PHP SA 2013 - The weak points in our PHP projects
Page 1
The weak points in our systems
Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013
Page 2
Copyright © 2012 Clickatell. All rights reserved.
About me
Senior developer for Clickatell
Work remotely from Grahamstown in the Eastern Cape
I like to break things
Page 3
The bare minimum we SHOULD be doing
Preventing SQL injection and sanitizing user input
Email and cellphone verification
– Mitigate social engineering against support team
Salting and using strong hashing for passwords
– As of PHP 5.5, www.php.net/password will make this trivial
Forgotten password resets done by email link
Use OAuth or OpenID
Two factor authentication
– High risk data
– Premium support verification
– Off-site staff authentication method
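An added example (not code from the talk) showing two of the items above in working PHP: password storage with the PHP 5.5+ `password_*` API the slide points at, and a forgotten-password reset done by email link. The reset-token scheme (random token in the link, only its SHA-256 digest stored, 15-minute expiry, constant-time comparison) is the editor's design, not something the slide prescribes; it assumes PHP 7.0+ for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, not from the talk. Assumes PHP 7.0+ (random_bytes, hash_equals).
declare(strict_types=1);

// Store only the hash. password_hash() generates a per-user salt and embeds
// the salt, algorithm and cost in the returned string, so no separate salt
// column is needed.
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Verify on login and transparently upgrade hashes made with older
// parameters (lower cost, older algorithm). The caller must persist the
// updated $storedHash when it changes.
function checkPassword(string $plaintext, string &$storedHash): bool
{
    if (!password_verify($plaintext, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($plaintext, PASSWORD_DEFAULT);
    }
    return true;
}

// Reset link token: 32 random bytes, hex-encoded for the e-mail link. Only
// the SHA-256 digest is stored server-side, so a leaked database row does
// not yield a usable reset link. Expiry is 15 minutes (assumed policy).
function issueResetToken(): array
{
    $token = bin2hex(random_bytes(32));
    return [
        'link_token'    => $token,                 // goes in the e-mail link
        'stored_digest' => hash('sha256', $token), // goes in the database
        'expires_at'    => time() + 15 * 60,
    ];
}

// Redeem: reject expired tokens, then compare digests in constant time so
// response timing does not leak digest prefixes.
function redeemResetToken(string $presented, string $storedDigest, int $expiresAt): bool
{
    if (time() > $expiresAt) {
        return false;
    }
    return hash_equals($storedDigest, hash('sha256', $presented));
}

// Demo with constructed values.
$hash = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('Tr0ub4dor&3', $hash));

$reset = issueResetToken();
var_dump(redeemResetToken($reset['link_token'], $reset['stored_digest'], $reset['expires_at']));
var_dump(redeemResetToken(bin2hex(random_bytes(32)), $reset['stored_digest'], $reset['expires_at']));
```

Store the digest, the expiry and the user id together; on a successful redeem, delete the row so the link is single-use, and invalidate any outstanding tokens for that user when a new one is issued.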
Page 4
What the blogs haven't warned us about
No coder is an island. We all rely on:
– 3rd party libraries
– Frameworks
  • Symfony
  • Zend
– CMS packages
  • Joomla!
  • Wordpress
– E-Commerce software
  • osCommerce
  • Magento
– CRM software
  • SugarCRM
Page 5
So... time to come clean... I've done it too
Perception
– Using a version of Smarty without vulnerabilities (3.1.12)
Reality
– 4 versions of Smarty.
– Version 2.6.26 with 11 vulnerabilities (7 critical)
– Version 2.6.28 with 12 vulnerabilities (7 critical)
– Version 2.6.11 with 12 vulnerabilities (7 critical)
The other three were dependencies of another front end system
Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
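The gap between perception and reality on this slide is easy to close with a scan of the tree. The following is an added example by the editor, not a tool from the talk: it walks a project, finds every vendored `Smarty.class.php` and reports its version, then lists the copies older than the one you believe you are running. It assumes the version-string forms Smarty itself uses (`var $_version = '2.6.26';` in Smarty 2, `const SMARTY_VERSION = 'Smarty-3.1.12';` or `define('SMARTY_VERSION', ...)` in Smarty 3) and PHP 7.4+ for the arrow function; the sample tree is constructed for the demo.

```php
<?php
// Added example, not from the talk. Assumes PHP 7.4+. Version-string
// patterns for Smarty 2/3 are an assumption; adjust for other libraries.
declare(strict_types=1);

// Returns [path => version] for every Smarty.class.php found under $root.
function findSmartyCopies(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() !== 'Smarty.class.php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        // Smarty 3: SMARTY_VERSION constant (const or define);
        // Smarty 2: $_version property. Captures the bare x.y.z number.
        $re = '~(?:SMARTY_VERSION\'?\s*[=,]\s*|\$_version\s*=\s*)\'(?:Smarty-)?(\d+\.\d+\.\d+)\'~';
        if (preg_match($re, $src, $m)) {
            $found[$file->getPathname()] = $m[1];
        }
    }
    ksort($found);
    return $found;
}

// Copies older than the version you think you are running.
function staleCopies(array $found, string $expected): array
{
    return array_filter($found, fn($v) => version_compare($v, $expected, '<'));
}

// Constructed sample tree: one current copy and two stale copies buried
// in other front-end components, mimicking the finding on the slide.
$root = sys_get_temp_dir() . '/smarty-audit-' . bin2hex(random_bytes(4));
$samples = [
    'vendor/smarty/libs/Smarty.class.php'         => "<?php\nclass Smarty {\n    const SMARTY_VERSION = 'Smarty-3.1.12';\n}\n",
    'legacy/portal/lib/Smarty.class.php'          => "<?php\nclass Smarty {\n    var \$_version = '2.6.26';\n}\n",
    'legacy/reports/smarty/libs/Smarty.class.php' => "<?php\nclass Smarty {\n    var \$_version = '2.6.11';\n}\n",
];
foreach ($samples as $rel => $src) {
    $path = "$root/$rel";
    mkdir(dirname($path), 0700, true);
    file_put_contents($path, $src);
}

$all = findSmartyCopies($root);
foreach ($all as $path => $version) {
    printf("%-8s %s\n", $version, substr($path, strlen($root) + 1));
}
echo "Stale relative to 3.1.12:\n";
foreach (staleCopies($all, '3.1.12') as $path => $version) {
    printf("  %-8s %s\n", $version, substr($path, strlen($root) + 1));
}
```

Run it against the deployed document root, not just the repository: the stale copies on the slide came in as dependencies of a separate front-end system, which is exactly where a repository-only check misses them.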
Page 6
Let's get some real-world data
43 popular open source web applications, libraries and frameworks.
3,421 versions
5.6 million files
Page 7
Worst offender
Page 8
Some graph explanation
Mean / Average
Median
The Doom Line
Page 9
Some actual numbers please
Page 10
What are SMBs using?
Page 11
Where does the blame lie?
Wordpress and Joomla!
– Highly popular = highly targeted.
– Fix released before the vulnerability was disclosed
Libraries not so well behaved
– Most of the libraries found were vulnerable
– OpenX had a backdoor in their code base
Frameworks came off well
– No vulnerabilities for the versions found
Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html
Page 12
Let's get a little ageist here
Page 13
What's the sell-by date?
Page 14
Let's just put those together
Page 15
Some good news at least
We were looking at the worst of the worst
– SMB with little technical knowledge
– Freelancer CMS deploy
People will fix what they know is broken
– Growing awareness
– Emergence of auto-update tools
– Software houses and freelancers, up-sell those maintenance contracts
Page 16
How much has the situation improved?
Page 17
And for the developers
Means of distributing 3rd party code is improving
– Composer
  • Don't commit dependencies... specify
  • Major release locking
  • Simple update mechanism
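An added example, not from the talk, of the three Composer points above applied to the Smarty case from earlier in the deck: a `composer.json` that specifies the dependency instead of committing it, locks it to the 3.x major line, and leaves updates to `composer update`. The package name `smarty/smarty` is the one published on Packagist; the project name is a placeholder.

```json
{
    "name": "example/app",
    "require": {
        "php": ">=5.5.0",
        "smarty/smarty": "~3.1"
    }
}
```

`~3.1` allows any 3.x release from 3.1 onwards (>=3.1 <4.0), so a `composer update` pulls the security fix in the next 3.1.x or 3.2.x release but never a breaking 4.0; `~3.1.12` would instead cap at 3.2.0, and newer Composer versions accept `^3.1` with the same effect as `~3.1`. Commit `composer.json` and the generated `composer.lock`, add `/vendor/` to `.gitignore`, and run `composer install` on deploy so every environment gets exactly the locked versions. The lock file also gives you one place to check against vulnerability advisories (recent Composer releases ship `composer audit` for this) instead of grepping for stale copies of a library.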
Page 18
@thomas_shone
www.shone.co.za
Questions?