SlideShare ist ein Scribd-Unternehmen logo

Securing the PHP Environment with PHPSecInfo

F
funkatron
Technologie
1 von 22
Downloaden Sie, um offline zu lesen
Securing the PHP Environment with PHPSecInfo Ed Finkler coj@funkatron.com 20080523
The ubiquity of PHP PHP is very, very popular Nearly impossible to find a hosting service that doesn’t support PHP in some form About 34% of all domains report using PHP PHP is very easy to learn PHP provides results quickly Time between setup and seeing results is very short
The ubiquity of PHP PHP powers many busy, high-profile sites Wikipedia Facebook Wordpress.com Digg Flickr Yahoo!
NIST NVD: 2006 data PHP Language PHP Apps: remote file inclusion 13.6% PHP Apps: other 0.5% Other 28.9% 6604 total entries 2803 PHP applications 57.1% 895 PHP app remote file inclusion Almost blocked by disabling allow_url_fopen (allow_url_include in 5.2+)
What does this tell us? How popular PHP is How much a target web apps are How many PHP developers are incapable of writing secure apps How many sysadmins don’t secure their PHP environments
The parties involved The System Administrator Directly responsible for PHP environment security Tendency to lower security of environment to reduce application compatibility complaints
The parties involved •The PHP Developer • Must be aware of the environment and how it impacts app development • Will write apps assuming certain features are enabled, despite security risks
The parties involved The PHP “Deployer” By far the largest portion of the audience Uses PHP apps on a web site, but not a coder Not capable of assessing security of an app At the mercy of the SysAdmin and Developer
Requirements of PHPSecInfo A security auditing tool accessible to the “Deployer” Compatible Support PHP4 (63%) and PHP5 (37%) Easy to install Unzip and Upload Easy to execute (little or no config) Runs upon upload; single function call
Requirements of PHPSecInfo Easy to understand Clear, unambiguous results; color coding Encourage further exploration Offer extended explanations with links to more info
Executing PHPSecInfo 1.Unzip 2.Upload 3.View in Browser
Test Suite 17 tests for commonly exploited security vulnerabilities in PHP environment Each test result shows: Current Setting Recommended Setting Result (color-coded) Explanation Link to further info Simple metrics output
PHPSecInfo encourages accountability Sorry, we can’t support your Developers app because it requires an Here’s what’s wrong with your insecure config! PHP setup – fix it before you run our app! Sysadmins Why does your application Why doesn’t your hosting require an insecure Our hosting is secure – service provide a secure PHP configuration? PHPSecInfo says so! environment? Deployers
For advanced users Still a useful tool for evaluating PHP environments Part of an auditing toolkit for web app security experts Extensible test framework Create custom tests specific to an environment Full generated documentation available
Zend_Environment Security Module Part of Zend Framework PHP5-only Zend_Environment offers programatic access to PHP environment information Z_E security module based on PHPSecInfo Offers better (for now) programatic access to test results More flexible output (HTML, Text, etc) Part of a full-featured development framework
What the future may bring Phar & PEAR installs New view system & new output formats (xml, console, html themes, etc) Better IIS support Instantiate and obtain results programatically for embedding in apps Security testing during installation process, et al
What is needed Help! Developers and Documenters Both PSI and ZFW sides
More Information phpsecinfo.com phpsec.org cerias.purdue.edu framework.zend.com

Empfohlen

Benefits of using asp
Benefits of using aspBenefits of using asp
Benefits of using aspsubu subu
 
Web server security techniques by Khawar Nehal
Web server security techniques by Khawar NehalWeb server security techniques by Khawar Nehal
Web server security techniques by Khawar NehalKhawar Nehal khawar.nehal@atrc.net.pk
 
Selenium training in Chennai
Selenium training in Chennai Selenium training in Chennai
Selenium training in Chennai srinithya8994
 
Mcafee Epolicy Orchestrator
Mcafee Epolicy OrchestratorMcafee Epolicy Orchestrator
Mcafee Epolicy OrchestratorMindRiver Group
 
Anti Key Logging And Real Time Encryption Software
Anti Key Logging And Real Time Encryption SoftwareAnti Key Logging And Real Time Encryption Software
Anti Key Logging And Real Time Encryption SoftwareGrey Matter India Technologies PVT LTD
 
