Secure the lamp application stack
Speaker notes

  • PHP is used in a lot of environments where security is a good idea, like banks, credit data, porn sites etc. Who is working with personal data? Who is working with credit card data? Medical information? Information with personal sexual information (like a dating site)?
  • Sorry, I can't go into depth.
  • So the attacker is no longer the amateur at home at all, but a service provider in a functioning market. "For 40,000 euros you get the data of any company."
  • The main motivation is information theft, i.e. the theft of sensitive data. That is why this topic is also treated explicitly.
  • Nowadays you could start with the layer above, too - but don't ask me, ask the Ajax in Action guys about that.
  • There is a big dark area when it comes to blackmail. It usually happens at Christmas.
  • Services: sun-rpc, ftp, ssh, etc.

Presentation Transcript

  • High Security LAMPs, Dutch PHP Conference 2008

  • The guy in the front: Johann-Peter Hartmann
    - Full-time PHP developer since 3.0.4
    - likes PHP because people are nice and PHP is fun
    - likes security because security is fun
    - Founder and CTO of Mayflower GmbH
    - CEO of SektionEins GmbH, founded with Stefan Esser

  • Agenda
    - Where security happens
    - Distributed Denial of Service attacks
    - Server hardening
    - Apache hardening
    - MySQL hardening
    - PHP hardening
    - Application hardening

  • PHP Security: where are we right now?

  • Know your enemy (source: Breach 2007): pie chart of attacker motivation with the two segments Profit and Fun; the shares shown are 67 % and 33 %.

  • Why they attack you (source: Breach 2007): pie chart with the legend Information theft, Defacement, Malware, Unknown, Fraud, Blackmail, Link Spam, Worms, Phishing, Information Warfare; the shares shown, in the order they appear on the slide, are 42 %, 23 %, 15 %, 8 %, 3 %, 3 %, 3 %, 1 %, 1 %.

  • How they attack you (source: NSI 2006): pie chart with the legend SQL Injection, Information Disclosure, Known Exploits, XSS, Missing Authentication, Guessing of Logins/Sessions, OS Code Execution, Wrong configurations, Missing Anti-Automation, Denial of Service, Redirect, Wrong Session-Timeout, CSRF; the largest shares shown are 20 %, 17 %, 15 %, 12 %, 10 % and 8 %, the remaining ones 3 % or 2 % each.
  • A simple view on our favourite platform's stack: PHP application, Apache, MySQL, PHP, Linux, Network

  • Network attacks: DDoS (Distributed Denial of Service attacks)
    - from hundreds to millions of compromised computers (botnet)
    - sending out UDP, ICMP, TCP packet love, reflected DNS, smart attacks with HTTP
    - up to 25 GB/s

  • Distributed Denial of Service: it's a business model
    - Blackmail (in-ist-drin.de 7/2007, many more)
    - Political reasons (Estonia 5/2007, more than 1,000,000 computers in the botnet)
    - criminal activities (Anti-419, Anti-Dialer sites)
    - actually it was developed by and for script kiddies in IRC

  • How to protect against DDoS
    - You can't protect yourself
    - Your firewall won't help you if your uplink is smaller than 25 GB/s
    - Your provider can; ask for "DDoS Managed Security Services"
    - 2 solutions: blackhole your traffic, or use cleaning routers
    - you won't blackhole your Christmas business, and Cisco DDoS cleaning infrastructure is expensive

  • Safety for your local network
    - You got a firewall and a DMZ
    - Attack surface reduction: disable what is not needed (FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP)
    - for the non-public services you actually need: packet filtering and a dedicated management IP; better: use a VPN

  • How to secure Linux
    - Deactivate what you don't need
    - Uninstall what you don't need
    - Harden your kernel: deactivate unneeded kernel features, deactivate loadable kernel modules
    - Mandatory Access Control like SELinux or AppArmor

  • SELinux (Security Enhanced Linux)
    - developed by the NSA
    - pretty secure from a technical point of view
    - part of the mainline kernel 2.6 and Red Hat/Fedora
    - more than 700 different permission types

  • AppArmor: what it is
    - Originally "SubDomain", developed by Immunix ... bought by Novell
    - Default part of Novell/SuSE Linux
    - Open source, can easily be used within other Linux distributions
    - SELinux for idiots
    - We use it

  • AppArmor: what it does
    - simplified interface to Mandatory Access Control
    - based on file permissions and POSIX capabilities
    - based on filenames
    - rather simple workflow: you profile your software's permissions while using it; the profile defines the permissions needed (needs some rework, though)

  • Why AppArmor works for idiots
    - upload.php should be able to write to "/images/"
    - Default is always deny, so you need to enable it
    - SELinux: the docroot /var/www/html carries the label httpd_sys_content_t -> allowing writes means allowing them for the whole /var/www/html
    - AppArmor: /var/www/html/config.inc.php w
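What the slide's per-path grant looks like in a whole profile, as an added example that is not from the talk: the docroot stays read-only except for the one upload directory, and the configuration file gets an explicit deny. It assumes the Debian/Ubuntu Apache binary path /usr/sbin/apache2, the docroot /var/www/html, and PHP running as mod_php, so upload.php's writes happen inside the apache2 process this profile confines.

```apparmor
# Added example profile (not from the talk). Binary path, docroot and log
# locations are assumptions matching a Debian/Ubuntu layout.
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Bind port 80 as root, then drop to the web server user.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # The whole docroot is readable; nothing below it is writable by default.
  /var/www/html/** r,

  # The single writable location: the upload target used by upload.php.
  /var/www/html/images/** rw,

  # Redundant with the default deny, but documents the intent and wins over
  # any later, broader allow rule someone adds while profiling.
  deny /var/www/html/config.inc.php w,

  # Logs and runtime state.
  /var/log/apache2/* w,
  /var/run/apache2/** rw,
}
```

This is the slide's workflow in practice: load the profile with `aa-complain`, exercise the application (including an upload), review the logged denials with `aa-logprof`, then switch to `aa-enforce`. Because AppArmor matches on pathnames, the `rw` on `images/**` covers every file name under that directory; the upload handler still has to control the names it writes, and Apache should not execute anything stored there.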
  • Hardening Apache
    - Disable every module you don't need.
    - mod_parmguard: set validation rules for every parameter
    - mod_security: a free, small web application firewall; filters by regular expressions for every part of the request; default rulesets (gotroot)

  • mod_security
    - bought by Breach Security, dual-licensed
    - filtering the low-hanging fruit: code executions, inclusions, SQL injections, XSS
    - if a security issue is found, an error message (usually an error 500) is returned to the user
    - mod_security 2.0 is stateful and implements session support

  • Web Application Firewalls
    - granular security rules custom-tailored for your application
    - bridge, router, reverse proxy or embedded in your webserver; appliance or software
    - brute force mitigation, cookie encryption, URL mapping
    - can learn the default behavior of your application
    - HTTP parameters are normalized

  • MySQL Security
    - run MySQL in SELinux/AppArmor
    - deactivate networking: skip-networking
    - deactivate file access: set-variable = local-infile=0
    - remove all unneeded things: test databases, default users, default rights
    - only the needed user rights for a certain task
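The two settings from the slide as a my.cnf fragment, added here and not taken from the talk. The socket path and the example address are assumptions; the note on the `set-variable` prefix is the one caveat a practitioner hits when copying the slide verbatim onto a current server.

```ini
# Added example (not from the talk): [mysqld] section applying the slide's
# two settings. Paths and the address are assumptions.
[mysqld]
# No TCP listener at all; PHP on the same host connects through the Unix socket.
skip-networking
socket = /var/run/mysqld/mysqld.sock

# If the web tier runs on another host and networking cannot be disabled,
# replace skip-networking with a listener on the internal interface only:
# bind-address = 10.0.0.5      (constructed address)

# Disables LOAD DATA LOCAL INFILE, which otherwise lets an injected statement
# pull files from the client side into a table. The slide writes this as
# "set-variable = local-infile=0"; that prefix was deprecated in MySQL 4.0 and
# removed in 5.5, the bare form below works on every version since.
local-infile = 0
```

After a restart, `SHOW VARIABLES LIKE 'skip_networking';` should report ON and `SHOW VARIABLES LIKE 'local_infile';` OFF. The rest of the slide (dropping the test database, anonymous and remote root accounts) is what `mysql_secure_installation` walks through interactively; the per-task grants are then created for the application user only on its own schema.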
  • PHP Security: secure PHP configuration
    - Deactivate: allow_url_fopen, allow_url_include, display_errors, expose_php, file_support, file_uploads, force_redirect, magic_quotes_gpc, register_globals, use_trans_sid
    - Activate: memory_limit, post_max_size, session.save_path, upload_max_filesize, upload_tmp_dir

  • Suhosin Engine Patches: global protection for low-level bugs in PHP
    - Memory manager hardening (canary/safe-unlink)
    - Hashtable destructor protection
    - Protection against format string vulnerabilities
    - realpath() hardening

  • Suhosin Extension: protection against unknown PHP core level bugs
    - forbidden methods by vhost
    - Protection against remote inclusion
    - Transparent session/cookie encryption
    - Variable and upload filtering (poor man's WAF)

  • Suhosin Logging: for intrusion detection and configuration
    - supports several output channels: syslog, shell script, PHP script, file
    - several impact levels
    - log message with file, line and remote IP
    - simulation mode to tune Suhosin

  • Coding Guidelines
    - E_ALL/E_STRICT safe coding
    - no global variables, no variable scope overwriting
    - forbidden functions
    - constants are used where they can be used
    - parameter binding database API
    - libraries for CSRF protection, input validation, filtering, escaping, database access

  • Input / Output Flow in PHP
    - Input check: validation is done based on the knowledge of the expected content; if the input isn't valid, it should be deleted or sanitized
    - Output escaping: there are 5 escape methods for HTML, 1 for SQL, 2 for shell usage. No default escape.
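One request handled along the flow of the Coding Guidelines and Input / Output Flow slides (validate against expected content, reject or sanitize, bind parameters, escape per output context), as an added example that is not code from the talk. The table, column and DSN values are constructed, and PDO with native prepared statements stands in for the unnamed "parameter binding database API" on the slide.

```php
<?php
// Added example, not code from the talk. Table, column and DSN values are
// constructed for illustration; PDO with native prepared statements stands in
// for the slide's unnamed "parameter binding database API".
declare(strict_types=1);

// --- Input check: validate against the expected content, not against attacks.
// A category is one of a known set; a page number is a small positive integer.
const ALLOWED_CATEGORIES = ['books', 'music', 'games'];

function validateCategory(array $input): ?string
{
    $value = $input['category'] ?? null;
    // Strict in_array: no type juggling, so "0" or an array never matches.
    return (is_string($value) && in_array($value, ALLOWED_CATEGORIES, true)) ? $value : null;
}

function validatePage(array $input): int
{
    // Rejects "2abc", "0x10", negative and oversized values; invalid input is
    // sanitized to the first page instead of being passed on.
    $page = filter_var($input['page'] ?? '1', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $page === false ? 1 : $page;
}

// --- Output escaping, chosen per sink. PHP has no default escape, so every
// place where data leaves the application gets the function for that context.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// --- Database access: values travel as bound parameters, never as SQL text.
function fetchProducts(PDO $db, string $category, int $page, int $perPage = 20): array
{
    $stmt = $db->prepare(
        'SELECT name, price FROM products WHERE category = :category
         ORDER BY name LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':category', $category, PDO::PARAM_STR);
    // LIMIT/OFFSET need integer binding, which needs emulated prepares off (see below).
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function handleRequest(PDO $db, array $get): string
{
    $category = validateCategory($get);
    if ($category === null) {
        // Invalid input is rejected; the submitted value is not echoed back.
        http_response_code(400);
        return '<p>Unknown category.</p>';
    }
    $page = validatePage($get);

    $html = '<ul>';
    foreach (fetchProducts($db, $category, $page) as $row) {
        $html .= '<li>' . escapeHtml($row['name']) . ' (' . escapeHtml((string) $row['price']) . ')</li>';
    }
    $html .= '</ul>';
    // URL context: a different escape than the HTML body above.
    $html .= '<a href="?category=' . escapeUrlParam($category) . '&amp;page=' . ($page + 1) . '">next</a>';
    return $html;
}

// Constructed DSN: local socket only (matches skip-networking on the MySQL slide);
// credentials come from the environment rather than from a file inside the docroot.
$db = new PDO(
    'mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=shop;charset=utf8mb4',
    'shop_web',
    getenv('SHOP_DB_PASSWORD') ?: ''
);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

echo handleRequest($db, $_GET);
```

The three stages are kept in separate functions on purpose: validation knows what a category and a page are and nothing about SQL or HTML; the query never sees unbound user data; and the escaping function is picked at the sink, since the slide's point is that an HTML escape does nothing for a URL or a shell argument. With `display_errors` off and `ERRMODE_EXCEPTION` on, a failing query produces a logged exception rather than a leaked error message.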
  • PHP-IDS
    - It's an IDS, not an XSS filter
    - Better-than-nothing solution, like mod_security
    - there has always been an IDS evasion
    - no excuse to abandon proper validation, filtering and escaping
    - Can be used to detect attacks and react in the application

  • Questions? Contact me at: johann-peter.hartmann@sektioneins.de