PHP & The secure development lifecycle


Slides from the zendcon'08 presentation "PHP & The secure development lifecycle" by Robert van der Linde


PHP & The Secure Application Development Life-cycle

“The art of building secure PHPyramids”

Robert van der Linde
Santa Clara, 16 September 2008

Who’s that dude?

• Robert van der Linde
• 5 years of PHP experience
• Team lead PaSS-PHP
• Sogeti’s PHP training coordinator
• Zend Certified Engineer

Secure PHPyramids

• An application is secure if it does exactly what is expected, at all times

What is a secure application?

Design Implementation

So what do we do?

• Applications are information
• Threats are everywhere
• Creating secure applications needs a standardized approach
• There is tooling available to help you

Application === Information

Integrity, Availability, Confidentiality

Information security

Where do you implement security?

Where do threats come from?

• Consciously

Where do threats come from?

• Unconsciously

Approach

Requirements

Test plans

• Training
• Awareness
• Outside-the-box thinking
• Codified security test plans
• Tools
> OWASP WebScarab
> Ratproxy
> NTO Spider

Test results

• Review with programmers
• Reporting and analysis
• End goal: clean bill of health

Code

• OWASP PHP top 5
> Remote code execution
> Cross site scripting
> SQL Injection
> PHP Configuration
> File system attacks

• Best practices
> Whitelisting vs. blacklisting
> Filter input, escape output
> Keep errors to yourself
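The three best-practice bullets above, applied to one small PHP search page, as an added example that is not code from the slides or from the presenter. The `products` table, the `q` and `sort` request parameters, the allowed sort columns and the in-memory SQLite database are all assumptions made for this illustration.

```php
<?php
// Added example, not code from the slides: whitelisting, filter input /
// escape output, and "keep errors to yourself" in one request handler.
// The table, the column names and the q/sort parameters are assumptions.
declare(strict_types=1);

// Keep errors to yourself: log server-side, never render them to the user.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Whitelisting vs. blacklisting: an ORDER BY column name cannot be bound as a
// query parameter, so the only safe control is a fixed list of allowed values.
const ALLOWED_SORT = ['name', 'price'];

function sortColumn(array $query): string
{
    $sort = $query['sort'] ?? 'name';
    // strict comparison so that e.g. 0 or true cannot match a string entry
    return in_array($sort, ALLOWED_SORT, true) ? $sort : 'name';
}

// Filter input: accept only a short string of letters, digits and spaces.
// This also keeps the LIKE wildcards % and _ out of the search term.
function searchTerm(array $query): ?string
{
    $term = $query['q'] ?? '';
    if (!is_string($term) || !preg_match('/^[\p{L}\p{N} ]{1,50}$/u', $term)) {
        return null;
    }
    return $term;
}

// Escape output: everything echoed into HTML goes through htmlspecialchars.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// SQL injection: user data only ever travels through a bound parameter;
// $sort has already been reduced to one of the whitelisted identifiers.
function findProducts(PDO $pdo, string $term, string $sort): array
{
    $stmt = $pdo->prepare("SELECT name, price FROM products WHERE name LIKE :term ORDER BY $sort");
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderPage(PDO $pdo, array $query): string
{
    $term = searchTerm($query);
    if ($term === null) {
        return '<p>Please enter a search term of up to 50 letters or digits.</p>';
    }
    try {
        $rows = findProducts($pdo, $term, sortColumn($query));
    } catch (PDOException $e) {
        error_log('product search failed: ' . $e->getMessage()); // detail stays in the log
        return '<p>Search is temporarily unavailable.</p>';     // generic message for the user
    }
    $html = '<h2>Results for "' . h($term) . '"</h2><ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . h($row['name']) . ' (' . h((string) $row['price']) . ')</li>';
    }
    return $html . '</ul>';
}

// Constructed in-memory SQLite database so the example runs without a server.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES ('Widget', 9.99), ('Gadget', 19.99), ('Gizmo', 4.50)");

// Two constructed requests: a normal one, and one carrying a hostile sort value.
echo renderPage($pdo, ['q' => 'G', 'sort' => 'price']), PHP_EOL;
echo renderPage($pdo, ['q' => 'G', 'sort' => 'name; DROP TABLE products']), PHP_EOL;
// The second request silently falls back to ORDER BY name: the hostile value
// never reaches the SQL string, because it is not in the whitelist.
```

The `sort` parameter is the reason the slides contrast whitelisting with blacklisting: a prepared statement protects the `:term` value, but an identifier in `ORDER BY` cannot be bound, so the only defence that holds is a closed list of accepted values. The `catch` block shows what "keep errors to yourself" means in practice: the exception text, which may contain table names and the failing SQL, goes to the error log, while the browser gets a fixed message.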

Feedback

• Consciously handle found issues
• Praise, not prey
• Handle proactively

The key to all this

• Awareness

Implementation at Sogeti

• PaSS (Pro-active Security Strategy)
• Workgroup per expertise
> PHP
> Design
> Testing
> Etc.

• Added value

Tooling example

Finally.... some code!

Setting it up

The result

Working with the result

What’s next?

• Logging attacks
> File
> MySQL
> Email

• Reporting and analysis

Thank you for watching

• References:
> www.php.net
> www.owasp.com
> www.php-ids.org
> www.sogeti.nl
> www.zend.com

• Contact:
E: robert.vander.linde@sogeti.nl
IM: linde002@hotmail.com
Skype: linderob
Blog: http://php.linde002.nl/
