SlideShare a Scribd company logo

PHP SA 2013 - The weak points in our PHP projects

Download as PPT, PDF
X
xsist10

The document discusses weaknesses in web application security, specifically regarding dependencies on third party libraries, frameworks, and content management systems. It notes that many of these systems are outdated and vulnerable due to lack of updates by developers. Specific issues mentioned include SQL injection, unsalted password hashing, and a backdoor found in the OpenX library. Data is presented showing the average and median ages of versions for 43 popular open source projects, indicating that vulnerabilities increase significantly with older versions. Suggestions are made for improving awareness of updates and using tools that facilitate easier updating of dependencies.

Technology
Related topics:
Computer SecurityInsights on Software Development
1 of 18
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
The weak points in our systems Are your dependencies getting you down? Thomas Shone – Senior PHP Developer PHP South Africa - Oct 2013
Copyright © 2012 Clickatell. All rights reserved. About me  Senior developer for Clickatell  Work remotely from Grahamstown in the Eastern Cape  I like to break things
Copyright © 2012 Clickatell. All rights reserved. The bare minimum we SHOULD be doing  Preventing SQL injection and sanitizing user input  Email and cellphone verification – Mitigate social engineering against support team  Salting and using strong hashing for passwords – As of PHP 5.5, www.php.net/password will make this trivial  Forgotten password resets done by email link  Use OAuth or OpenID  Two factor authentication – High risk data – Premium support verification – Off-site staff authentication method
Copyright © 2012 Clickatell. All rights reserved. What the blogs haven't warned us about  No coder is an island  We all rely on: – 3rd party libraries – Frameworks • Symfony • Zend – CMS packages • Joomla! • Wordpress – E-Commerce software • osCommerce • Magento – CRM software • SugarCRM
Copyright © 2012 Clickatell. All rights reserved. So... time to come clean... I've done it too  Perception – Using a version of Smarty without vulnerabilities (3.1.12)  Reality – 4 versions of Smarty. – Version 2.6.26 with 11 Vulnerabilities (7 critical) – Version 2.6.28 with 12 Vulnerabilities (7 critical) – Version 2.6.11 with 12 Vulnerabilities (7 critical)  The other three were dependencies of another front end system  Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
Copyright © 2012 Clickatell. All rights reserved. Lets get some real world data  43 popular open source web applications, libraries and frameworks.  3,421 versions  5.6 million files
Worst offender
Copyright © 2012 Clickatell. All rights reserved. Some graph explanation Mean / Average Median The Doom Line
Insert the title of your long presentation names here Enter your subtitle here Some actual numbers please
What are SMBs using?
Copyright © 2012 Clickatell. All rights reserved. Where does the blame lie?  Wordpress and Joomla! – Highly popular = Highly targeted. – Fix released before the vulnerability disclosed  Libraries not so well behaved – Most of the libraries found where vulnerable – OpenX had a backdoor in their code base  Frameworks came off well – No vulnerabilities for the versions found Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
Insert the title of your long presentation names here Enter your subtitle here Lets get a little ageist here
Insert the title of your long presentation names here Enter your subtitle here What's the sell by date
Insert the title of your long presentation names here Enter your subtitle here Lets just put those together
Copyright © 2012 Clickatell. All rights reserved. Some good news at least  We were looking at the worst of the worst – SMB with little technical knowledge – Freelancer CMS deploy  People will fix what they know is broken – Growing awareness – Emergence of auto update tools – Software houses and freelances, up-sell those maintenance contracts
Insert the title of your long presentation names here Enter your subtitle here How much has the situation improved
Copyright © 2012 Clickatell. All rights reserved. And for the developers  Means of distributing 3rd party code is improving – Composer • Don't commit dependencies... specify • Major release locking • Simple update mechanism
@thomas_shone www.shone.co.za Questions?

More Related Content

PPT
A Slide!
webhostingguy
 
PPTX
Wordpress podcamp2011
Findability Solutions
 
KEY
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clients
ryanduff
 
PPTX
Installing WordPress The Right Way
Chris Burgess
 
PPTX
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
Meagan Hanes
 
PPTX
Practical Blogs for Writers
Susan Stewart
 
PPTX
Speed & Uptime with Wordpress
toddhdow
 
PDF
Identifying a Compromised WordPress Site
Chris Burgess
 
A Slide!
webhostingguy
 
Wordpress podcamp2011
Findability Solutions
 
Why Switching To WordPress 3.0 Is The Best Thing You Can Do For Your Clients
ryanduff
 
Installing WordPress The Right Way
Chris Burgess
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
Meagan Hanes
 
Practical Blogs for Writers
Susan Stewart
 
Speed & Uptime with Wordpress
toddhdow
 
Identifying a Compromised WordPress Site
Chris Burgess
 

Similar to PHP SA 2013 - The weak points in our PHP projects (20)

PPTX
2018 Hacked Website Trends
Sucuri
 
PDF
Web Security
KHOANGUYNNGANH
 
PPT
SoftwareSecurity.ppt
ssuserfb92ae
 
PDF
My tryst with sourcecode review
Anant Shrivastava
 
PPT
香港六合彩
baoyin
 
PPTX
Open Source Security
Sander Temme
 
PDF
ZendCon Security
philipo
 
PDF
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
PPTX
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
Nurul Haszeli Ahmad
 
PDF
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
PPT
Secure SDLC for Software
Shreeraj Shah
 
PPT
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
DOC
Joomla web application development vulnerabilities
BlazeDream Technologies Pvt Ltd
 
PPTX
Identifying & fixing the most common software vulnerabilities
Alireza Aghamohammadi
 
DOCX
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
PDF
Make it Fixable (NDC Copenhagen 2018)
Patricia Aas
 
