Security in the LAMP stack
an overview of web-related security
... and why this is important
1. The necessity of security
What happens when a website is hacked?
What are the consequences?
What are the costs?
Why is security an issue?
Websites built with languages like PHP, Python or
Perl may contain security flaws
Hacked websites are the result
and that costs money
How easy is it?
You don't have to be an expert to break in
"Script kiddies" use automated tools
Rising number of website defacements
More websites lacking security measures
More script kiddies
Break-in analysis is mandatory !! (1)
* Make sure it does NOT happen again
* What did the hacker accomplish?
* What's the damage?
Break-in analysis is mandatory !! (2)
Possible difficulties due to lack of evidence:
* Removed by the hacker himself
* Removed in the panic at the time of discovery
!! DO NOT PANIC !!
The costs depend on how far the hacker got:
* Restore of data
* Analysis of the hack
* Professional security audits
* Hidden costs (e.g. damage to the business image),
difficult to quantify
Break-in prevention is like costly insurance:
Adequate security costs time and money,
but doing nothing may cost a lot more!
2. What needs to be secured?
Which parts of the IT infrastructure
need to be secured?
Where is security an issue?
* Public website
* CRM application
* Financial applications
A public website runs on a web server:
Operating system (Linux, Windows)
Web server application (Apache, IIS)
Database application (MySQL, Microsoft SQL Server)
Website itself (HTML, JS, PHP, Perl, Python, ASP, JSP)
Open source webserver
Linux/BSD operating system
Joomla, Drupal, SugarCRM, Symfony
Open source = safe?
Is open source more secure than closed source?
* Continuous reviews by the community
Example: vulnerabilities in Linux are discovered and fixed sooner
than vulnerabilities in MS Windows
But only if the community is large enough
Mixing open and closed source
* Difficult to make them fit together
Example: Apache on Windows is hard to optimize for security
due to restrictions in the Windows kernel code
* Difference in security review
Vulnerabilities in closed source code are hard for
the public to trace (but the blackhat hacker
always finds a way)
Linux operating system
Linux or Windows or OpenBSD?
Web server security is different from file server security
"Out of the box" equals "unsafe"
The default configuration is not good enough
A separate "jail" for each website
Configuration of PHP options
PHP web application (1)
* PHP settings
register_globals off: request parameters must never become variables
open_basedir to jail your site (set it per virtual host)
Safe Mode is of the past: it was deprecated in PHP 5.3 and removed in 5.4, never rely on it
secure tmp, upload and session paths (not world-writable, not shared between sites)
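An added example, not part of the original slides: a PHP CLI script that shows the classic register_globals failure (an attacker pre-setting a variable through the query string) next to the hardened version, and then audits the php.ini options named on the slide through ini_get(). The credential check, the request data and the "expected" hardened values are assumptions made for the demo; the audit also checks display_errors and allow_url_include, which the slide does not list.

```php
<?php
// Added example, not from the original slides.
// With register_globals=On every request parameter became a PHP variable
// before the script ran, so ?is_admin=1 pre-set $is_admin. The option was
// removed in PHP 5.4, but extract($_REQUEST) recreates the same hole.

function check_login(array $post): bool {
    // Hypothetical credential check, only for the demo.
    return ($post['user'] ?? '') === 'alice' && ($post['pass'] ?? '') === 's3cret';
}

function vulnerable_is_admin(array $request): bool {
    extract($request);                 // same effect as register_globals=On
    if (check_login($request)) {
        $is_admin = true;
    }
    return !empty($is_admin);          // may have been filled in by the attacker
}

function hardened_is_admin(array $request): bool {
    $is_admin = false;                 // always initialise, never extract()
    if (check_login($request)) {
        $is_admin = true;
    }
    return $is_admin;
}

// Audit of the php.ini options from the slide. The expectations below are my
// assumptions for a hardened shared host; open_basedir is normally set per
// virtual host (php_admin_value in the Apache vhost) to jail each site.
function audit_php_settings(): array {
    $findings = [];
    $on = fn(string $key) => filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);

    if ($on('register_globals')) {     // ini_get() returns false on PHP >= 5.4
        $findings[] = 'register_globals is On';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set: scripts may read the whole filesystem';
    }
    foreach (['upload_tmp_dir', 'session.save_path'] as $key) {
        $parts = explode(';', (string) ini_get($key));   // "N;/path" form on some distros
        $path  = end($parts);
        if ($path === '') {
            $findings[] = "$key is not set: falls back to the shared system temp dir";
        } elseif (is_dir($path) && (fileperms($path) & 0002)) {
            $findings[] = "$key ($path) is world-writable";
        }
    }
    if ($on('display_errors')) {
        $findings[] = 'display_errors is On: errors leak paths to visitors';
    }
    if ($on('allow_url_include')) {
        $findings[] = 'allow_url_include is On: remote file inclusion is possible';
    }
    return $findings;
}

// Demo with a constructed request: wrong password, but is_admin=1 supplied.
$attack = ['user' => 'mallory', 'pass' => 'wrong', 'is_admin' => '1'];
var_dump(vulnerable_is_admin($attack));
var_dump(hardened_is_admin($attack));
print_r(audit_php_settings());
```

Run it with the PHP CLI: the vulnerable function grants admin to the failed login because extract() let the request supply $is_admin, the hardened one does not, and the audit lists every setting on this host that is still at its "out of the box" value.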
PHP web application (2)
* Always use the most recent (stable) version
* Be careful with 3rd-party extensions
* Monitor your website
"My website is not interesting enough"
(automated tools don't care how interesting a site is)
"My website is complex, so an exploit is hard to find"
"And if my website gets hacked, it's not that bad"
PHP security (1)
Cross-Site Scripting / Cross-Site Request Forgery
PHP variable injection (untrusted input ending up in SQL queries, includes or eval)
Authentication issues (cookies, sessions)
PHP security (2)
Weaknesses in AJAX (AJAX endpoints need the same input and output checks)
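An added example, not from the original slides, covering the problems on the "PHP security" slides: XSS, CSRF, variable injection into SQL and session handling, each as the unsafe pattern next to the fix. The CSRF check is the same one an AJAX endpoint would apply to a token sent in a header. The SQLite in-memory table and the inputs are constructed for the demo; the function names are my own.

```php
<?php
// Added example, not from the original slides. Only PHP built-ins are used.

// 1) Cross-Site Scripting: escape on output, for the context where it lands.
function render_comment_unsafe(string $c): string {
    return "<p>$c</p>";                            // attacker HTML runs in the visitor's browser
}
function render_comment(string $c): string {
    return '<p>' . htmlspecialchars($c, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 2) Cross-Site Request Forgery: a per-session secret that a foreign site
//    cannot read, compared in constant time. An AJAX endpoint validates the
//    same token taken from a request header or the JSON body.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}
function csrf_valid(array $session, ?string $submitted): bool {
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

// 3) Variable injection into SQL: concatenation vs. a prepared statement.
function find_user_unsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}
function find_user(PDO $db, string $name): array {
    $st = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// 4) Authentication: cookie flags, strict mode and a fresh session id after
//    login, so a session id planted before login (fixation) is worthless.
function secure_session_start(): void {
    session_set_cookie_params([                        // array form needs PHP >= 7.3
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');           // reject ids the server never issued
    session_start();
}
function on_login_success(int $userId): void {
    session_regenerate_id(true);                       // new id, old one destroyed
    $_SESSION['user_id'] = $userId;
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$payload = "' OR '1'='1";                              // classic injection input
echo count(find_user_unsafe($db, $payload)), " rows from the concatenated query\n";
echo count(find_user($db, $payload)), " rows from the prepared statement\n";

echo render_comment_unsafe('<script>alert(1)</script>'), "\n";
echo render_comment('<script>alert(1)</script>'), "\n";

$session = [];
$token = csrf_token($session);
var_dump(csrf_valid($session, $token), csrf_valid($session, 'forged'));

if (PHP_SAPI !== 'cli') {                              // cookies only exist under a web server
    secure_session_start();
}
```

Under the CLI the concatenated query returns every row of the table for the injection payload while the prepared statement returns none, the escaped comment arrives as inert text, and only the genuine token passes the CSRF check. The session helpers run under a web server; the point there is that both the cookie flags and session_regenerate_id() are set by the application, not by the default configuration.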
"Myths" among hosting providers
PHP Safe Mode is enough (it never was a security boundary, and it is gone from PHP)
Using register_globals is easy (easy for the attacker as well)
3. What are we going to do?
Which practical steps
need to be taken
to get security in order?
Levels of activity
technical: logs, code review
human: security news, mailing lists, e-mail advisories
Remain AWARE of all the risks
Stay up to date
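An added example, not from the original slides, for the "technical: logs" activity and the earlier "Monitor your website" item: a PHP CLI script that reads Apache combined-format access log lines and flags the kinds of requests a script kiddie's tools produce (path traversal, XSS and SQL injection probes, remote-include attempts, repeated failed logins). The log lines are constructed for the demo, the pattern list and the threshold are my own starting point, not a complete signature set.

```php
<?php
// Added example, not from the original slides. Constructed log lines in
// Apache combined format; the IP ranges are documentation addresses.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0200] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 890 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0200] "GET /news.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "curl/7.88"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0200] "POST /admin/login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0200] "POST /admin/login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0200] "POST /admin/login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:13 +0200] "POST /admin/login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
LOG;

// Patterns are matched against the URL-decoded path and query string.
const PATTERNS = [
    'path traversal' => '~\.\.[/\\\\]~',
    'xss probe'      => '~<script|javascript:|onerror\s*=~i',
    'sql injection'  => '~\b(union\s+select|or\s+1\s*=\s*1|sleep\s*\()|--\s*$~i',
    'remote include' => '~(php://|data:|https?://)~i',
];
const LOGIN_FAIL_THRESHOLD = 3;        // failed logins per client before alerting

function parse_line(string $line): ?array {
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'url' => rawurldecode($m[4]), 'status' => (int) $m[5]];
}

function scan_log(string $log): array {
    $alerts = [];
    $failedLogins = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {             // a line the parser does not understand is itself worth a look
            $alerts[] = ['ip' => '?', 'reason' => 'unparseable line', 'url' => $line];
            continue;
        }
        foreach (PATTERNS as $name => $re) {
            if (preg_match($re, $r['url'])) {
                $alerts[] = ['ip' => $r['ip'], 'reason' => $name, 'url' => $r['url']];
            }
        }
        if ($r['method'] === 'POST' && strpos($r['url'], 'login') !== false && $r['status'] === 401) {
            $failedLogins[$r['ip']] = ($failedLogins[$r['ip']] ?? 0) + 1;
        }
    }
    foreach ($failedLogins as $ip => $n) {
        if ($n >= LOGIN_FAIL_THRESHOLD) {
            $alerts[] = ['ip' => $ip, 'reason' => "$n failed logins (brute force?)", 'url' => ''];
        }
    }
    return $alerts;
}

foreach (scan_log(SAMPLE_LOG) as $a) {
    printf("%-14s %-28s %s\n", $a['ip'], $a['reason'], $a['url']);
}
```

Point scan_log() at the contents of a real access_log (file_get_contents or a pipe from tail) to run it on a live site; the decoded URL matters, since the probes in the sample arrive percent-encoded and would slip past patterns applied to the raw line. A 200 status on a traversal request, as in the second sample line, is the case that calls for the break-in analysis from the first part of these slides.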
What are the risks?
What can you lose?
How often is security an issue?
What is happening in the security scene?
Keep yourself posted on security issues
New updates bring new risks, but
skipping updates leaves known holes open
Prevention is better than cure
Security has to be on the list continuously
Next week your website may
already be hacked ...
Security starts today !