Securing PHP Application


Webinar topic: Securing PHP Application
Presenter: Achmad Mardiansyah

In this webinar series, We are discussing Securing PHP Application

Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/en/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram

Recording available on Youtube
https://youtu.be/OgUxwPz0Igc


Securing PHP Application

Slide 1: Securing PHP application
GLC Webinar, 10 Jun 2021
Achmad Mardiansyah, achmad@glcnetworks.com, GLC Networks, Indonesia

Slide 2: Agenda
● Introduction
● Review prerequisite knowledge
● PHP security layers
● Tips and tricks
● Live practice
● Q & A

Slide 3: Introduction

Slide 4: What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular events

Slide 5: Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah

Slide 6: Past experience
● 2021 (Congo DRC, Malaysia): network support, radius/billing integration
● 2020 (Congo DRC, Malaysia): IoT integration, network automation
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one

Slide 7: About the GLC webinar
● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, database, programming, etc.
● Regular schedule
● Irregular schedule: as needed
● Checking the schedule: http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge, experiences, information

Slide 8: Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your Mikrotik experience?
● Your expectations from this course?

Slide 9: Prerequisite
● This presentation requires some prerequisite knowledge
● We assume you already know:
○ How HTTP works
○ How a PHP application works
○ Computer networks
○ Linux system administration

Slide 10: Review prerequisite knowledge
Slide 11: What is cyber security?
Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity, and availability of information. Security is a very subjective term: every person has their own definition of security, which is why there are many standards in security.

Slide 12: Types of security
● Computer security: generic name for the collection of tools designed to protect data and to thwart hackers
● Network security: measures to protect data during their transmission
● Internet security: measures to protect data during their transmission over a collection of interconnected networks

Slide 13: Goals of information security (CIA)
● Confidentiality: prevents unauthorized use or disclosure of information
● Integrity: safeguards the accuracy and completeness of information
● Availability: authorized users have reliable and timely access to information

Slide 14: 7 OSI layers & protocols
● The OSI layer model is a conceptual model from ISO (International Organization for Standardization) for the OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information to get your message to arrive at the destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (before becoming a PDU)
○ PDU: protocol data unit (after the header is added)

Slide 15: Layered model (TCP/IP vs ISO) and encapsulation (diagram)

Slide 16: (diagram only)

Slide 17: Website stack (diagram). Source: http://developer.mozilla.org/

Slide 18: PHP application flow (diagram)

Slide 19: Web server vs application server? (static vs dynamic content)

Slide 20: Application components
1. Network
2. Operating system (Linux)
3. Web server (e.g. Apache)
4. Application server (e.g. PHP)
5. Code execution
Slide 21: PHP security layers

Slide 22: Network
● Implement a network firewall
○ OPNsense, pfSense
○ Sophos, Fortigate
● Features:
○ Country filtering
○ IDS support
○ DPI (deep packet inspection) support
■ Malware detection
○ DDoS prevention support

Slide 23: OS layer
● Implement an OS firewall
○ nftables/iptables
● Activate MAC (mandatory access control)
○ SELinux

Slide 24: Web server layer (Apache)
● Implement HTTPS
● Use MPM event/worker to save resources
● Activate logging
● Implement access lists
● Use additional modules:
○ mod_evasive (originally mod_dosevasive)
○ mod_security
Slide 25: Application server (PHP) layer
● Update the PHP version regularly
● PHP configuration (php.ini):
○ Limit directory access → use open_basedir
○ Disable some functions
○ Disable the display_errors option
● Run the PHP application in a chroot environment
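The three php.ini points on this slide can be checked from inside PHP itself, which is useful because the CLI and the web SAPI often load different ini files. The following audit script is an added example, not part of the webinar material; it reads the live values with ini_get() and prints a recommended php.ini line for each setting that is still weak. The directive names (open_basedir, disable_functions, display_errors) are real; the function list in EXPECTED_DISABLED and the paths in the recommended open_basedir line are constructed for illustration and should be chosen per application.

```php
<?php
// Added example (not from the slides): audit the running PHP configuration
// against the php.ini hardening points from the slide:
// open_basedir, disable_functions and display_errors.
// Run it with the SAPI that actually serves the application (e.g. via the
// web server, not only "php audit.php"), because ini values differ per SAPI.

declare(strict_types=1);

// Functions this check expects to be blocked. Constructed list for
// illustration; pick the set that your own application never needs.
const EXPECTED_DISABLED = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'];

/**
 * Returns a list of findings; an empty array means all checks passed.
 * Each finding is [directive, current value, recommended php.ini line(s)].
 */
function auditPhpIni(): array
{
    $findings = [];

    // 1. open_basedir: restrict file access to the application tree.
    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = ['open_basedir', '(unset)',
            'open_basedir = /var/www/app:/tmp   ; constructed example paths'];
    }

    // 2. disable_functions: is every expected function actually blocked?
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $missing  = array_diff(EXPECTED_DISABLED, $disabled);
    if ($missing !== []) {
        $findings[] = ['disable_functions', implode(',', $disabled) ?: '(unset)',
            'disable_functions = ' . implode(',', EXPECTED_DISABLED)];
    }

    // 3. display_errors: stack traces and file paths must not reach the browser.
    // ini_get() returns the raw string, so "1", "On" and "stdout" all mean enabled.
    $display = strtolower((string) ini_get('display_errors'));
    if (!in_array($display, ['', '0', 'off', 'false', 'no'], true)) {
        $findings[] = ['display_errors', $display,
            'display_errors = Off' . PHP_EOL . '      log_errors = On'];
    }

    return $findings;
}

$findings = auditPhpIni();
foreach ($findings as [$directive, $current, $fix]) {
    printf("WEAK  %-17s current: %s\n      recommended: %s\n", $directive, $current, $fix);
}
if ($findings === []) {
    echo "OK    open_basedir, disable_functions and display_errors are hardened\n";
}
```

Because display_errors is replaced by log_errors in the recommendation, errors still get recorded; they just go to the server log instead of the visitor's browser.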
Slide 26: Code layer
● Input sanitization
○ Always check incoming data
○ Some issues:
■ SQL injection → use prepared statements
■ XSS (cross-site scripting) → escape input
● Don't put the framework folder inside the webroot
● Use hash + salt
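The three code-layer points on this slide (prepared statements against SQL injection, escaping against XSS, hash + salt for passwords) are shown together in the following script. It is an added example, not code from the webinar; it uses PDO with an in-memory SQLite database so it runs without a database server, and the users table, its two rows and the hostile inputs are all constructed sample data. The vulnerable query is kept next to the prepared one so the difference in result is visible.

```php
<?php
// Added example (not from the slides): the code-layer issues from the slide,
// each shown as the vulnerable pattern next to the fixed one.
// SQLite in memory keeps it self-contained; all data below is constructed.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)');

// "Use hash + salt": password_hash() generates a random salt per password and
// stores it inside the returned string, so no separate salt column is needed.
$insert = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute([':u' => 'bob',   ':h' => password_hash('battery staple', PASSWORD_DEFAULT)]);

// --- SQL injection --------------------------------------------------------
// Vulnerable: the incoming value becomes part of the SQL text.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: prepared statement; the value travels as data and is never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed hostile input: a quote that closes the string literal.
$hostile = "x' OR '1'='1";
echo 'vulnerable: ', implode(',', findUserVulnerable($pdo, $hostile)), "\n"; // every user leaks
echo 'prepared:   ', implode(',', findUserSafe($pdo, $hostile)) ?: '(none)', "\n"; // nothing matches

// --- XSS ------------------------------------------------------------------
// "Always check incoming data": validate the shape first and reject what does
// not fit, then escape whatever is echoed back into HTML.
function validateUsername(string $raw): ?string
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

function escapeHtml(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attributes quoted either way; ENT_SUBSTITUTE replaces invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$raw  = '<script>alert(1)</script>';                 // constructed hostile input
$name = validateUsername($raw) ?? 'guest';            // rejected, falls back to a default
echo '<p>Hello, ' . escapeHtml($name) . '</p>', "\n"; // "guest"
echo '<p>You typed: ' . escapeHtml($raw) . '</p>', "\n"; // tags rendered as text, not executed

// --- password check -------------------------------------------------------
$stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = :u');
$stmt->execute([':u' => 'alice']);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump(password_verify('correct horse', $row['pw_hash'])); // bool(true)
var_dump(password_verify('wrong',         $row['pw_hash'])); // bool(false)
```

The slide says "escape input"; the script validates on input and escapes at the moment the value is written into HTML, which is where the escaping rules (HTML body, attribute, JavaScript, URL) are actually known. Validation and escaping are separate steps, and both are needed.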
Slide 27: Tips and tricks

Slide 28: Tips and tricks
● Implement all the security layers above as far as you can

Slide 29: Live practice

Slide 30: Preparation
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password

Slide 31: Q & A

Slide 32: Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences, best practices, and network

Slide 33: End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further events on our website: https://www.glcnetworks.com/en/
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned to our schedule
● Any questions?
