Category: Community


Starting Secure Development

November 26th, 2013 — 3:32am

As I’m trying to get back into more regular article writing for the websec.io security tutorial site, I asked on Twitter what people would be interested in reading. I thought I’d gather the responses up and share them here (since Twitter is sooo good at tracking this kind of thing…). There were some good responses and some things I hadn’t thought about yet:

> Top 10 pitfalls and how to avoid them. @calevans
> how to actually filter input and escape output correctly. @skoop
> I’d like the ability to answer to the question “Is it safe?” with confidence. @AmyStephen
> Data sanitization, escaping, and authentication. @codeguy
> how to test for secure code. @scottmattocks
> One of my largest stumbling blocks has been learning how to write proper (library-less) templates in a secure and flexible manner. @mkmcdonald

You can see all of the responses here. There are a few articles related to these posted already:

If you have any other suggestions let me know!

4 comments » | Community, PHP, security, websec.io

iniscan: a security scanner for php.ini

November 9th, 2013 — 2:24am

I do a lot of talking at conferences and in the articles I write about application security, mostly in PHP. There’s been a resurgence of interest in creating secure applications and in the best practices around it. There are lots of examples of bad code out there, but thankfully there’s a growing base of good reference material that shows how to Do Things the Right Way too. Most of it focuses on good coding practices, though, and doesn’t think much about something fundamental to the PHP language and key to any installation – the php.ini configuration.

PHP’s configuration has quite a few settings (and is getting more all the time), so it can be confusing to keep it all straight and be sure you’re “thinking secure” in your app’s setup. There are lots of sites out there that offer recommendations on how to set up your config file to follow the best security practices, but they’re either all the same thing (copy and pasted?) or refer to settings that are now deprecated. So, in an effort to make it easier for developers (and sysadmins) to set up a php.ini file with a more secure configuration, I created the “iniscan” tool (catchy name, huh?).

I want to thank Ed Finkler for the foundational work he did on the PHPSecInfo project a few years back. PHPSecInfo was a web-based tool that you could load in a browser, and it reported information similar to what iniscan reports. A lot of the rules in iniscan are inspired by the ones he defined.

The tool runs from the command line, reads the php.ini file you give it and evaluates it against a set of pre-defined rules to give a pass/fail grade for each setting in your current configuration. The goal was to create something easy to install and easy to use, to lower the barrier to adoption and raise awareness of what a hardened php.ini looks like.

You can install it using Composer and run its “scan” command to get the results. They look something like:

== Executing INI Scan [11.09.2013 01:51:13] ==

Results for /private/etc/php.ini:
============
Status | Severity | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    | session.use_cookies      | Must use cookies to manage sessions
FAIL   | WARNING  | session.cookie_domain    | It is recommended that you set the default domain for cookies.
PASS   | ERROR    | session.cookie_httponly  | Setting session cookies to 'http only' makes them only readable by the browser
FAIL   | WARNING  | session.save_path        | Path /tmp is world writeable

[...more test results...]

15 passing
6 failure(s)

Each of the tests gets a pass/fail grade with a bit of color-coding to help the really bad issues stick out a bit more. It looks at settings like:

  • session.cookie_httponly
  • register_globals
  • safe_mode
  • allow_url_fopen
  • expose_php
  • register_long_arrays

…and more. By default the tool reports the results as a “table” directly on the command line. There are options you can pass in to change the output into something more machine-friendly (JSON or XML).
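To make the rule-based idea concrete, here is an added example of a minimal php.ini checker written for this page. It is not iniscan’s own code and does not reproduce its rule set: the ini text is constructed, and the rules, severities and descriptions are my own choices. The only thing taken from PHP itself is the documented default each directive has when it is absent from php.ini, which is what a scanner has to fall back on (a missing `expose_php` line means “On”, not “unset”). It needs PHP 7.4 or later.

```php
<?php
// Added example, not iniscan's own code: a minimal rule-based php.ini checker in
// the spirit of the tool described above. The ini text is constructed; the rule
// set, severities and wording are my own choices. Requires PHP 7.4+.
declare(strict_types=1);

// Constructed php.ini fragment mixing weak and hardened values (not a real server).
$sampleIni = <<<'INI'
; constructed example configuration
expose_php = On
allow_url_fopen = On
allow_url_include = Off
display_errors = Off
session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_secure = 0
session.save_path = "/tmp"
INI;

/** Parse ini text into directive => raw string value (INI_SCANNER_RAW keeps On/Off/1/0 as written). */
function parseIni(string $text): array
{
    $parsed = parse_ini_string($text, false, INI_SCANNER_RAW);
    return $parsed === false ? [] : $parsed;
}

/** Normalise the spellings php.ini accepts for "true": 1, On, True, Yes. */
function iniBool(string $value): bool
{
    return in_array(strtolower(trim($value, " \t\"'")), ['1', 'on', 'true', 'yes'], true);
}

/** True when the session save directory is world-writable (the check behind a warning like the /tmp one above). */
function worldWritable(string $path): bool
{
    $path = trim($path, '"');
    if ($path === '' || !is_dir($path)) {
        return true; // unset or missing: PHP falls back to the system temp directory
    }
    return (fileperms($path) & 0002) !== 0;
}

/**
 * Rules: directive, PHP's documented default when the directive is absent,
 * severity, description, and a predicate that returns true when the value passes.
 */
function rules(): array
{
    $off = fn (string $v): bool => !iniBool($v);
    $on  = fn (string $v): bool => iniBool($v);
    return [
        ['expose_php',               '1', 'WARNING', 'Hide the PHP version from the X-Powered-By header', $off],
        ['allow_url_fopen',          '1', 'WARNING', 'Do not let file functions open remote URLs',        $off],
        ['allow_url_include',        '0', 'ERROR',   'Remote include/require must stay disabled',        $off],
        ['display_errors',           '1', 'WARNING', 'Do not show errors and paths to visitors',          $off],
        ['session.use_cookies',      '1', 'ERROR',   'Must use cookies to manage sessions',               $on],
        ['session.use_only_cookies', '1', 'ERROR',   'Never accept a session ID from the URL',            $on],
        ['session.cookie_httponly',  '',  'ERROR',   'Session cookie must not be readable by JavaScript', $on],
        ['session.cookie_secure',    '',  'WARNING', 'Session cookie should only travel over HTTPS',      $on],
        ['session.save_path',        '',  'WARNING', 'Session directory must not be world writable',
            fn (string $v): bool => !worldWritable($v)],
    ];
}

/** Evaluate every rule against the parsed config; absent keys use the rule's default. */
function scan(array $config, array $rules): array
{
    $results = [];
    foreach ($rules as [$key, $default, $severity, $desc, $pass]) {
        $value = (string) ($config[$key] ?? $default);
        $results[] = [
            'status'   => $pass($value) ? 'PASS' : 'FAIL',
            'severity' => $severity,
            'key'      => $key,
            'desc'     => $desc,
        ];
    }
    return $results;
}

/** Render the results as a table in the same layout as the scan output shown above. */
function render(array $results): string
{
    $out = sprintf("%-6s | %-8s | %-26s | %s\n", 'Status', 'Severity', 'Key', 'Description');
    $out .= str_repeat('-', 70) . "\n";
    foreach ($results as $r) {
        $out .= sprintf("%-6s | %-8s | %-26s | %s\n", $r['status'], $r['severity'], $r['key'], $r['desc']);
    }
    $failed = count(array_filter($results, fn (array $r): bool => $r['status'] === 'FAIL'));
    return $out . sprintf("\n%d passing\n%d failure(s)\n", count($results) - $failed, $failed);
}

$results = scan(parseIni($sampleIni), rules());
echo render($results);

// Exit non-zero when an ERROR-severity rule failed, so the scan can gate a deploy pipeline.
$errors = array_filter($results, fn (array $r): bool => $r['status'] === 'FAIL' && $r['severity'] === 'ERROR');
exit($errors === [] ? 0 : 1);
```

Two things worth noting when you turn something like this loose on a real server. First, scan the configuration PHP actually loaded, not just the file you think it loaded: `php --ini` shows which php.ini and which additional .ini files were read, and the SAPI running your site (mod_php, php-fpm, CLI) may use a different one. Second, `register_globals`, `safe_mode` and `register_long_arrays` were removed in PHP 5.4, so on a modern install a php.ini that still sets them is a sign the file was copied from an old template and deserves a full review, rather than a setting to tune.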

If this sounds interesting to you, check out the github repo for it and try out the latest version (v2.5 at the time of this post). I definitely welcome feedback so I can help make this an even better tool for the PHP community overall. Many thanks to the PHP community members that have already contributed back to the project – Eric Hogue, Jeremy Cook, Hari KT and Alexandru G!

iniscan

2 comments » | Community, PHP, security, Testing

Speaking at Day Camp 4 Developers on Two-Factor Auth

August 9th, 2013 — 8:38pm

Well, the official announcements are making the rounds now: the next Day Camp 4 Developers (Master Series) will be coming up in October (the 18th) and will feature several security-related talks. I’ll be one of the four folks presenting at this event and will be giving a talk about two-factor authentication. Here’s the summary:

Two-factor authentication has gotten a lot of attention lately. It’s being praised as a way to help eliminate identity theft online and already has several major companies adapting their practices to use it. Let me guide you through the world of two-factor authentication, explain some of the basic concepts and dive deeper into the associated protocols and RFCs. I’ll also show you some common implementations with standalone and web service options to get you started quickly.

Other topics that’ll be a part of this PHP Master Series (Vol 2) are:

  • Fred Alger – The OWASP Top 10 and You
  • Mike Stowe – Prison Theory of Web Development Security
  • Anthony Ferrara – Password Storage (And Hacking) in PHP

Tickets are already on sale, so you can go ahead and reserve your spot. We hope it’ll help encourage more PHP developers to get proactive about the security of their applications and expose them to some of the good practices and new ideas they can use.

Comment » | Community, PHP, security, Speaking

Upcoming Conference Speaking

February 8th, 2013 — 3:24pm

I’ll be speaking at two upcoming PHP-related events – all of the talks will be discussing PHP and general development security topics.

First up is ConFoo (Feb 25th-March 1st in Montreal, Canada) where I’ll be presenting two sessions:

  • Beyond the Basics: Security with PHP

    You’ve seen some of the basics of securing your application – validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.

  • Writing Secure PHP Applications

    Being secure on the web is getting harder and harder – the attacks are happening more and more and we, as web app developers, have to respond. The session will share tips you can follow in your code to ensure that your app stays safe and some tips to help improve investigation and preventing your app from becoming the next statistic.

The next is php|tek 13 (Chicago, May 14th-17th) with, again, two sessions:

  • Beyond the Basics: Security with PHP

    You’ve seen some of the basics of securing your application – validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.

  • Top 10 Developer Security Misconceptions

    When it comes to security in development, there’s a lot of things developers have the wrong idea about – things like “I don’t have enough time” or “I don’t know enough to be effective.” Join me as I run through the “top ten” of the list and help dispel them and make your life as a developer easier.

If you’re interested in the topics and want to drop in, be sure to stop off and say “hi”. I’m happy to talk your ear off about PHP and security…

1 comment » | Community, PHP, security

Education in PHP Security – What’s Needed?

November 21st, 2012 — 3:28am

As anyone who’s been around the PHP community recently (within the last six to nine months) knows, Chris Hartjes has taken the lead in an effort to increase awareness about unit testing – really testing in general – of PHP applications. He favors things like test-driven development and having good tests to back up and reinforce a good resulting product. I admire him for his efforts (including his book) and I wonder if this same movement could be used to help kickstart a security testing “revolution” in the PHP community too.

For a long time, PHP has had an unfortunate reputation as an insecure language to develop web-based applications in. The language itself has very few built-in security features and instead favors letting you plug in techniques and tools of your own to make things secure. Unfortunately, this leaves a lot of beginner-level applications wide open to potential attacks. Developers aren’t immediately given options to do things like filter their data or secure the data they’re storing in their sessions. Most developers I know who are just starting out with PHP don’t even know these sorts of things need to be done. They blindly accept user data and expect that nothing other than what they’re wanting will come through. Sadly, this sort of thing has led to the insecure reputation – bad code written by inexperienced users. One of PHP’s best attributes is its low learning curve…and also its worst.

Many developers don’t even realize the need for security in the code they write until it’s too late. One day they wake up and – either because something they’ve written has been hacked or they read an article that talks about it – realize that they’ve been blind about protecting themselves and their data from Those People out on the web. This usually seems to happen about the time that most of them discover frameworks and how useful they can be. They start poking around what the framework has to offer and come across things like access control, user authentication and yes, maybe even secure session handling. A switch is flipped and the developer reacts in one of two ways – they take it as a charge to get better about their secure coding practices or they freak out and start going crazy with filtering, encryption and escaping.

Back to my original point – I wonder if it’s possible to take this momentum that Chris has gotten going and use it to encourage more testing for the security of applications up front. I’ve been doing what I can over on websec.io to try to help educate developers about things like secure coding practices, common infosec terms and information about securing their applications from would-be attackers, but it’s not enough. It’s not even a blip on the radar in what is a very serious matter that should be a consideration for all PHP developers.

Testing application security early, whether it be through the use of something like skipfish or a static code scanning tool, can save you time in the long run, just as unit testing your code helps track down and eliminate bugs faster. I want to promote early testing for security issues in applications and the mitigation of them, but I’m not sure how to reach developers in a way that they’ll listen.

Pádraic Brady has started up an effort to create a guide to some of the most common issues PHP developers might face and it’s off to a good start. I wonder if there’s more that can be done to help improve the security awareness in the PHP ecosystem, though. It seems like there’s a lot of content floating around out there that’s from the “stone age” of PHP security practices (filter input, escape output, blah blah blah) and not much about real-world, advanced threats that relate to PHP applications and current web technologies.

What would you like to see in a security resource that could help you, as a developer, make your code more secure? Do things like articles/tutorials encourage you to take a good long look at your code and try to “think like an attacker” or would more real-time interaction (screencasts or webinars) do more to help? I’m interested to see what the community thinks is a good approach to this.

Security is an important topic, no matter the language you’re working with. PHP just has more of an uphill battle than some other languages – help me make it a little bit easier.

13 comments » | Community, PHP, security

Introducing JsQuickFix

June 22nd, 2012 — 9:32am

Fans of the PHPDeveloper.org (@phpdeveloper) or PHPQuickFix (@phpquickfix) news feeds who use them to keep up with the latest things in the PHP community, but are looking for something a bit more on the Javascript side, are in luck.

To complement the PHPQuickFix site/twitter account, I’ve started up a Javascript-centric feed of hand-picked items I find in my reading that look useful/interesting/are more than just fluff – JsQuickFix (and @jsquickfix on Twitter).

This uses the same setup I have for the PHPQuickFix feed:

  • using GimmeBar as a data source
  • a simple PHP script to generate an RSS feed of the latest assets
  • Twitterfeed to pull the latest from this feed and post to Twitter

I use the Chrome extension that adds a GimmeBar icon to my toolbar and makes adding new links to these services a few simple clicks away.

To accomplish this, though, I had to shift over to using Collections instead of just pointing it at my main GimmeBar Public feed. Here are the two collections that will grow in the future:

Enjoy! :)

1 comment » | Community, javascript, jsquickfix, PHP, phpquickfix

Innovation’s Not The “Ah-Hah!”

May 25th, 2012 — 10:29pm

After reading through Scott Berkun’s “Confessions of a Public Speaker” (as a beginning speaker, I learned some good things from this one – I’d suggest it if you do any kind of speaking) I was anxious to check out some of his other books. The topics of some of the others didn’t really appeal to me, but the one that’s caught my attention recently is his “Myths of Innovation” book. I’m maybe a third of the way through it right now, and there’s one thing that keeps resonating in my mind as I go through it. In a previous chapter, he makes the point that innovation, despite what the history books and popular culture would have us assume, is less of an “Ah-hah!” and more of a “Finally!”.

See, most of the common stories of innovators out there leave out something that’s very important – the reference frame of their lives. They don’t provide a larger picture of who someone is (like Einstein or Newton) and how all of their work, everything they’ve done in their career led up to the discoveries that they’re known for.

I think this is important to remember as software developers, too. All of us start projects and never finish them, it’s just a fact of life in the world of a coder. We find something that we either think is the “Next Big Idea” or something that we’ll find amazingly useful and latch onto it, giving it our all for a week, maybe a month. Nine times out of ten, though, that project falls by the wayside. Now, don’t get me wrong, there’s some folks out there that do a great job with anything they touch, but for the average developer, it’s all about hacking away at the latest “shiny”.

Sometimes it’s about the technology (“everyone’s learning Backbone.js, why shouldn’t I?”) and other times there’s a bit of pride that kicks in (“I could do this so much better if…”) but there’s always one thing to remember. It doesn’t matter if the project you’re working on goes anywhere. Remember this. Just like some of the great innovators of the past, it takes a lot of dedication and work to get to be the “Ah-hah Guy” that wows the world with something new and amazing. Don’t forget that the code of the Next Great App isn’t just going to fly from your fingertips.

Work hard at your craft and it will pay off. Maybe not in fame and glory, maybe in making real, useful contributions to the culture and technology around you. Don’t stop trying to innovate, don’t focus on the failures and, above all, keep learning and keep doing.

4 comments » | Community, Development, Opinion, PHP

Ideas of March

March 15th, 2012 — 8:26am

It’s March 15th and you know what that means….only a month left for the procrastinators to do their taxes in the US. Well, actually, that’s not what I’m really talking about here. Last year a whole host of people wrote up posts titled “Ideas of March” and this year’s no different. Several members of the PHP community are jumping in with their thoughts on blogging – here’s some of mine.

Blogging is great, don’t get me wrong…I love it when I can Google for something and find that someone, somewhere has done exactly what I need. This historical record of shared knowledge is one of the things that makes the web great. Of course, it can also sometimes do more harm than good. “But I thought you were going to write about how blogging is a good thing,” you ask. Well, I believe it inherently is, but with a few caveats:

  • Blogs are only as good as their authors:
    Not everyone out there is a clear, excellent writer (I know I’m not) and, as a result, sometimes the message of a post can get lost in poor wording. What’s a solution to this? Blog more often! That’s right, it’s just like anything else – the more you do something, the better at it you get. You start getting into a certain frame of mind when your fingers are on the keys and you learn little “mind tricks” (no Jedi here) on how to best get your message across. You don’t have to be an amazing writer to be a clear one.

  • Dates, Versions & Code:
    This one’s a tough one, especially for us tech bloggers. I can’t tell you the number of times that I’ve found what I thought I needed in my Google results only to go over to a post and discover that I have no idea when it was written. The URL gives no clue and there’s not a date to be found. This drives me nuts and if your blog doesn’t have dates on the posts, go change that. Right now. I’ll wait here.

    Additionally, two things can make for a lot less frustration for people coming to your posts later – somehow tagging or mentioning what version of a language the post relates to (“this post was written against PHP 5.2.5”) and trying to keep the code up to date. Yes, I know this second request requires a bit more commitment on your part, but people would sing your praises if you took the time to do it. Even if it’s just an update to a post that says, “I found a better way to do this…” in a more recent version of the language/tool.

  • More than just a “brain dump”:
    I’ve seen several people use their blogs as a sort of “brain dump” – a place for them to post things that they just want to remember later on. This is all well and good, but don’t forget that blogs aren’t just about code snippets and tutorials. Sometimes you need to share a bit about you and what you’re passionate about too. Take some time to sit and reflect on what you do on a daily basis and think about how knowing that process could help others. I’d encourage you to write not only code-related posts, but also keep the rest of the world up to date on the interesting things you’re doing. Nothing builds communities like people sharing more than just code.

Finally, I’d like to end this post jammed full of suggestions with one final challenge – get out there and share. My recommendations aside, if all you do is write up one or two posts this month (and keep going) with a few paragraphs each, I think the web would be a better place. Sharing knowledge is what it’s all about and if you discover something, no matter how small, you could be sharing exactly what someone needs. Remember, just because you think it’s simple, doesn’t mean someone new to the tech does….get out there and share!

Comment » | Community, PHP

Speaking at DPC12 & a Lone Star PHP Update

February 22nd, 2012 — 9:55am

Well, I’ve been a little lazy around here and haven’t posted since the beginning of the year. I figured I’d fix that by posting an update about a few things going on around here.

First off, since the schedule was just released, I’ll mention that I’ll be presenting at this year’s Dutch PHP Conference with three different sessions (well, kind of just two):

  • Agile Applications with ExtJS and Zend Framework
    ExtJS is an enterprise-level Javascript framework, the Zend Framework is one of the most powerful and flexible PHP frameworks to date – it’s a match made in heaven. I’ll introduce you to these two technologies and how to combine them into an easy to maintain, agile application that can move as fast as your project needs. I’ll show you how to build a sample application including a frontend MVC, REST backend and unit testing the result. (Tutorial)
  • The API Dilemma
    Creating a good, useful and functional API for your application can be one of the most difficult parts of a project. With more and more things becoming API-powered, it’s important to plan well and provide what the user expects. I’ll look at some principles you can follow to make sure the API you write is the right one, both from the developer perspective and what you, as a user, should expect of a quality web service API. (Session)
  • Agile Applications with ExtJS and Zend Framework
    ExtJS is an enterprise-level Javascript framework, the Zend Framework is one of the most powerful and flexible PHP frameworks to date – it’s a match made in heaven. I’ll introduce you to these two technologies and how to combine them into an easy to maintain, agile application that can move as fast as your project needs. I’ll show you how to build a sample application including a frontend MVC, REST backend and unit testing the result. (Session)

No, I didn’t repeat myself – the first session and the last session are on the same topics – they’re just different lengths. The tutorial on the first day will get more into coding and examples of ExtJS+ZF and the second shorter session will just give a high level overview of each tool and how they hook together. If you’re interested in the “guts” of an Ext-based app, you’d do better in the Tutorial.

Also, for those that don’t know me, I’m a co-organizer of the Dallas PHP User Group. Last year we decided to put on a local PHP-centric event and it was a great success. So, we’re back this year with the Lone Star PHP Conference 2012. We’ve just wrapped up our Call for Papers and are in the process of selecting the best fits for our schedule.

We’ll be announcing the schedule and opening the registration soon, so keep an eye out on the Lone Star PHP conference site for more updates!

Comment » | Community, PHP, Presentation

Top three posts of 2011

December 29th, 2011 — 3:11pm

With a nod to this post from Cal Evans, I’m presenting my own “Top Three” posts from 2011, in order of descending popularity:

  • I don’t understand the 9-to-5:
    This one is easily the top of the popularity list…thanks to another PHP community member, this one made the front page of Hacker News for a little while and received almost five thousand hits in a day. My poor little slice didn’t know what hit it. I scrambled to put up something – anything – to keep the site alive. Ultimately I ended up rendering a static version of the page to a buffer and manually refreshing it as new comments came in and were approved (39 of them!)

    The post was basically my views on developers who are genuinely interested in the work that they do and the ones that are more of the clock-in/clock-out coders that just “do the job”. There were tons of comments that both agreed and disagreed…and several that basically told me I needed to get a life or must not have kids (I have both, thankyouverymuch).

  • Process Oriented versus Product Driven:
    This post was actually a quote from an interesting book on architecture and some of the things the author had learned during his time in school. This particular nugget of wisdom shows the difference between letting your work drive you and, instead, learning how to drive and shape what you do into something even better.

  • How long is too long (for unit test names)?:
    This fun little post was a log of some tweets after I asked “how long is too long for a method name in a unit test”? It’s common to see things like “testValueIsValidInternalUrl” or “testUserCanExecuteTransaction” kinds of names so I wondered what other people’s experience with it was. One interesting point that came up was the use of “testdox” to translate out the name into something more readable.

These were just the most popular ones added in 2011…there’s a few others that were popular but were posted previously (like pdo+oracle and php+mq).

Hope your holidays were/are good and here’s to another great year of blogging and PHP community!

UPDATE: Besides Cal, other PHP community members are getting into the spirit – Matthew Turland, Joe Devon, Bradley Holt

1 comment » | Community, PHP

Back to top