Ethical hacking course task 8
Ethical hacking course task 8Ethical hacking course task 8
Ethical hacking course task 8GURUPRASANTH33
 
Devops certification training task 08
Devops certification training task 08Devops certification training task 08
Devops certification training task 08GURUPRASANTH33
 
Webinar: 10 Steps To Your Archive!
Webinar: 10 Steps To Your Archive!Webinar: 10 Steps To Your Archive!
Webinar: 10 Steps To Your Archive!GWAVA
 

Empfohlen

Benefits of using asp
Benefits of using aspBenefits of using asp
Benefits of using aspsubu subu
 
Web server security techniques by Khawar Nehal
Web server security techniques by Khawar NehalWeb server security techniques by Khawar Nehal
Web server security techniques by Khawar NehalKhawar Nehal khawar.nehal@atrc.net.pk
 
Selenium training in Chennai
Selenium training in Chennai Selenium training in Chennai
Selenium training in Chennai srinithya8994
 
Mcafee Epolicy Orchestrator
Mcafee Epolicy OrchestratorMcafee Epolicy Orchestrator
Mcafee Epolicy OrchestratorMindRiver Group
 
Anti Key Logging And Real Time Encryption Software
Anti Key Logging And Real Time Encryption SoftwareAnti Key Logging And Real Time Encryption Software
Anti Key Logging And Real Time Encryption SoftwareGrey Matter India Technologies PVT LTD
 
Ethical hacking course task 8
Ethical hacking course task 8Ethical hacking course task 8
Ethical hacking course task 8GURUPRASANTH33
 
Devops certification training task 08
Devops certification training task 08Devops certification training task 08
Devops certification training task 08GURUPRASANTH33
 
Webinar: 10 Steps To Your Archive!
Webinar: 10 Steps To Your Archive!Webinar: 10 Steps To Your Archive!
Webinar: 10 Steps To Your Archive!GWAVA
 
Apple notification push
Apple notification pushApple notification push
Apple notification pushJonathan RAMIER
 
Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceBoy Baukema
 
Skills required to start your Software Testing Engineer Career
Skills required to start your Software Testing Engineer CareerSkills required to start your Software Testing Engineer Career
Skills required to start your Software Testing Engineer CareerYoussef Trabelsi
 
WebRTC for Remote Call Center Agents
WebRTC for Remote Call Center AgentsWebRTC for Remote Call Center Agents
WebRTC for Remote Call Center AgentsJoseph Hernandez
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure Cisco DevNet
 
Background thread
Background threadBackground thread
Background threadmsarangam
 
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.shAPIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.shapidays
 
500 Internal Server Error
500 Internal Server Error500 Internal Server Error
500 Internal Server Errormcafeemtpretailcard2014
 
How to build a server and a iPhone client application using the Apple Push No...
How to build a server and a iPhone client application using the Apple Push No...How to build a server and a iPhone client application using the Apple Push No...
How to build a server and a iPhone client application using the Apple Push No...Shu Masuda
 
Presentation web based application|Web designing training center in coimbator...
Presentation web based application|Web designing training center in coimbator...Presentation web based application|Web designing training center in coimbator...
Presentation web based application|Web designing training center in coimbator...Vignesh026
 
Steps on macfee epo console icon
Steps on macfee epo console iconSteps on macfee epo console icon
Steps on macfee epo console iconChennam Bhaskar
 
Push Notification
Push NotificationPush Notification
Push NotificationVinoth Kannan
 
VirusScan Enterprise v8.8
VirusScan Enterprise v8.8VirusScan Enterprise v8.8
VirusScan Enterprise v8.8Geronimo Martin Alonso
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Ravindra Singh Rathore
 
Resume (1)
Resume (1)Resume (1)
Resume (1)S Prabahar Prabu
 
Learn SELENIUM at ASIT
Learn SELENIUM at ASITLearn SELENIUM at ASIT
Learn SELENIUM at ASITASIT
 
The Twelve Factor Apps
The Twelve Factor AppsThe Twelve Factor Apps
The Twelve Factor Appstomi vanek
 
Demo Camp2009 Hyd
Demo Camp2009 HydDemo Camp2009 Hyd
Demo Camp2009 Hydrakesh_shah_1999
 
Animals
AnimalsAnimals
AnimalsCarla Lopes
 
Bunnysharerevised
BunnysharerevisedBunnysharerevised
BunnysharerevisedCarla Lopes
 
Billandtedpowerpoint
BillandtedpowerpointBillandtedpowerpoint
Billandtedpowerpointdklm09
 
Joomla gran
Joomla granJoomla gran
Joomla grancarlesr
 

Weitere ähnliche Inhalte

Was ist angesagt?

Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceBoy Baukema
 
Skills required to start your Software Testing Engineer Career
Skills required to start your Software Testing Engineer CareerSkills required to start your Software Testing Engineer Career
Skills required to start your Software Testing Engineer CareerYoussef Trabelsi
 
WebRTC for Remote Call Center Agents
WebRTC for Remote Call Center AgentsWebRTC for Remote Call Center Agents
WebRTC for Remote Call Center AgentsJoseph Hernandez
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure Cisco DevNet
 
Background thread
Background threadBackground thread
Background threadmsarangam
 
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.shAPIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.shapidays
 
How to build a server and a iPhone client application using the Apple Push No...
How to build a server and a iPhone client application using the Apple Push No...How to build a server and a iPhone client application using the Apple Push No...
How to build a server and a iPhone client application using the Apple Push No...Shu Masuda
 
Presentation web based application|Web designing training center in coimbator...
Presentation web based application|Web designing training center in coimbator...Presentation web based application|Web designing training center in coimbator...
Presentation web based application|Web designing training center in coimbator...Vignesh026
 
Steps on macfee epo console icon
Steps on macfee epo console iconSteps on macfee epo console icon
Steps on macfee epo console iconChennam Bhaskar
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Ravindra Singh Rathore
 
Learn SELENIUM at ASIT
Learn SELENIUM at ASITLearn SELENIUM at ASIT
Learn SELENIUM at ASITASIT
 
The Twelve Factor Apps
The Twelve Factor AppsThe Twelve Factor Apps
The Twelve Factor Appstomi vanek
 

Was ist angesagt? (18)

Apple notification push
Apple notification pushApple notification push
Apple notification push
 
Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality Assurance
 
Skills required to start your Software Testing Engineer Career
Skills required to start your Software Testing Engineer CareerSkills required to start your Software Testing Engineer Career
Skills required to start your Software Testing Engineer Career
 
WebRTC for Remote Call Center Agents
WebRTC for Remote Call Center AgentsWebRTC for Remote Call Center Agents
WebRTC for Remote Call Center Agents
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure
 
Background thread
Background threadBackground thread
Background thread
 
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.shAPIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
APIdays Paris 2019 - The Rise of Shadow APIs by Guillaume Montard, Bearer.sh
 
500 Internal Server Error
500 Internal Server Error500 Internal Server Error
500 Internal Server Error
 
How to build a server and a iPhone client application using the Apple Push No...
How to build a server and a iPhone client application using the Apple Push No...How to build a server and a iPhone client application using the Apple Push No...
How to build a server and a iPhone client application using the Apple Push No...
 
Presentation web based application|Web designing training center in coimbator...
Presentation web based application|Web designing training center in coimbator...Presentation web based application|Web designing training center in coimbator...
Presentation web based application|Web designing training center in coimbator...
 
Steps on macfee epo console icon
Steps on macfee epo console iconSteps on macfee epo console icon
Steps on macfee epo console icon
 
Push Notification
Push NotificationPush Notification
Push Notification
 
VirusScan Enterprise v8.8
VirusScan Enterprise v8.8VirusScan Enterprise v8.8
VirusScan Enterprise v8.8
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
 
Resume (1)
Resume (1)Resume (1)
Resume (1)
 
Learn SELENIUM at ASIT
Learn SELENIUM at ASITLearn SELENIUM at ASIT
Learn SELENIUM at ASIT
 
The Twelve Factor Apps
The Twelve Factor AppsThe Twelve Factor Apps
The Twelve Factor Apps
 
Demo Camp2009 Hyd
Demo Camp2009 HydDemo Camp2009 Hyd
Demo Camp2009 Hyd
 

Andere mochten auch

Bunnysharerevised
BunnysharerevisedBunnysharerevised
BunnysharerevisedCarla Lopes
 
Billandtedpowerpoint
BillandtedpowerpointBillandtedpowerpoint
Billandtedpowerpointdklm09
 
Joomla gran
Joomla granJoomla gran
Joomla grancarlesr
 
馬桶修好了!
馬桶修好了!馬桶修好了!
馬桶修好了!Visit1992
 
Building Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIRBuilding Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIRfunkatron
 

Andere mochten auch (7)

Animals
AnimalsAnimals
Animals
 
Bunnysharerevised
BunnysharerevisedBunnysharerevised
Bunnysharerevised
 
Billandtedpowerpoint
BillandtedpowerpointBillandtedpowerpoint
Billandtedpowerpoint
 
Joomla gran
Joomla granJoomla gran
Joomla gran
 
馬桶修好了!
馬桶修好了!馬桶修好了!
馬桶修好了!
 
