Dip Your Toes in the Sea of Security (PHP South Africa 2017)
Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.
1. @asgrim Dip Your Toes in the Sea of Security. James Titcumb, PHP South Africa 2017
2. $ whoami: James Titcumb, www.jamestitcumb.com, www.roave.com, @asgrim
3. (no text on this slide)
4. Some simple PHP code...

       <?php
       $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
       $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
       $result = $a + $b;
       printf('The answer is %d', $result);

5. (no text on this slide)
6-7. The Golden Rules (my made up golden rules)
8. 1. Keep it simple
9. 2. Know the risks
10. 3. Fail securely
11. 4. Don’t reinvent the wheel
12. 5. Never trust anything
13. OWASP & the OWASP Top 10: https://www.owasp.org/
14. Application Security (mainly PHP applications)
15. Always remember… Filter Input, Escape Output
16. SQL Injection (#1). © 2003 Disney/Pixar. All Rights Reserved.
17. SQL Injection (#1): http://xkcd.com/327/
18. SQL Injection (#1)
19. SQL Injection (#1)

       <?php
       // user_id=1; DROP TABLE users; --
       $user_id = $_GET['user_id'];
       $sql = "
           SELECT * FROM users
           WHERE user_id = {$user_id}";   // raw request input interpolated into the SQL
       $db->query($sql);                  // $db assumed to be a PDO instance

   ✘

20. SQL Injection (#1)

       <?php
       $user_id = $_GET['user_id'];
       $sql = "
           SELECT * FROM users
           WHERE user_id = :userid";      // named placeholder instead of interpolation
       $stmt = $db->prepare($sql);        // $db assumed to be a PDO instance
       $stmt->bindValue(':userid', $user_id, PDO::PARAM_INT);   // the value is sent as data, not SQL
       $stmt->execute();

   ✓
21. © 2003 Disney/Pixar. All Rights Reserved.
22. exec($_GET): https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
23. eval(): https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
24. Cross-Site Scripting / XSS (#3). © 2003 Disney/Pixar. All Rights Reserved.
25. Cross-Site Scripting / XSS (#3)

       <?php
       $unfilteredInput = '<script type="text/javascript">...</script>';
       // Unescaped - JS will run :'(
       echo $unfilteredInput;
       // Escaped - JS will not run :)
       echo htmlspecialchars($unfilteredInput, ENT_QUOTES, 'UTF-8');
26. Cross-Site Request Forgery / CSRF (#8): http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html
27-29. Cross-Site Request Forgery / CSRF (#8) (the same code is shown across three slides)

       <?php
       if (!$isPost) {
           $csrfToken = base64_encode(random_bytes(32));
           $_SESSION['csrf_token'] = $csrfToken;
           // ... output the form ...
           echo '<input type="hidden" name="csrf_token" value="' . $csrfToken . '" />';
       } else {
           // Reject a missing token, and compare in constant time (see the timing attack slides)
           if (!isset($_SESSION['csrf_token'], $_POST['csrf_token'])
               || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
               die("Token invalid...");
           }
           // ... handle the form ...
       }
30. Timing attacks

       // From zend_is_identical:
       return (Z_STR_P(op1) == Z_STR_P(op2) ||
           (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
            memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));

31. Timing attacks. Actual string: “foobar”
    ● a (0.00001)
    ● aa (0.00001)
    ● aaa (0.00001)
    ● aaaa (0.00001)
    ● aaaaa (0.00001)
    ● aaaaaa (0.00002) ← success!
    ● aaaaaaa (0.00001)
    ● aaaaaaaa (0.00001)
    ● aaaaaaaaa (0.00001)
32. Timing attacks

       int memcmp(const void* s1, const void* s2, size_t n)
       {
           const unsigned char *p1 = s1, *p2 = s2;
           while (n--)
               if (*p1 != *p2)
                   return *p1 - *p2;   /* returns at the first differing byte */
               else
                   p1++, p2++;
           return 0;
       }

   http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation
33. Timing attacks. Actual string: “foobar”
    ● “aaaaaa” (0.00001)
    ● “baaaaa” (0.00001)
    ● …
    ● “faaaaa” (0.00002) ← success!
    ● “fbaaaa” (0.00002)
    ● “fcaaaa” (0.00002)
    ● …
    ● “foaaaa” (0.00003) ← success!
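The mechanism on slides 30 to 33, as an added example that is not part of the slides: an early-exit comparison like memcmp() beside a constant-time one, with a small harness that times both against the slides' "foobar". The function names, the guesses and the iteration count are my own choices, and hash_equals() is the function to use in real code.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): why the early-exit compare in
// zend_is_identical()/memcmp() leaks, and what a constant-time compare does
// instead. The secret, the guesses and the iteration count are constructed.

/** Early-exit comparison, mimicking memcmp(): stops at the first differing byte. */
function leakyEquals(string $known, string $guess): bool
{
    if (strlen($known) !== strlen($guess)) {
        return false;                       // length mismatch leaks first (slide 31)
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $guess[$i]) {
            return false;                   // later mismatch = longer runtime (slide 33)
        }
    }
    return true;
}

/**
 * Constant-time comparison: always walks every byte of $known and folds all
 * differences into one integer. hash_equals() does this for you; prefer it.
 */
function constantTimeEquals(string $known, string $guess): bool
{
    $knownLen = strlen($known);
    $guessLen = strlen($guess);
    // On a length mismatch compare $known with itself so the loop length does
    // not depend on the guess; the length difference is folded into $diff.
    $other = $knownLen === $guessLen ? $guess : $known;
    $diff  = $knownLen ^ $guessLen;
    for ($i = 0; $i < $knownLen; $i++) {
        $diff |= ord($known[$i]) ^ ord($other[$i]);
    }
    return $diff === 0;
}

/** Median wall-clock time in microseconds over $iterations calls of $fn. */
function medianMicros(callable $fn, string $known, string $guess, int $iterations = 5000): float
{
    $samples = [];
    for ($i = 0; $i < $iterations; $i++) {
        $start = hrtime(true);
        $fn($known, $guess);
        $samples[] = (hrtime(true) - $start) / 1000;
    }
    sort($samples);
    return $samples[intdiv($iterations, 2)];
}

// Correctness: both functions agree with hash_equals() on matching, differing,
// shorter and empty guesses.
$secret = 'foobar';                                      // the slides' "actual string"
foreach (['foobar', 'foobaz', 'fooba', 'aaaaaa', ''] as $guess) {
    assert(leakyEquals($secret, $guess) === hash_equals($secret, $guess));
    assert(constantTimeEquals($secret, $guess) === hash_equals($secret, $guess));
}

// Timing: guesses with 0, 1, 3 and 5 correct leading bytes (constructed).
$guesses = ['aaaaaa', 'faaaaa', 'fooaaa', 'foobaa'];
foreach (['leakyEquals', 'constantTimeEquals', 'hash_equals'] as $fn) {
    printf('%-19s', $fn);
    foreach ($guesses as $guess) {
        printf('  %s=%.3fus', $guess, medianMicros($fn, $secret, $guess));
    }
    echo PHP_EOL;
}
```

The per-byte difference is tens of nanoseconds and can disappear in noise on a busy host; what to look for is that the leakyEquals row trends upward with the number of correct bytes while the other two rows do not.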
34. Sensitive Data Exposure (#6). © 2003 Disney/Pixar. All Rights Reserved.
35. Sensitive Data Exposure (#6)
36. © 2003 Disney/Pixar. All Rights Reserved.
37. curl + https

       <?php
       curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);   // no hostname check
       curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // no certificate check

   ✘

38. curl + https

       <?php
       curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);       // 2 = the certificate must match the hostname
       curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
       curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");

   ✓

39. © 2003 Disney/Pixar. All Rights Reserved.
40-42. Third Party Code. github.com/ /SecurityAdvisories !!! WARNING !!!
43. Dependencies Disappearing
44. (no text on this slide)
45-46. We are not all security experts! … but we CAN write secure code
47. Hack your own system! © 2003 Disney/Pixar. All Rights Reserved.
48. What do you want? Think like a hacker
49. How do you get it? Think Differently
50-55. Threat Modelling: D.R.E.A.D. = Damage, Reproducibility, Exploitability, Affected users, Discoverability. © Buena Vista Pictures
56. Rank them in order. And fix them! © Buena Vista Pictures
57. Authentication & Authorization
58. Authentication: Verifying Identity
59-61. Case Study: Custom Authentication. We thought about doing this… ✘
62. Password Hashing: password_hash() (basically, bcrypt with proper salt)
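The password_hash() lifecycle behind slide 62, as an added example that is not part of the slides: register, verify, and transparently upgrade an old hash with password_needs_rehash(). The in-memory $users array, the user names and the cost values are constructed; PHP 7.4+ is assumed.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): the password_hash() / password_verify()
// lifecycle behind the "Password Hashing" slide. $users is an in-memory stand-in
// for a database table, and the cost values are assumptions for illustration.

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 10];   // assumption: raise until one hash takes ~100 ms on your hardware

/** Register: store only the hash. password_hash() generates and embeds the salt itself. */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

/** A hash to verify against when the user does not exist, computed once per process. */
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);
}

/**
 * Login: password_verify() does the constant-time comparison, and
 * password_needs_rehash() lets you raise the cost (or switch algorithm)
 * transparently the next time a user logs in successfully.
 */
function loginUser(array &$users, string $username, string $password): bool
{
    $exists = isset($users[$username]);
    // Unknown users still pay for one bcrypt verify, so response time does not
    // reveal whether the username exists.
    $stored = $exists ? $users[$username]['hash'] : dummyHash();
    $ok = password_verify($password, $stored);
    if (!$ok || !$exists) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');   // constructed sample user
assert(loginUser($users, 'alice', 'correct horse battery staple') === true);
assert(loginUser($users, 'alice', 'wrong password') === false);
assert(loginUser($users, 'nobody', 'anything') === false);

// A hash made under an older, weaker policy (cost 4 is bcrypt's minimum in PHP)
// is upgraded to the current cost on the next successful login.
$users['bob'] = ['hash' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4])];   // constructed
assert(password_get_info($users['bob']['hash'])['options']['cost'] === 4);
assert(loginUser($users, 'bob', 'hunter2') === true);
assert(password_get_info($users['bob']['hash'])['options']['cost'] === HASH_OPTIONS['cost']);
```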
63. Two Factor Authentication
64. (no text on this slide)
65. Authorization: Verifying Access
66-69. CRYPTOGRAPHY IS HARD. NEVER EVER “ROLL YOUR OWN”. EVER!!!
70. How to encrypt then?
71. I’ve got some great ideas for encryption... Image: IBTimes (http://goo.gl/zPVeo0)
72. How to encrypt then? sodium+halite or Defuse php-encryption
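What "don't roll your own" looks like in practice for slides 66 to 72, as an added example that is not part of the slides: authenticated encryption with ext/sodium, the primitive the recommended sodium+halite stack builds on. The function names are my own, PHP 7.2+ with ext/sodium is assumed, and the key and message are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): authenticated encryption with ext/sodium,
// the primitive that the recommended sodium+halite stack builds on. Requires
// PHP 7.2+ with ext/sodium. The key and message are constructed; in a real
// application the key comes from a secrets store, never from source code.

/** Encrypt with a fresh random nonce per message; the nonce is prepended to the ciphertext. */
function encryptMessage(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);        // never reuse a nonce with the same key
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key); // XSalsa20 + Poly1305 tag
}

/** Decrypt; returns null ("fail securely", golden rule 3) if the tag does not verify. */
function decryptMessage(string $blob, string $key): ?string
{
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES || strlen($blob) < $minLen) {
        return null;
    }
    $nonce      = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

$key  = sodium_crypto_secretbox_keygen();              // constructed: generate once, store securely
$blob = encryptMessage('top secret', $key);
assert(decryptMessage($blob, $key) === 'top secret');

// Same plaintext encrypts to a different blob each time because the nonce is random.
assert(encryptMessage('top secret', $key) !== $blob);

// Flip one bit of the ciphertext: the Poly1305 tag no longer verifies, nothing is returned.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
assert(decryptMessage($tampered, $key) === null);

// The wrong key fails closed in the same way.
assert(decryptMessage($blob, sodium_crypto_secretbox_keygen()) === null);

sodium_memzero($key);   // wipe the key from memory when done
```

Halite and Defuse php-encryption add what this leaves out, such as key files, versioned ciphertext formats and key rotation, which is why the slide points at them rather than at the raw primitive.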
73. Linux Server Security
74. Create an SSH Fortress
75. Firewalls
76. iptables

       #!/bin/bash
       IPT="/sbin/iptables"
       $IPT --flush
       $IPT --delete-chain
       $IPT -P INPUT DROP
       $IPT -P FORWARD DROP
       $IPT -P OUTPUT DROP
       # Loopback
       $IPT -A INPUT -i lo -j ACCEPT
       $IPT -A OUTPUT -o lo -j ACCEPT
       # Replies to accepted connections. Without these two rules the SSH and HTTP
       # responses leave via OUTPUT, whose policy is DROP, and you lock yourself out.
       $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       # Inbound traffic
       $IPT -A INPUT -p tcp --dport ssh -j ACCEPT
       $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
       $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
       # Outbound traffic
       $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
       $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
       $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

77. iptables: https://twitter.com/sadserver/status/615988393198026752
78. ufw

       # allow SSH before enabling, otherwise a remote session is cut off
       sudo ufw allow 22
       sudo ufw allow 80
       sudo ufw enable

79. Mitigate Brute Force Attacks
80. Install Only What You Need
81. © 2003 Disney/Pixar. All Rights Reserved.
82. +
83. Case Study: Be Minimal. Internets, Postfix, Squid Proxy (badly configured), hacker, spam
84. Resources
    ● http://securingphp.com/
    ● https://www.owasp.org/
    ● http://blog.ircmaxell.com/
    ● https://github.com/paragonie/random_compat
    ● https://github.com/paragonie/sodium_compat
    ● https://github.com/ircmaxell/password_compat
    ● https://paragonie.com/blog
    ● https://websec.io/resources.php
    ● https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04
    ● https://www.kali.org/
85. The Golden Rules
    1. Keep it simple
    2. Know the risks
    3. Fail securely
    4. Don’t reinvent the wheel
    5. Never trust anything / anyone
86-87. If you follow all this, you get...
88. Any questions? Please leave feedback! https://joind.in/talk/b8bd0 James Titcumb @asgrim
