Defensive Coding Crash Course

Defensive CodingCrash Course

Mark Niebergall https://joind.in/talk/d4c29

About Mark Niebergall• PHP since 2005 • Masters degree in MIS • Senior Software Engineer • Drug screening project • UPHPU President • CSSLP, SSCP Certified and SME • Drones, fishing, skiing, father, husband

Defensive CodingCrash Course

• Why defensive coding

• How to code defensively

• Community trends with best practices

Why Defensive Coding

Why Defensive Coding• Denver Broncos

- 2 recent Super Bowl appearances: 2013 and 2015

- What was the difference?

Why Defensive Coding• Rogue One - The Empire

- Single point of failure

- No encryption of sensitive data

- Missing authentication

- Bad error handling

Why Defensive Coding• The Three R’s:

- Reliability

- Resiliency

- Recoverability

Why Defensive Coding• Reliability

- Predictable behavior

- Likelihood of failure is low

- Achieved by writing resilient code

Why Defensive Coding• Resiliency

- Ability to recover from problems

- How errors are handled

- Avoid assumptions

- Use correct data types

- Use type hinting

- Use return types

- Use visibility modifiers

- function do_something($thing) { $thing->do_ThatThing(); }

- public function doSomething(Thing $thing) : bool{ return $thing->doThatThing(); }

Why Defensive Coding• Recoverability

- Application can come back from crashes and failures

Why Defensive Coding• Recoverability

- Good exception handling

- try { … } catch (SomeException $exception) { … }

- Hope for the best, code for the worst

Why Defensive Coding• Good code qualities

- Efficient

‣ High performance

‣ foreach ($array as $thing) { $db = new $Db; $db->update(‘thing’, $thing); }

- Efficient

‣ Separation of services

‣ class Pet{ public function walkDog(Dog $dog) {…} public function feedFish(Fish $fish) {…} public function cleanDishes(Dish $dish) {…}}

- Efficient

‣ Loosely coupled

‣ protected function driveCar(){ $car = new Car; $driver = new Person; …}

- Secure

‣ Strong cryptography

• password_hash and password_verify

‣ Proven approaches to reduce vulnerabilities

‣ Secure architecture

- Maintain

‣ Good code organization, file structure, domains

‣ Documentation, doc blocks

‣ Adaptability

Why Defensive Coding• Achieved by practicing effective defensive coding

Why Defensive Coding

How to Code Defensively

How to Code Defensively• Cover a variety of techniques

How to Code Defensively• Attack surfaces • Input validation • Canonicalization • Secure type checking • External library vetting • Cryptographic agility • Exception management • Code reviews • Unit and behavioral testing

How to Code Defensively• Attack surfaces

- Measurement of exposure of being exploited by threats

- Part of threat modeling - Ability of software to be attacked

- Each accessible entry and exit point ‣ Everything in public/ ‣ Every route

- Every feature is an attack vector

- Attack surface evaluation ‣ Features that may be exploited ‣ Given a weight based on severity of impact ‣ Controls prioritized based on weight

- Relative Attack Surface Quotient (RASQ) ‣ 3 Dimensions

• Targets and Enablers (resources) • Channels and Protocols (communication) • Access Rights (privileges)

- High value resources ‣ Data ‣ Functionality

How to Code Defensively• Input validation

- Source - Type - Format - Length - Range - Values - Canonical

- Source ‣ Unsafe superglobals includes $_GET, $_POST,

$_SERVER, $_COOKIE, $_FILES, $_REQUEST ‣ Scrutinize trusted sources ‣ Any user input should be treated as unsafe

- Type ‣ is_x functions ‣ Name then all?

- Type ‣ is_string($name) ‣ is_int($age) ‣ is_float($percentage) ‣ is_bool($isAccepted) ‣ is_null($questionableThing) ‣ is_array($keyValueData) ‣ is_object($jsonDecoded) ‣ is_resource($fileHandle)

- Type ‣ if ($thing instanceof SomeThing) {…}

• class • abstract • interface • trait

- Format ‣ Phone number: preg_match(/^\d{10}$/, $phone) ‣ Email address (complicated) ‣ Country code: preg_match(/^[A-Z]{2}$/, $code) ‣ Character patterns

- Length ‣ Minimum: strlen($string) >= 5 ‣ Maximum: preg_match(/^[a-zA-Z0-9]{1,10}$/,

$number) ‣ Is it required?

