SlideShare ist ein Scribd-Unternehmen logo

PHP SA 2013 - The weak points in our PHP projects

Als PPT, PDF herunterladen
X
xsist10

The weak points in our PHP projects Are your dependencies getting you down

Technologie
1 von 18
The weak points in our systems Are your dependencies getting you down? Thomas Shone – Senior PHP Developer PHP South Africa - Oct 2013
Copyright © 2012 Clickatell. All rights reserved. About me  Senior developer for Clickatell  Work remotely from Grahamstown in the Eastern Cape  I like to break things
Copyright © 2012 Clickatell. All rights reserved. The bare minimum we SHOULD be doing  Preventing SQL injection and sanitizing user input  Email and cellphone verification – Mitigate social engineering against support team  Salting and using strong hashing for passwords – As of PHP 5.5, www.php.net/password will make this trivial  Forgotten password resets done by email link  Use OAuth or OpenID  Two factor authentication – High risk data – Premium support verification – Off-site staff authentication method
Copyright © 2012 Clickatell. All rights reserved. What the blogs haven't warned us about  No coder is an island  We all rely on: – 3rd party libraries – Frameworks • Symfony • Zend – CMS packages • Joomla! • Wordpress – E-Commerce software • osCommerce • Magento – CRM software • SugarCRM
Copyright © 2012 Clickatell. All rights reserved. So... time to come clean... I've done it too  Perception – Using a version of Smarty without vulnerabilities (3.1.12)  Reality – 4 versions of Smarty. – Version 2.6.26 with 11 Vulnerabilities (7 critical) – Version 2.6.28 with 12 Vulnerabilities (7 critical) – Version 2.6.11 with 12 Vulnerabilities (7 critical)  The other three were dependencies of another front end system  Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
Copyright © 2012 Clickatell. All rights reserved. Lets get some real world data  43 popular open source web applications, libraries and frameworks.  3,421 versions  5.6 million files
Worst offender
Copyright © 2012 Clickatell. All rights reserved. Some graph explanation Mean / Average Median The Doom Line
Insert the title of your long presentation names here Enter your subtitle here Some actual numbers please
What are SMBs using?
Copyright © 2012 Clickatell. All rights reserved. Where does the blame lie?  Wordpress and Joomla! – Highly popular = Highly targeted. – Fix released before the vulnerability disclosed  Libraries not so well behaved – Most of the libraries found where vulnerable – OpenX had a backdoor in their code base  Frameworks came off well – No vulnerabilities for the versions found Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
Insert the title of your long presentation names here Enter your subtitle here Lets get a little ageist here
Insert the title of your long presentation names here Enter your subtitle here What's the sell by date
Insert the title of your long presentation names here Enter your subtitle here Lets just put those together
Copyright © 2012 Clickatell. All rights reserved. Some good news at least  We were looking at the worst of the worst – SMB with little technical knowledge – Freelancer CMS deploy  People will fix what they know is broken – Growing awareness – Emergence of auto update tools – Software houses and freelances, up-sell those maintenance contracts
Insert the title of your long presentation names here Enter your subtitle here How much has the situation improved
Copyright © 2012 Clickatell. All rights reserved. And for the developers  Means of distributing 3rd party code is improving – Composer • Don't commit dependencies... specify • Major release locking • Simple update mechanism
@thomas_shone www.shone.co.za Questions?

Empfohlen

A Slide!
A Slide!A Slide!
A Slide!webhostingguy
 
Wordpress podcamp2011
Wordpress podcamp2011Wordpress podcamp2011
Wordpress podcamp2011Findability Solutions
 
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clients
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your ClientsWhy Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clients
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clientsryanduff
 
Installing WordPress The Right Way
Installing WordPress The Right WayInstalling WordPress The Right Way
Installing WordPress The Right WayChris Burgess
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureWordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureMeagan Hanes
 
Practical Blogs for Writers
Practical Blogs for WritersPractical Blogs for Writers
Practical Blogs for WritersSusan Stewart
 
Speed & Uptime with Wordpress
Speed & Uptime with WordpressSpeed & Uptime with Wordpress
Speed & Uptime with Wordpresstoddhdow
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteChris Burgess
 

Empfohlen

A Slide!
A Slide!A Slide!
A Slide!webhostingguy
 
Wordpress podcamp2011
Wordpress podcamp2011Wordpress podcamp2011
Wordpress podcamp2011Findability Solutions
 
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clients
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your ClientsWhy Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clients
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clientsryanduff
 
Installing WordPress The Right Way
Installing WordPress The Right WayInstalling WordPress The Right Way
Installing WordPress The Right WayChris Burgess
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureWordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureMeagan Hanes
 
Practical Blogs for Writers
Practical Blogs for WritersPractical Blogs for Writers
Practical Blogs for WritersSusan Stewart
 
Speed & Uptime with Wordpress
Speed & Uptime with WordpressSpeed & Uptime with Wordpress
Speed & Uptime with Wordpresstoddhdow
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteChris Burgess
 
Word press security 101
Word press security 101 Word press security 101
Word press security 101 Kojac801
 