Building Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIRBuilding Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIR
 
InglêS
InglêSInglêS
InglêS
 

Ähnlich wie Securing the PHP Environment with PHPSecInfo

Microsoft TechDays 2011 - PHP on Windows
Microsoft TechDays 2011 - PHP on WindowsMicrosoft TechDays 2011 - PHP on Windows
Microsoft TechDays 2011 - PHP on WindowsEnterprise PHP Center
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings10n Software, LLC
 
Hire Professional PHP Developer
Hire Professional PHP DeveloperHire Professional PHP Developer
Hire Professional PHP Developerdeveloperonrents
 
Phpbasics And Php Framework
Phpbasics And Php FrameworkPhpbasics And Php Framework
Phpbasics And Php Frameworkshivas
 
main report on restaurant
main report on restaurantmain report on restaurant
main report on restaurantNeeraj Kumar
 
Integrating PHP With System-i using Web Services
Integrating PHP With System-i using Web ServicesIntegrating PHP With System-i using Web Services
Integrating PHP With System-i using Web ServicesIvo Jansch
 
Scaling PHP Applications with Zend Platform
Scaling PHP Applications with Zend PlatformScaling PHP Applications with Zend Platform
Scaling PHP Applications with Zend PlatformShahar Evron
 
Driving a PHP Application with MultiValue Data
Driving a PHP Application with MultiValue DataDriving a PHP Application with MultiValue Data
Driving a PHP Application with MultiValue DataRocket Software
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveIndumathySK
 
Crime Reporting System.pptx
Crime Reporting System.pptxCrime Reporting System.pptx
Crime Reporting System.pptxPenilVora
 
Freelance web development
Freelance web developmentFreelance web development
Freelance web developmentbritadammen
 
Professional PHP: an open-source alternative for enterprise development [Antw...
Professional PHP: an open-source alternative for enterprise development [Antw...Professional PHP: an open-source alternative for enterprise development [Antw...
Professional PHP: an open-source alternative for enterprise development [Antw...Combell NV
 
Federico Feroldi: PHP in Yahoo!
Federico Feroldi: PHP in Yahoo!Federico Feroldi: PHP in Yahoo!
Federico Feroldi: PHP in Yahoo!Francesco Fullone
 

Ähnlich wie Securing the PHP Environment with PHPSecInfo (20)

Microsoft TechDays 2011 - PHP on Windows
Microsoft TechDays 2011 - PHP on WindowsMicrosoft TechDays 2011 - PHP on Windows
Microsoft TechDays 2011 - PHP on Windows
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings
 
PHP Course and Training
PHP Course and Training PHP Course and Training
PHP Course and Training
 
Php Training in Chandigarh
Php Training in ChandigarhPhp Training in Chandigarh
Php Training in Chandigarh
 
Hire Professional PHP Developer
Hire Professional PHP DeveloperHire Professional PHP Developer
Hire Professional PHP Developer
 
Phpbasics And Php Framework
Phpbasics And Php FrameworkPhpbasics And Php Framework
Phpbasics And Php Framework
 
main report on restaurant
main report on restaurantmain report on restaurant
main report on restaurant
 
Integrating PHP With System-i using Web Services
Integrating PHP With System-i using Web ServicesIntegrating PHP With System-i using Web Services
Integrating PHP With System-i using Web Services
 
Scaling PHP Applications with Zend Platform
Scaling PHP Applications with Zend PlatformScaling PHP Applications with Zend Platform
Scaling PHP Applications with Zend Platform
 
Driving a PHP Application with MultiValue Data
Driving a PHP Application with MultiValue DataDriving a PHP Application with MultiValue Data
Driving a PHP Application with MultiValue Data
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must Have
 
Crime Reporting System.pptx
Crime Reporting System.pptxCrime Reporting System.pptx
Crime Reporting System.pptx
 
Freelance web development
Freelance web developmentFreelance web development
Freelance web development
 
PHP Frameworks
PHP FrameworksPHP Frameworks
PHP Frameworks
 
Professional PHP: an open-source alternative for enterprise development [Antw...
Professional PHP: an open-source alternative for enterprise development [Antw...Professional PHP: an open-source alternative for enterprise development [Antw...
Professional PHP: an open-source alternative for enterprise development [Antw...
 
