PHP & The Secure Application Development Life-cycle “The art of building secure PHPyramids” Robert van der Linde Santa Clara, 16 september 2008

Robert van der Linde

Santa Clara, 16 september 2008

Who’s that dude? Robert van der Linde 5 years of PHP experience Team lead PaSS-PHP Sogeti’s PHP training coordinator Zend Certified Engineer

Robert van der Linde

5 years of PHP experience

Team lead PaSS-PHP

Sogeti’s PHP training coordinator

Zend Certified Engineer

Secure PHPyramids

What is a secure application? An application is secure if does exactly what is expected at all times Design Implementation

An application is secure if does exactly what is expected at all times

So what do we do? Applications are information Threats are everywhere Creating secure applications need a standardized approach There is tooling available to help you

Applications are information

Threats are everywhere

Creating secure applications need a standardized approach

There is tooling available to help you

Application === Information Integrity Availability Confidentiality Information security

Where do you implement security?

Where do threats come from? Conciously

Conciously

Where do threats come from? Unconsciously

Unconsciously

Approach

Requirements

Test plans Training Awareness Outside-the-box thinking Codified security test plans Tools OWASP WebScarab Ratproxy NTO Spider

Training

Awareness

Outside-the-box thinking

Codified security test plans

Tools

OWASP WebScarab

Ratproxy

NTO Spider

Test results Review with programmers Reporting and analysis End goal: clean bill of health

Review with programmers

Reporting and analysis

End goal: clean bill of health

Code Owasp PHP top 5 Remote code execution Cross site scripting SQL Injection PHP Configuration File system attacks Best practices Whitelisting vs. blacklisting Filter input, escape output Keep errors to yourself

Owasp PHP top 5

Remote code execution

Cross site scripting

SQL Injection

PHP Configuration

File system attacks

Best practices

Whitelisting vs. blacklisting

Filter input, escape output

Keep errors to yourself

Feedback Consciously handle found issues Praise, not prey Handle proactively

Consciously handle found issues

Praise, not prey

Handle proactively

The key to all this Awareness

Awareness

Implementation at Sogeti PaSS (Pro-active Security Strategy) Workgroup per expertise PHP Design Testing Etc. Added value

PaSS (Pro-active Security Strategy)

Workgroup per expertise

PHP

Design

Testing

Etc.

Added value

Tooling example Finally.... some code!

Setting it up

The result

Working with the result

What’s next? Logging attacks File MySQL Email Reporting and analysis

Logging attacks

File

MySQL

Email

Reporting and analysis

Thank you for watching Referenties: www.php.net www.owasp.com www.php-ids.org www.sogeti.nl www.zend.com Contact: E: [email_address] IM: [email_address] Skype: linderob Blog: http://php.linde002.nl/

Referenties:

www.php.net

www.owasp.com

www.php-ids.org

www.sogeti.nl

www.zend.com

Contact:

E: [email_address] IM: [email_address] Skype: linderob Blog: http://php.linde002.nl/