A Slide!
A Slide!A Slide!
A Slide!webhostingguy
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-codingTrần Bình Hậu
 
Open Source in the Enterprise
Open Source in the EnterpriseOpen Source in the Enterprise
Open Source in the EnterpriseSocial Media Performance Group
 
Using Information Technology
Using Information TechnologyUsing Information Technology
Using Information TechnologyUniversitas Teknokrat Indonesia
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Laskywordcampgc
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfdistortdistort
 
wcm domino
wcm dominowcm domino
wcm dominodominion
 
Joomla Security
Joomla SecurityJoomla Security
Joomla SecurityViryaTechnologies
 
Joomla Security
Joomla SecurityJoomla Security
Joomla SecurityRuth Cheesley
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Technologies for startup
Technologies for startupTechnologies for startup
Technologies for startupDzung Nguyen
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Wpd09 Sydney
Wpd09 SydneyWpd09 Sydney
Wpd09 Sydneyvirginiachoy
 
Community dynamics
Community dynamicsCommunity dynamics
Community dynamicsDave Neary
 
Lotusphere 2009 The 11 Commandments
Lotusphere 2009 The 11 CommandmentsLotusphere 2009 The 11 Commandments
Lotusphere 2009 The 11 CommandmentsBill Buchan
 
SharePoint Development and the Cloud
SharePoint Development and the CloudSharePoint Development and the Cloud
SharePoint Development and the Cloudcharelenetorres
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings10n Software, LLC
 
Y4IT - Technology Trends And The Skills You Should Learn
Y4IT - Technology Trends And The Skills You Should LearnY4IT - Technology Trends And The Skills You Should Learn
Y4IT - Technology Trends And The Skills You Should Learncalenlegaspi
 
Security theatre (Scotland php)
Security theatre (Scotland php)Security theatre (Scotland php)
Security theatre (Scotland php)xsist10
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 

Weitere ähnliche Inhalte

Ähnlich wie PHP SA 2013 - The weak points in our PHP projects

Word press security 101
Word press security 101 Word press security 101
Word press security 101 Kojac801
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Laskywordcampgc
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfdistortdistort
 
wcm domino
wcm dominowcm domino
wcm dominodominion
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Technologies for startup
Technologies for startupTechnologies for startup
Technologies for startupDzung Nguyen
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Community dynamics
Community dynamicsCommunity dynamics
Community dynamicsDave Neary
 
Lotusphere 2009 The 11 Commandments
Lotusphere 2009 The 11 CommandmentsLotusphere 2009 The 11 Commandments
Lotusphere 2009 The 11 CommandmentsBill Buchan
 
SharePoint Development and the Cloud
SharePoint Development and the CloudSharePoint Development and the Cloud
SharePoint Development and the Cloudcharelenetorres
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings10n Software, LLC
 
Y4IT - Technology Trends And The Skills You Should Learn
Y4IT - Technology Trends And The Skills You Should LearnY4IT - Technology Trends And The Skills You Should Learn
Y4IT - Technology Trends And The Skills You Should Learncalenlegaspi
 

Ähnlich wie PHP SA 2013 - The weak points in our PHP projects (20)

Word press security 101
Word press security 101 Word press security 101
Word press security 101
 
A Slide!
A Slide!A Slide!
A Slide!
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-coding
 
Open Source in the Enterprise
Open Source in the EnterpriseOpen Source in the Enterprise
Open Source in the Enterprise
 
Using Information Technology
Using Information TechnologyUsing Information Technology
Using Information Technology
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
wcm domino
wcm dominowcm domino
wcm domino
 
Joomla Security
Joomla SecurityJoomla Security
Joomla Security
 
Joomla Security
Joomla SecurityJoomla Security
Joomla Security
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Technologies for startup
Technologies for startupTechnologies for startup
Technologies for startup
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Wpd09 Sydney
Wpd09 SydneyWpd09 Sydney
Wpd09 Sydney
 
Community dynamics
Community dynamicsCommunity dynamics
Community dynamics
 
Lotusphere 2009 The 11 Commandments
Lotusphere 2009 The 11 CommandmentsLotusphere 2009 The 11 Commandments
Lotusphere 2009 The 11 Commandments
 
SharePoint Development and the Cloud
SharePoint Development and the CloudSharePoint Development and the Cloud
SharePoint Development and the Cloud
 
Slides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetingsSlides from LAX & DEN usergroup meetings
Slides from LAX & DEN usergroup meetings
 
Y4IT - Technology Trends And The Skills You Should Learn
Y4IT - Technology Trends And The Skills You Should LearnY4IT - Technology Trends And The Skills You Should Learn
Y4IT - Technology Trends And The Skills You Should Learn
 

Mehr von xsist10

Security theatre (Scotland php)
Security theatre (Scotland php)Security theatre (Scotland php)
Security theatre (Scotland php)xsist10
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confooxsist10
 
