Getting Started with PHP and IBM i (2014)
TRANSCRIPT
© All rights reserved. Zend Technologies, Inc.
Mike Pavlak, Solutions Consultant, [email protected]
PHP Security
Audience
• Responsible for delivering, deploying or supporting PHP Web applications on IBM i
• Want to understand more about the security aspects of PHP and the web as it conforms to IBM i
• Been told to modernize “or else…”
Agenda
• Set the stage
• Instill some FUD
• Tips for securing PHP Web Applications
• Why this discussion?
Bumper sticker of the week…
What is security?
"All human beings have three lives: public, private, and secret."―Gabriel García Márquez (Colombian novelist and winner of the Nobel Prize for Literature, 1982)
IBM i Fundamentals
LMTCPB(*YES) is enough, right? Oy vey!
• Multiple file systems with different security schemes
• EDTOBJAUT vs. CHGAUT
• Native environment: data, programs, objects
• Root file system: scripts, logs, images
Physical vs. Logical access
• Lines blurred
• Locked doors
• Virtual workspaces
• Remote users
• Contractors - local or remote?
• Good question: Where is the threat?
Google yourself
• What is your image on the net?
• What do others perceive of your business?
• Netcraft says what?
• Wappalyzer on ACA?
EDTOBJAUT
• Green screen works, but...
• IBM i Navigator is more powerful and has more features
CHGAUT
• Manages ALL IFS objects...
• WRKLNK option 2 prompts CHGAUT
Unix style commands in PASE
• chmod, chown, chroot, chgrp
• rmdir, rm
• Be VERY careful...
• How’s your octal?
Who does PHP run as?
• Up to you - db2_connect($db, $user, $pwd, $options)
• Default – QTMHHTTP
• Maybe we change this?
Who does PHP need to get to?
• Well, Apache (and PHP) need to get to files
• PHP needs to get to data
[Diagram: Zend Server on IBM i. The Apache Server (HTTP port 10080) hands requests to PHP CGI over FastCGI; PHP runs in PASE against the PHP files and reaches DB2 UDB, *PGM and CMD objects, and external databases (MySQL, SQL Server, Oracle).]
FUD
Gartner Top Ten Audit Findings (ID# G00152216)
1. Data classification
2. Change management
3. Admin controls and shared accounts
4. Identity and access management
5. User activity tracking & log analysis
6. Segregation of duties in ERP systems
7. Physical access
8. Business continuity
9. Sourcing controls and partner agreements
10. Education and awareness
What’s in your shop?
• *PUBLIC(*ALL)
• QSECOFR
• *ALLOBJ
• Dumb terminals
• Interfacing systems
• PC, Tablets, Smartphones
PHP Security Tips
1. Understand Networks
• Bridge from physical to logical
• PHP is client server, runs on TCP/IP
• IPv4, IPv6, DNS, PORT
• Switches, VLANs
• Firewalls
• Consider CNA class at local community college
• You don’t need a CNA, but the education will help!
What’s the best way to “architect” PHP
• It depends
• VLAN is a great start
• Firewall is simply a set of rules
• DMZ – Defined point between two VLANs
[Diagram: LAN | DMZ | Internet]
IBM position on security re: Windows
4 advisories, all patched
What about Linux?
Action item
• Education
  • Network training, seminars, etc.
  • Build a network, literally open the manual for your home router and play!
  • Proxies in the DMZ are good, but without education they are worthless!
2. Tighten the IBM i
• LMTCPB won’t work
• Check the security on your datasets
• ODBC!
• User ID and Password rules
• Security through obscurity is no security at all
• Can we get someone in charge?
3. User Authentication and PHP
• You have options...
• Hard coded user profiles
• Hard coded in copy book
• Encrypted in copy book
• Dynamic (at login)
• Encrypted at Browser
Some options
• Zend\Crypt\Password\Bcrypt (ZF2)
  • http://framework.zend.com/manual/2.2/en/modules/zend.crypt.password.html#bcrypt
• Building secure applications with ZF2 (Enrico Zimuel)
  • https://speakerdeck.com/ezimuel/building-secure-applications-with-zend-framework-2
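As an added example (not from the slides, and not Zend's own code), the login check the last two slides are pointing at: the stored record holds only a bcrypt hash produced by the ZF2 component cited above, so there is no clear-text password in a copy book to protect. It assumes the ZF2 autoloader is at the path shown and uses a constructed user record.

```php
<?php
// Added example: bcrypt password storage and a dynamic check at login time.
// Assumption: Zend Framework 2 (bundled with Zend Server 6) is autoloadable here.
require_once 'vendor/autoload.php';   // assumed autoloader path

use Zend\Crypt\Password\Bcrypt;

// Build the record that goes into the user table: the password itself is never kept,
// only the salted bcrypt hash. Two calls with the same password give different hashes.
function create_user_record($username, $password)
{
    $bcrypt = new Bcrypt();
    $bcrypt->setCost(12);   // work factor; raise it as hardware gets faster
    return array('user' => $username, 'hash' => $bcrypt->create($password));
}

// Dynamic (at login): the submitted password is hashed with the salt embedded in
// the stored hash and compared. Nothing in the copy book or database is reversible.
function login_ok(array $record, $submitted)
{
    $bcrypt = new Bcrypt();
    return $bcrypt->verify($submitted, $record['hash']);
}

// Constructed sample user and two login attempts.
$record = create_user_record('webuser', 'correct horse battery staple');
echo login_ok($record, 'correct horse battery staple') ? "login ok\n" : "login failed\n";
echo login_ok($record, 'guess') ? "login ok\n" : "login failed\n";
```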
Explore ZF2 (It’s already in ZS6!)
• Zend\Auth
• Zend\Captcha
• Zend\Crypt
• Zend\Escaper
• Zend\Filter
• Zend\InputFilter
• Zend\Permissions
• Zend\Math
• Zend\Validator
4. Application Security
• PHP is not inherently insecure, programmers are
• The only cure is education!
• Types of exposure
  • SQL Injection
  • XSS
• 2 levels in web development
  • At the client (for ease of use & speed)
  • On the server (for final safety check)
• Always double check as payload can be hacked
GET & POST
• GET - passes data along the URL
  • Ideal for benign data, but exposed in clear text
  • Embedded URLs
  • Limited in size
• POST – Passes data via HTTP Headers
  • Better looking as the typical user cannot see the values
  • More room for parms, handles arrays really well
• Neither is secure! Always validate and test again on the server!!!
At least use filters...
• Procedural PHP is no excuse for bad security!
filter_var()
• Some possible filters:
  • Validate filters
    • Boolean, email, float, int, IP, RegEx, URL
  • Sanitize filters
    • Email, encoded, magic quotes, float, int, special chars
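An added example (not from the slides) covering the GET/POST and filter_var() slides together: values arriving from either method are validated on the server regardless of what the browser already checked, and anything reflected back into the page is escaped so it cannot turn into XSS. The request array is constructed; a real page would read $_GET or $_POST.

```php
<?php
// Added example: server-side validation with filter_var() and output escaping.

function field(array $request, $name)
{
    return isset($request[$name]) ? $request[$name] : null;   // missing field fails validation
}

// Whatever the client-side JavaScript checked, check again here: the payload can
// be edited in transit or replayed without the browser.
function validate_order_request(array $request)
{
    $errors = array();
    // Validate filters return the typed value, or false when the input does not fit.
    $cust = filter_var(field($request, 'cust'), FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 999999)));
    if ($cust === false) {
        $errors[] = 'cust must be a whole number between 1 and 999999';
    }
    $email = filter_var(field($request, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }
    // A regular-expression filter pins down the exact shape of a part number.
    $part = filter_var(field($request, 'part'), FILTER_VALIDATE_REGEXP,
        array('options' => array('regexp' => '/^[A-Z]{2}[0-9]{4}$/')));
    if ($part === false) {
        $errors[] = 'part must look like AB1234';
    }
    return array('ok' => empty($errors), 'errors' => $errors,
                 'values' => array('cust' => $cust, 'email' => $email, 'part' => $part));
}

// Escape on the way out: a <script> tag typed into a form field is displayed, not run.
function html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed request as a tampered client might send it: two of the three values are bad.
$request = array('cust' => '42abc', 'email' => 'bob@example.com', 'part' => '<script>');
$result = validate_order_request($request);
if ($result['ok']) {
    echo 'Order for customer ' . html($result['values']['cust']) . "\n";
} else {
    foreach ($result['errors'] as $e) {
        echo '<li>' . html($e) . "</li>\n";   // error text is reflected, so it is escaped too
    }
}
```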
Prepared SQL or Hard coded SQL
• db2_exec()
• db2_execute()
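An added example (not from the slides) of the choice this slide names: the same customer lookup built by string concatenation for db2_exec(), which is the SQL injection exposure from the Application Security slide, next to the prepared form using db2_prepare()/db2_execute() with a parameter marker. It assumes the ibm_db2 extension, a constructed table MYLIB.CUSTOMERS(CUSTID, NAME) and a constructed WEBUSER profile for db2_connect().

```php
<?php
// Added example: string-built SQL via db2_exec() versus a prepared statement.
// Connecting with an explicit profile (constructed here) instead of the default
// QTMHHTTP decides what this code is allowed to touch on the IBM i.
$conn = db2_connect('*LOCAL', 'WEBUSER', 'example-password', array());

// VULNERABLE: $custId is pasted straight into the statement text, so the database
// cannot tell where the value ends and the SQL begins; a crafted value rewrites the query.
function find_customer_unsafe($conn, $custId)
{
    $sql = "SELECT NAME FROM MYLIB.CUSTOMERS WHERE CUSTID = " . $custId;
    $stmt = db2_exec($conn, $sql);
    return $stmt ? db2_fetch_assoc($stmt) : false;
}

// HARDENED: the statement is prepared once with a parameter marker and the value is
// bound at execute time, so it can only ever be a value, never part of the SQL.
function find_customer($conn, $custId)
{
    $custId = filter_var($custId, FILTER_VALIDATE_INT);   // reject anything that is not an integer
    if ($custId === false) {
        return false;
    }
    $stmt = db2_prepare($conn, 'SELECT NAME FROM MYLIB.CUSTOMERS WHERE CUSTID = ?');
    if (!$stmt || !db2_execute($stmt, array($custId))) {
        error_log('DB2 error: ' . db2_stmt_errormsg());   // log the detail, never echo it to the browser
        return false;
    }
    return db2_fetch_assoc($stmt);
}

// The value comes from the URL (GET); the server validates it again before using it.
$row = find_customer($conn, isset($_GET['cust']) ? $_GET['cust'] : '');
echo $row ? htmlspecialchars($row['NAME'], ENT_QUOTES, 'UTF-8') : 'not found';
db2_close($conn);
```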
Action item: http://cwe.mitre.org/
• Top 25 known security flaws in application development
Get help
• You cannot know it all, don’t put that upon yourself
• Before implementing web applications I hired a firm to test the environment. Their analysis was not a critique of my world, but became a roadmap of remediation, education and greater security!
• Not just consultants, although that can be good
• Hire auditors
• Penetration tests
• Stress test the applications
5. Maintenance
• PTFs
  • Group
  • Cumulative
  • HiPer
  • Technology Refresh
• Zend Server
  • Updates via PTF process
• Windows, Linux, Cisco, etc.
6. Hide your PHP
• Tricks
  • expose_php setting in the php.ini file to reduce visibility
  • ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Harden your server then test
• PHPSecInfo on phpsec.org
• Hire professionals to perform a penetration test
  • Internal or external doesn’t matter
• Develop audit and remediate
• Budget for remediation
5. Hide your PHP
• Tricks
  • Rename files as .html
  • Use short URLs
• Best practices
  • Move your document root
  • Keep data out of the document root
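An added example (not from the slides, and not the PHPSecInfo project's code) tying the last three slides together: a small self-check in the spirit of PHPSecInfo that reports the expose_php setting and a few related php.ini values, and flags a data directory that sits under the document root. The php.ini values and paths are constructed so it runs anywhere; on a live server pass 'ini_get' as $get and $_SERVER['DOCUMENT_ROOT'] as $docRoot.

```php
<?php
// Added example: a minimal hardening report for the settings discussed in the deck.

function ini_flag($value)
{
    // ini_get() hands back "1", "", "On", "Off", ...; normalise to a boolean.
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

function php_hardening_report($get, $docRoot, $dataDir)
{
    $findings = array();
    // Hide your PHP: expose_php adds an X-Powered-By header naming the PHP version.
    if (ini_flag($get('expose_php'))) {
        $findings[] = 'expose_php is On: set expose_php = Off in php.ini';
    }
    // Error text leaks file paths and SQL; keep it in the log, not in the browser.
    if (ini_flag($get('display_errors'))) {
        $findings[] = 'display_errors is On: set display_errors = Off, log_errors = On';
    }
    // include/require of a URL is the remote file inclusion hole.
    if (ini_flag($get('allow_url_include'))) {
        $findings[] = 'allow_url_include is On: set it Off';
    }
    // A session cookie readable from JavaScript is what XSS goes after.
    if (!ini_flag($get('session.cookie_httponly'))) {
        $findings[] = 'session.cookie_httponly is Off: set it On';
    }
    // Keep data out of the document root: every file under it has a URL.
    $root = rtrim(str_replace('\\', '/', $docRoot), '/') . '/';
    $data = rtrim(str_replace('\\', '/', $dataDir), '/') . '/';
    if (strpos($data, $root) === 0) {
        $findings[] = "data directory $dataDir sits inside the document root $docRoot";
    }
    return $findings;
}

// Constructed "php.ini" of a freshly installed, not yet hardened server.
$sampleIni = array('expose_php' => '1', 'display_errors' => 'On',
                   'allow_url_include' => '', 'session.cookie_httponly' => '');
$get = function ($key) use ($sampleIni) {
    return isset($sampleIni[$key]) ? $sampleIni[$key] : '';
};
// Constructed paths: the data directory is (wrongly) under the document root.
foreach (php_hardening_report($get, '/www/example/htdocs', '/www/example/htdocs/data') as $f) {
    echo "- $f\n";
}
```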
Where to get more?
• Carol Woodbury white paper on IBM i
PHP Resources…
• Books
  • Sams Teach Yourself PHP, MySQL and Apache All in One (4th edition), ISBN: 067232976X
  • Head First HTML with CSS and XHTML, ISBN: 059610197X
• Zend Server documentation at the Zend website
• Advanced Guide to PHP, 02/03/10
Wrap it up…
Q&A
www.zend.com