of a full-featured development framework
  • 16. What the future may bring Phar & PEAR installs New view system & new output formats (xml, console, html themes, etc) Better IIS support Instantiate and obtain results programatically for embedding in apps Security testing during installation process, et al
  • 17. What is needed Help! Developers and Documenters Both PSI and ZFW sides
  • 18. More Information phpsecinfo.com phpsec.org cerias.purdue.edu framework.zend.com

×