Mini-Security Site Proposal (see phptherightway.com)


Pádraic Brady

Sep 6, 2012, 9:18:56 AM9/6/12
to se...@googlegroups.com
I've been considering a few ideas for mini-projects - something that takes a few minutes to contribute to as opposed to many hours (which not everyone can spare). In trying to raise security awareness in programmers' minds there are a few larger projects in motion but these will always suffer from TL;DR complaints. Even a well received book will be frowned at I have no doubt.

The phptherightway.com site offers one example of a mini-project. A single-paged site with condensed information on best practice in PHP. I'd like to propose adding it as a deliverable (see earlier topic).

Since it's as small as it sounds, I can set up the repo at the weekend to get the ball rolling. I've created a phpsectg organisation on Github so it's easier to add anyone here interested in reviewing future PRs: https://github.com/organizations/phpsectg

The floor is open for site name suggestions (check if a domain is available too!). If interested, please vote +1/-1 and any ideas/comments.

Paddy

Jesper Jarlskov

Sep 6, 2012, 10:04:20 AM9/6/12
to se...@googlegroups.com
I really like the idea. If it's actually possible to get useful information out in this short format it will be great, god knows PHP developers could benefit from an increased focus on security.
Regarding the name, it's possible to follow the naming scheme of phptherightway.com; both securephptherightway.com and phpsecuritytherightway.com are available.

+1

Jesper Jarlskov

Sky Gunning

Sep 6, 2012, 10:17:50 AM9/6/12
to se...@googlegroups.com
It's nice to have more languages also!
(I can help with French.)

I like the idea and I'm willing to help along a bit if I can.

I already found myself updating my Auth class just by reading this group.
I like it :)

Regards.

Sky

Chris Cornutt

Sep 6, 2012, 10:18:55 AM9/6/12
to se...@googlegroups.com
Why not just work with them and make a security.phptherightway.com instead? I'm fine with having another domain for it, but imho it'd fit better with the already popular phptherightway project that way. It doesn't have to be contained in the same project repo...subdomains and all.

-chris

--
Senior Editor
PHPDeveloper.org
ccor...@phpdeveloper.org
@enygma

Pádraic Brady

Sep 6, 2012, 11:28:50 AM9/6/12
to se...@googlegroups.com
Independence for one, but I also tried contributing security summaries to phptherightway already - check the o/s PRs for one of mine. It was blocked by a couple of minor terminology objections and hasn't moved since. I have no objections if a subdomain is preferred by others however! I could ask Phil or someone if we want to take that route.

Paddy

Chris Cornutt

Sep 6, 2012, 12:02:23 PM9/6/12
to se...@googlegroups.com
I'm a +1 for the subdomain, personally. I'd rather present a unified front for best practices, even if it's two different projects combined under the same banner. Templates are pretty easy to duplicate ;)

-chris

Jeremy Hutchings

Sep 6, 2012, 12:25:18 PM9/6/12
to se...@googlegroups.com
security.php.net would be nice ;) 

Though they have some bits at : http://php.net/manual/en/security.php

Pádraic Brady

Sep 6, 2012, 2:07:19 PM9/6/12
to se...@googlegroups.com
Hey Chris,

I'll grab one of the guys and run it past them.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team

Kamil Węgrzynowicz

Sep 7, 2012, 5:00:23 AM9/7/12
to se...@googlegroups.com
I really like the idea of such simple/small website. So I vote +1 for that. As for domain, it doesn't matter for me, but it should be easy to remember.
I also like the idea of internationalization (+1), and I'm ready to contribute any Polish translations.


BR,
Kamil Węgrzynowicz

Mario Bittencourt

Sep 7, 2012, 9:37:55 AM9/7/12
to se...@googlegroups.com
Hi,

+1 here.

The problem is to present security in a way that the novice does not feel scared and moves to more "advanced" stuff (like UTF-* conversion) gradually.

Pádraic Brady

Sep 7, 2012, 6:47:40 PM9/7/12
to se...@googlegroups.com
Hi all,

Just a short note that I made contact with Josh Lockhart (creator of
the Slim Framework) who operates phptherightway.com and he appears
enthusiastic about having a secure.phptherightway.com sub site. He'll
be responding in more detail over the weekend so I guess we now appear
to have found a good home for the mini-site!

Paddy

Chris Cornutt

Sep 7, 2012, 6:54:46 PM9/7/12
to se...@googlegroups.com

Excellent news :) I'm very excited about getting this rolling
-chris

Pádraic Brady

Sep 10, 2012, 3:37:28 AM9/10/12
to se...@googlegroups.com, se...@googlegroups.com
As am I! Josh was busy over the weekend but will respond at length late today his time - I'll let everyone here know what that is but I'd suggest willing contributors start considering what kind of highlights or organisation this site should have.

Also, unless we have any objections, the voting so far has been positive so I guess this is our first adopted deliverable from SECTG!

Now, please don't make me write it all by myself ;).

Paddy

Mario Bittencourt

Sep 10, 2012, 7:32:35 AM9/10/12
to se...@googlegroups.com
Hi,

Do we have an outline of the topics?  This way I think will be easier to start contributing, at least for me.

- Mario

Chris Cornutt

Sep 10, 2012, 11:43:43 AM9/10/12
to se...@googlegroups.com
Yeah, I agree...that'd make it easier if anyone else wants to come through and pick up a section (people with more knowledge on other subjects too).
I know it seems tired, but there's a lot of "usual" topics that could be covered at first...

-chris

Pádraic Brady

Sep 10, 2012, 1:50:21 PM9/10/12
to se...@googlegroups.com
Hey all,

In terms of a starting point, here's the OWASP Top 10 Security Risks.
You will recognise many a familiar face ;).
https://www.owasp.org/index.php/Top_10_2010-Main

I would suggest using those risks as guiding categories since
addressing them would itself cover a lot of ground. We should probably
focus on some basic pattern to what we write. e.g.

Preventing Cross-Site Scripting [the Goal]
What is Cross-Site Scripting? [the Intro]
Cross-Site Scripting Example [the..er..Example]
Recommended Defenses [list any rules, recommendations, pitfalls]
Further Reading [links to additional information/examples - esp.
useful libraries]

From experience this is a loose pattern - some topics need a little
bit more granularity, others require less, and above all else we need
to be economical with our words so users can scan through all this
rapidly - if we find ourselves expanding too much, it might be better to
link to something more comprehensive and then get to the point quickly.

Once we have something to actually edit - let's also perhaps reserve
a section via an email here or a [WIP] PR on Github to prevent
duplication of effort.

Any thoughts?

Paddy
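To make the proposed Goal / Intro / Example / Recommended Defenses pattern concrete, here is an added example of what the "Example" and "Recommended Defenses" parts of a Cross-Site Scripting entry might show in PHP. It is not code from this thread or from the eventual site; the helper name escape_html and the sample payloads are assumptions, and it needs PHP 5.4 or later for the ENT_SUBSTITUTE and ENT_HTML5 flags.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.4 (ENT_SUBSTITUTE, ENT_HTML5).
declare(strict_types=1);

// The Example: a query parameter reflected straight into HTML.
// A request such as ?q="><script>alert(1)</script> runs in the victim's browser.
function vulnerable_search_box(string $q): string
{
    return '<input name="q" value="' . $q . '">';
}

// Recommended Defense: escape at the output boundary, for the context you emit into.
// ENT_QUOTES also escapes single quotes (so value='...' attributes are covered),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the explicit charset keeps the encoder and the page agreeing on what a byte means.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function hardened_search_box(string $q): string
{
    return '<input name="q" value="' . escape_html($q) . '">';
}

// Pitfall: the default flags before PHP 8.1 are ENT_COMPAT, which leaves the single
// quote untouched, so a single-quoted attribute can still be broken out of.
function partially_escaped_search_box(string $q): string
{
    return "<input name='q' value='" . htmlspecialchars($q) . "'>";
}

// Constructed sample payloads for a quick demonstration on the command line.
$attributeBreakout = "' onfocus='alert(1)' autofocus='";
echo vulnerable_search_box('"><script>alert(1)</script>'), "\n"; // script tag injected
echo partially_escaped_search_box($attributeBreakout), "\n";     // new attributes injected
echo hardened_search_box($attributeBreakout), "\n";              // payload is inert text
```

Run it with `php xss_example.php` and compare the three lines: only the hardened version leaves the payload as literal attribute text. The point for the "Recommended Defenses" list is that the flags and charset matter as much as calling the function at all.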

Pádraic Brady

Sep 11, 2012, 3:09:27 PM9/11/12
to se...@googlegroups.com
Hi all,

We have a green light from Josh! Just one final decision (let me know
your preference):

secure.phptherightway.com OR
security.phptherightway.com

Both seem to have advantages/disadvantages. We might be able to get a
301 redirect from the loser to the winner should there be any
confusion.

I'll look into getting the barebones layout in place at the weekend
(if anyone wants to beat me to it, please do - I'll create the
repository and add you to the phpsectg organisation on Github for
commit privs). We should have something minimal building successfully
for GH's jekyll before the subdomain can be switched on.

Any questions for myself or to pass to Josh?

Paddy

Jonathan Sundquist

Sep 11, 2012, 3:13:34 PM9/11/12
to se...@googlegroups.com
Although I mainly joined this mailing list in order to follow along and get some tips, personally I would be doing a search for "php security" more often than "securing php". With that in mind I would vote for security.phptherightway.com. Just food for thought.

Sky Gunning

Sep 11, 2012, 3:16:43 PM9/11/12
to se...@googlegroups.com
security !

looking forward to be able to help along when i can

Gunning Sky

Ryan Chouinard

Sep 11, 2012, 6:51:59 PM9/11/12
to se...@googlegroups.com
+1 for security.phptherightway.com.

To me, secure.phptherightway.com just sounds like the SSL version of the site.

Chris Cornutt

Sep 12, 2012, 4:10:49 AM9/12/12
to se...@googlegroups.com
Agreed...+1 for "security" from me
-chris

Kamil Węgrzynowicz

Sep 12, 2012, 11:05:07 AM9/12/12
to se...@googlegroups.com
I also vote for "security". I share the same feeling about "secure" as Ryan Chouinard.

BR
Kamil Węgrzynowicz

Mark Nielsen

Sep 12, 2012, 11:19:00 AM9/12/12
to se...@googlegroups.com

Jeremy Hutchings

Sep 12, 2012, 11:54:42 AM9/12/12
to se...@googlegroups.com
+1 security

Pádraic Brady

Sep 12, 2012, 1:16:23 PM9/12/12
to se...@googlegroups.com
Looks like we have a runaway winner ;)

Paddy

Evan Coury

Sep 12, 2012, 7:12:01 PM9/12/12
to se...@googlegroups.com
Not that it matters at this point, but put me down as another +1 for "security". 

Yes, I lurk here too. ;)

(Re-post from the web interface... It didn't detect the quoted text from my top-post in Gmail, sorry!)

wlfrm

Sep 13, 2012, 1:18:38 AM9/13/12
to se...@googlegroups.com

Ryan Chouinard

Sep 24, 2012, 3:31:59 PM9/24/12
to se...@googlegroups.com
So uh... we haven't run out of steam already, have we? Any progress on getting a mini-site established? Do we have any ideas/proposals for managing editing rights and content review?

Chris Cornutt

Sep 24, 2012, 4:24:05 PM9/24/12
to se...@googlegroups.com
Well, I think we have two things pending right now:

1) the addition of the hostname to the phptherightway.com project (Paddy?)
2) the outlining of the topics (the OWASP Top Ten was suggested)
3) the delegation of the writing
4) the setup of the github repo

If we get enough in the way of immediate volunteers for the writing, we can get started on that - I'm happy to dole out topics :)

Any takers? :)

Here's the list to help you along:
1) Injection
2) XSS
3) Broken Auth/Session Management
4) Insecure direct object references
5) CSRF
6) Security misconfiguration
7) Insecure Crypto Storage
8) Unrestricted URL access
9) Bad transport layer protection
10) Unvalidated redirects/forwards

-chris

Pádraic Brady

Sep 25, 2012, 1:57:59 PM9/25/12
to se...@googlegroups.com
:P

Not at all, I needed to spend some time with my Mockery library since
it needs a little maintenance and new feature love. Then I got
distracted playing Kerbal Space Program which made me realise that
space travel is damn hard. Then I got distracted about SSL issues in
Composer which need to be fixed. Then... Suffice it to say, I've just
been busy.

FYI - for those interested in SSL security for PHP there have been
seismic movements recently for the language's built-in SSL support
(e.g. when using sockets or file_get_contents() instead of CURL).
There's a PHP patch in the works (to support proper peer
verification), Ralph Schindler has proposed building in CA cert file
paths into the openssl extension on PHP Internals just today (not
provided by default so verifying an SSL connection is sort of hard)
and Evan Coury has a new SSLurp library on Github with some other
handy features as a result of Evan, Kevin McArthur (resident
Peerjacking expert) and I digging into Composer's security.

Raising the profile of PHP Security does have positive outcomes.

I was also kept busy for a few days (I think the topic topped out at
100+ emails) fielding questions and, er, the usual nonsense on PHP
Internals for my Escaper RFC to PHP Core (it will hit PECL in the near
future and hopefully make it into PHP 5.5).

Yes, busy...:P. The website is on my list to get bootstrapped in a
few days so once the weekend hits it should be open for PRs.

Paddy
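For the stream-based clients the message above refers to (file_get_contents() and friends rather than cURL), here is an added example of turning peer verification on explicitly through a stream context. It is not code from this thread, from the PHP patch mentioned, or from SSLurp. The CA bundle path is an assumption (the thread's own point is that PHP did not ship one), and the example assumes PHP 7 or later: on PHP 5.3 to 5.5 verify_peer defaults to false, which is exactly the gap described, and verify_peer_name/peer_name only exist from 5.6 (CN_match before that).

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 and a readable CA bundle
// at the path below (assumption: the Debian/Ubuntu location; adjust for your system).
declare(strict_types=1);

const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

// Build a stream context that refuses unverified or mismatched peers.
function secure_https_context(string $cafile, string $expectedHost)
{
    if (!is_readable($cafile)) {
        throw new RuntimeException("CA bundle not readable: $cafile");
    }
    return stream_context_create([
        'ssl' => [
            'verify_peer'         => true,          // validate the chain against $cafile
            'verify_peer_name'    => true,          // certificate must match $expectedHost
            'peer_name'           => $expectedHost,
            'cafile'              => $cafile,
            'allow_self_signed'   => false,
            'verify_depth'        => 5,
            'disable_compression' => true,          // TLS compression (CRIME) off
        ],
    ]);
}

// Fetch over HTTPS and fail loudly instead of silently talking to an impostor.
function https_get(string $url, string $cafile = CA_BUNDLE): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException("Expected an https:// URL, got: $url");
    }
    $body = @file_get_contents($url, false, secure_https_context($cafile, $host));
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

// Before: no context at all. On PHP <= 5.5 the certificate is never checked, so a
// man-in-the-middle presenting any certificate is accepted.
// $body = file_get_contents('https://packagist.org/packages.json');

// After: verification is explicit and a bad chain or wrong hostname throws.
// $body = https_get('https://packagist.org/packages.json');
```

The two commented calls at the bottom are the "before" and "after" a site entry on transport layer protection could show side by side. Pointing cafile at a bundle you actually maintain is the part that is easy to forget, and the reason the CA-path proposal mentioned above matters.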

Pádraic Brady

Sep 25, 2012, 2:00:23 PM9/25/12
to se...@googlegroups.com
Hi Chris,

Agreed. Folk can start writing pieces now and add them as PRs at the
weekend. The domain will be created for us when we have sufficient
material in Github to warrant its publication. Making a splash with a
reasonable set of content is better than leaping early with an empty
page!

Paddy