PHP Security for Deployers - Revision history

Imifos at 11:03, 21 January 2016

2016-01-21T11:03:00Z

Andylew: /* If you're a Developer */

2009-08-07T21:51:51Z

‎If you're a Developer

Andylew: /* If you're a Developer */ added some LOLCats and something useful (but I don't remember what)

2009-08-07T21:50:28Z

‎If you're a Developer: added some LOLCats and something useful (but I don't remember what)

Andylew at 21:40, 7 August 2009

2009-08-07T21:40:38Z

Andylew: Some basic guidance and resources about EVERYTHING ELSE you ought to be doing in addition to writing secure code.

2009-08-07T21:31:25Z

Some basic guidance and resources about EVERYTHING ELSE you ought to be doing in addition to writing secure code.

Andylew: /* PHP Security for Deployers */

2009-08-07T21:19:47Z

‎PHP Security for Deployers

Andylew: /* Placeholder */

2009-08-07T20:58:35Z

‎Placeholder

Vanderaj at 11:18, 26 June 2006

2006-06-26T11:18:46Z

Vanderaj at 11:01, 26 June 2006

2006-06-26T11:01:49Z

New page

==Placeholder==
{{Template:Stub}}
[[Category:PHP]]

@@ Line 1: / Line 1: @@
-[[Category:OWASP PHP Project]]
+[[Category:PHP]]
 == PHP Security for Deployers ==
 === If you're a Developer ===

@@ Line 2: / Line 2: @@
 == PHP Security for Deployers ==
 === If you're a Developer ===
-work with your SysAdmins to step through any and all the layers of security designed to protect your apps.
+[http://www.owasp.org/index.php/PHP_Top_5 READ THIS] and then work with your SysAdmins to step through any and all the layers of security designed to protect your apps.
 Example:

@@ Line 6: / Line 6: @@
 Example:
 ##Traffic must first pass through a SPI firewall (ensure that ONLY necessary ports/protocols are permitted; ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer.  (Need reference; "traditional" SPI-based firewall security).
-##Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself)
+##Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself
 ##Traffic may then pass through a WAF (Web Application Firewall) such as [http://www.modsecurity.org/ ModSecurity] or a commercial WAF to defeat basic script-based attacks
 ##Traffic may then pass through an additional layer of security such as [http://php-ids.org/ PHP-IDS] to identify other attacks or concerns.
 ##By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation HOWEVER you still need to follow all the best practices to "harden" PHP, perhaps by using [http://www.hardened-php.net/suhosin.127.html suhosin].
 ##Ditto for all other layers.  Your SysAdmin should ensure that the OS and web server (iis, apache) are also hardened.  See the NSA's [http://www.nsa.gov/ia/guidance/security_configuration_guides/ security configuration guides] to get started.
-##The rest is up to you, the developer.  Write secure code.  How difficult could THAT be?
+##The rest is up to you, the developer.  [http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/ Write secure code].  How difficult could [http://icanhascheezburger.com/2008/10/06/funny-pictures-doin-it-rathr-well-akshully/ THAT] be?  All it takes is a little [http://icanhascheezburger.com/2007/07/18/i-is-workin-wat-u-want/ work]...
 === If you're a Tester ===

@@ Line 14: / Line 14: @@
 === If you're a Tester ===
-# Note that [http://php-ids.org/ PHP-IDS] and [http://www.modsecurity.org/ ModSecurity]can also be useful tools for testing/discovering vulnerabilities in your code.  See [https://www.owasp.org/images/f/fd/OWASP_Dynamic_Vulnerability_Identification_RyanBarnett200804.pdf Ryan Barnett's excellent presentation] to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.
+# Note that [http://php-ids.org/ PHP-IDS] and [http://www.modsecurity.org/ ModSecurity]can also be useful tools for testing/discovering vulnerabilities in your code.  See [https://www.owasp.org/images/f/fd/OWASP_Dynamic_Vulnerability_Identification_RyanBarnett200804.pdf Ryan Barnett's excellent presentation] to the [http://www.owasp.org/index.php/Boulder Boulder OWASP chapter] regarding using ModSecurity to identify app vulns on an ongoing basis.
 === If you're a SysAdmin ===

@@ Line 1: / Line 1: @@
 [[Category:OWASP PHP Project]]
 == PHP Security for Deployers ==
-=== If you're a Developer === work with your Ops/Infrastructure guys to step through any and all the layers of security designed to protect your apps.  Example:
+=== If you're a Developer ===
 ##Traffic must first pass through a SPI firewall (ensure that ONLY necessary ports/protocols are permitted; ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer.  (Need reference; "traditional" SPI-based firewall security).
 ##Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself)
@@ Line 7: / Line 10: @@
 ##Traffic may then pass through an additional layer of security such as [http://php-ids.org/ PHP-IDS] to identify other attacks or concerns.
 ##By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation HOWEVER you still need to follow all the best practices to "harden" PHP, perhaps by using [http://www.hardened-php.net/suhosin.127.html suhosin].
 # Note that [http://php-ids.org/ PHP-IDS] and [http://www.modsecurity.org/ ModSecurity]can also be useful tools for testing/discovering vulnerabilities in your code.  See [https://www.owasp.org/images/f/fd/OWASP_Dynamic_Vulnerability_Identification_RyanBarnett200804.pdf Ryan Barnett's excellent presentation] to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.

← Older revision		Revision as of 20:58, 7 August 2009
Line 1:		Line 1:
−	~~==Placeholder==~~
−	~~{{Template:Stub}}~~
	[[Category:OWASP PHP Project]]		[[Category:OWASP PHP Project]]
		+	== PHP Security for Deployers ==
		+	# If you're a Developer, work with your Ops/Infrastructure guys to step through any and all the layers of security designed to protect your apps. Example:
		+	##Traffic must first pass through a SPI firewall (ensure that ONLY necessary ports/protocols are permitted; ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer. (Need reference; "traditional" SPI-based firewall security).
		+	##Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself)
		+	##Traffic may then pass through a WAF (Web Application Firewall) such as [http://www.modsecurity.org/ ModSecurity] or a commercial WAF to defeat basic script-based attacks
		+	##Traffic may then pass through an additional layer of security such as [http://php-ids.org/ PHP-IDS] to identify other attacks or concerns.
		+	##By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation HOWEVER you still need to follow all the best practices to "harden" PHP
		+
		+	#Note that [http://php-ids.org/ PHP-IDS] and [http://www.modsecurity.org/ ModSecurity]can also be useful tools for testing/discovering vulnerabilities in your code. See [https://www.owasp.org/images/f/fd/OWASP_Dynamic_Vulnerability_Identification_RyanBarnett200804.pdf Ryan Barnett's excellent presentation] to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.