
PHP application code best practices

157 views


Every day millions of pieces of sensitive data, both personal and business related, are processed by web applications. And every day, applications are at risk of being exposed to new PHP security threats that make that sensitive data vulnerable to attack. With the cost of data breaches averaging over $3.8M and mean time to identify attacks topping 190 days, it’s critical to ensure the security and compliance of your PHP applications and stacks.

Join Daryl Wood, senior software engineer and trainer, for a two-part webinar series discussing the best practices every development team should follow to ensure the security of their web applications.

In this session, we'll dive deep into the PHP coding best practices that help with security, including: Logs - Web server (Apache) and PHP application; Code - Injection handling input and output; Code - Different logs for different severities; and Updating PHP on a staging server.

Published in: Software

PHP application code best practices

Slide 1. 4/24/2019 Security Best Practices webinars/SecurityBestPractices2/Webinar_Materials/?print-pdf#/ 1/39 © 2019 Rogue Wave Software, Inc. All rights reserved
Webinar series: PHP security best practices
Part 2: Web security best practices for PHP

Slide 2. PHP security best practices
by Daryl Wood, Senior Technical Trainer
Webinar, April 25, 2019
Rogue Wave Software, Inc.

Slide 3. Session one recap

Slide 4. PHP security best practices: First session recap
Part one of this series included:
    - Security attack types
    - Log monitoring
    - Attack injection
    - Attack severities and impacts
    - PHP version end of life

Slide 5. PHP application security: Best practice fundamentals
Today's part of this includes:
    - Code: Injection handling input and output
    - Logs: Web server (Apache) and PHP application
    - Code: Different logs for different severities
    - Updating PHP on a staging server

Slide 6. Code: Injection handling input and output

Slide 7. Code: Injection handling input and output. Input review
What's considered data input:
    - A request from a web client
    - A data payload from a web service call
    - A data payload from an asynchronous (AJAX) request
    - Data from a persistent storage mechanism

Slide 8. Cross site injection (XSS)
Slide 9. Code: Injection handling input and output. Input filtering for XSS injection. Vulnerable code

    // Simulate injected post data
    $_POST['username'] = 'pablo';
    $_POST['comment'] = '<script>alert("document.cookie")</script>';

    if($_POST && isset($_POST['username']) && isset($_POST['comment'])) {
        $result = null;
        try {
            $pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog', 'vagrant', 'vagrant');
            // Unvalidated input interpolated straight into the SQL text
            $stmt = $pdo->query("INSERT INTO blog (username, comment) VALUES ({$_POST['username']}, {$_POST['comment']})");
            // Then subsequently, the stored comment is read back ...
            $stmt = $pdo->query("SELECT * FROM blog WHERE username='{$_POST['username']}'");
            $result = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : null;
        } catch (Throwable $e){
            // Handle ...
        }
        if($result){
            // ... and echoed to the browser unescaped
            echo $result['comment'];
        }
    }

Slide 10. Code: Injection handling input and output. Input filtering for XSS injection. Filtered code

    // Simulate injected post data
    $_POST['username'] = 'pablo';
    $_POST['comment'] = '<script>alert("document.cookie")</script>';

    // This code should be owned by the initial domain input handling
    if($_POST && isset($_POST['username']) && isset($_POST['comment'])) {
        // Looking for an alphanumeric value
        $cleanUsername = ctype_alnum($_POST['username']) ? $_POST['username'] : false;
        // Looking for tag-based injection and stripping the tags
        // (an empty result after stripping is treated as invalid)
        $cleanComment = strip_tags($_POST['comment']) ?: false;

        if($cleanUsername && $cleanComment) {
            // Persist the data with $cleanUsername and $cleanComment, escaping on output with:
            // * htmlspecialchars()
            // * htmlentities()
            // * or your framework escaping mechanism
        }
    }
Slide 11. SQL injection

Slide 12. Code: Injection handling input and output. Input filtering for SQL injection. Vulnerable code

    // Simulate injected get data
    $_GET['id'] = ';update blog set username = attacker where user_id = 1;';
    $_GET['new-password'] = 'e44sxdfg3';
    $_GET['submit'] = 'submit';

    if ($_GET && isset($_GET['submit'])) {
        // Employ ACL to determine access
        try {
            $pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog', 'vagrant', 'vagrant');
            // The raw identifier is interpolated into the query text
            $stmt = $pdo->query("SELECT first_name, last_name FROM blog WHERE user_id = '{$_GET['id']}'");
            $result = $stmt->fetch(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            // Handle ...
        }
    }

Slide 13. Code: Injection handling input and output. Input filtering for SQL injection. Filtered code

    // Simulate injected get data
    $_GET['id'] = ';update blog set username = attacker where user_id = 1;';
    $_GET['new-password'] = 'e44sxdfg3';
    $_GET['submit'] = 'submit';

    if ($_GET && isset($_GET['id']) && isset($_GET['submit'])) {
        // Employ ACL to determine access

        // Filter by type coercion on an integer-type identifier
        // (the injected string above coerces to 0, which is rejected below)
        $cleanId = (int)$_GET['id'];

        // Alternatively, for non-integer identifiers, filter with ctype_alnum(),
        // assuming here an alphanumeric identifier:
        // $cleanId = ctype_alnum($_GET['id']) ? $_GET['id'] : false;

        // Filter by stripping tags, as passwords can be just about any character combination
        $cleanPass = strip_tags($_GET['new-password']);

        if($cleanId && $cleanPass) {
            // Escape, then persist and update the data with $cleanId and $cleanPass ...
        } else {
            echo 'Data invalid';
        }
    }

Slide 14. Broken session management
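Slides 9, 10, 12 and 13 stop at "escape, then persist". As an added example (this is not the slides' code), here is that blog-comment flow end to end: the same input validation, PDO prepared statements in place of string interpolation, and escaping at the HTML boundary. It assumes an in-memory SQLite database instead of the slides' MySQL socket; the PDO calls are the same for both.

```php
<?php
declare(strict_types=1);

// Added example, not from the webinar slides: validate input as the slides do,
// persist with prepared statements, escape on output. An in-memory SQLite
// database stands in for the slides' MySQL connection.

function validateUsername(string $username): ?string
{
    // Same rule as the slides (alphanumeric only), with a length bound added.
    return (ctype_alnum($username) && strlen($username) <= 32) ? $username : null;
}

function validateComment(string $comment): ?string
{
    // strip_tags() as on the slides; an empty or oversized result is rejected.
    $clean = trim(strip_tags($comment));
    return ($clean !== '' && strlen($clean) <= 2000) ? $clean : null;
}

function storeComment(PDO $pdo, string $username, string $comment): int
{
    // Placeholders keep the data out of the SQL text, so no quoting of the
    // values is needed and an injected string can only ever be data.
    $stmt = $pdo->prepare('INSERT INTO blog (username, comment) VALUES (:u, :c)');
    $stmt->execute([':u' => $username, ':c' => $comment]);
    return (int)$pdo->lastInsertId();
}

function commentById(PDO $pdo, int $id): ?array
{
    // The SQL slide's (int) coercion, plus an integer-typed placeholder.
    $stmt = $pdo->prepare('SELECT username, comment FROM blog WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderComment(array $row): string
{
    // Escaping happens on output whatever was stored, so a comment that
    // slipped past input filtering still cannot become markup.
    $h = fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $h($row['username']) . '</b>: ' . $h($row['comment']) . '</p>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, username TEXT, comment TEXT)');

// Constructed request data, mirroring the slides' simulated POST and GET values.
$post = [
    'username' => 'pablo',
    'comment'  => '<script>alert("document.cookie")</script>',
];
$get = ['id' => ';update blog set username = attacker where user_id = 1;'];

$username = validateUsername($post['username'] ?? '');
$comment  = validateComment($post['comment'] ?? '');
if ($username === null || $comment === null) {
    echo "Data invalid\n";
    exit(1);
}
$newId = storeComment($pdo, $username, $comment);

// The injected id coerces to 0, matches no row, and never reaches the SQL text.
$requested = (int)($get['id'] ?? 0);
echo 'lookup of injected id: ', commentById($pdo, $requested) === null ? "no row\n" : "row\n";

// The stored comment (tags stripped on input) is rendered with its quotes escaped.
$row = commentById($pdo, $newId);
echo $row === null ? "no row\n" : renderComment($row) . "\n";
```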
Slide 15. Code: Injection handling input and output. Broken session management. Vulnerable code

    // A controller responsible for login/logout actions
    class LoginController {
        // ...
        public function logoutAction() {
            // The login template is shown, but the session is left alive
            $this->view->setTemplate('login');
            $this->view->render();
        }
        // ...
    }

Slide 16. Code: Injection handling input and output. Broken session management. Repaired code

    // Assuming a controller handles the fix directly, or indirectly.
    class LoginController {
        // ...
        public function logoutAction() {
            // Destroy the session here,
            session_destroy();
            // or with some injected and dedicated Session-responsible
            // object calling its destroy() method:
            // $this->session->destroy();
            $this->view->setTemplate('login');
            $this->view->render();
        }
        // ...
    }

Slide 17. Brute force

Slide 18. Code: Injection handling input and output. Brute force. Vulnerable code

    // Simulate a billion-fold brute force attempt with minor changes to the password.
    $_POST['username'] = 'admin';
    $_POST['password'] = 'pA$$wORD';

    if($_POST && isset($_POST['username']) && isset($_POST['password'])) {
        $result = false;
        $password = md5($_POST['password']);  // fast unsalted hash, and no attempt limiting
        try{
            $stmt = $this->getPdo()->query("SELECT * FROM users WHERE username='{$_POST['username']}' AND password='$password'");
            $result = $stmt->fetch(PDO::FETCH_ASSOC);
        }catch(PDOException $e){
            // Handle ...
        }
        if($result && count($result)) {
            // On success
            // Redirect to password-protected area
        } else {
            // On failure
            echo "<p>Login unsuccessful</p>";
        }
    }

Slide 19. Code: Injection handling input and output. Brute force. Repaired code

    // Simulate a billion-fold brute force attempt with minor changes to the password.
    $_POST['username'] = 'admin';
    $_POST['password'] = 'pA$$wORD';

    if($_POST && isset($_POST['username']) && isset($_POST['password'])) {
        // Execute brute force detection code here ...
        $result = false;
        $cleanUser = ctype_alnum($_POST['username']) ? $_POST['username'] : false;
        if($cleanUser){
            try{
                $stmt = $this->getPdo()->query("SELECT * FROM users WHERE username='$cleanUser'");
                $result = $stmt->fetch(PDO::FETCH_ASSOC);
            }catch(PDOException $e) {
                // Handle ...
            }
        }
        // The stored password is a password_hash() value, checked with password_verify()
        if($result && count($result) && password_verify($_POST['password'], $result['password'])) {
            // Login successful, redirect to password-protected area escaping any input used ...
        } else {
            // Login failed
            echo "<p>Login unsuccessful</p>";
            // Execute brute force detection code to record failed attempt
        }
    }
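Slide 19 leaves the "brute force detection code" as a comment. As an added example (not the slides' code), here is one way to fill it in: failed logins are counted per username inside a time window and further attempts are refused once the limit is reached. The in-memory SQLite database, the users/login_failures schema and the limit values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the webinar slides: a per-username failure counter
// with a temporary lockout, around the same ctype_alnum()/password_verify()
// login check the repaired slide shows. Schema and limits are assumed.

const MAX_FAILURES   = 5;    // failures tolerated inside the window
const WINDOW_SECONDS = 900;  // 15-minute window

function setupDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE login_failures (username TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    // Store password_hash() output, which password_verify() expects; never md5().
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => 'admin', ':p' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)]);
    return $pdo;
}

function recentFailures(PDO $pdo, string $username, int $now): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM login_failures WHERE username = :u AND failed_at > :since');
    $stmt->execute([':u' => $username, ':since' => $now - WINDOW_SECONDS]);
    return (int)$stmt->fetchColumn();
}

function recordFailure(PDO $pdo, string $username, int $now): void
{
    $stmt = $pdo->prepare('INSERT INTO login_failures (username, failed_at) VALUES (:u, :t)');
    $stmt->execute([':u' => $username, ':t' => $now]);
}

function clearFailures(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('DELETE FROM login_failures WHERE username = :u');
    $stmt->execute([':u' => $username]);
}

// Returns 'ok', 'locked' or 'failed'. The HTTP response should say only
// "Login unsuccessful" for the last two, so the difference is not observable.
function attemptLogin(PDO $pdo, string $username, string $password, int $now): string
{
    // Same username filter as the slide: nothing non-alphanumeric reaches the query.
    if (!ctype_alnum($username) || strlen($username) > 32) {
        return 'failed';
    }
    if (recentFailures($pdo, $username, $now) >= MAX_FAILURES) {
        return 'locked';   // refused without checking the password at all
    }
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash !== false && password_verify($password, $hash)) {
        clearFailures($pdo, $username);
        return 'ok';
    }
    recordFailure($pdo, $username, $now);
    return 'failed';
}

// Constructed run: the slide's admin / pA$$wORD guess with minor changes, then the real password.
$pdo = setupDatabase();
$now = 1700000000;
for ($i = 1; $i <= MAX_FAILURES + 1; $i++) {
    printf("attempt %d: %s\n", $i, attemptLogin($pdo, 'admin', 'pA$$wORD' . $i, $now + $i));
}
// Even the correct password is refused while the lockout is active ...
echo 'correct password during lockout: ', attemptLogin($pdo, 'admin', 'correct-horse-battery', $now + 10), "\n";
// ... and accepted once the window has passed.
echo 'correct password after window: ', attemptLogin($pdo, 'admin', 'correct-horse-battery', $now + WINDOW_SECONDS + 20), "\n";
```

Attempts 1 to 5 return 'failed', attempt 6 and the in-window correct password return 'locked', and the post-window login returns 'ok'.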
Slide 20. Logs: Web server (Apache) and PHP application

Slide 21. Logs: Web server (Apache) and PHP application. Log location
Here restated are the default log locations for a Debian-based Linux server and PHP installation:
    - Syslog: /var/log/syslog
    - Apache access: /var/log/apache2/access.log
    - Apache error: /var/log/apache2/error.log
    - PHP error: when enabled, and by default, the syslog
Instead of these defaults, we concern ourselves with Apache access and error logging for a specific host, and separate logs for critical PHP error severities from all other severities.

Slide 22. Logs: Web server (Apache) and PHP application. Specific Apache host logging
This code block shows an Apache virtual host configuration for host-specific access and error logging. https://httpd.apache.org/

    <VirtualHost *:80>
        ServerName rockets.com
        DocumentRoot /var/www/rockets
        <Directory /var/www/rockets/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>
        # Custom host-specific logging
        ErrorLog /var/www/rockets/error.log
        CustomLog /var/www/rockets/access.log combined
    </VirtualHost>

Note that as written both log files sit under the DocumentRoot, where Apache will serve them over HTTP (and list them, with Indexes enabled); keeping the logs outside the DocumentRoot avoids exposing them.

Slide 23. Logs: Web server (Apache) and PHP application. PHP application error logging
These code blocks show production environment PHP configuration directives enabling error reporting, logging, and the location for application-specific PHP error logging. In a web server php.ini configuration file:

    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
    log_errors = On
    error_log = /var/www/rocket/logs/error.log

Slide 24. Code: Different logs for different severities
Slide 25. Code: Different logs for different severities
It is often helpful to direct specific error severities to dedicated log files. The next few slides define one way of doing that in object-oriented code.

Slide 26. Code: Different logs for different severities. A Logger class

    class Logger {
        public static $critical_log, $warning_notice_log;
        protected static $error;

        public static function handler(...$error) {
            self::$error = $error;   // [errno, errstr, errfile, errline]
            // Check if the error code is not part of error_reporting and bail
            if (!(error_reporting() & self::$error[0])) return;
            self::log();
        }

        public static function log() {
            // Entry format: date|message|file|line, timestamp as Ymd.H.i.s
            $logEntry = date('Ymd.H.i.s').'|'.self::$error[1].'|'.self::$error[2].'|'.self::$error[3] . PHP_EOL;
            switch (true) {
                case (self::$error[0] === E_ERROR || self::$error[0] === E_USER_ERROR):
                    return error_log($logEntry, 3, self::$critical_log);
                case (self::$error[0] === E_WARNING || self::$error[0] === E_NOTICE):
                    return error_log($logEntry, 3, self::$warning_notice_log);
                // ...
            }
            return false;
        }
    }

Slide 27. Code: Different logs for different severities. The logger runtime

    require 'Logger.php';                       // Import the logger
    set_error_handler(['Logger', 'handler']);   // Set the handler code

    // Set log entry destination for warnings and notices
    Logger::$warning_notice_log = 'logs/warning_notice.log';
    // Set log entry destination for critical errors
    Logger::$critical_log = 'logs/critical.log';

    // Force simulate a warning error with an empty explode function call,
    explode();
    // or force a triggered warning (E_WARNING is not a valid trigger_error()
    // type, so PHP raises its own warning, which is what the log shows)
    trigger_error("A warning error happened", E_WARNING);

    // Force simulate a critical error with an unloaded class.
    try{
        $object = new MissingObject();
    } catch (Throwable $e){
        Logger::handler(E_ERROR, $e->getMessage(), $e->getFile(), $e->getLine());
        echo 'Server unable to grant request at this time';
    }

Slide 28. Code: Different logs for different severities. Log entries
The Critical log entry:

    20190414.11.04.27|Class 'MissingObject' not found|<path/to/runtime.php>|25

The Warning and Notice log entries:

    20190414.11.04.29|explode() expects at least 2 parameters, 0 given|<path/to/runtime.php>|18
    20190414.11.04.58|Invalid error type specified|<path/to/runtime.php>|21

Don't forget to monitor the logs!
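Slide 28 ends with "monitor the logs". As an added example (not the slides' code), here is a small monitor for the date|message|file|line entries the Logger class writes: it parses each line, groups repeats by source location and message, and flags any group over a threshold so a burst of the same error stands out. The log lines and the threshold are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the webinar slides: parse the Logger's entry format,
// count repeats per "file:line message", and flag bursts over a threshold.
// Sample lines below are constructed; BURST_THRESHOLD is an assumption.

const BURST_THRESHOLD = 3;

function parseLogEntry(string $line): ?array
{
    // Split into at most 4 fields so a '|' inside the message stays in the message.
    $parts = explode('|', rtrim($line, "\r\n"), 4);
    if (count($parts) !== 4) {
        return null;                        // truncated or foreign line: skip it
    }
    [$stamp, $message, $file, $lineNo] = $parts;
    $time = DateTimeImmutable::createFromFormat('Ymd.H.i.s', $stamp);
    if ($time === false || !ctype_digit($lineNo)) {
        return null;                        // bad timestamp or line number: skip it
    }
    return ['time' => $time, 'message' => $message, 'file' => $file, 'line' => (int)$lineNo];
}

/** @param iterable<string> $lines  @return array<string,int> counts keyed by "file:line message" */
function summarise(iterable $lines): array
{
    $groups = [];
    foreach ($lines as $line) {
        $entry = parseLogEntry($line);
        if ($entry === null) {
            continue;
        }
        $key = $entry['file'] . ':' . $entry['line'] . ' ' . $entry['message'];
        $groups[$key] = ($groups[$key] ?? 0) + 1;
    }
    arsort($groups);                        // most frequent first
    return $groups;
}

function bursts(array $groups): array
{
    return array_filter($groups, fn (int $n): bool => $n >= BURST_THRESHOLD);
}

// Constructed sample in the slide's log format. A real run would read the file,
// e.g. file('logs/critical.log', FILE_IGNORE_NEW_LINES), instead of this array.
$criticalLog = [
    "20190414.11.04.27|Class 'MissingObject' not found|/var/www/rockets/runtime.php|25",
    "20190414.11.05.02|Class 'MissingObject' not found|/var/www/rockets/runtime.php|25",
    "20190414.11.05.41|Class 'MissingObject' not found|/var/www/rockets/runtime.php|25",
    "20190414.11.06.10|Allowed memory size exhausted|/var/www/rockets/export.php|88",
    "not a log line",
];

$groups = summarise($criticalLog);
foreach ($groups as $key => $count) {
    printf("%3d  %s\n", $count, $key);
}
foreach (bursts($groups) as $key => $count) {
    printf("ALERT: %d occurrences of %s\n", $count, $key);
}
```

On the sample above the MissingObject entry is counted three times and raises the alert; the malformed line is skipped rather than aborting the run.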
Slide 29. Updating PHP on a staging server

Slide 30. Updating PHP on a staging server
Production servers must be kept up to date for the security, bug fixes, and system optimization benefits. A staging server is a server environment that:
    - Matches a production server
    - Same software
    - Same software update process
    - Identical in deployment process
    - Can fail without production impact

Slide 31. Updating PHP on a staging server
A staging server allows refinements to all update, deployment, and continuous delivery processes. But it should be subject to the same rigor as a production server, including:
    - Assessment process
    - Functionality
    - Performance requirements
    - Security

Slide 32. Recap

Slide 33. Recap
Let's recap:
    - Input injection handling of a few of the most predominant attacks
    - The difference between the Web server and PHP application error logging
    - Setup of different logs for different severities
    - Staging server purpose and recommendations

Slide 34. Business impact of application security
    - $3.86 million: average cost of a data breach
    - 197 days: mean time to identify a breach
    - 75% of attacks occur on web apps
    - 27% likelihood of a recurring material breach over the next two years
    - Over 60% are running on vulnerable, unsupported PHP runtime versions

Slide 35. How can Rogue Wave help?
    - Zend Server is a commercially supported & secure PHP distribution
    - Wide range of professional services including migration, audits & custom consulting
    - Online & onsite PHP training from beginner to advanced, plus PHP certification

Slide 36. What's next?

Slide 37. Resources
Some followup resources:
    - Zend Server: zend.com/en/products/zend_server
    - PHP Security, support and migration: zend.com/phpsecurity
    - Training, PHP security and more: zend.com/en/services/training
    - 2019 State of PHP Survey: https://www.surveymonkey.com/r/2019-state-of-php

Slide 38. Q&A

Slide 39. Thank you!
Contact Ryan: ryan.krszjzaniek@roguewave.com
Contact Daryl: daryl.wood@roguewave.com
Follow me on Twitter: @datashuttle