- Range ‣ Between 1 and 10: $value >= 1 && $value <= 10 ‣ Date range ‣ AA to ZZ ‣ Start and end values

- Values ‣ Whitelist: in_array($checking, [1, 2, 3], true) ‣ Blacklist: !in_array($checking, [‘X’, ‘Y’, ‘Z’]) ‣ Regular expressions ‣ Alphanumeric ‣ Free text ‣ Allowed values

- Injection prevention - Malicious

- Techniques ‣ Filtration ‣ Sanitization

- Techniques ‣ Filtration

• Whitelist and blacklist • Regular expressions with preg_match

• preg_match(/^d{10}$/, $number) • preg_match(/^[a-zA-Z0-9]$/, $string)

• filter_input(TYPE, $variableName, $filter [, $options])

• boolean false if filter fails • NULL if variable is not set • variable upon success

• filter_input(INPUT_POST, ‘key’, FILTER_VALIDATE_INT)

• filter_input(INPUT_GET, ‘search’, FILTER_VALIDATE_REGEXP, [‘options’ => [‘regexp’ => ‘/^d{10}$/‘]])

• filter_var($email, FILTER_VALIDATE_EMAIL) • filter_var($id, FILTER_VALIDATE_INT) • filter_var($bool, FILTER_VALIDATE_BOOLEAN)

- Techniques ‣ Sanitization

• Remove unwanted characters or patterns • str_replace([‘ ‘, ‘-‘, ‘(‘, ‘)’], ‘’, $phone) • preg_replace([‘/A/‘, ‘/B/‘, ‘/C/‘], [1, 2, 3],

$subject) • strip_tags($text, ‘<marquee>’)

• Clean up the data

- Techniques ‣ Sanitization

• filter_input(INPUT_POST, ‘user_email’, FILTER_SANITIZE_EMAIL)

• filter_input(INPUT_COOKIE, ‘some_url’, FILTER_SANITIZE_URL)

- When to validate data ‣ Frontend (client) ‣ Backend (server) ‣ Filter input, escape output

How to Code Defensively• Canonicalization

- Translating input to a standardized value ‣ Encoding ‣ Character set ‣ Aliases ‣ Alternative spellings, formats

- Translating input to a standardized value ‣ 2017-08-17 ‣ 8/17/17 ‣ 17/8/17 ‣ Thursday, August 17, 2017

- Translating input to a standardized value ‣ Yes ‣ On ‣ 1 ‣ true ‣ T

- Translating input to a standardized value ‣ Free text vs pre-defined choices

• Proper foreign keys in relational data • Utilize database integrity checks and

normalization • Denormalize to an extent for optimizations

How to Code Defensively• Secure type checking

- Part of Code Access Security (CAS) ‣ Only trusted sources can run application ‣ Prevent trusted sources from compromising

security

- PHP is a type-safe language - C is not a type-safe language

- PHP manages memory use for you - C is unmanaged ‣ Susceptible to attacks like buffer overflow

- Apply PHP security patches - Vet third-party libraries

How to Code Defensively• External library vetting

- Security - Quality

- Security ‣ Secure implementation ‣ Security audit ‣ Handling security issues ‣ Use trusted projects

- Quality ‣ Unit tests ‣ Actively maintained ‣ Popularity ‣ Ease of use ‣ Coding standards ‣ Community acceptance

How to Code Defensively• Cryptographic agility

- Ability to stay current

- Use vetted and trusted algorithms - Avoid: ‣ Broken algorithms ‣ Weak algorithms ‣ Custom-made algorithms

• Cryptography is complex, please don’t make your own algorithm

- PHP password_hash and password_verify

- PHP 7.2 includes libsodium in core ‣ Modern security library ‣ Vetted ‣ Passed security audit