Why Choose PHP for web app development_.pdf
Why Choose PHP for web app development_.pdfWhy Choose PHP for web app development_.pdf
Why Choose PHP for web app development_.pdf
 
PHP Web Development.pdf
PHP Web Development.pdfPHP Web Development.pdf
PHP Web Development.pdf
 
Introducing symfony
Introducing symfonyIntroducing symfony
Introducing symfony
 
Top 5 advanced php framework in 2018
Top 5 advanced php framework in 2018Top 5 advanced php framework in 2018
Top 5 advanced php framework in 2018
 
Federico Feroldi: PHP in Yahoo!
Federico Feroldi: PHP in Yahoo!Federico Feroldi: PHP in Yahoo!
Federico Feroldi: PHP in Yahoo!
 

Mehr von funkatron

Building mobile apps with JavaScript and PHP
Building mobile apps with JavaScript and PHPBuilding mobile apps with JavaScript and PHP
Building mobile apps with JavaScript and PHPfunkatron
 
JavaScript for PHP Developers
JavaScript for PHP DevelopersJavaScript for PHP Developers
JavaScript for PHP Developersfunkatron
 
Building RIAs with CodeIgniter and JavaScript
Building RIAs with CodeIgniter and JavaScriptBuilding RIAs with CodeIgniter and JavaScript
Building RIAs with CodeIgniter and JavaScriptfunkatron
 
Secure PHP Development with Inspekt
Secure PHP Development with InspektSecure PHP Development with Inspekt
Secure PHP Development with Inspektfunkatron
 
JavaScript for PHP Developers
JavaScript for PHP DevelopersJavaScript for PHP Developers
JavaScript for PHP Developersfunkatron
 
Building Desktop RIAs with JavaScript and PHP - ZendCon09
Building Desktop RIAs with JavaScript and PHP - ZendCon09Building Desktop RIAs with JavaScript and PHP - ZendCon09
Building Desktop RIAs with JavaScript and PHP - ZendCon09funkatron
 
Building Desktop RIAs With PHP And JavaScript
Building Desktop RIAs With PHP And JavaScriptBuilding Desktop RIAs With PHP And JavaScript
Building Desktop RIAs With PHP And JavaScriptfunkatron
 
Intro To Mvc Development In Php
Intro To Mvc Development In PhpIntro To Mvc Development In Php
Intro To Mvc Development In Phpfunkatron
 
Building Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIRBuilding Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIRfunkatron
 
Securing the PHP Environment with PHPSecInfo - OSCON 2008
Securing the PHP Environment with PHPSecInfo - OSCON 2008Securing the PHP Environment with PHPSecInfo - OSCON 2008
Securing the PHP Environment with PHPSecInfo - OSCON 2008funkatron
 

Mehr von funkatron (10)

Building mobile apps with JavaScript and PHP
Building mobile apps with JavaScript and PHPBuilding mobile apps with JavaScript and PHP
Building mobile apps with JavaScript and PHP
 
JavaScript for PHP Developers
JavaScript for PHP DevelopersJavaScript for PHP Developers
JavaScript for PHP Developers
 
Building RIAs with CodeIgniter and JavaScript
Building RIAs with CodeIgniter and JavaScriptBuilding RIAs with CodeIgniter and JavaScript
Building RIAs with CodeIgniter and JavaScript
 
Secure PHP Development with Inspekt
Secure PHP Development with InspektSecure PHP Development with Inspekt
Secure PHP Development with Inspekt
 
JavaScript for PHP Developers
JavaScript for PHP DevelopersJavaScript for PHP Developers
JavaScript for PHP Developers
 
Building Desktop RIAs with JavaScript and PHP - ZendCon09
Building Desktop RIAs with JavaScript and PHP - ZendCon09Building Desktop RIAs with JavaScript and PHP - ZendCon09
Building Desktop RIAs with JavaScript and PHP - ZendCon09
 
