This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
PHP Security for Deployers
From OWASP
PHP Security for Deployers
If you're a Developer
READ THIS and then work with your SysAdmins to step through any and all the layers of security designed to protect your apps.
Example:
- Traffic must first pass through a SPI firewall (ensure that ONLY necessary ports/protocols are permitted; ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer. (Need reference; "traditional" SPI-based firewall security).
- Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself
- Traffic may then pass through a WAF (Web Application Firewall) such as ModSecurity or a commercial WAF to defeat basic script-based attacks
- Traffic may then pass through an additional layer of security such as PHP-IDS to identify other attacks or concerns.
- By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation HOWEVER you still need to follow all the best practices to "harden" PHP, perhaps by using suhosin.
- Ditto for all other layers. Your SysAdmin should ensure that the OS and web server (iis, apache) are also hardened. See the NSA's security configuration guides to get started.
- The rest is up to you, the developer. Write secure code. How difficult could THAT be? All it takes is a little work...
If you're a Tester
- Note that PHP-IDS and ModSecuritycan also be useful tools for testing/discovering vulnerabilities in your code. See Ryan Barnett's excellent presentation to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.
- Grab the OWASP LiveCD here(owasp.org) or here(appseclive.org) and review the great information in the OWASP Testing Project
If you're a SysAdmin
- BE PATIENT. NOBODY was born with a visceral understanding of how to write secure code, any more than YOU were born with the knowledge of how to harden YOUR components.
- Help out with all the items above.
- Have the developers buy you your favorite libation when you've completed all of the above items the first time. There's a pretty strong posibility that they are making better wages than you.