- PHP 7.1 deprecated mcrypt ‣ Upgrade to libsodium or openssl

How to Code Defensively• Exception management

- Handle errors with try/catch blocks ‣ try {...} catch (Exception $e) {…}

- Do not display PHP errors except in development environment ‣ dev: display_errors = On ‣ others: display_errors = Off

- Log errors and review them actively ‣ dev: error_reporting = E_ALL ‣ prod: E_ALL & ~E_DEPRECATED & ~E_STRICT ‣ E_ALL ‣ E_NOTICE ‣ E_STRICT ‣ E_DEPRECATED

How to Code Defensively• Code reviews

- Static - Dynamic

- Peers reviewing code changes ‣ Web-based tools ‣ Manual/static code review

- Automatic code review ‣ Commit hooks ‣ Coding standards ‣ Run tests

- Constructive feedback

- Architecture direction

- Coding standards

- Security issues ‣ Cryptographic agility ‣ Injection flaws

- Business rules - Related functionality - Exception handling

- Automatic code reviews ‣ Coding standard enforcement ‣ Run unit and behavioral tests ‣ Continuous integration tools

- Automatic code reviews ‣ Statistics ‣ Security ‣ Design patterns

How to Code Defensively• Unit and behavioral testing

- Unit tests to ensure logic ‣ PHPUnit

- Behavioral tests to ensure functionality ‣ behat ‣ codeception

How to Code Defensively• Tips and Tricks

- Hope for the best, plan for the worst

- Abuse cases ‣ Harmful interactions ‣ Help identify threats

- Misuse cases ‣ Inverse of use case ‣ Highlights malicious acts

- Limit class functionality - Limit function lines of code

- Leverage framework functionality - Leverage built-in PHP functionality

- Use type hinting - Use return types - Use correct data types ‣ Bool true or false instead of string ’T' or ‘false’ ‣ Be aware of type casting issues ‣ Use strict type === comparisons when possible ‣ Use is_* checks

- Use database integrity ‣ Have foreign keys ‣ Use correct data types ‣ Normalize data to good level

• Usually 2nd or 3rd level • Beyond that usually slows performance • Denormalize to improve performance but take

up more disk space

How to Code Defensively• Community movements

- PHP Standards Recommendations (PSR) ‣ Coding standard and style guide ‣ Autoloading ‣ Caching ‣ HTTP Message Interface

- PHP Standards Recommendations ‣ Security issue reporting and handling ‣ Documentation ‣ Extended coding style guide

- Security ‣ New OWASP Top 10 ‣ Security at all parts of SDLC ‣ libsodium with PHP 7.2 ‣ Sophisticated attacks ‣ MD5 sunset ‣ IoT

- Security ‣ Increasing importance ‣ Good skill to complement development ‣ Core software feature ‣ Investment that can save a project

- Conferences help set trends - Magazines focus on topics monthly - Blogs to dispense knowledge - Social media to share ideas - Instant messaging to get live help

How to Code Defensively• Considerations

- How could your project be attacked? - What are weak points in your projects?

- What will you do differently?

- Make a plan - Make a change

How to Code Defensively

How to Code Defensively• Questions?

- Rate on joind.in ‣ https://joind.in/talk/d4c29

Defensive Coding Crash Course - ZendCon 2017

Software

Transcript of Defensive Coding Crash Course - ZendCon 2017

Desktop Apps with PHP and Titanium (ZendCon 2010)

ZendCon 2008

Php Dependency Management with Composer ZendCon 2016

Building an SSO platform in php (Zendcon 2010)

UA Testing with Selenium and PHPUnit - ZendCon 2013

Caffeinated PHP Zendcon 2009 by Kevin Schroeder

Demystifying Object-Oriented Programming - ZendCon 2016

MySQL 8 Zendcon and Scotland PHP

Demystifying PostgreSQL (Zendcon 2010)

ZendCon 2014: Using an IDE like a Pro

Zendcon 2007 Api Design

IBM Hackathon@ZendCon 2014

ZendCon 2008 Closing Keynote

Grokking REST (ZendCon 2010)

Zendcon zray

Debugging Effectively - ZendCon 2016

Oracle Zendcon Php 2009

ZendCon 2010 Technical Debt

Highlights from ZendCon 2013