Opinions on PHP Security Software

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


vanguard
Forum Newbie
Posts: 13
Joined: Mon Jan 11, 2010 9:10 am

Opinions on PHP Security Software

Post by vanguard »

Hello,
I am currently developing a security panel written in PHP for improving the security of PHP-driven websites and web applications. At the moment I am trying to gather opinions on the ideas I have had and generally get feedback from the PHP developer community as to whether this idea should and could come to fruition as a business idea.

I have a few questions I would like to pose to you, with the aim that I can tailor the software to best suit the needs of developers with regards to creating additional security for their websites. Any and all feedback is welcome, and I appreciate any comments you might want to offer on my ideas.

The questions I would like to ask are:
- Would you be willing to buy this software in order to provide your website with additional protection against hackers, spammers and malware?
- What features would you like to see in such an application? (I have a number of ideas already, including GET, POST and FILES variable filtering, Email scrambling with javascript decoding, and mysql emulation for test-bed creation, but I would like to see what features active PHP developers would like to see.)
- Would you want access to an API for creating new modules, creating hooks in the existing modules, etc? If so, what functions would you want to be available to you through this?
- What price do you feel is fair for this form of protection? If you feel that this project should be nothing but FOSS, I'd like to hear your opinion on this.
- Any additional comments are more than welcome.

Thank you for reading this, I am looking forward to hearing opinions on this as I have been building the concept for quite some time.

Alex
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Opinions on PHP Security Software

Post by Christopher »

What is a "security panel" and how will it improve "the security of PHP-driven websites and web applications"?
vanguard
Forum Newbie
Posts: 13
Joined: Mon Jan 11, 2010 9:10 am

Re: Opinions on PHP Security Software

Post by vanguard »

Ah, sorry for not explaining the concept very well. What will happen when you install my software is it will install itself to a directory and provide an interface for managing "security modules" that implement different protective mechanisms on the website. By automatically including a PHP file from this system into admin-chosen pages on the website, the panel will provide flexible widgets for a variety of functions. I have listed a few of my ideas below, to show the general idea of the software:

- Signature-based detection of attacks such as SQL injection and XSS using regular expressions (similar functionality to http://www.phpids.org)
- MySQL emulation for use in testing MySQL queries
- Scrambling emails on the server side and unscrambling them client side to protect against spam crawlers

I have quite a few more ideas, but if I put this into proper development then modules will be added continually to meet clients' requirements and thus I can implement these ideas when required.

I hope that clears up what my software will do, if you want me to elaborate on particular elements then I will be happy to do so.

Thanks,
Alex
vanguard
Forum Newbie
Posts: 13
Joined: Mon Jan 11, 2010 9:10 am

Re: Opinions on PHP Security Software

Post by vanguard »

Surely someone has an opinion on this idea? Even if it's just "I don't think the idea is very good", I'd much rather know whether there is a market for the idea I'm developing than be standing in the dark.

Thanks,
Alex
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Opinions on PHP Security Software

Post by alex.barylski »

I think my biggest issue with something like this, would be integration.

Security is something that must be done at very specific times during execution. For instance it would make no sense to escape input using mysql_real_escape_string() in the context of an action controller or pre-dispatch. It has to be done in the DAL/TDG, as there the context makes perfect sense.

How do you integrate your security modules into all my modules? My applications are built as a series of layers, starting with my framework (front controller) which dispatches to an action controller, which creates a model which creates a gateway to a specific data store, also a view (sometimes) which initializes a template (sometimes).

So you have templates and gateways as the lowest level and which is where most security exploits occur.

While you could escape input in one place (right in the index.php) using a loop over the GPC data, this is definitely a hack and not elegant code. I would rather see it done individually (despite the increase in SLOC) within the specific gateways. It's explicit and very easy to quickly check for security loopholes. Every day I run a custom script which basically checks my gateways to ensure every parameter is properly escaped. Any human error in missing a step is caught automatically. I'm working on something very similar for templates as well (I use PHP alternative syntax, although I am gradually switching over to Smarty).

There are other exploits than XSS and SQLi, such as header poisoning (or whatever it's called -- I am no security expert, I am only moderately familiar with exploits). Each of which can be addressed by hooking into various parts of my framework and application. For instance I have a plugin for preventing CSRF exploits, which when installed protects all forms by -- at least to my knowledge.

The problem with your security modules (as I see it) is again, integration. How would they integrate effectively and elegantly into my source? You would have to implement adapters to match my interfaces and various extension points. Otherwise you would be relying on very hackish techniques, such as including the file.

I need more details on how your system would work before I comment any further. From what I understand of the problems and your proposed solution, I don't think I would pursue it.

p.s-Rockin name dude (urbandictionary.com: Someone that is of extreme greatness. Often considered as a god in some religions. Also means cool) :P

Cheers,
Alex
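The contrast drawn above, between escaping everything in a loop over the GPC data in index.php and escaping inside the gateway where the SQL context is known, as an added example. This is not the poster's framework or his checking script; it assumes PHP 7.4+ with the pdo_sqlite extension so that it runs stand-alone on an in-memory database, and the class and function names are invented for illustration.

```php
<?php
// Added example (not the poster's code). Assumes PHP 7.4+ and pdo_sqlite.

// 1. The "loop over GPC data in index.php" approach: escape everything up front.
//    It knows nothing about context: addslashes-style escaping does not stop XSS
//    in HTML output, and it corrupts legitimate data that is later bound safely.
function escapeAllInput(array $input): array
{
    $out = [];
    foreach ($input as $k => $v) {
        $out[$k] = is_array($v) ? escapeAllInput($v) : addslashes((string) $v);
    }
    return $out;
}

// 2. The gateway approach: the Table Data Gateway binds its own parameters, so
//    the escaping happens exactly where the SQL context is known.
final class UserGateway
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    }

    public function insert(string $name): int
    {
        $stmt = $this->pdo->prepare('INSERT INTO users (name) VALUES (:name)');
        $stmt->execute([':name' => $name]); // the value never becomes part of the SQL text
        return (int) $this->pdo->lastInsertId();
    }

    public function findByName(string $name): ?array
    {
        $stmt = $this->pdo->prepare('SELECT id, name FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// 3. Output escaping belongs in the template, with the HTML context in mind.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$users = new UserGateway($pdo);

// Constructed request data standing in for $_POST.
$post = ['name' => "Susanne O'Sullivan <script>alert(1)</script>"];

// Blanket escaping: the stored name now carries a literal backslash (the gateway
// bound it as data), and the script tag survives because addslashes is not HTML-aware.
$blanket = escapeAllInput($post);
$users->insert($blanket['name']);
var_dump($users->findByName("Susanne O\\'Sullivan <script>alert(1)</script>") !== null); // bool(true): corrupted

// Gateway binding: the apostrophe is stored as typed and found as typed.
$users->insert($post['name']);
var_dump($users->findByName($post['name']) !== null); // bool(true)

// Template: escape for HTML at the point of output, not at the point of input.
echo '<p>' . h($post['name']) . "</p>\n";
// <p>Susanne O&#039;Sullivan &lt;script&gt;alert(1)&lt;/script&gt;</p>
```

The point a reviewer would check in each gateway is that every value reaches the query through a bound parameter and never through string concatenation; the blanket loop cannot be checked that way because it runs far from the query it is supposed to protect.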
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Opinions on PHP Security Software

Post by kaisellgren »

vanguard wrote: - Would you be willing to buy this software in order to provide your website with additional protection against hackers, spammers and malware?
The question you asked is way too broad. Personally I don't need software to "fix" my code, but for most people it depends on the software / cost ratio. They would need to ask themselves: is it worth spending the money on the software, or should they hire someone else to secure their site?
vanguard
Forum Newbie
Posts: 13
Joined: Mon Jan 11, 2010 9:10 am

Re: Opinions on PHP Security Software

Post by vanguard »

Hi, sorry I did not reply earlier, I thought I was not going to get a response. Thanks for the comprehensive replies.

In response to your concerns PCSpectra, I completely agree, simply escaping the input would lead to disaster in some application or another. I can appreciate that developers may use wildly different formats for receiving input, as well as different structures for programming. This is why I intend to tread very delicately when writing this software. However, the base idea behind the main module (the IDS/firewall segment) is that many types of exploit can be profiled by looking at arrangements of keywords. For example, someone entering a name like Susanne O'sullivan could cause a query error, but at the same time is not malicious. However, input like the following is likely to be malicious: ' AND 1=0 UNION ALL SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLE--

Of course not all exploits are so obvious, which is why there would be multiple layers to this protection. Concepts I am currently playing with are scrubbing errors to prevent detection combined with alerting the administrator, statistically profiling the input of users to detect whether a particular user's actions seem suspicious, actively adjusting the reliability of a particular "attack signature" on a particular page depending on the quantity of users triggering the alarm, and other similar ideas. All modules would be activated at the beginning and/or end of execution of a particular page, using .htaccess options and php functions. This way they should be able to simply look at the raw input a user is providing as well as the output the page is generating, without having to fit into the developer's systems.
**EDIT**
This may seem like a hacky method, but the intention is to be both unobtrusive and to work across a wide range of systems. It also runs a lot faster than if the control panel were to integrate itself deeply into the system, and doing so might make it difficult to remove as well as cause quite a steep overhead.

Also, the name came from the military term for a squad that scouts ahead of the main unit, and I intend to register it as part of my business name :)

In response to your comment kaisellgren, I understand that it is definitely a broad question, which is why getting developers' opinions is so important for me. I do intend to offer various solutions for different levels of customer, to support different groups' needs (active support for enterprise clients, email support for SMBs, regular updates for all). From experience I've had and companies I've researched, I know that security consultants could charge anything from $200 to $20,000 to fix all holes in a medium-sized website, so the price a company/individual might be willing to pay for data security can vary wildly. Of course my software would not guarantee protection, but it could act as both a deterrent and a measure against web application attacks. For those who do own websites that have been hacked using common methods like SQLi and RFI, or are not so confident about their website's security, this sort of software may be a valuable investment. These are the types of people I would like to reach, and I do not want to price my potential product out of the market, which is why I am asking the opinions of other developers as to what price they personally feel is fair. This way I can get a feel for the general opinion of developers when it comes to security and paid-for software, as well as a rough price guide for later reference.

Thanks again both of you, I really appreciate the input you have provided.

Vanguard
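The signature-based IDS/firewall module described in the poster's first reply and elaborated above (regex signatures over the raw input, the O'Sullivan false-positive case versus the UNION SELECT payload, activation before the page runs via .htaccess, scrubbed errors plus an alert), as an added example. This is not the poster's product; it assumes Apache with mod_php so that `auto_prepend_file` can be set from .htaccess, and the rule weights, threshold and function names are invented for illustration rather than taken from PHPIDS.

```php
<?php
// Added example (not the poster's software). Loaded before the application via
// .htaccess (assumed Apache + mod_php):
//
//   php_value auto_prepend_file /path/to/ids_prepend.php
//
// so it sees the raw GET/POST/COOKIE data without touching the application's code.

// Weighted signatures. Weights are illustrative, not PHPIDS's rule set.
const IDS_RULES = [
    ['/\bunion\b\s+(all\s+)?\bselect\b/i',                8, 'sql union select'],
    ['/\binformation_schema\b/i',                        6, 'schema enumeration'],
    ['/(\'|")\s*(and|or)\s+\d+\s*=\s*\d+/i',             5, 'boolean tautology'],
    ['/--\s*$|\/\*.*\*\/|;\s*(drop|delete|update)\b/is', 4, 'comment or stacked query'],
    ['/<\s*script\b|on\w+\s*=\s*["\']?\s*\w/i',          7, 'script tag or event handler'],
    ['/javascript\s*:/i',                                5, 'javascript: URI'],
];

const IDS_THRESHOLD = 6; // a single low-weight hit is logged, not blocked

function idsScore(string $value): array
{
    $score = 0;
    $hits  = [];
    foreach (IDS_RULES as [$pattern, $weight, $label]) {
        if (preg_match($pattern, $value)) {
            $score += $weight;
            $hits[] = $label;
        }
    }
    return [$score, $hits];
}

// Walk nested arrays (name[]=...) so a payload cannot hide one level down.
function idsScan(array $request): array
{
    $findings = [];
    $walk = function ($value, string $path) use (&$walk, &$findings) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $walk($v, $path . '[' . $k . ']');
            }
            return;
        }
        [$score, $hits] = idsScore((string) $value);
        if ($score > 0) {
            $findings[$path] = ['score' => $score, 'hits' => $hits];
        }
    };
    foreach ($request as $source => $params) {
        $walk($params, $source);
    }
    return $findings;
}

// Log every hit for the administrator; block only above the threshold so that an
// apostrophe in a legitimate name is recorded rather than rejected.
function idsHandle(array $findings): bool
{
    $blocked = false;
    foreach ($findings as $path => $f) {
        error_log(sprintf('ids: %s score=%d hits=%s', $path, $f['score'], implode(',', $f['hits'])));
        if ($f['score'] >= IDS_THRESHOLD) {
            $blocked = true;
        }
    }
    return $blocked;
}

// Constructed request data standing in for $_GET and $_POST.
$request = [
    'POST' => ['name' => "Susanne O'Sullivan"], // benign apostrophe: score 0, passes
    'GET'  => ['id'   => "' AND 1=0 UNION ALL SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--"],
];

$findings = idsScan($request); // GET[id] scores 23 (union, information_schema, tautology, comment)
if (idsHandle($findings)) {
    // Scrub the response so the attacker learns nothing, and stop before the page runs.
    http_response_code(403);
    echo "Request rejected.\n";
    exit;
}
```

Because the filter only sees raw input, it cannot know which parameter ends up in a query and which in an HTML attribute; that is the trade-off alex.barylski raised, and it is why the threshold and logging matter more than any single signature.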