The weak points in our systems
Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013
Copyright © 2012 Clickatell. All rights reserved.
About me
• Senior developer for Clickatell
• Work remotely from Grahamstown in the Eastern Cape
• I like to break things
The bare minimum we SHOULD be doing
• Preventing SQL injection and sanitizing user input
• Email and cellphone verification
  – Mitigates social engineering against the support team
• Salting and using strong hashing for passwords
  – As of PHP 5.5, www.php.net/password makes this trivial
• Forgotten-password resets done by email link
• Use OAuth or OpenID
• Two-factor authentication
  – High-risk data
  – Premium support verification
  – Off-site staff authentication method
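The password point on this slide, as an added example that is not part of the original deck: the PHP 5.5 password API (`password_hash`, `password_verify`, `password_needs_rehash`) together with a rehash-on-login path that retires legacy unsalted hashes the first time a user logs in with the correct password. The in-memory `$users` array, the `BCRYPT_COST` constant and the helper names are constructed for the example; `hash_equals()` needs PHP 5.6.

```php
<?php
// Added example (not from the slides): the PHP 5.5 password API the slide
// points to, plus a rehash-on-login path that retires legacy unsalted hashes.
// The in-memory $users array is a constructed stand-in for a real user table.

const BCRYPT_COST = 12; // raise over time; password_needs_rehash() notices the change

function hash_password($password)
{
    // PASSWORD_DEFAULT is bcrypt; the random salt is generated here and stored
    // inside the returned string, so nothing else has to be persisted.
    return password_hash($password, PASSWORD_DEFAULT, array('cost' => BCRYPT_COST));
}

function register_user(array &$users, $username, $password)
{
    $users[$username] = array('hash' => hash_password($password), 'legacy' => false);
}

function login(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $user = $users[$username];

    if ($user['legacy']) {
        // Legacy record: unsalted MD5, the pattern the slide warns against.
        // hash_equals() (PHP 5.6) keeps the comparison constant-time.
        if (!hash_equals($user['hash'], md5($password))) {
            return false;
        }
        // Correct password and plaintext in hand: upgrade the record right now.
        $users[$username] = array('hash' => hash_password($password), 'legacy' => false);
        return true;
    }

    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    // Hash made with an older cost (or algorithm)? Re-hash while we have the plaintext.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT, array('cost' => BCRYPT_COST))) {
        $users[$username]['hash'] = hash_password($password);
    }
    return true;
}

// Constructed sample store: alice is still on the legacy scheme, bob is not.
$users = array(
    'alice' => array('hash' => md5('correct horse battery staple'), 'legacy' => true),
);
register_user($users, 'bob', 'a long passphrase of his own');

var_dump(login($users, 'alice', 'correct horse battery staple')); // legacy path
var_dump($users['alice']['legacy']);                               // record after the upgrade
var_dump(login($users, 'alice', 'wrong password'));                // bcrypt path, bad password
var_dump(login($users, 'bob', 'a long passphrase of his own'));    // bcrypt path, good password
```

Running it shows alice's first login succeeding through the MD5 branch and her record leaving the legacy scheme; every later login for her, and all of bob's, goes through `password_verify`. The point of `password_needs_rehash` is that raising `BCRYPT_COST` later needs no migration job: each account is re-hashed on its next successful login.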
What the blogs haven't warned us about
• No coder is an island
• We all rely on:
  – 3rd party libraries
  – Frameworks
    • Symfony
    • Zend
  – CMS packages
    • Joomla!
    • WordPress
  – E-commerce software
    • osCommerce
    • Magento
  – CRM software
    • SugarCRM
So... time to come clean... I've done it too
• Perception
  – Using a version of Smarty without vulnerabilities (3.1.12)
• Reality
  – 4 versions of Smarty
  – Version 2.6.26 with 11 vulnerabilities (7 critical)
  – Version 2.6.28 with 12 vulnerabilities (7 critical)
  – Version 2.6.11 with 12 vulnerabilities (7 critical)
• The other three were dependencies of another front-end system
• Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
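The gap between perception and reality on this slide comes from copies of a library that nobody inventoried. As an added example, not from the deck, here is a small PHP script that walks a code tree, lists every `Smarty.class.php` it finds with the version that file declares, and flags copies older than the version the team believes it runs. The version markers are assumptions taken from Smarty's own source layout (Smarty 2 declares `var $_version = '2.6.x';`, Smarty 3 declares `const SMARTY_VERSION = 'Smarty-3.1.x';`); the sample tree it scans is constructed in the system temp directory so the script runs offline.

```php
<?php
// Added example, not from the slides: inventory every copy of Smarty under a
// code tree and flag the ones older than the version the team believes it runs.
// Version markers are assumptions based on Smarty's source: Smarty 2 uses
// `var $_version = '2.6.x';`, Smarty 3 uses `const SMARTY_VERSION = 'Smarty-3.1.x';`.

function smarty_version_of($source)
{
    if (preg_match('/SMARTY_VERSION\s*=\s*[\'"](?:Smarty-)?([0-9.]+)[\'"]/', $source, $m)) {
        return $m[1];                       // Smarty 3 style
    }
    if (preg_match('/\$_version\s*=\s*[\'"]([0-9.]+)[\'"]/', $source, $m)) {
        return $m[1];                       // Smarty 2 style
    }
    return 'unknown';
}

function find_smarty_copies($root)
{
    $found = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getFilename() !== 'Smarty.class.php') {
            continue;
        }
        $found[] = array(
            'path'    => substr($file->getPathname(), strlen($root) + 1),
            'version' => smarty_version_of(file_get_contents($file->getPathname())),
        );
    }
    return $found;
}

// Constructed sample tree: one current copy in vendor/ and two stale copies
// vendored by other front-end systems, the situation the slide describes.
function make_sample_tree()
{
    $root = sys_get_temp_dir() . '/smarty-scan-' . uniqid();
    $copies = array(
        'vendor/smarty/libs'         => "<?php\nclass Smarty { const SMARTY_VERSION = 'Smarty-3.1.12'; }\n",
        'legacy/frontend/lib/smarty' => "<?php\nclass Smarty { var \$_version = '2.6.26'; }\n",
        'legacy/reports/smarty'      => "<?php\nclass Smarty { var \$_version = '2.6.11'; }\n",
    );
    foreach ($copies as $dir => $source) {
        mkdir("$root/$dir", 0700, true);
        file_put_contents("$root/$dir/Smarty.class.php", $source);
    }
    return $root;
}

$root     = make_sample_tree();
$believed = '3.1.12';   // the version the team thought was the only one present
$copies   = find_smarty_copies($root);
foreach ($copies as $copy) {
    $status = version_compare($copy['version'], $believed, '>=') ? 'ok      ' : 'OUTDATED';
    printf("%s  %-8s  %s\n", $status, $copy['version'], $copy['path']);
}
$distinct = array_unique(array_map(function ($c) { return $c['version']; }, $copies));
printf("%d copies of Smarty, %d distinct versions\n", count($copies), count($distinct));
```

Point `find_smarty_copies()` at a real deployment root instead of the constructed tree and the report is the inventory the slide's developers were missing: the copy in `vendor/` is fine, the two vendored under other systems are not. The same shape of scan, with different filename and version markers, works for any library that ships its version in a source file.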
Let's get some real-world data
• 43 popular open source web applications, libraries and frameworks
• 3,421 versions
• 5.6 million files
Worst offender
Some graph explanation
Mean / Average
Median
The Doom Line
Some actual numbers please
What are SMBs using?
Where does the blame lie?
• WordPress and Joomla!
  – Highly popular = highly targeted
  – Fix released before the vulnerability is disclosed
• Libraries not so well behaved
  – Most of the libraries found were vulnerable
  – OpenX had a backdoor in its code base
• Frameworks came off well
  – No vulnerabilities for the versions found
Reference:
http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
Let's get a little ageist here
What's the sell-by date?
Let's just put those together
Some good news at least
• We were looking at the worst of the worst
  – SMBs with little technical knowledge
  – Freelancer CMS deployments
• People will fix what they know is broken
  – Growing awareness
  – Emergence of auto-update tools
  – Software houses and freelancers, up-sell those maintenance contracts
How much has the situation improved?
And for the developers
• Means of distributing 3rd party code are improving
  – Composer
    • Don't commit dependencies... specify them
    • Major release locking
    • Simple update mechanism
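The three Composer points on this slide, as an added config example that is not part of the original deck. The package name `smarty/smarty` is the real Packagist name for the library discussed earlier; the project name and description are constructed. The `~3.1` constraint is the "major release locking" the slide means: it accepts 3.1 and every later 3.x release, but never 4.0.

```json
{
    "name": "example/legacy-frontend",
    "description": "Constructed composer.json: declare dependencies, lock them to a major release",
    "require": {
        "php": ">=5.5",
        "smarty/smarty": "~3.1"
    }
}
```

With this in place the repository holds `composer.json` and the generated `composer.lock`, while `vendor/` stays out of version control (a `/vendor/` line in `.gitignore`). `composer install` on a deployment reproduces exactly the versions recorded in the lock file, and `composer update smarty/smarty` is the "simple update mechanism": it pulls the newest release that still satisfies `~3.1` and rewrites the lock file, so a security fix in the 3.x line is one command and one commit away instead of a hand-copied directory that nobody tracks.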
@thomas_shone
www.shone.co.za
Questions?
