The weak points in our systems
Are your dependencies getting you down?
Thomas Shone, Senior PHP Developer
PHP South Africa - Oct 2013
Copyright 息 2012 Clickatell. All rights reserved.
About me
 Senior developer for Clickatell
 Work remotely from Grahamstown in the Eastern Cape
 I like to break things
The bare minimum we SHOULD be doing
 Preventing SQL injection and sanitizing user input
 Email and cellphone verification
 Mitigate social engineering against support team
 Salting and using strong hashing for passwords
 As of PHP 5.5, www.php.net/password will make this trivial
 Forgotten password resets done by email link
 Use OAuth or OpenID
 Two factor authentication
 High risk data
 Premium support verification
 Off-site staff authentication method
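Two of the items above, the SQL injection point and the PHP 5.5 password API the slide links to, side by side in one runnable script. This is an added example, not code from the talk or from Clickatell; it assumes PHP 5.5 or newer with the pdo_sqlite extension, and the in-memory database and the user record are constructed here purely for the demonstration.

```php
<?php
// Added example (not from the talk). Prepared statements for the SQL injection
// item and the PHP 5.5 password_* functions (www.php.net/password) for salted,
// strong password hashing. Assumes PHP >= 5.5 and pdo_sqlite.

// bcrypt work factor; raise it as hardware gets faster.
const HASH_COST = 12;

function hashPassword($plain)
{
    // PASSWORD_DEFAULT is bcrypt on PHP 5.5. The random salt is generated for
    // you and embedded in the returned string, so there is no separate salt
    // column to get wrong.
    return password_hash($plain, PASSWORD_DEFAULT, array('cost' => HASH_COST));
}

function findUserByEmail(PDO $db, $email)
{
    // The email is bound as a parameter, never interpolated into the SQL text,
    // so a value like "x' OR '1'='1" is compared literally and matches nothing.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user id on success, or null. If the stored hash was produced
// with an older algorithm or a lower cost than the current policy, it is
// upgraded now, while the plaintext is legitimately available.
function login(PDO $db, $email, $plain)
{
    $user = findUserByEmail($db, $email);
    if ($user === null || !password_verify($plain, $user['password_hash'])) {
        return null;
    }
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, array('cost' => HASH_COST))) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute(array(':h' => hashPassword($plain), ':id' => $user['id']));
    }
    return (int) $user['id'];
}

// Constructed demo data: one user whose hash was deliberately created with a
// low cost so that the rehash-on-login upgrade is exercised.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:e, :h)');
$ins->execute(array(
    ':e' => 'alice@example.com',
    ':h' => password_hash('correct horse', PASSWORD_DEFAULT, array('cost' => 4)),
));

var_dump(login($db, 'alice@example.com', 'correct horse'));
var_dump(login($db, 'alice@example.com', 'wrong password'));
var_dump(login($db, "x' OR '1'='1", 'anything'));
```

The third call is the point of the prepared statement: the injection-shaped email is just a string that matches no row. On PHP 5.3.7 to 5.4 the same password_* calls are available through the password_compat polyfill, which is why the slide can call this "trivial".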
What the blogs haven't warned us about
 No coder is an island
 We all rely on:
 3rd party libraries
 Frameworks
 Symfony
 Zend
 CMS packages
 Joomla!
 Wordpress
 E-Commerce software
 osCommerce
 Magento
 CRM software
 SugarCRM
So... time to come clean... I've done it too
 Perception
 Using a version of Smarty without vulnerabilities (3.1.12)
 Reality
 4 versions of Smarty.
 Version 2.6.26 with 11 Vulnerabilities (7 critical)
 Version 2.6.28 with 12 Vulnerabilities (7 critical)
 Version 2.6.11 with 12 Vulnerabilities (7 critical)
 The other three were dependencies of another front end system
 Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
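The lesson of this slide is that the copy of Smarty you think you are running is not the only one on disk. The script below is an added example, not code from the talk: it walks a source tree, finds every Smarty.class.php, reads the version each file declares and flags copies older than a minimum you choose. The version patterns are an assumption based on how Smarty 2.x (var $_version = '2.6.26') and Smarty 3.x (const SMARTY_VERSION = 'Smarty-3.1.12') declare themselves; the sample tree is constructed in a temp directory for the demonstration.

```php
<?php
// Added example (not from the talk): inventory every vendored copy of Smarty
// in a code base and report which ones are below a chosen minimum version.
// Assumed version declarations (adjust for other libraries):
//   Smarty 2.x:  var $_version = '2.6.26';
//   Smarty 3.x:  const SMARTY_VERSION = 'Smarty-3.1.12';  (later 3.x drop the prefix)

function smartyVersionFromFile($path)
{
    $src = file_get_contents($path);
    if ($src === false) {
        return null;
    }
    if (preg_match('/SMARTY_VERSION\s*=\s*\'(?:Smarty-)?([0-9][0-9.]*)\'/', $src, $m)) {
        return $m[1];
    }
    if (preg_match('/\$_version\s*=\s*\'([0-9][0-9.]*)\'/', $src, $m)) {
        return $m[1];
    }
    return null;
}

// Map of path => version (null when the file does not declare one we recognise).
function findSmartyCopies($root)
{
    $found = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() !== 'Smarty.class.php') {
            continue;
        }
        $found[$file->getPathname()] = smartyVersionFromFile($file->getPathname());
    }
    ksort($found);
    return $found;
}

function report(array $copies, $minimum)
{
    $lines = array();
    foreach ($copies as $path => $version) {
        if ($version === null) {
            $lines[] = "UNKNOWN  $path";
        } elseif (version_compare($version, $minimum, '<')) {
            $lines[] = "OUTDATED $version  $path";
        } else {
            $lines[] = "ok       $version  $path";
        }
    }
    return $lines;
}

// Constructed sample tree mirroring the slide: one current copy under vendor/,
// two stale copies pulled in by other front ends.
$root = sys_get_temp_dir() . '/smarty-inventory-' . uniqid();
$samples = array(
    'vendor/smarty/libs/Smarty.class.php'   => "<?php\nclass Smarty { const SMARTY_VERSION = 'Smarty-3.1.12'; }\n",
    'legacy-admin/lib/Smarty.class.php'     => "<?php\nclass Smarty { var \$_version = '2.6.26'; }\n",
    'shop/includes/smarty/Smarty.class.php' => "<?php\nclass Smarty { var \$_version = '2.6.11'; }\n",
);
foreach ($samples as $rel => $body) {
    $path = "$root/$rel";
    mkdir(dirname($path), 0700, true);
    file_put_contents($path, $body);
}

foreach (report(findSmartyCopies($root), '3.1.12') as $line) {
    echo $line, "\n";
}
```

Run it against the real document root rather than the sample tree, and run it periodically: the copies that bite are the ones shipped inside another product's directory, which nobody on the team thinks of as "our Smarty".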
Let's get some real world data
 43 popular open source web applications, libraries and frameworks.
 3,421 versions
 5.6 million files
Worst offender
Some graph explanation
Mean / Average
Median
The Doom Line
Some actual numbers please
What are SMBs using?
Where does the blame lie?
 Wordpress and Joomla!
 Highly popular = Highly targeted.
 Fix released before the vulnerability was disclosed
 Libraries not so well behaved
 Most of the libraries found were vulnerable
 OpenX had a backdoor in their code base
 Frameworks came off well
 No vulnerabilities for the versions found
Reference:
http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
Let's get a little ageist here
What's the sell-by date?
Let's just put those together
Some good news at least
 We were looking at the worst of the worst
 SMB with little technical knowledge
 Freelancer CMS deploy
 People will fix what they know is broken
 Growing awareness
 Emergence of auto update tools
 Software houses and freelancers, up-sell those maintenance contracts
How much has the situation improved?
And for the developers
 Means of distributing 3rd party code is improving
 Composer
 Don't commit dependencies... specify them
 Major release locking
 Simple update mechanism
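"Major release locking" is the part of this slide that decides whether "simple update mechanism" helps or hurts: a constraint that stays inside one major version lets composer update keep pulling security fixes without silently crossing an API break, while "*", a branch alias or a bare lower bound accepts anything. The script below is an added example, not code from the talk or from Composer itself: it audits the require block of a composer.json for constraints that do not lock to a major version, and shows a weak manifest next to its corrected form. Both manifests are constructed; the package names and versions are illustrative, not a recommendation of specific versions. The ~ tilde form is how this was written in 2013; the ^ caret operator was added to Composer later and expresses the same intent.

```php
<?php
// Added example (not from the talk): flag composer.json requirements that are
// not locked to a major version. Manifests below are constructed.

// Returns package => reason for every requirement that needs attention;
// an empty array means every third-party requirement stays inside a major.
function auditConstraints(array $require)
{
    $problems = array();
    foreach ($require as $package => $constraint) {
        $c = trim($constraint);
        if ($package === 'php' || strpos($package, 'ext-') === 0) {
            continue; // platform requirements, not third-party code
        }
        if ($c === '*' || $c === '') {
            $problems[$package] = 'unbounded (*): any version of any major release';
        } elseif (strpos($c, 'dev-') === 0 || substr($c, -4) === '@dev') {
            $problems[$package] = 'tracks a branch: every update is an unknown quantity';
        } elseif (preg_match('/^>=?\s*[\d.]+\s*$/', $c)) {
            $problems[$package] = 'lower bound only: the next major release will be installed';
        } elseif (preg_match('/^[~^]\d/', $c)
            || preg_match('/^\d+(\.\d+)*(\.\*)?$/', $c)
            || preg_match('/^>=?\s*[\d.]+\s*,?\s*<=?\s*[\d.]+$/', $c)) {
            // caret, tilde, wildcard, exact or bounded range: cannot cross a major
        } else {
            $problems[$package] = "unrecognised constraint '$c': review by hand";
        }
    }
    return $problems;
}

// Constructed manifests: the weak one alongside its corrected form.
$weak = json_decode('{
    "require": {
        "php": ">=5.3.7",
        "smarty/smarty": "*",
        "zendframework/zendframework": ">=2.0",
        "some/experimental-lib": "dev-master"
    }
}', true);

$fixed = json_decode('{
    "require": {
        "php": ">=5.3.7",
        "smarty/smarty": "~3.1",
        "zendframework/zendframework": "~2.2",
        "some/experimental-lib": "1.0.*"
    }
}', true);

foreach (array('weak' => $weak, 'fixed' => $fixed) as $label => $manifest) {
    echo "== $label composer.json ==\n";
    $problems = auditConstraints($manifest['require']);
    if (!$problems) {
        echo "  every third-party requirement is locked to a major version\n";
    }
    foreach ($problems as $pkg => $why) {
        echo "  $pkg: $why\n";
    }
}
```

The companion habit for "don't commit dependencies... specify them" is to commit composer.lock and ignore vendor/: the lock file records the exact versions that were tested, every deploy installs those same versions, and an update is a deliberate, reviewable change to one file rather than a pile of vendored code that nobody diffs.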
@thomas_shone
www.shone.co.za
Questions?