Building Desktop RIAs With PHP And JavaScript
Building Desktop RIAs With PHP And JavaScriptBuilding Desktop RIAs With PHP And JavaScript
Building Desktop RIAs With PHP And JavaScript
 
Intro To Mvc Development In Php
Intro To Mvc Development In PhpIntro To Mvc Development In Php
Intro To Mvc Development In Php
 
Building Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIRBuilding Desktop RIAs with PHP, HTML & Javascript in AIR
Building Desktop RIAs with PHP, HTML & Javascript in AIR
 
Securing the PHP Environment with PHPSecInfo - OSCON 2008
Securing the PHP Environment with PHPSecInfo - OSCON 2008Securing the PHP Environment with PHPSecInfo - OSCON 2008
Securing the PHP Environment with PHPSecInfo - OSCON 2008
 

Kürzlich hochgeladen

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Kürzlich hochgeladen (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Securing the PHP Environment with PHPSecInfo

  • 1. Securing the PHP Environment with PHPSecInfo Ed Finkler coj@funkatron.com 20080523
  • 2. The ubiquity of PHP PHP is very, very popular Nearly impossible to find a hosting service that doesn’t support PHP in some form About 34% of all domains report using PHP PHP is very easy to learn PHP provides results quickly Time between setup and seeing results is very short
  • 3. The ubiquity of PHP PHP powers many busy, high-profile sites Wikipedia Facebook Wordpress.com Digg Flickr Yahoo!
  • 4. NIST NVD: 2006 data PHP Language PHP Apps: remote file inclusion 13.6% PHP Apps: other 0.5% Other 28.9% 6604 total entries 2803 PHP applications 57.1% 895 PHP app remote file inclusion Almost blocked by disabling allow_url_fopen (allow_url_include in 5.2+)
  • 5. What does this tell us? How popular PHP is How much a target web apps are How many PHP developers are incapable of writing secure apps How many sysadmins don’t secure their PHP environments
  • 6. The parties involved The System Administrator Directly responsible for PHP environment security Tendency to lower security of environment to reduce application compatibility complaints
  • 7. The parties involved •The PHP Developer • Must be aware of the environment and how it impacts app development • Will write apps assuming certain features are enabled, despite security risks
  • 8. The parties involved The PHP “Deployer” By far the largest portion of the audience Uses PHP apps on a web site, but not a coder Not capable of assessing security of an app At the mercy of the SysAdmin and Developer
  • 9. Requirements of PHPSecInfo A security auditing tool accessible to the “Deployer” Compatible Support PHP4 (63%) and PHP5 (37%) Easy to install Unzip and Upload Easy to execute (little or no config) Runs upon upload; single function call
  • 10. Requirements of PHPSecInfo Easy to understand Clear, unambiguous results; color coding Encourage further exploration Offer extended explanations with links to more info
  • 11. Executing PHPSecInfo 1.Unzip 2.Upload 3.View in Browser
  • 12.
  • 13. Test Suite 17 tests for commonly exploited security vulnerabilities in PHP environment Each test result shows: Current Setting Recommended Setting Result (color-coded) Explanation Link to further info Simple metrics output
  • 14.
  • 15.
  • 16. PHPSecInfo encourages accountability Sorry, we can’t support your Developers app because it requires an Here’s what’s wrong with your insecure config! PHP setup – fix it before you run our app! Sysadmins Why does your application Why doesn’t your hosting require an insecure Our hosting is secure – service provide a secure PHP configuration? PHPSecInfo says so! environment? Deployers
  • 17. For advanced users Still a useful tool for evaluating PHP environments Part of an auditing toolkit for web app security experts Extensible test framework Create custom tests specific to an environment Full generated documentation available
  • 18. Zend_Environment Security Module Part of Zend Framework PHP5-only Zend_Environment offers programatic access to PHP environment information Z_E security module based on PHPSecInfo Offers better (for now) programatic access to test results More flexible output (HTML, Text, etc) Part of a full-featured development framework
  • 19.
  • 20. What the future may bring Phar & PEAR installs New view system & new output formats (xml, console, html themes, etc) Better IIS support Instantiate and obtain results programatically for embedding in apps Security testing during installation process, et al
  • 21. What is needed Help! Developers and Documenters Both PSI and ZFW sides