Autobiography
Vlatko Kosturjak is an IT Security Specialist with IBM Global Services Security and Privacy Services. In his practice, Vlatko specializes in ethical hacking, IT audit, security policy development according to the ISO/IEC 17799 standard, consultative services for the design, implementation, and validation of enterprise-wide continuity and recovery programs, and assisting clients with developing and implementing effective security solutions for the protection of their information assets. He has extensive experience in security design for networks and server hardening on various operating systems.
Subject
Insecurity of PHP web based applications
A great amount of sensitive data flows through the Internet every day. At the same time, web traffic is the most popular traffic on the Internet and the protocol most commonly allowed through network devices. It is therefore clear that most sensitive data flows over the web, and that securing web applications has become the most critical task today.
The lecture will cover topics such as how to secure web applications at their various parts and layers, with examples in PHP. Although the examples are in PHP, the lecture is also of interest to web developers who use ASP or Perl: the theory of securing web applications is the same.
PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used Open Source general-purpose scripting language that is especially suitable for Web development and can be embedded into HTML.
The first line of defence is to secure the system through various networking devices (firewalls, intrusion detection systems - IDS, ...) and the operating systems. Blocking TCP/IP ports together with automatic detection of intruders are common and well-known techniques.
The second line of defence is to harden the web server itself. Depending on the web server, that part of the work can range from a mission impossible to a very easy task. There is also a lot of automatic security hardening software that can help with that task. But, as always, manual security hardening backed by good security knowledge is considered the best solution.
Next, it is very good to have a look at the PHP module that is running. There are many exploits regarding the PHP module on various web servers. The PHP module also has various configuration options that can be used to tighten the security of the module and of PHP scripts as well.
The last, and nowadays extremely popular, problem is web application design. The problem is that designers often pay attention to securing systems at the network level but ignore security at the web application level.
Designers, architects and programmers should be aware of the various security threats in web scripting languages such as PHP. Architects should be aware of the available security mechanisms already at the beginning, and a programmer's bad practices can lead to huge security issues. There is also good documentation about PHP and its security already included in the package. So, secure web applications, but don't forget:
"A completely secure system is a virtual impossibility, so an approach often used in the security profession is one of balancing risk and usability. If every variable submitted by a user required two forms of biometric validation (such as a retinal scan and a fingerprint), you would have an extremely high level of accountability. It would also take half an hour to fill out a fairly complex form, which would tend to encourage users to find ways of bypassing the security. The best security is often unobtrusive enough to suit the requirements without the user being prevented from accomplishing their work, or over-burdening the code author with excessive complexity. Indeed, some security attacks are merely exploits of this kind of overly built security, which tends to erode over time." (PHP documentation).
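As an added illustration of the application-level bad practice the abstract warns about (this is example code written here, not part of the lecture or of the PHP documentation), the same request handled the careless way and then the hardened way; the PDO connection, the "users" table and its "id" and "name" columns are assumptions.

```php
<?php
// Added example: one request handled with a common bad practice, then hardened.
// Assumed (hypothetical): a PDO connection $db and a table users(id, name).

// --- Bad practice: user input is pasted straight into SQL and into the HTML.
function show_user_insecure(PDO $db): void
{
    $id = $_GET['id'];                                        // untrusted value
    $row = $db->query("SELECT name FROM users WHERE id = $id")
              ->fetch(PDO::FETCH_ASSOC);                      // SQL injection risk
    echo "<p>User: " . $row['name'] . "</p>";                 // XSS risk on output
}

// --- Hardened: validate the input, bind it as a parameter, escape on output.
function show_user_secure(PDO $db): void
{
    // Validate: accept only a positive integer, otherwise refuse the request.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        echo "<p>Invalid user id.</p>";
        return;
    }

    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $db->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        echo "<p>No such user.</p>";
        return;
    }

    // Escape on output so stored data cannot turn into markup or script.
    echo "<p>User: " . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</p>";
}
```

The three steps in the hardened version (validate on input, parameterise the query, escape on output) are the same regardless of whether the script is written in PHP, ASP or Perl, which is the point the abstract makes about the theory being shared across languages.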