A Stefan Klopp Weblog

OSEVENTS (PHP West) PHP & Open Source Security Conference

Yesterday I attended the PHP & Open Source Security Conference put on by OSEVENTS (formerly PHP West) at the HR MacMillan Space Centre here in Vancouver. I was very much looking forward to this conference as lately I have been working on making security a much bigger issue in the code I am writing.

The first talk of the day was by Bruce Perens about security in open source development in general. We entered the conference room and Bruce was already up on the stage talking. He hadn’t started his presentation yet, but was spending the time talking about an issue that seemed very important to him: software patenting. Perens painted a very grim picture of how archaic patent laws, if (or when) applied to software, will end up supporting big corporations and literally kill small/medium business as well as open source development. I will write more on the patent issues at a later time.

After everyone was registered and settled into the conference room, Perens began his first talk regarding security in open source. He talked about some of the good things the open source community has going for it, such as “many eyes”, a commitment to fixing problems rather than hiding them, and the ability for organizations to make the changes they need themselves.

One of the biggest issues Bruce brought up during his talk was the communication of information. The problem is that people within the community often lack the skills to communicate information to non-technical people. This is a problem in several respects, because it often sends the non-technical user to other sources which often have wrong information, or causes the media to report on things they don’t fully understand and often over-sensationalize. One way to combat this is for people within the community who can write and communicate well to use their ability and share their knowledge. He thinks that this needs to be done on more than just blogs and advocates writing editorials or letters to the editor.

In Perens’ eyes another major problem in open source development that needs attention is that of tracking the identity of the people writing the code on open source projects. Perens thinks that in the future it is very possible for larger corporations to plant senior developers on open source projects in an attempt to sabotage the project and make it look bad in the media’s eyes. In our current development paradigm this is a real threat, Perens explained, because the identity of the developers writing the code is unknown. A solution to this that Perens helped implement at Debian was that all developers had to digitally sign their code whenever they checked it in. Whenever there was a meet-up of Debian developers they would then share their driver’s license and passport information with the other developers to prove their identity. In this way they were able to link identities to all of their developers and link them to their signatures, so if there was ever a major exploit or back door programmed into the code they would have a direct link to the person who programmed it and would be able to prosecute them swiftly.

While Perens’ talk was not PHP specific, I still quite enjoyed it. He brought up several issues I hadn’t really paid attention to in the past and other issues I wasn’t even aware of. Perens also impressed me with his vast knowledge of open source in general.

Next to talk was Christian Wenz from Germany. His talk was titled “New Trends in Web Hacking”. Christian began by going over some older security problems that still face many PHP applications, such as Cross Site Scripting (XSS) and SQL injection, and the importance of protecting against these attacks. He then went on to talk about new problems that are arising, such as blog spamming. Christian made good use of code examples to quickly show how these hacking attempts were being performed. Christian obviously knew a lot about the subject matter and gave a good talk. I was a little disappointed, however, that his talk was only 45 minutes. It seemed a bit rushed to me and it didn’t really give him time to talk in depth about solutions to the problems, but rather had him saying things like “This is bad.” and moving on. One thing that I really enjoyed about Christian was his sense of humor; it reminded me a little of Cal Henderson’s humor during his talk at the web services conference. One of Christian’s funniest jokes of the day was when he showed us how people are baiting users to pass text CAPTCHAs for them by promising ‘hardcore XXX porn’. “Because I hear when people are up late at night and are bored they like to surf for porn. So I have heard.” Too funny.

Lunch was served after Christian’s talk. It was a basic sandwich lunch, which I suppose sufficed. Actually the bread they had was excellent. I was, however, a little disappointed with the lack of anything else. They could have at least provided cookies, juice and other such snacks to round off the meal. Regardless, the sandwiches were good.

After lunch the next speaker was Chris Shiflett, someone I really looked forward to hearing. His talk was titled “PHP Security Audit HOWTO” and was a practical guide on how to perform in-house security audits on other team members’ code. Chris started by talking about the two most important things a PHP developer should do, and that is to Filter Input and Escape Output. This is something Chris talks about very often on his blog and he reiterated its importance here. Below is a summary of key points I thought were interesting:

  • When filtering input never modify invalid data to make it valid. A whitelist approach should be used (reject everything except what is explicitly specified).
  • You should never trust what is in $_SERVER.
  • Escaped output should never have to be undone. If it does it means you have done something wrong.
  • Some key things to turn off in your php.ini file: register_globals, allow_url_fopen, display_errors, magic_quotes.
  • When conducting an audit, follow the process of finding where input happens (such as form data), then determine where output occurs (database interaction, output to HTML). Use the input as the starting point of your audit, then trace your way back to where those variables are defined. When you find where the variables are defined you can then determine if they have been properly filtered/escaped before being used or output. Other things to watch out for are error suppression and dynamic includes (make sure the variable is clean).
  • Cookies should not be trusted.
  • Only include files in your document root that you want accessible by a URL.
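To make the “Filter Input, Escape Output” points above concrete, here is a small form handler written for this post (it is not code from Shiflett’s talk or the original post). The $submissions array is constructed sample input standing in for $_POST, and the in-memory SQLite table is a hypothetical stand-in for a real database.

```php
<?php
// Added example: whitelist filtering on the way in, escaping only at the point
// of output, and a prepared statement for the database "output".
declare(strict_types=1);

// Whitelist filter: return the validated value or null. Invalid data is
// rejected as-is, never "repaired" into something that passes.
function filterAge(mixed $raw): ?int {
    $opts = ['options' => ['min_range' => 0, 'max_range' => 150]];
    $age = filter_var($raw, FILTER_VALIDATE_INT, $opts); // plain integer string only
    return $age === false ? null : $age;
}

function filterEmail(mixed $raw): ?string {
    if (!is_string($raw) || strlen($raw) > 254) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Escape for the HTML context at the point of output. The stored value stays
// raw, so the escaping never has to be undone later.
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: one valid, one hostile.
$submissions = [
    ['age' => '34',       'email' => 'alice@example.com'],
    ['age' => '34; DROP', 'email' => '<script>alert(1)</script>@example.com'],
];

$pdo = new PDO('sqlite::memory:'); // hypothetical stand-in for the real database
$pdo->exec('CREATE TABLE users (email TEXT, age INTEGER)');

foreach ($submissions as $post) {
    $age   = filterAge($post['age'] ?? null);
    $email = filterEmail($post['email'] ?? null);
    if ($age === null || $email === null) {
        echo 'rejected: ' . escapeHtml(json_encode($post)) . "\n"; // no repair attempted
        continue;
    }
    // Database output: a bound parameter, so the value never becomes SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (email, age) VALUES (:email, :age)');
    $stmt->execute([':email' => $email, ':age' => $age]);
    // HTML output: escape at the boundary, not when storing.
    echo '<p>Registered ' . escapeHtml($email) . "</p>\n";
}
```

Running it stores and echoes the first submission and prints a single "rejected" line for the second, since neither the age nor the email of the hostile record passes the whitelist.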

Chris’s talk was very helpful and practical. It reiterated a lot of the security practices I have read about in the past and made me feel pretty good about the code I have been writing lately. I found Chris to be a very good public speaker; his talk was organized and complete and he explained things clearly and thoroughly. Mostly, though, I was blown away by his vast knowledge of security in general; he has a very strong grasp on security from both a theoretical and a practical standpoint. I think Chris’s talk alone made this conference worthwhile for me.

Following Chris Shiflett at a conference dedicated to PHP security is a very difficult thing to do. The next person to speak was Tom Robinson, a freelance developer from Vancouver. Tom took the stage, didn’t do much to introduce himself, and sort of mumbled that the other speakers had already talked about a lot of what he was going to say. He then started to open up browser windows without much explanation and started to show HTTP headers and the information being passed between the web server and the user. Again with only a few words here and there, he started to show how to turn off things like the PHP signature on the web server or change your scripts from .php extensions to something like .html. Basically security through obscurity, something the previous three speakers had all advocated against. Within the first 5 minutes of his talk he had already received an excellent comment about this and its effectiveness. After a few more minutes of this mind-numbing presentation I decided to leave. This may have been rude of me and maybe I didn’t give him enough of a chance, but in my opinion this guy did not belong at this conference. It was a little disappointing to have 1 hour of this conference wasted when someone like Christian could have used it to talk more in depth.

So after spending an hour outside in the sun we came in to hear the last speaker, Chris Hubbard, talk about Data Validation in PHP. Hubbard had a very well researched presentation and explained the many ways in which to validate input. He showed us several examples of validation, and the difference between simple checks (is it an integer?) and more complex checks (is this a valid email address?). He showed us examples of several third-party applications that can be used for data validation and how they could be used. He also made it very clear that when using any type of third-party application one should be cautious about trusting it, and that you should really know what it does before you use it.

I really liked the way Chris Hubbard used real-world examples of why data validation is so important and what can happen when you don’t validate data properly. He had a very strong presentation and obviously knew a lot about his subject matter. One thing that pissed me off during his presentation was that Tom (see above, Stefan walking out) started to be very vocal and asked some pretty stupid questions. It was almost like he realized his presentation had bombed and he wanted to sabotage Chris’s talk. At one point Chris was talking about regular expressions and Tom commented “That top one looks really good actually!”. What was funny is that Chris had just stated that the top regular expression was the worst of the three. Anyway, these interruptions only made me dislike this Tom guy even more.

After Chris Hubbard’s presentation the day was finished with an open forum with all of the speakers. I asked the first question, about the best way to store credit card numbers if you really have to. After the expected “don’t” responses, I got some good answers on ways to protect the information by using mcrypt, or even just storing the last 4 digits and possibly a hash of the credit card, or even just using a third party to handle that type of information. After the speakers brought up that a third party could be used, a guy from Victoria became very vocal (very reminiscent of Tom earlier) about his company and what a good company they were. Basically his company handles the credit cards for you and thus you never have to store them. For the rest of the forum he continued to chime in about what his company was doing. Anyway, after a few more questions about related issues the talk then swung to software patenting and the future. Bruce Perens was very bleak regarding the future, and really made it clear that action needs to be taken to fight these patents.

I am glad I attended this event. I was a bit disappointed, however, with some of the co-ordination and the additional costs of the conference in comparison with what was offered at the previous conference. I was also disappointed to hear that additional conferences held by OSEVENTS would no longer be PHP specific but rather open source events. While Vancouver has a need for open source events, I find that there was a real opportunity and a solid niche to fill with PHP-specific conferences. I don’t think it would be hard to come up with new topics or to fill events specifically on PHP. I hope this new direction by OSEVENTS will still maintain its core supporters (those from the PHP community) by having a heavy PHP contingent in upcoming conferences.

3 comments

1 S.S. Intrepid » Blog Archive » Shiflett’s slides are now available { 06.13.05 at 6:24 pm }

[...] The slides from Chris Shiflett’s talk at PHP West have been posted. Also, another review of PHP Wes [...]

2 Myron { 06.13.05 at 10:41 pm }

Nice summary. “Very vocal” is a nice way of putting it about that credit card guy though. Even now, two days later, the words that have stuck in my mind from that conference are, “We’re in bed with Bank of Montreal!”

Anyway, interesting how software patents are kind of mum in Canada, isn’t it? I wonder what the current state of the issue here is….

3 CHaN { 06.13.05 at 11:52 pm }

Gah, I’m so ashamed that very vocal guy was from Victoria.