PDF
Make It Fixable (Sikkert NOK 2017)
Patricia Aas
 
PDF
11 PHP Security #burningkeyboards
Denis Ristic
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
DevOps.com
 
2018 Hacked Website Trends
Sucuri
 
Web Security
KHOANGUYNNGANH
 
SoftwareSecurity.ppt
ssuserfb92ae
 
My tryst with sourcecode review
Anant Shrivastava
 
香港六合彩
baoyin
 
Open Source Security
Sander Temme
 
ZendCon Security
philipo
 
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
Nurul Haszeli Ahmad
 
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
Secure SDLC for Software
Shreeraj Shah
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Joomla web application development vulnerabilities
BlazeDream Technologies Pvt Ltd
 
Identifying & fixing the most common software vulnerabilities
Alireza Aghamohammadi
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
Make it Fixable (NDC Copenhagen 2018)
Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Patricia Aas
 
11 PHP Security #burningkeyboards
Denis Ristic
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
DevOps.com
 
Ad

More from xsist10 (11)

PDF
Security theatre (Scotland php)
xsist10
 
PDF
Security Theatre (PHP Leuven)
xsist10
 
PDF
Security Theatre - Confoo
xsist10
 
PDF
I put on my mink and wizard behat - Confoo Canada
xsist10
 
PDF
Security Theatre - PHP UK Conference
xsist10
 
PDF
Security Theatre - Benelux
xsist10
 
PDF
Security Theatre - AmsterdamPHP
xsist10
 
PDF
I put on my mink and wizard behat (talk)
xsist10
 
PDF
I put on my mink and wizard behat (tutorial)
xsist10
 
PDF
I put on my mink and wizard behat
xsist10
 
PDF
PHP SA 2014 - Releasing Your Open Source Project
xsist10
 
Security theatre (Scotland php)
xsist10
 
Security Theatre (PHP Leuven)
xsist10
 
Security Theatre - Confoo
xsist10
 
I put on my mink and wizard behat - Confoo Canada
xsist10
 
Security Theatre - PHP UK Conference
xsist10
 
Security Theatre - Benelux
xsist10
 
Security Theatre - AmsterdamPHP
xsist10
 
I put on my mink and wizard behat (talk)
xsist10
 
I put on my mink and wizard behat (tutorial)
xsist10
 
I put on my mink and wizard behat
xsist10
 
PHP SA 2014 - Releasing Your Open Source Project
xsist10
 
Ad

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Cloud computing and distributed systems.
kkkkkhan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Approach and Philosophy of On baking technology
30anthuong17
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

PHP SA 2013 - The weak points in our PHP projects

  • 1. The weak points in our systems Are your dependencies getting you down? Thomas Shone – Senior PHP Developer PHP South Africa - Oct 2013
  • 2. Copyright © 2012 Clickatell. All rights reserved. About me  Senior developer for Clickatell  Work remotely from Grahamstown in the Eastern Cape  I like to break things
  • 3. Copyright © 2012 Clickatell. All rights reserved. The bare minimum we SHOULD be doing  Preventing SQL injection and sanitizing user input  Email and cellphone verification – Mitigate social engineering against support team  Salting and using strong hashing for passwords – As of PHP 5.5, www.php.net/password will make this trivial  Forgotten password resets done by email link  Use OAuth or OpenID  Two factor authentication – High risk data – Premium support verification – Off-site staff authentication method
  • 4. Copyright © 2012 Clickatell. All rights reserved. What the blogs haven't warned us about  No coder is an island  We all rely on: – 3rd party libraries – Frameworks • Symfony • Zend – CMS packages • Joomla! • Wordpress – E-Commerce software • osCommerce • Magento – CRM software • SugarCRM
  • 5. Copyright © 2012 Clickatell. All rights reserved. So... time to come clean... I've done it too  Perception – Using a version of Smarty without vulnerabilities (3.1.12)  Reality – 4 versions of Smarty. – Version 2.6.26 with 11 Vulnerabilities (7 critical) – Version 2.6.28 with 12 Vulnerabilities (7 critical) – Version 2.6.11 with 12 Vulnerabilities (7 critical)  The other three were dependencies of another front end system  Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
  • 6. Copyright © 2012 Clickatell. All rights reserved. Lets get some real world data  43 popular open source web applications, libraries and frameworks.  3,421 versions  5.6 million files
  • 8. Copyright © 2012 Clickatell. All rights reserved. Some graph explanation Mean / Average Median The Doom Line
  • 9. Insert the title of your long presentation names here Enter your subtitle here Some actual numbers please
  • 10. What are SMBs using?
  • 11. Copyright © 2012 Clickatell. All rights reserved. Where does the blame lie?  Wordpress and Joomla! – Highly popular = Highly targeted. – Fix released before the vulnerability disclosed  Libraries not so well behaved – Most of the libraries found where vulnerable – OpenX had a backdoor in their code base  Frameworks came off well – No vulnerabilities for the versions found Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
  • 12. Insert the title of your long presentation names here Enter your subtitle here Lets get a little ageist here
  • 13. Insert the title of your long presentation names here Enter your subtitle here What's the sell by date
  • 14. Insert the title of your long presentation names here Enter your subtitle here Lets just put those together
  • 15. Copyright © 2012 Clickatell. All rights reserved. Some good news at least  We were looking at the worst of the worst – SMB with little technical knowledge – Freelancer CMS deploy  People will fix what they know is broken – Growing awareness – Emergence of auto update tools – Software houses and freelances, up-sell those maintenance contracts
  • 16. Insert the title of your long presentation names here Enter your subtitle here How much has the situation improved
  • 17. Copyright © 2012 Clickatell. All rights reserved. And for the developers  Means of distributing 3rd party code is improving – Composer • Don't commit dependencies... specify • Major release locking • Simple update mechanism