php sa 2013 - the weak points in our php projects
The weak points in our systems: Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013
Copyright © 2012 Clickatell. All rights reserved.
About me
Senior developer for Clickatell
Work remotely from Grahamstown in the Eastern Cape
I like to break things
The bare minimum we SHOULD be doing
Preventing SQL injection and sanitizing user input
Email and cellphone verification
– Mitigate social engineering against support team
Salting and using strong hashing for passwords
– As of PHP 5.5, www.php.net/password will make this trivial
Forgotten password resets done by email link
Use OAuth or OpenID
Two factor authentication
– High risk data
– Premium support verification
– Off-site staff authentication method
What the blogs haven't warned us about
No coder is an island. We all rely on:
– 3rd party libraries
– Frameworks
• Symfony
• Zend
– CMS packages
• Joomla!
• Wordpress
– E-Commerce software
• osCommerce
• Magento
– CRM software
• SugarCRM
So... time to come clean... I've done it too
Perception
– Using a version of Smarty without vulnerabilities (3.1.12)
Reality
– 4 versions of Smarty
– Version 2.6.26 with 11 vulnerabilities (7 critical)
– Version 2.6.28 with 12 vulnerabilities (7 critical)
– Version 2.6.11 with 12 vulnerabilities (7 critical)
The other three were dependencies of another front-end system
Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
Let's get some real-world data
43 popular open source web applications, libraries and frameworks
3,421 versions
5.6 million files
Worst offender
Some graph explanation
Mean / Average
Median
The Doom Line
Some actual numbers please
What are SMBs using?
Where does the blame lie?
Wordpress and Joomla!
– Highly popular = highly targeted
– Fix released before the vulnerability was disclosed
Libraries not so well behaved
– Most of the libraries found were vulnerable
– OpenX had a backdoor in their code base
Frameworks came off well
– No vulnerabilities for the versions found
Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html
Let's get a little ageist here
What's the sell-by date?
Let's just put those together
Some good news at least
We were looking at the worst of the worst
– SMB with little technical knowledge
– Freelancer CMS deploy
People will fix what they know is broken
– Growing awareness
– Emergence of auto-update tools
– Software houses and freelancers, up-sell those maintenance contracts
How much has the situation improved?
And for the developers
Means of distributing 3rd party code is improving
– Composer
• Don't commit dependencies... specify
• Major release locking
• Simple update mechanism
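As an added example (not from the talk or Composer itself), a short PHP script that follows the "specify, don't commit" advice one step further: it reads the packages recorded in a composer.lock and flags any that are locked below a minimum version you choose, so a stale Smarty copy shows up in a build step rather than years later. The lock excerpt and the minimum-version table are constructed for the demo; findOutdatedPackages is a hypothetical helper name.

```php
<?php
// Added example, not part of the talk: audit a composer.lock against a table of
// minimum acceptable versions and report every package locked to an older release.

// Constructed composer.lock excerpt (real lock files carry many more fields).
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "smarty/smarty", "version": "v2.6.26"},
    {"name": "symfony/yaml",  "version": "v2.3.6"}
  ]
}
JSON;

// Hypothetical policy: releases below these versions are treated as outdated.
$minimumVersions = array(
    'smarty/smarty' => '3.1.12',
    'symfony/yaml'  => '2.3.0',
);

/**
 * Return a list of array(package, locked version, required minimum) for every
 * locked package that falls below the minimum configured for it.
 */
function findOutdatedPackages($lockJson, array $minimumVersions)
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock) || !isset($lock['packages'])) {
        throw new RuntimeException('composer.lock is missing a "packages" list');
    }
    $outdated = array();
    foreach ($lock['packages'] as $package) {
        $name = $package['name'];
        if (!isset($minimumVersions[$name])) {
            continue; // no policy configured for this package
        }
        // Composer records tagged releases as "v2.6.26"; version_compare wants "2.6.26".
        $locked = ltrim($package['version'], 'v');
        if (version_compare($locked, $minimumVersions[$name], '<')) {
            $outdated[] = array($name, $locked, $minimumVersions[$name]);
        }
    }
    return $outdated;
}

foreach (findOutdatedPackages($lockJson, $minimumVersions) as $row) {
    list($name, $locked, $min) = $row;
    echo "$name is locked at $locked, below the required minimum $min\n";
}
```

Run it from the project root with the real lock file contents (file_get_contents('composer.lock')) and a non-empty result can fail the build.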
@thomas_shone
www.shone.co.za
Questions?