Post on 24-Jun-2020

9 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Getting Started with PHP and IBM i - OCEAN User … › assets › documents › 2014 › php...• PHP is not inherently insecure, programmers are • The only cure is education!

© All rights reserved. Zend Technologies, Inc.

Mike Pavlak Solutions Consultant [email protected]

PHP Security

Page 2: Audience

• Responsible for delivering, deploying or supporting PHP Web applications on IBM i

• Want to understand more about the security aspects of PHP and the web as it conforms to IBM i

• Been told to modernize, “or else…”

Page 3: Agenda

• Set the stage

• Instill some FUD

• Tips for securing PHP Web Applications

• Why this discussion?

Page 4: Bumper sticker of the week…

Page 5: What is security?

"All human beings have three lives: public, private, and secret." ― Gabriel García Márquez (Colombian novelist and winner of the Nobel Prize for Literature, 1982)

Page 6: IBM i Fundamentals

Page 7: LMTCPB(*YES) is enough, right? Oy vey!

• Multiple file systems with different security schemes

• EDTOBJAUT vs. CHGAUT

• Native environment: data, programs, objects

• Root file system: scripts, logs, images

Page 8: Physical vs. logical access: the lines are blurred

Locked doors

Virtual Workspaces

Remote users

Contractors - local or remote?

Good question: Where is the threat?


Page 9: Google yourself: what is your image on the net?

What do others perceive of your business?

Netcraft says what?

Wappalyzer on ACA?


Page 10: EDTOBJAUT: the green screen works, but...

IBM i Nav is more powerful, has more features


Page 11: CHGAUT: manages ALL IFS objects...

WRKLNK option 2 prompts CHGAUT

Page 12: Unix-style commands in PASE: chmod, chown, chroot, chgrp

rmdir, rm

Be VERY careful...

How’s your octal?


Page 13: Who does PHP run as? Up to you: db2_connect($db, $user, $pwd, $options)

Default – QTMHHTTP

Maybe we change this?


Page 14: Who does PHP need to get to? Well, Apache (and PHP) need to get to files

PHP needs to get to data

[Diagram: Zend Server: Apache Server (HTTP:10080) → FastCGI → PHP CGI → PHP file (PASE); from there PHP reaches DB2 UDB, *PGM, CMD, and MySQL, SQL Server, Oracle]

Page 15: FUD

Page 16: Gartner Top Ten Audit Findings (ID# G00152216)

1. Data classification

2. Change management

3. Admin controls and shared accounts

4. Identity and access management

5. User activity tracking & log analysis

6. Segregation of duties in ERP systems

7. Physical access

8. Business continuity

9. Sourcing controls and partner agreements

10. Education and awareness


Page 17: What’s in your shop?

• *PUBLIC(*ALL)

• QSECOFR

• *ALLOBJ

• Dumb terminals

• Interfacing systems

• PC, Tablets, Smartphones


Page 18: PHP Security Tips

Page 19: 1. Understand Networks

• Bridge from physical to logical

• PHP is client server, runs on TCP/IP

• IPv4, IPv6, DNS, PORT

• Switches, VLANs

• Firewalls

• Consider CNA class at local community college

• You don’t need a CNA, but the education will help!


Page 20: What’s the best way to “architect” PHP?

• It depends

• VLAN is a great start

• Firewall is simply a set of rules

• DMZ – Defined point between two VLANs

[Diagram: LAN | DMZ | Internet]

Page 21:

IBM position on security re: Windows

4 advisories, all patched

Page 22:

What about Linux?

Page 23: Action item

• Education –

• Network training, seminars, etc.

• Build a network, literally open the manual for your home router and play!

• Proxies in the DMZ are good, but without education they are worthless!


Page 24: 2. Tighten the IBM i

• LMTCPB won’t work

• Check the security on your datasets

• ODBC!

• User ID and Password rules

• Security through obscurity is no security at all

• Can we get someone in charge?


Page 25: 3. User Authentication and PHP

• You have options...

• Hard coded user profiles

• Hard coded in copy book

• Encrypted in copy book

• Dynamic (at login)

• Encrypted at Browser


Page 26: Some options

• Zend\Crypt\Password\Bcrypt (ZF2)

• http://framework.zend.com/manual/2.2/en/modules/zend.crypt.password.html#bcrypt

• Building secure applications with ZF2 (Enrico Zimuel)

• https://speakerdeck.com/ezimuel/building-secure-applications-with-zend-framework-2

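The bcrypt option from the slide above, as an added example that is not from the deck: a password is stored only as a Zend\Crypt\Password\Bcrypt hash and checked with verify(), instead of a profile and password hard-coded in a copy book. It assumes ZF2 is installed with Composer; the user store is a constructed in-memory array standing in for a DB2 table.

```php
<?php
// Added example, not from the slides: hashing and checking a login password with
// Zend\Crypt\Password\Bcrypt, the ZF2 class the slide links to. Assumes ZF2 is
// installed with Composer; the user store is a constructed in-memory array that
// stands in for a DB2 table, so no profile or password is hard-coded anywhere.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;

function hasher()
{
    $bcrypt = new Bcrypt();
    $bcrypt->setCost(12);   // work factor: raise it as hardware gets faster
    return $bcrypt;
}

// Registration: store only the hash; the salt and cost are embedded in it.
function storeUser(array &$users, $username, $password)
{
    $users[$username] = hasher()->create($password);
}

// Login: verify() re-hashes the candidate with the stored salt and cost and
// compares it with the stored hash. Nothing reversible is ever kept.
function checkLogin(array $users, $username, $password)
{
    if (!isset($users[$username])) {
        hasher()->create($password);   // spend the same time for an unknown user
        return false;
    }
    return hasher()->verify($password, $users[$username]);
}

$users = array();                       // constructed stand-in for the user table
storeUser($users, 'jdoe', 'correct horse battery staple');
var_dump(checkLogin($users, 'jdoe', 'correct horse battery staple'));
var_dump(checkLogin($users, 'jdoe', 'wrong password'));
var_dump(checkLogin($users, 'nobody', 'anything'));
```

The first var_dump is true and the other two are false; the unknown-user branch still runs a hash so the response time does not reveal which user names exist.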

Page 27: Explore ZF2 (It’s already in ZS6!)

• Zend\Auth

• Zend\Captcha

• Zend\Crypt

• Zend\Escaper

• Zend\Filter

• Zend\InputFilter

• Zend\Permissions

• Zend\Math

• Zend\Validator


Page 28: 4. Application Security

• PHP is not inherently insecure, programmers are

• The only cure is education!

• Types of exposure

• SQL Injection

• XSS

• 2 levels in web development

• At the client (for ease of use & speed)

• On the server (for final safety check)

• Always double-check on the server, as the payload can be tampered with

Page 29: GET & POST

• GET – passes data along the URL

• Ideal for benign data, but exposed in clear text

• Embedded URLs

• Limited in size

• POST – Passes data via HTTP Headers

• Better looking as typical user cannot see the values

• More room for parameters, handles arrays really well

• Neither is secure! Always validate and test again on the server!!!


Page 30: At least use filters...

• Procedural PHP is no excuse for bad security!


Page 31: filter_var()

• Some possible filters:

• Validate Filters

• Boolean, email, float, int, IP, RegEx, URL

• Sanitize filters

• Email, encoded, magic quotes, float, int, special chars
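The "validate again on the server" rule from the GET & POST slide and the filter_var() filters listed above, as an added example (not code from the deck). GET values arrive in the URL and POST values in the request body, but both are attacker-controlled, so each is re-validated here with filter_var() and escaped with htmlspecialchars() before it is echoed, which is the XSS exposure named on the Application Security slide. $_GET and $_POST are replaced by constructed arrays so the script runs from the command line.

```php
<?php
// Added example, not from the slides: server-side validation of GET/POST values
// with filter_var(), then output escaping. Client-side checks are a convenience
// only; the server check is the one that counts. The request arrays below are
// constructed stand-ins for $_GET and $_POST.

function validateOrderRequest(array $get, array $post)
{
    $id    = isset($get['id'])     ? $get['id']     : null;
    $email = isset($post['email']) ? $post['email'] : null;
    $note  = isset($post['note'])  ? $post['note']  : '';

    // Validate filters return false when the value is not of the expected type.
    $orderId = filter_var($id, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 99999999)));
    if ($orderId === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }
    // Free text: printable ASCII only, at most 200 characters.
    $pattern = array('options' => array('regexp' => '/^[[:print:]]{0,200}$/'));
    if (filter_var($note, FILTER_VALIDATE_REGEXP, $pattern) === false) {
        throw new InvalidArgumentException('note contains disallowed characters');
    }
    return array('id' => $orderId, 'email' => $email, 'note' => $note);
}

// Output escaping: the note is kept as typed, but the browser sees only text.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request: a valid id and address, and a note carrying markup.
$clean = validateOrderRequest(
    array('id' => '1042'),
    array('email' => 'jane@example.com', 'note' => '<b>thanks</b> <script>x()</script>')
);
printf("<p>Order %d for %s</p>\n", $clean['id'], h($clean['email']));
printf("<p>Note: %s</p>\n", h($clean['note']));

// A tampered id fails here even though the browser-side form "checked" it.
try {
    validateOrderRequest(array('id' => '1042abc'), array('email' => 'x@example.com'));
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The first request prints the note with its tags encoded as &lt; and &gt;, and the second is rejected by the integer filter before any of it reaches the page or the database.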

Page 32: Prepared SQL or hard-coded SQL

• db2_exec()

• db2_execute()
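The two calls on the slide side by side, as an added example that is not from the deck: the same customer lookup written the hard-coded way with db2_exec() and the prepared way with db2_prepare()/db2_execute(), connected with the db2_connect($db, $user, $pwd, $options) form from the "Who does PHP run as?" slide. The library, table and profile names are placeholders, and the script assumes the ibm_db2 extension on IBM i.

```php
<?php
// Added example, not from the slides: one customer lookup written the hard-coded
// way with db2_exec() and the prepared way with db2_prepare()/db2_execute(),
// using the slide's db2_connect($db, $user, $pwd, $options) form on IBM i.
// The library, table and profile names are placeholders, not real objects.

// Connect as a dedicated, least-privilege profile rather than the default
// QTMHHTTP, so a bug in this script can only touch objects it really needs.
$conn = db2_connect('*LOCAL', 'WEBAPPUSR', 'PLACEHOLDER_PASSWORD',
    array('i5_naming' => DB2_I5_NAMING_ON, 'i5_lib' => 'MYLIB'));
if (!$conn) {
    error_log('db2_connect failed: ' . db2_conn_errormsg());
    exit('service unavailable');        // never show DB2 error text to the browser
}

// VULNERABLE (shown only to contrast): the request value is pasted into the
// SQL text, so whatever the user sends is parsed as SQL, not compared as data.
function findCustomerUnsafe($conn, $custno)
{
    $sql = "SELECT CUSTNO, NAME FROM CUSTMAST WHERE CUSTNO = '" . $custno . "'";
    return db2_fetch_assoc(db2_exec($conn, $sql));
}

// SAFE: the statement is prepared with a parameter marker and the value is
// bound at execute time, so it can only ever be treated as a value.
function findCustomerSafe($conn, $custno)
{
    $stmt = db2_prepare($conn, 'SELECT CUSTNO, NAME FROM CUSTMAST WHERE CUSTNO = ?');
    if (!$stmt || !db2_execute($stmt, array($custno))) {
        error_log('customer lookup failed: ' . db2_stmt_errormsg());
        return null;
    }
    $row = db2_fetch_assoc($stmt);
    return $row === false ? null : $row;
}

// Validate first (the filter_var() slide), then query with the prepared form.
$custno = isset($_GET['custno']) ? $_GET['custno'] : '';
$rule   = array('options' => array('regexp' => '/^[A-Z0-9]{1,10}$/'));
if (filter_var($custno, FILTER_VALIDATE_REGEXP, $rule) === false) {
    http_response_code(400);
    exit('invalid customer number');
}
$row = findCustomerSafe($conn, $custno);
echo $row ? htmlspecialchars($row['NAME'], ENT_QUOTES, 'UTF-8') : 'not found';
db2_close($conn);
```

Only findCustomerSafe() is ever called; findCustomerUnsafe() stays in the file purely so the two shapes can be compared line for line.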

Page 33: Action item: http://cwe.mitre.org/

• Top 25 known security flaws in application development

Page 34: Get help

• You cannot know it all, don’t put that upon yourself

• Before implementing web applications I hired a firm to test the environment. Their analysis was not a critique of my world, but became a roadmap of remediation, education and greater security!

• Not just consultants, although that can be good

• Hire auditors

• Penetration tests

• Stress test the applications


Page 35: 5. Maintenance

• PTFs

• Group

• Cumulative

• HiPer

• Technology Refresh

• Zend Server

• Updates via PTF process

• Windows, Linux, Cisco, etc.


Page 36: 6. Hide your PHP

• Tricks

• expose_php setting in the php.ini file to reduce visibility

• ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000


Page 37: Harden your server, then test

• PHPSecInfo on phpsecorg.org

• Hire professionals to perform a penetration test

• Internal or external doesn’t matter

• Develop audit and remediate

• Budget for remediation


Page 38: 6. Hide your PHP

• Tricks

• Rename files as .html

• Use short URL’s

• Best practices

• Move your document root

• Keep data out of the document root


Page 39: Where to get more? Carol Woodbury white paper on IBM i

Page 40: PHP Resources…

• Books

Sams Teach Yourself PHP, MySQL and Apache All in One (4th edition), ISBN 067232976X

Head First HTML with CSS and XHTML, ISBN 059610197X

Zend Server Doc at Zend Website

Advanced Guide to PHP 02/03/10


Page 41: Wrap it up…

Page 42: Q&A

www.zend.com

[email protected]