I put on my mink and wizard behat - Confoo Canada
I put on my mink and wizard behat - Confoo CanadaI put on my mink and wizard behat - Confoo Canada
I put on my mink and wizard behat - Confoo Canadaxsist10
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conferencexsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
I put on my mink and wizard behat (talk)
I put on my mink and wizard behat (talk)I put on my mink and wizard behat (talk)
I put on my mink and wizard behat (talk)xsist10
 
I put on my mink and wizard behat (tutorial)
I put on my mink and wizard behat (tutorial)I put on my mink and wizard behat (tutorial)
I put on my mink and wizard behat (tutorial)xsist10
 
I put on my mink and wizard behat
I put on my mink and wizard behatI put on my mink and wizard behat
I put on my mink and wizard behatxsist10
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Projectxsist10
 

Mehr von xsist10 (11)

Security theatre (Scotland php)
Security theatre (Scotland php)Security theatre (Scotland php)
Security theatre (Scotland php)
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
Security Theatre - Confoo
Security Theatre - ConfooSecurity Theatre - Confoo
Security Theatre - Confoo
 
I put on my mink and wizard behat - Confoo Canada
I put on my mink and wizard behat - Confoo CanadaI put on my mink and wizard behat - Confoo Canada
I put on my mink and wizard behat - Confoo Canada
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHP
 
I put on my mink and wizard behat (talk)
I put on my mink and wizard behat (talk)I put on my mink and wizard behat (talk)
I put on my mink and wizard behat (talk)
 
I put on my mink and wizard behat (tutorial)
I put on my mink and wizard behat (tutorial)I put on my mink and wizard behat (tutorial)
I put on my mink and wizard behat (tutorial)
 
I put on my mink and wizard behat
I put on my mink and wizard behatI put on my mink and wizard behat
I put on my mink and wizard behat
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Project
 

Kürzlich hochgeladen

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Kürzlich hochgeladen (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

PHP SA 2013 - The weak points in our PHP projects

  • 1. The weak points in our systems Are your dependencies getting you down? Thomas Shone – Senior PHP Developer PHP South Africa - Oct 2013
  • 2. Copyright © 2012 Clickatell. All rights reserved. About me  Senior developer for Clickatell  Work remotely from Grahamstown in the Eastern Cape  I like to break things
  • 3. Copyright © 2012 Clickatell. All rights reserved. The bare minimum we SHOULD be doing  Preventing SQL injection and sanitizing user input  Email and cellphone verification – Mitigate social engineering against support team  Salting and using strong hashing for passwords – As of PHP 5.5, www.php.net/password will make this trivial  Forgotten password resets done by email link  Use OAuth or OpenID  Two factor authentication – High risk data – Premium support verification – Off-site staff authentication method
  • 4. Copyright © 2012 Clickatell. All rights reserved. What the blogs haven't warned us about  No coder is an island  We all rely on: – 3rd party libraries – Frameworks • Symfony • Zend – CMS packages • Joomla! • Wordpress – E-Commerce software • osCommerce • Magento – CRM software • SugarCRM
  • 5. Copyright © 2012 Clickatell. All rights reserved. So... time to come clean... I've done it too  Perception – Using a version of Smarty without vulnerabilities (3.1.12)  Reality – 4 versions of Smarty. – Version 2.6.26 with 11 Vulnerabilities (7 critical) – Version 2.6.28 with 12 Vulnerabilities (7 critical) – Version 2.6.11 with 12 Vulnerabilities (7 critical)  The other three were dependencies of another front end system  Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
  • 6. Copyright © 2012 Clickatell. All rights reserved. Lets get some real world data  43 popular open source web applications, libraries and frameworks.  3,421 versions  5.6 million files
  • 8. Copyright © 2012 Clickatell. All rights reserved. Some graph explanation Mean / Average Median The Doom Line
  • 9. Insert the title of your long presentation names here Enter your subtitle here Some actual numbers please
  • 10. What are SMBs using?
  • 11. Copyright © 2012 Clickatell. All rights reserved. Where does the blame lie?  Wordpress and Joomla! – Highly popular = Highly targeted. – Fix released before the vulnerability disclosed  Libraries not so well behaved – Most of the libraries found where vulnerable – OpenX had a backdoor in their code base  Frameworks came off well – No vulnerabilities for the versions found Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
  • 12. Insert the title of your long presentation names here Enter your subtitle here Lets get a little ageist here
  • 13. Insert the title of your long presentation names here Enter your subtitle here What's the sell by date
  • 14. Insert the title of your long presentation names here Enter your subtitle here Lets just put those together
  • 15. Copyright © 2012 Clickatell. All rights reserved. Some good news at least  We were looking at the worst of the worst – SMB with little technical knowledge – Freelancer CMS deploy  People will fix what they know is broken – Growing awareness – Emergence of auto update tools – Software houses and freelances, up-sell those maintenance contracts
  • 16. Insert the title of your long presentation names here Enter your subtitle here How much has the situation improved
  • 17. Copyright © 2012 Clickatell. All rights reserved. And for the developers  Means of distributing 3rd party code is improving – Composer • Don't commit dependencies... specify • Major release locking • Simple update mechanism