Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)
© 2017 Rogue Wave Software, Inc. All Rights Reserved.
Overview
Agenda: PHP, Apache and OpenSSL vulnerabilities
OPENSSL
OpenSSL
OpenSSL is a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols
• Provides encryption tools
• Allows Apache and other web servers to encrypt traffic
• Provides many other tools
OpenSSL
• 1998 to 2010: versions 0.9.1 through 0.9.8
• Current version: 1.1.0, released 2016
• Companies still run production on 0.9.8, which is 7-12 years old
OpenSSL - CLI
• openssl version
• openssl version -a (build details, including the compiler flags)
• openssl ciphers -v (cipher list; see man ciphers for more information)
• openssl speed (benchmark tool)
Heartbleed
• The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When exploited it leaks memory contents from the server to the client and from the client to the server.
• "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
• Affects
– OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
– OpenSSL 1.0.1g is NOT vulnerable
– OpenSSL 1.0.0 branch is NOT vulnerable
– OpenSSL 0.9.8 branch is NOT vulnerable
• Mitigation
– Use 1.0.1g or newer.
– Build with -DOPENSSL_NO_HEARTBEATS, which compiles the heartbeat extension out entirely.
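The version ranges and the two mitigations above can be turned into a quick inventory check. The script below is an added example, not part of the Rogue Wave slides: it classifies the output of `openssl version -a` (the version string decides vulnerable / patched / not-affected, and the `compiler:` line shows whether the build used -DOPENSSL_NO_HEARTBEATS). The function names and the sample outputs are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the Rogue Wave slides: classify an OpenSSL build
# against the Heartbleed (CVE-2014-0160) ranges and mitigations listed above.
# The function names and the sample `openssl version -a` outputs are this
# example's own constructions.

# heartbleed_status LINE: LINE is the first line of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013". Prints vulnerable | patched | not-affected.
heartbleed_status() {
  ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
  case "$ver" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;   # 1.0.1 through 1.0.1f inclusive
    1.0.1*)                               echo patched ;;      # 1.0.1g or later on the same branch
    *)                                    echo not-affected ;; # 0.9.8, 1.0.0, 1.0.2, 1.1.0 never had it
  esac
}

# heartbeats_disabled OUTPUT: OUTPUT is the full `openssl version -a` text, whose
# "compiler:" line carries the build flags. Succeeds when the heartbeat extension
# was compiled out with -DOPENSSL_NO_HEARTBEATS (the slide's second mitigation).
heartbeats_disabled() {
  printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# check_openssl_build OUTPUT: combines both checks on `openssl version -a` text.
check_openssl_build() {
  status=$(heartbleed_status "$(printf '%s\n' "$1" | head -n 1)")
  if [ "$status" = vulnerable ] && heartbeats_disabled "$1"; then
    echo mitigated            # vulnerable version string, but the bug is compiled out
  else
    echo "$status"
  fi
}

# Constructed sample outputs (shape of `openssl version -a`; dates and flags invented for the demo).
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Mar 11 10:00:00 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O3'
SAMPLE_MITIGATED='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O3'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_OTHER='OpenSSL 1.0.2k-fips  26 Jan 2017'

for s in "$SAMPLE_VULN" "$SAMPLE_MITIGATED" "$SAMPLE_FIXED" "$SAMPLE_OTHER"; do
  printf '%-36s %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(check_openssl_build "$s")"
done
# On a live host: check_openssl_build "$(openssl version -a)"
```

Two caveats for the "patched" and "not-affected" answers: distribution vendors backported the fix into packages that still report 1.0.1e, so on a packaged OpenSSL the version string alone is inconclusive and the package changelog is the authority; and a host that ever served traffic with a vulnerable build still needs new keys and reissued certificates, which is why the next slide lists those steps alongside the upgrade.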
Heartbleed in the Community
• Venafi scan, one year later (2015)
– Of the Forbes Global 2000, 1642 had not done anything to remediate
• What should they do?
– Upgrade OpenSSL
– Create new keys
– Reissue certificates
OpenSSL - DoS
• CVE-2017-3733
• What is DoS (denial of service)?
• Affected versions include 0.9.8 – 1.1.0 (not 1.0.2)
• Mitigation
– Upgrade OpenSSL to 1.1.0e
– Or use OpenSSL 1.0.2
• 0.9.8 reached end of life in December 2015 (DO NOT USE)
OpenSSL – How to avoid vulnerabilities
• Stay current - https://www.openssl.org/news/
• CVEs - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl
• OpenUpdate from Rogue Wave
• Ensure your OpenSSL is up to date
OpenSSL Vulnerabilities
• DROWN
– A serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication.
• HEARTBLEED
– Man-in-the-middle (MITM) attack
• DoS vulnerabilities
• Other MITM
– Symantec discovered a vulnerability that affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately upgrade to 1.0.1p.
OpenSSL Installation
• OpenSSL is preinstalled on many operating systems.
• Building is simple
– Get the source
– Configure
– Compile
– Install
– Reference the new OpenSSL when building other products
Apache Web Server
Apache Web Server
• A community-developed web server with a very large installed base
• Current versions
– 2.4.29
– 2.2.34 (FINAL)
• 2.2 was EOL'd in June 2017, with security updates until December 2017
• Approx. 68 million public instances of Apache Web Server in use (builtwith.com)
– More than 70% run vulnerable versions
Apache Vulnerabilities
• 0-day – What is it?
• 2.2 vulnerabilities
– OptionsBleed – CVE-2017-9798
• Ignore the .htaccess file
– Uninitialized memory reflection – CVE-2017-9788
• Affects 2.2.0 – 2.2.32 (fixed in 2.2.34)
• Reveals confidential information
– Authentication bypass – CVE-2017-3167
CVE
Apache 2.2.22 vulnerabilities
• DoS
– http://www.cvedetails.com/cve/CVE-2014-0098/
– http://www.cvedetails.com/cve/CVE-2013-6438/
– http://www.cvedetails.com/cve/CVE-2014-0231/
– http://www.cvedetails.com/cve/CVE-2013-1896/
• XSS
– http://www.cvedetails.com/cve/CVE-2012-4558/
– http://www.cvedetails.com/cve/CVE-2012-3499/
• Code execution
– http://www.cvedetails.com/cve/CVE-2013-1862/
Apache 2.2 Additional Vulnerabilities
• important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
• important: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
• important: mod_ssl Null Pointer Dereference (CVE-2017-3169)
• important: ap_find_token() Buffer Overread (CVE-2017-7668)
• important: mod_mime Buffer Overread (CVE-2017-7679)
• important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
• n/a: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387)
• low: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
• important: mod_cgid denial of service (CVE-2014-0231)
• low: HTTP Trailers processing bypass (CVE-2013-5704)
• moderate: mod_deflate denial of service (CVE-2014-0118)
• moderate: mod_status buffer overflow (CVE-2014-0226)
• low: mod_log_config crash (CVE-2014-0098)
• moderate: mod_dav crash (CVE-2013-6438)
• low: mod_rewrite log escape filtering (CVE-2013-1862)
• moderate: mod_dav crash (CVE-2013-1896)
• low: XSS due to unescaped hostnames (CVE-2012-3499)
• moderate: XSS in mod_proxy_balancer (CVE-2012-4558)
• low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)
– Note: This issue is also known as CVE-2008-0455.
• low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
• low: mod_proxy_ajp remote DoS (CVE-2012-4557)
• low: mod_setenvif .htaccess privilege escalation (CVE-2011-3607)
• low: mod_log_config crash (CVE-2012-0021)
• low: scoreboard parent DoS (CVE-2012-0031)
• moderate: mod_proxy reverse proxy exposure (CVE-2011-4317)
• moderate: error responses can expose cookies (CVE-2012-0053)
• low: mod_deflate DoS (CVE-2009-1891)
• low: AllowOverride Options handling bypass (CVE-2009-1195)
• low: CRLF injection in mod_negotiation when untrusted uploads are supported (CVE-2008-0456)
• moderate: APR-util off-by-one overflow (CVE-2009-1956)
• moderate: APR-util XML DoS (CVE-2009-1955)
• moderate: APR-util heap underwrite (CVE-2009-0023)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2791)
• low: mod_proxy_ftp globbing XSS (CVE-2008-2939)
• low: mod_proxy_balancer CSRF (CVE-2007-6420)
• moderate: mod_proxy_http DoS (CVE-2008-2364)
• low: mod_proxy_ftp UTF-7 XSS (CVE-2008-0005)
• low: mod_proxy_balancer DoS (CVE-2007-6422)
• low: mod_proxy_balancer XSS (CVE-2007-6421)
• moderate: mod_status XSS (CVE-2007-6388)
• moderate: mod_imagemap XSS (CVE-2007-5000)
• moderate: mod_proxy crash (CVE-2007-3847)
• moderate: mod_status cross-site scripting (CVE-2006-5752)
• moderate: Signals to arbitrary processes (CVE-2007-3304)
• moderate: mod_cache information leak (CVE-2007-1862)
• moderate: mod_cache proxy DoS (CVE-2007-1863)
• important: mod_rewrite off-by-one error (CVE-2006-3747)
• low: mod_ssl access control DoS (CVE-2005-3357)
• moderate: mod_imap Referer Cross-Site Scripting (CVE-2005-3352)
• moderate: mod_proxy_ajp remote DoS (CVE-2011-3348)
• important: Range header remote DoS (CVE-2011-3192)
– Advisory: CVE-2011-3192.txt
• moderate: apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419)
• low: expat DoS (CVE-2009-3720)
• low: expat DoS (CVE-2009-3560)
• low: apr_brigade_split_line DoS (CVE-2010-1623)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2068)
– http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
– http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
– http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
• low: mod_cache and mod_dav DoS (CVE-2010-1452)
• important: mod_isapi module unload flaw (CVE-2010-0425)
• low: Subrequest handling of request headers (mod_headers) (CVE-2010-0434)
• moderate: mod_proxy_ajp DoS (CVE-2010-0408)
• low: mod_proxy_ftp DoS (CVE-2009-3094)
• low: mod_proxy_ftp FTP command injection (CVE-2009-3095)
• moderate: Solaris pollset DoS (CVE-2009-2699)
• low: APR apr_palloc heap overflow (CVE-2009-2412)
• important: mod_proxy reverse proxy DoS (CVE-2009-1890)
• important: mod_proxy_ajp information disclosure (CVE-2009-1191)
Apache - Upgrading
• UPGRADE TO 2.4
– Not that complicated
– Most setups that run 2.2 will run 2.4
• http://httpd.apache.org/docs/2.4/upgrading.html
• 2.2 configuration: Order deny,allow / Deny from all
– 2.4 equivalent: Require all denied
• 2.2 configuration: Order allow,deny / Allow from all
– 2.4 equivalent: Require all granted
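The two rewrites on this slide are mechanical, and on a large 2.2 configuration it is worth doing them mechanically so that nothing is missed. The script below is an added example, not from the slides or the Apache project: it converts exactly the two all/all idioms above to their `Require` form and marks anything else (host lists, multiple Allow/Deny lines) for manual review rather than guessing at a translation. The function name and the sample configuration are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the slides or the Apache project: rewrite the two
# 2.2-era access-control idioms shown on this slide into their 2.4 Require form
# and flag anything else for manual review instead of guessing. The function
# name and the sample configuration are this example's own constructions.

# migrate_access_control: reads 2.2-style httpd.conf text on stdin, writes 2.4 text on stdout.
migrate_access_control() {
  awk '
    function indent_of(s) { match(s, /^[ \t]*/); return substr(s, 1, RLENGTH) }
    # Emit the held Order line plus its Allow/Deny lines: converted when they are
    # the simple all/all forms, otherwise unchanged and marked for review.
    function emit_group(   l) {
      if (n == 1 && tolower(rules[1]) ~ /^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$/)
        print indent_of(rules[1]) "Require all denied"
      else if (n == 1 && tolower(rules[1]) ~ /^[ \t]*allow[ \t]+from[ \t]+all[ \t]*$/)
        print indent_of(rules[1]) "Require all granted"
      else {
        print indent_of(order) "# REVIEW: host-specific or multi-line rule; convert by hand or keep mod_access_compat"
        print order
        for (l = 1; l <= n; l++) print rules[l]
      }
      order = ""; n = 0
    }
    { line = tolower($0) }
    line ~ /^[ \t]*order[ \t]+(deny,allow|allow,deny)[ \t]*$/ {
      if (order != "") emit_group()
      order = $0; n = 0; next                      # hold it; the following lines decide the form
    }
    order != "" && line ~ /^[ \t]*(allow|deny)[ \t]+from[ \t]/ { rules[++n] = $0; next }
    order != "" { emit_group() }                   # any other line ends the group
    { print }
    END { if (order != "") emit_group() }
  '
}

# Constructed 2.2 fragment: the two idioms from the slide plus one host-specific rule.
SAMPLE_22_CONF='<Directory />
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
</Directory>
<Location /status>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Location>'

printf '%s\n' "$SAMPLE_22_CONF" | migrate_access_control
# On a real file: migrate_access_control < httpd.conf > httpd.conf.2.4 (then diff and review)
```

The third block is deliberately left for a human: in 2.4 it becomes `Require ip 10.0.0.0/8`, which grants that range and denies everyone else. Loading mod_access_compat keeps the old directives working during a transition, but the upgrade guide linked on the slide warns against mixing the two styles within one scope, so the goal is a configuration with no `Order`, `Allow from` or `Deny from` left at all.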
Hardening Apache 2
• What is hardening?
• ServerSignature
– Turn it off (ServerSignature Off)
– Prevents error pages from displaying information about the server
• Turn off directory listings
– Options -Indexes
• Check for unused modules
– httpd.conf (LoadModule lines)
• Use dedicated users / groups
– httpd.conf – User / Group directives
Hardening Apache 2 - Cont
– Use Allow and Deny on directories
• <Directory> ... Deny from all (2.2 syntax; Require all denied in 2.4)
– Install mod_security
• yum install mod_security (RHEL/CentOS, from EPEL) or apt-get install libapache2-modsecurity (Debian/Ubuntu)
– Use mod_evasive
– Disable symlink following
• Options -FollowSymLinks
– Turn off server-side includes
• Options -Includes
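The items on these two hardening slides are all visible in httpd.conf, so they can be audited without touching the server. The script below is an added example, not from the slides: it reads a configuration file and reports each item that contradicts the slides (ServerSignature, directory listings, symlinks, server-side includes, unprivileged User/Group, the module inventory, mod_security and mod_evasive). It also checks ServerTokens, which the slides do not mention but which controls the same kind of disclosure in the Server header. Function names and both sample configurations are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the slides: a read-only audit of an httpd.conf against
# the hardening items on the two slides above. ServerTokens is checked as well,
# which the slides do not mention. Function names and both sample configs are
# this example's own constructions; nothing here modifies the server.

TAB=$(printf '\t')
WS="[ $TAB]"

# active_lines NAME FILE: non-comment lines that start with directive NAME (directives are case-insensitive)
active_lines() { grep -i "^$WS*$1$WS" "$2" | grep -v "^$WS*#" || true; }

# option_enabled OPT FILE: succeeds if any Options line turns OPT on (bare or +OPT) or uses All
option_enabled() {
  active_lines Options "$2" | grep -Eqi "(^|$WS|\+)($1|All)(${WS}|\$)"
}

# audit_httpd_conf FILE: prints one FINDING/INFO line per item; always returns 0
audit_httpd_conf() {
  f=$1
  if active_lines ServerSignature "$f" | grep -Eqi "$WS(On|EMail)"; then
    echo "FINDING: ServerSignature is On (error pages disclose version and host)"
  fi
  if ! active_lines ServerTokens "$f" | grep -qi "Prod"; then
    echo "FINDING: ServerTokens is not Prod (Server header discloses version and modules)"
  fi
  for opt in Indexes FollowSymLinks Includes; do
    if option_enabled "$opt" "$f"; then
      echo "FINDING: Options enables $opt; use -$opt (or omit it) in every Directory"
    fi
  done
  for d in User Group; do
    who=$(active_lines "$d" "$f" | awk '{ print $2 }' | head -n 1)
    case "${who:-missing}" in
      root|missing) echo "FINDING: $d is ${who:-not set}; run worker processes as an unprivileged account" ;;
    esac
  done
  n=$(active_lines LoadModule "$f" | wc -l | tr -d ' ')
  echo "INFO: $n LoadModule lines; review each module against what the site actually needs"
  for m in mod_security2 mod_evasive; do
    active_lines LoadModule "$f" | grep -q "$m" || echo "FINDING: $m is not loaded"
  done
  return 0
}

# count_findings FILE: number of FINDING lines, for scripts and tests
count_findings() { audit_httpd_conf "$1" | grep -c '^FINDING' || true; }

# Constructed sample configurations: one as the slides warn against, one as they recommend.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
ServerSignature On
ServerTokens Full
User root
Group root
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes
</Directory>
EOF
cat > "$WORK/hardened.conf" <<'EOF'
ServerSignature Off
ServerTokens Prod
User apache
Group apache
LoadModule ssl_module modules/mod_ssl.so
LoadModule security2_module modules/mod_security2.so
LoadModule evasive20_module modules/mod_evasive24.so
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes
    Require all granted
</Directory>
EOF
WEAK_CONF=$WORK/weak.conf; HARD_CONF=$WORK/hardened.conf
echo "== weak =="; audit_httpd_conf "$WEAK_CONF"
echo "== hardened =="; audit_httpd_conf "$HARD_CONF"
# On a live host: audit_httpd_conf /etc/httpd/conf/httpd.conf (and each file it Includes)
```

The audit reads one file at a time; a real httpd.conf pulls in conf.d and vhost files through Include, and `.htaccess` files can re-enable Options wherever AllowOverride permits, so run it over every included file and keep AllowOverride as tight as the site allows.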
Apache 2 Hardening
• The web is your friend!!!
• https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/f
PHP
PHP 5 – 7
• PHP is in use everywhere
• PHP 5 has over 500 vulnerabilities (Mitre.org)
• Upgrade to PHP 7
– Lots of information on migration
– http://php.net/manual/en/migration70.php
• If you have to use 5, harden it
PHP 5.5.9 exploit – moadmin
Mongo admin tool
• Allows execution of code
• Not PHP's fault
• Large negative impact
Hardening PHP
• Disable URL fopen wrappers
– allow_url_fopen
• Limit process time / input time
– max_input_time
– max_execution_time
• Limit script memory
– memory_limit
• Turn register globals off
– register_globals
Hardening PHP - Cont
• Don't expose PHP in the response
– expose_php
• Force redirect (the CGI binary only runs via the web server)
– cgi.force_redirect
• Impose input restrictions
– post_max_size
– max_input_vars
• Do not display error information
– display_errors = Off
– display_startup_errors
Hardening PHP - Cont
• Log errors
– log_errors
– error_log
• Restrict file access
– open_basedir
• File uploads
– file_uploads
– upload_max_filesize
• Session security
• Cookie security
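The directives on the three Hardening PHP slides live in php.ini, where a setting can be shadowed by a later definition, spelled as On/1/true, or given in byte shorthand, so a grep for the name is not a reliable check. The script below is an added example, not from the slides: it parses php.ini the way PHP does and reports each directive that contradicts the slides, including the two "unlimited" values (max_execution_time 0 and memory_limit -1) and an upload_max_filesize larger than post_max_size. Function names and both sample ini files are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the slides: read-only audit of a php.ini against the
# directives on the three Hardening PHP slides, following PHP's ini conventions
# (';' comments, [sections], last definition wins, On/1/true/yes are true,
# K/M/G byte shorthand). Function names and both samples are this example's own.

# ini_get_raw FILE KEY: last active value of KEY, quotes and trailing comment stripped; empty if unset
ini_get_raw() {
  awk -v key="$2" '
    /^[ \t]*[;#]/ || /^[ \t]*\[/ || !/=/ { next }
    {
      k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
      if (k != key) next
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*;.*$/, "", v); sub(/[ \t]*$/, "", v)
      gsub(/^"|"$/, "", v); val = v
    }
    END { print val }' "$1"
}

# ini_bool VALUE: on|off using PHP's ini boolean rules (unset counts as off)
ini_bool() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    1|on|true|yes) echo on ;;
    *)             echo off ;;
  esac
}

# ini_bytes VALUE: byte count for PHP's shorthand (8K, 128M, 2G); -1 is PHP's "no limit"
ini_bytes() {
  n=$(printf '%s' "$1" | sed 's/[^0-9-].*$//'); n=${n:-0}
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *k) echo $((n * 1024)) ;;
    *m) echo $((n * 1024 * 1024)) ;;
    *g) echo $((n * 1024 * 1024 * 1024)) ;;
    *)  echo "$n" ;;
  esac
}

# audit_php_ini FILE: one FINDING line per directive that contradicts the slides; always returns 0
audit_php_ini() {
  f=$1
  for d in allow_url_fopen register_globals expose_php display_errors display_startup_errors; do
    [ "$(ini_bool "$(ini_get_raw "$f" $d)")" = off ] || echo "FINDING: $d is enabled"
  done
  for d in log_errors cgi.force_redirect; do
    [ "$(ini_bool "$(ini_get_raw "$f" $d)")" = on ] || echo "FINDING: $d is not explicitly On"
  done
  for d in error_log open_basedir; do
    [ -n "$(ini_get_raw "$f" $d)" ] || echo "FINDING: $d is not set"
  done
  case "$(ini_get_raw "$f" max_execution_time)" in
    "") echo "FINDING: max_execution_time is not set explicitly" ;;
    0)  echo "FINDING: max_execution_time is 0 (no limit)" ;;
  esac
  m=$(ini_get_raw "$f" memory_limit)
  if [ -z "$m" ] || [ "$(ini_bytes "$m")" -lt 0 ]; then
    echo "FINDING: memory_limit is ${m:-unset} (-1 removes the per-script limit)"
  fi
  post=$(ini_get_raw "$f" post_max_size); up=$(ini_get_raw "$f" upload_max_filesize)
  if [ -n "$post" ] && [ -n "$up" ] && [ "$(ini_bytes "$up")" -gt "$(ini_bytes "$post")" ]; then
    echo "FINDING: upload_max_filesize ($up) exceeds post_max_size ($post); the smaller one wins"
  fi
  return 0
}

# count_php_findings FILE: number of FINDING lines
count_php_findings() { audit_php_ini "$1" | grep -c '^FINDING' || true; }

# Constructed samples: a development-style ini left on a production host, and a hardened one.
WORK=$(mktemp -d)
cat > "$WORK/weak.ini" <<'EOF'
[PHP]
; development settings left in place
allow_url_fopen = On
register_globals = On
expose_php = On
display_errors = On
display_startup_errors = On
log_errors = Off
max_execution_time = 0
memory_limit = -1
post_max_size = 8M
upload_max_filesize = 32M   ; larger than post_max_size
EOF
cat > "$WORK/hardened.ini" <<'EOF'
allow_url_fopen = Off
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
cgi.force_redirect = 1
open_basedir = "/var/www/html:/tmp"
max_execution_time = 30
memory_limit = 128M
post_max_size = 8M
upload_max_filesize = 2M
EOF
WEAK_INI=$WORK/weak.ini; HARD_INI=$WORK/hardened.ini
echo "== weak =="; audit_php_ini "$WEAK_INI"
echo "== hardened =="; audit_php_ini "$HARD_INI"
# On a live host: audit_php_ini "$(php -r 'echo php_ini_loaded_file();')"
```

register_globals is only flagged when it is explicitly On: the directive exists up to PHP 5.3, and on 5.4 and later setting it in php.ini only produces a startup warning, so the hardened sample omits it. The build script later in the deck uses a conf.d scan directory, and a drop-in there can override any of these values, so audit the scan directory as well as the main file.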
Building PHP 7
How to build PHP 7 (the slide's commands, one per line; the www.conf settings and the systemd unit are file contents, shown as comments)
sudo yum install git gcc gcc-c++ libxml2-devel pkgconfig openssl-devel bzip2-devel curl-devel \
  libpng-devel libjpeg-devel libXpm-devel freetype-devel gmp-devel libmcrypt-devel mariadb-devel \
  aspell-devel recode-devel autoconf bison re2c libicu-devel
sudo mkdir /usr/local/php7
git clone https://github.com/php/php-src.git
cd php-src
git checkout PHP-7.0.2
./buildconf --force
./configure --prefix=/usr/local/php7 --with-config-file-path=/usr/local/php7/etc \
  --with-config-file-scan-dir=/usr/local/php7/etc/conf.d --enable-bcmath --with-bz2 --with-curl \
  --enable-filter --enable-fpm --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir \
  --with-png-dir --enable-intl --enable-mbstring --with-mcrypt --enable-mysqlnd \
  --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd \
  --with-pdo-sqlite --disable-phpdbg --disable-phpdbg-webhelper --enable-opcache --with-openssl \
  --enable-simplexml --with-sqlite3 --enable-xmlreader --enable-xmlwriter --enable-zip --with-zlib
make -j2
sudo make install
sudo mkdir /usr/local/php7/etc/conf.d
sudo cp -v ./php.ini-production /usr/local/php7/lib/php.ini
sudo cp -v ./sapi/fpm/www.conf /usr/local/php7/etc/php-fpm.d/www.conf
sudo cp -v ./sapi/fpm/php-fpm.conf /usr/local/php7/etc/php-fpm.conf
# Optional: enable OPcache through a conf.d drop-in (sudo vi /usr/local/php7/etc/conf.d/modules.ini) containing:
#   zend_extension=opcache.so
# Edit the FPM pool (sudo vi /usr/local/php7/etc/php-fpm.d/www.conf) so it runs unprivileged and its socket is owned by the web server:
#   user = centos
#   group = centos
#   listen = /var/run/php-fpm.sock
#   listen.owner = apache
#   listen.group = apache
sudo ln -s /usr/local/php7/sbin/php-fpm /usr/sbin/php-fpm
# Create /usr/lib/systemd/system/php-fpm.service with:
#   [Unit]
#   Description=The PHP FastCGI Process Manager
#   After=syslog.target network.target
#   [Service]
#   Type=simple
#   PIDFile=/run/php-fpm/php-fpm.pid
#   ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /usr/local/php7/etc/php-fpm.conf
#   ExecReload=/bin/kill -USR2 $MAINPID
#   [Install]
#   WantedBy=multi-user.target
sudo mkdir /run/php-fpm
chkconfig --levels 235 php-fpm on   # on a systemd host the equivalent is: systemctl enable php-fpm
systemctl start php-fpm
# Put in test.php to verify the install, then delete it: phpinfo() discloses the full configuration
<?php phpinfo(); ?>
Building PHP 7
How to build
• Get the source
• Get the dependencies
• Grab additional files for anything you want to enable
• ./configure --help is your friend
• Ask Rogue Wave experts
Questions…?

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)

  • 1. © 2017 Rogue Wave Software, Inc. All Rights Reserved.
  • 2. Overview
    Date
    Location
    Agenda: PHP, Apache and OpenSSL vulnerabilities
  • 3. OPENSSL
  • 4. OpenSSL
    OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols
    • Provides encryption tools
    • Allows Apache / other web servers to encrypt traffic
    • Provides a lot of other tools
  • 5. OpenSSL
    • Between 1998 and 2010: 0.9.1 – 0.9.8
    • Current version 1.1.0, released 2016
    • Companies currently run production with 0.9.8, 7-12 years old
  • 6. OpenSSL - CLI
    • ‘openssl version’
    • ‘openssl version -a’
    • ‘openssl ciphers -v’ (cipher list; use ‘man ciphers’ for more information)
    • ‘openssl speed’ (benchmark tool)
  • 7. Heartbleed
    • The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
    • "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
    • Affects
      – OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
      – OpenSSL 1.0.1g is NOT vulnerable
      – OpenSSL 1.0.0 branch is NOT vulnerable
      – OpenSSL 0.9.8 branch is NOT vulnerable
    • Mitigation
      – 1.0.1g or newer should be used.
      – Recompile with -DOPENSSL_NO_HEARTBEATS.
  • 8. Heartbleed in the Community
    • Venafi scan, 1 year later (2015)
      – Of the Forbes Global 2000, 1642 have not done anything to remediate
    • What should they do?
      – Upgrade SSL
      – Create new keys
      – Reissue certs
  • 9. OpenSSL - DOS
    • CVE-2017-3733
    • What is DOS?
    • Affected versions include 0.9.8 – 1.1.0 (not 1.0.2)
    • Mitigation
      – Upgrade SSL: 1.1.0e
      – Use OpenSSL 1.0.2
    • 0.9.8 EOL: Dec 2015 (DO NOT USE)
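As an added check that is not part of the deck, the following POSIX shell function classifies the output of ‘openssl version’ (slide 6) against the version ranges the slides themselves state: the Heartbleed range on slide 7 (1.0.1 through 1.0.1f), the 0.9.8 end-of-life on slide 9, and the 1.1.0e fix level for CVE-2017-3733 on slide 9. The function names and the version strings in the usage are constructed for this example; run it on a real host with `openssl_patch_status "$(openssl version)"`.

```shell
#!/bin/sh
# Added example (not from the slides): map an `openssl version` line onto the
# version ranges given on slides 7 and 9. Prints exactly one status token:
#   heartbleed      1.0.1 .. 1.0.1f (slide 7)
#   eol             0.9.8 branch, EOL Dec 2015 (slide 9)
#   cve-2017-3733   1.1.0 .. 1.1.0d, upgrade to 1.1.0e (slide 9)
#   ok              none of the above ranges matched
#   unknown         the line was not an `openssl version` line

# Pull the bare version token ("1.0.1e") out of "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

openssl_patch_status() {
    ver=$(openssl_version_token "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return
    fi
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')     # "1.0.1"
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')  # "e" (may be empty)
    case "$base" in
        0.9.8) echo eol ;;                        # slide 9: DO NOT USE
        1.0.1)
            case "$letter" in
                ''|[a-f]) echo heartbleed ;;      # slide 7: 1.0.1 through 1.0.1f
                *)        echo ok ;;              # 1.0.1g or newer
            esac ;;
        1.1.0)
            case "$letter" in
                ''|[a-d]) echo cve-2017-3733 ;;   # slide 9: fix level is 1.1.0e
                *)        echo ok ;;
            esac ;;
        *) echo ok ;;
    esac
}

# Usage on a live host (constructed sample shown in the comment):
#   openssl_patch_status "$(openssl version)"   -> e.g. "heartbleed" for 1.0.1e
```

The check deliberately reads only the version string, so it can be fed the output of a fleet inventory without running anything on the target; a distribution that backports fixes into an old version number will still show as affected, which is the conservative answer for a patch-status report.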
  • 10. OpenSSL – How to avoid vulnerabilities
    • Stay current - https://www.openssl.org/news/
    • CVEs - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl
    • OpenUpdate from Rogue Wave
    • Ensure your OpenSSL is up to date
  • 11. OpenSSL Vulnerabilities
    • DROWN – A serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication.
    • HEARTBLEED – M-I-T-M attack
    • DOS vulnerabilities
    • Other M-I-T-M – Symantec discovers a vulnerability that affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately upgrade to 1.0.1p.
  • 12. OpenSSL Installation
    • OpenSSL is preinstalled on a lot of operating systems.
    • Building is simple
      – Get the source
      – Configure
      – Compile
      – Install
      – Reference the new SSL when building other products
  • 13. Apache Web Server
  • 14. Apache Web Server
    • A community web server with prolific implementation
    • Current versions
      – 2.4.29
      – 2.2.34 (FINAL)
    • 2.2 was EOL'd June 2017 with security updates to December 2017
    • Approx. 68 million public instances of Apache Web in use (builtwith.com)
      – More than 70% use vulnerable versions
  • 15. Apache Vulnerabilities
    • 0-day – What is it?
    • 2.2 vulnerabilities
      – OptionsBleed – CVE-2017-9798
        • Ignore the .htaccess file
      – Uninitialized memory reflection – CVE-2017-9788
        • Affects 2.2.0 – 2.2.32 (fixed in .34)
        • Reveals confidential information
      – Authentication bypass – CVE-2017-3167
  • 16. CVE Apache 2.2.22 Vulnerability
    DOS
      http://www.cvedetails.com/cve/CVE-2014-0098/
      http://www.cvedetails.com/cve/CVE-2013-6438/
      http://www.cvedetails.com/cve/CVE-2014-0231/
      http://www.cvedetails.com/cve/CVE-2013-1896/
    XSS
      http://www.cvedetails.com/cve/CVE-2012-4558/
      http://www.cvedetails.com/cve/CVE-2012-3499/
    Code-Exec
      http://www.cvedetails.com/cve/CVE-2013-1862/
  • 17. Apache 2.2 Additional Vulnerabilities
    • important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
    • important: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
    • important: mod_ssl Null Pointer Dereference (CVE-2017-3169)
    • important: ap_find_token() Buffer Overread (CVE-2017-7668)
    • important: mod_mime Buffer Overread (CVE-2017-7679)
    • important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
    • n/a: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387)
    • low: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
    • important: mod_cgid denial of service (CVE-2014-0231)
    • low: HTTP Trailers processing bypass (CVE-2013-5704)
    • moderate: mod_deflate denial of service (CVE-2014-0118)
    • moderate: mod_status buffer overflow (CVE-2014-0226)
    • low: mod_log_config crash (CVE-2014-0098)
    • moderate: mod_dav crash (CVE-2013-6438)
    • low: mod_rewrite log escape filtering (CVE-2013-1862)
    • moderate: mod_dav crash (CVE-2013-1896)
    • low: XSS due to unescaped hostnames (CVE-2012-3499)
    • moderate: XSS in mod_proxy_balancer (CVE-2012-4558)
    • low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)
      – Note: This issue is also known as CVE-2008-0455.
    • low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
    • low: mod_proxy_ajp remote DoS (CVE-2012-4557)
    • low: mod_setenvif .htaccess privilege escalation (CVE-2011-3607)
    • low: mod_log_config crash (CVE-2012-0021)
    • low: scoreboard parent DoS (CVE-2012-0031)
    • moderate: mod_proxy reverse proxy exposure (CVE-2011-4317)
    • moderate: error responses can expose cookies (CVE-2012-0053)
    • low: mod_deflate DoS (CVE-2009-1891)
    • low: AllowOverride Options handling bypass (CVE-2009-1195)
    • low: CRLF injection in mod_negotiation when untrusted uploads are supported (CVE-2008-0456)
    • moderate: APR-util off-by-one overflow (CVE-2009-1956)
    • moderate: APR-util XML DoS (CVE-2009-1955)
    • moderate: APR-util heap underwrite (CVE-2009-0023)
    • important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2791)
    • low: mod_proxy_ftp globbing XSS (CVE-2008-2939)
    • low: mod_proxy_balancer CSRF (CVE-2007-6420)
    • moderate: mod_proxy_http DoS (CVE-2008-2364)
    • low: mod_proxy_ftp UTF-7 XSS (CVE-2008-0005)
    • low: mod_proxy_balancer DoS (CVE-2007-6422)
    • low: mod_proxy_balancer XSS (CVE-2007-6421)
    • moderate: mod_status XSS (CVE-2007-6388)
    • moderate: mod_imagemap XSS (CVE-2007-5000)
    • moderate: mod_proxy crash (CVE-2007-3847)
    • moderate: mod_status cross-site scripting (CVE-2006-5752)
    • moderate: Signals to arbitrary processes (CVE-2007-3304)
    • moderate: mod_cache information leak (CVE-2007-1862)
    • moderate: mod_cache proxy DoS (CVE-2007-1863)
    • important: mod_rewrite off-by-one error (CVE-2006-3747)
    • low: mod_ssl access control DoS (CVE-2005-3357)
    • moderate: mod_imap Referer Cross-Site Scripting (CVE-2005-3352)
    • moderate: mod_proxy_ajp remote DoS (CVE-2011-3348)
    • important: Range header remote DoS (CVE-2011-3192)
      – Advisory: CVE-2011-3192.txt
    • moderate: apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419)
    • low: expat DoS (CVE-2009-3720)
    • low: expat DoS (CVE-2009-3560)
    • low: apr_brigade_split_line DoS (CVE-2010-1623)
    • important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2068)
      – http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
      – http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
      – http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
    • low: mod_cache and mod_dav DoS (CVE-2010-1452)
    • important: mod_isapi module unload flaw (CVE-2010-0425)
    • low: Subrequest handling of request headers (mod_headers) (CVE-2010-0434)
    • moderate: mod_proxy_ajp DoS (CVE-2010-0408)
    • low: mod_proxy_ftp DoS (CVE-2009-3094)
    • low: mod_proxy_ftp FTP command injection (CVE-2009-3095)
    • moderate: Solaris pollset DoS (CVE-2009-2699)
    • low: APR apr_palloc heap overflow (CVE-2009-2412)
    • important: mod_proxy reverse proxy DoS (CVE-2009-1890)
    • important: mod_proxy_ajp information disclosure (CVE-2009-1191)
  • 18. Apache - Upgrading
    • UPGRADE TO 2.4
      – Not that complicated
      – Most setups that run 2.2 will run 2.4
        • http://httpd.apache.org/docs/2.4/upgrading.html
    • 2.2 configuration:
        Order deny,allow
        Deny from all
      TO-> Require all denied
    • 2.2 configuration:
        Order allow,deny
        Allow from all
      TO-> Require all granted
  • 19. Hardening Apache 2
    • What is hardening?
    • ServerSignature
      – Turn off
      – Prevents pages from displaying information about the server
    • Turn off directory listings
      – Options
    • Check for unused modules
      – httpd.conf
    • Use groups / users
      – httpd.conf: User / Group
  • 20. Hardening Apache 2 - Cont
    – Use Allow and Deny on directories
      • <Directory> Deny from all
    – Install mod_security
      • yum install libapache2-modsecurity
    – Use mod_evasive
    – Disable symlinks
      • -FollowSymLinks
    – Turn off server-side includes
      • -Includes
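The three slides above (18 through 20) give the configuration changes as bullet points; the following POSIX shell script, added here and not part of the deck, turns them into a repeatable audit of an httpd.conf. It flags ServerSignature On, Options that enable Indexes, FollowSymLinks or Includes, leftover 2.2-style Order/Allow/Deny access control that 2.4 replaces with Require, and a missing or root User/Group. The two sample configurations it writes are constructed for the example; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the deck): audit an httpd.conf against the hardening
# items on slides 18-20. Prints one finding per line, nothing when all pass.
# Usage: audit_httpd_conf /etc/httpd/conf/httpd.conf

# Active directives only: strip '#' comments and blank lines so that a
# commented-out "Options Indexes" does not count.
active_lines() { sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }

# True when some Options line enables the flag: bare "Flag" or "+Flag"
# enable it, "-Flag" (the form slide 20 recommends) does not.
options_enable() {
    active_lines "$1" | grep -Ei '^[[:space:]]*Options[[:space:]]' \
        | grep -Eiq "(^|[[:space:]]|[+])$2([[:space:]]|$)"
}

audit_httpd_conf() {
    conf=$1
    # Slide 19: ServerSignature off, so pages do not describe the server
    if active_lines "$conf" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+On'; then
        echo "ServerSignature On: set ServerSignature Off"
    fi
    # Slide 19: directory listings come from Options Indexes
    options_enable "$conf" Indexes && echo "Options Indexes: remove it or use -Indexes"
    # Slide 20: symlinks and server-side includes
    options_enable "$conf" FollowSymLinks && echo "Options FollowSymLinks: use -FollowSymLinks"
    options_enable "$conf" Includes && echo "Options Includes: use -Includes"
    # Slide 18: 2.2 Order/Allow/Deny must become Require all granted / denied on 2.4
    if active_lines "$conf" | grep -Eiq '^[[:space:]]*(Order|Allow from|Deny from)[[:space:]]'; then
        echo "2.2 Order/Allow/Deny found: convert to Require all granted / denied"
    fi
    # Slide 19: run worker processes as a dedicated User and Group
    for d in User Group; do
        if ! active_lines "$conf" | grep -Eiq "^[[:space:]]*$d[[:space:]]"; then
            echo "$d not set: run httpd as a dedicated account"
        elif active_lines "$conf" | grep -Eiq "^[[:space:]]*$d[[:space:]]+root([[:space:]]|$)"; then
            echo "$d root: run httpd as a dedicated account"
        fi
    done
}

# Constructed sample: a permissive 2.2-style configuration.
write_weak_sample() {
    cat > "$1" <<'EOF'
ServerSignature On
User root
Group root
<Directory /var/www/html>
    Options Indexes FollowSymLinks Includes
    Order deny,allow
    Deny from all
</Directory>
EOF
}

# Constructed sample: the same block after applying slides 18-20.
write_hardened_sample() {
    cat > "$1" <<'EOF'
ServerSignature Off
User apache
Group apache
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks -Includes
    Require all granted
</Directory>
EOF
}

WEAK=$(mktemp) && write_weak_sample "$WEAK"
HARD=$(mktemp) && write_hardened_sample "$HARD"
echo "== weak sample =="; audit_httpd_conf "$WEAK"
echo "== hardened sample (no findings expected) =="; audit_httpd_conf "$HARD"
```

The audit reads the file as text, so it only sees what is literally in httpd.conf; directives pulled in through Include lines or .htaccess files have to be audited in their own files, which is also why slide 15's OptionsBleed item matters for per-directory configuration.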
  • 21. Apache 2 Hardening
    • The web is your friend!!!
    • https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/f
  • 22. PHP
  • 23. PHP 5 – 7
    • PHP is in use everywhere
    • PHP 5 has over 500 vulnerabilities (Mitre.org)
    • Upgrade to PHP 7
      – Lots of information on migration
      – http://php.net/manual/en/migration70.php
    • If you have to use 5, harden it
  • 24. PHP 5.5.9 Exploit – Moadmin Mongo Admin tool
    • Allows execution of code
    • Not PHP's fault
    • Large negative impact
  • 25. Hardening PHP
    • Prevent fopen wrappers
      – allow_url_fopen
    • Limit process time / input time
      – max_input_time
      – max_execution_time
    • Limit script memory
      – memory_limit
    • Turn register globals off
      – register_globals
  • 26. Hardening PHP - Cont
    • Don't expose PHP in the response
      – expose_php
    • Only use redirect
      – cgi.force_redirect
    • Impose input restrictions
      – post_max_size
      – max_input_vars
    • Do not display error information
      – display_errors=0
      – display_startup_errors
  • 27. Hardening PHP - Cont
    • Log errors
      – log_errors
      – error_log
    • Restrict file access
      – open_basedir
    • File uploads
      – file_uploads
      – upload_max_filesize
    • Session security
    • Cookie security
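Slides 25 through 27 name the php.ini directives to harden but not how to verify them. The POSIX shell script below is an added example, not part of the deck: it parses a php.ini (key = value lines, ';' comments, quoted values), normalizes the On/Off/1/0/true/false spellings PHP accepts, and reports every directive from those slides that is missing or set the wrong way. Unset directives fall back to PHP's built-in defaults, so the audit requires an explicit value rather than assuming the default is safe. Treating 0 and -1 as "no effective limit" for the size and time directives is this example's assumption; the two sample php.ini files are constructed.

```shell
#!/bin/sh
# Added example (not from the deck): audit a php.ini against the directives
# on slides 25-27. Usage: audit_php_ini /usr/local/php7/lib/php.ini

# Value of one directive: last active "key = value" line, comments (';')
# removed, surrounding whitespace and double quotes stripped. Prints nothing
# when the directive is not set.
php_ini_get() {
    sed 's/;.*//' "$1" | awk -F= -v k="$2" '
        { key=$1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == k { v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); gsub(/"/, "", v); val=v }
        END { if (val != "") print val }'
}

# Normalize the boolean spellings php.ini accepts to "on" / "off".
# display_errors additionally accepts stderr/stdout, which still display.
php_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes|stderr|stdout) echo on ;;
        *) echo off ;;
    esac
}

audit_php_ini() {
    ini=$1
    # Slides 25-26: must be explicitly Off
    for d in allow_url_fopen register_globals expose_php display_errors display_startup_errors; do
        v=$(php_ini_get "$ini" "$d")
        if [ -z "$v" ] || [ "$(php_bool "$v")" != off ]; then
            echo "$d: set explicitly to Off (current: ${v:-unset})"
        fi
    done
    # Slides 26-27: must be explicitly On
    for d in cgi.force_redirect log_errors; do
        v=$(php_ini_get "$ini" "$d")
        if [ -z "$v" ] || [ "$(php_bool "$v")" != on ]; then
            echo "$d: set explicitly to On (current: ${v:-unset})"
        fi
    done
    # Slide 27: a log destination and an open_basedir restriction must exist
    for d in error_log open_basedir; do
        [ -n "$(php_ini_get "$ini" "$d")" ] || echo "$d: not set"
    done
    # Slides 25-27: limits; empty, 0 and -1 are treated as no effective limit
    for d in max_execution_time max_input_time memory_limit post_max_size upload_max_filesize; do
        case "$(php_ini_get "$ini" "$d")" in
            ''|0|-1) echo "$d: no effective limit, set an explicit value" ;;
        esac
    done
    # Slide 26: cap the number of input variables
    [ -n "$(php_ini_get "$ini" max_input_vars)" ] || echo "max_input_vars: not set"
}

# Constructed sample: development-style settings left on a server.
write_weak_php_ini() {
    cat > "$1" <<'EOF'
; constructed weak sample
allow_url_fopen = On
expose_php = On
display_errors = On
display_startup_errors = On
log_errors = Off
memory_limit = -1
max_execution_time = 0
EOF
}

# Constructed sample: the same file after applying slides 25-27.
write_hardened_php_ini() {
    cat > "$1" <<'EOF'
; constructed hardened sample
allow_url_fopen = Off
register_globals = Off
expose_php = Off
display_errors = 0
display_startup_errors = Off
cgi.force_redirect = On
log_errors = On
error_log = "/var/log/php/error.log"   ; quotes are stripped by the parser
open_basedir = /var/www/html:/tmp
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
post_max_size = 8M
upload_max_filesize = 2M
max_input_vars = 1000
file_uploads = Off
EOF
}

WEAK_INI=$(mktemp) && write_weak_php_ini "$WEAK_INI"
HARD_INI=$(mktemp) && write_hardened_php_ini "$HARD_INI"
echo "== weak php.ini =="; audit_php_ini "$WEAK_INI"
echo "== hardened php.ini (no findings expected) =="; audit_php_ini "$HARD_INI"
```

Because php.ini values can also be overridden per directory (php_value in httpd.conf, .user.ini) and per SAPI, the audited file shows the baseline only; compare it against `php --ini` and a phpinfo() page on the same host to confirm which file is actually loaded, which is also why slide 28 ends by dropping a phpinfo() test page.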
  • 28. Building PHP 7
    How to build PHP 7
    sudo yum install git gcc gcc-c++ libxml2-devel pkgconfig openssl-devel bzip2-devel curl-devel libpng-devel libjpeg-devel libXpm-devel freetype-devel gmp-devel libmcrypt-devel mariadb-devel aspell-devel recode-devel autoconf bison re2c libicu-devel
    sudo mkdir /usr/local/php7
    git clone https://github.com/php/php-src.git
    cd php-src
    git checkout PHP-7.0.2
    ./buildconf --force
    ./configure --prefix=/usr/local/php7 --with-config-file-path=/usr/local/php7/etc --with-config-file-scan-dir=/usr/local/php7/etc/conf.d --enable-bcmath --with-bz2 --with-curl --enable-filter --enable-fpm --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir --with-png-dir --enable-intl --enable-mbstring --with-mcrypt --enable-mysqlnd --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-pdo-sqlite --disable-phpdbg --disable-phpdbg-webhelper --enable-opcache --with-openssl --enable-simplexml --with-sqlite3 --enable-xmlreader --enable-xmlwriter --enable-zip --with-zlib
    make -j2
    sudo make install   # /usr/local/php7 was created by root above, so the install needs sudo too
    sudo mkdir /usr/local/php7/etc/conf.d
    sudo cp -v ./php.ini-production /usr/local/php7/etc/php.ini   # matches --with-config-file-path above
    sudo cp -v ./sapi/fpm/www.conf /usr/local/php7/etc/php-fpm.d/www.conf
    sudo cp -v ./sapi/fpm/php-fpm.conf /usr/local/php7/etc/php-fpm.conf
    # Or Debug
    sudo vi /usr/local/php7/etc/conf.d/modules.ini
      ; OPcache
      zend_extension=opcache.so
    sudo vi /usr/local/php7/etc/php-fpm.d/www.conf
      user = centos
      group = centos
      listen = /var/run/php-fpm.sock
      listen.owner = apache
      listen.group = apache
    sudo ln -s /usr/local/php7/sbin/php-fpm /usr/sbin/php-fpm
    # /usr/lib/systemd/system/php-fpm.service
      [Unit]
      Description=The PHP FastCGI Process Manager
      After=syslog.target network.target
      [Service]
      Type=simple
      PIDFile=/run/php-fpm/php-fpm.pid
      ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /usr/local/php7/etc/php-fpm.conf
      ExecReload=/bin/kill -USR2 $MAINPID
      [Install]
      WantedBy=multi-user.target
    sudo mkdir /run/php-fpm
    chkconfig --levels 235 php-fpm on
    systemctl start php-fpm
    # Put in test.php
    <?php phpinfo(); ?>
  • 29. Building PHP 7
    How to build
    • Get the source
    • Get the dependencies
    • Grab additional files for anything you want to enable
    • ./configure --help is your friend
    • Ask Rogue Wave experts
  • 30. Questions…?