Difference between revisions of "PHP Security for Deployers"

From OWASP
Jump to: navigation, search
(Placeholder)
Line 1: Line 1:
==Placeholder==
 
{{Template:Stub}}
 
 
[[Category:OWASP PHP Project]]
 
[[Category:OWASP PHP Project]]
 +
== PHP Security for Deployers ==
 +
# If you're a Developer, work with your Ops/Infrastructure guys to step through any and all the layers of security designed to protect your apps.  Example:
 +
##Traffic must first pass through a SPI firewall (ensure that ONLY necessary ports/protocols are permitted; ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer.  (Need reference; "traditional" SPI-based firewall security).
 +
##Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself)
 +
##Traffic may then pass through a WAF (Web Application Firewall) such as [http://www.modsecurity.org/ ModSecurity] or a commercial WAF to defeat basic script-based attacks
 +
##Traffic may then pass through an additional layer of security such as [http://php-ids.org/ PHP-IDS] to identify other attacks or concerns.
 +
##By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation HOWEVER you still need to follow all the best practices to "harden" PHP
 +
 +
#Note that [http://php-ids.org/ PHP-IDS] and [http://www.modsecurity.org/ ModSecurity]can also be useful tools for testing/discovering vulnerabilities in your code.  See [https://www.owasp.org/images/f/fd/OWASP_Dynamic_Vulnerability_Identification_RyanBarnett200804.pdf Ryan Barnett's excellent presentation] to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.

Revision as of 15:58, 7 August 2009

PHP Security for Deployers

  1. If you're a Developer, work with your Ops/Infrastructure guys to step through any and all the layers of security designed to protect your apps. Example:
    1. Traffic must first pass through a SPI firewall (ensure that ONLY necessary ports/protocols are permitted; ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer. (Need reference; "traditional" SPI-based firewall security).
    2. Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself)
    3. Traffic may then pass through a WAF (Web Application Firewall) such as ModSecurity or a commercial WAF to defeat basic script-based attacks
    4. Traffic may then pass through an additional layer of security such as PHP-IDS to identify other attacks or concerns.
    5. By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation HOWEVER you still need to follow all the best practices to "harden" PHP
  1. Note that PHP-IDS and ModSecuritycan also be useful tools for testing/discovering vulnerabilities in your code. See Ryan Barnett's excellent presentation to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.