SlideShare a Scribd company logo

ZendCon Security

P
philipo
Education
1 of 23
Download to read offline
State of PHP Security Ilia Alshanetsky ZendCon 2007 1
2
Reactive rather then proactive ✦ Depends entirely on people reporting issues ✦ Little done to audit existing code for security ✦ concerns Limited test-suit and tools to identify issues ✦ Design with features and not security in mind ✦ 3
The Consequences? Frustrated security researchers ✦ Bug reporters prompt for 0-day ✦ rather then responsible disclosure Bugs being solved and similar ones are being ✦ introduced in other areas of the code Security regressions and/or incomplete fixes ✦ 4
Solutions 5
Automated Code Analysis Improve quality of Coverity automated scanning by ✦ working together with Coverity team Fewer false positives ✦ More meaningful results ✦ Easy to identify real issues and deploy solutions ✦ Close attention being paid to scan results ✦ Until September 13th 2007 - No defects for 3 months Of 37 new issues identified - 30 resolved or identified as false positives in less then 10 days. 6
Test Suite Expansion More new tests ✦ # of Tests Write tests for resolved ✦ 4,000 security bugs to prevent 3,886 regressions 3,000 2,699 Focus more on corner cases ✦ 2,000 then common behavior 1,914 1,0001,250 Filter tests through ✦ valgrind 0 5.0 5.1 5.2 5.2.4 Focus on improving code ✦ http://gcov.php.net/ coverage 7
Use Fuzzing to Find Bugs Develop a series of tools to try and identify ✦ issues by generating bogus inputs and passing them to functions Overly long strings (1 MB and longer) ✦ Strings with “strange” characters ✦ embedded in them. (0x00, 0x0A, , etc…) Big integers 2^24 ✦ Bogus resources ✦ 8
Give Credit Where It is Due Give credit in release ✦ announcements & ChangeLog to people discovering security bugs Communicate more rapidly with people ✦ reporting security issues and be more open in terms of expected resolution Try to involve bug reporters in the resolution ✦ process 9
What did we fix? 10
Per-Release Security Fixes The big push in 5.2.0-5.2.1 ✦ was thanks to fuzzing performed by Stas, Tony 20 and myself. 19 15 15 5.2.0 - 5.2.2 resolved many ✦ 10 12 issues that were identified 10 by Stefan Esser as part of 5 M.O.P.B. 6 0 Contributions by many 5.2.0 5.2.1 5.2.2 5.2.3 5.2.4 ✦ different security researchers. 11
What were the problems? open_basedir and safe_mode bypasses ✦ A fair number of buffer and integer overflows ✦ Denial of service attacks by crashing PHP and ✦ subsequently a web-server thread Validator issues inside the newly added filter ✦ extension Several string format vulnerabilities ✦ 12
Exploitability Majority of the identified issues can only be ✦ triggered by a local user. The ones that are remote, require certain, not trivial to match conditions. However, it takes just one hostile local user ✦ on an shared server or a badly written script to turn a local exploit into a remote one! 13
Most Affected Areas String functions inside ext/standard ✦ Session, GD, mbstring, interbase, imap, ✦ filter, zip and ODBC extensions. File operations inside ext/standard ✦ mail() function ✦ SOAP and XMLRPC extension (remote ✦ exploit) 14
Security Enhancements Added internal heap protection to reduce ✦ consequences of buffer overflows Memory limit is now always enabled ✦ Filter extension was introduced and enabled ✦ by default Introduced allow_url_include setting that is ✦ disabled by default Added nesting limit on input arrays ✦ 15
What else is needed? 16
Get People to Upgrade 5.2.3 5.1.6 5.2.0 5.2.1 5.0.4 4.4.7 4.4.4 4.3.10 4.4.2 5.1.4 5.1.2 5.2.2 Other 4.4.6 4.3.11 Other Overall PHP 4 still comprises 77.72% of all installations Data provided by Damien Seguy 17
Improve Code Coverage As you saw from previous ✦ slides the number of tests had increased by nearly 200%. Conversely code coverage ✦ went up only by about 4% in the last year **The drop in coverage was caused by addition of new code through new extensions. 18
Manual Code Auditing More manual code auditing needs to be ✦ performed with a focus on security Newly added code (extensions, functions, ✦ etc…) needs to be examined for security as a criterial for inclusion Looks at all crash bugs as potential exploits ✦ until examination is done to prove otherwise 19
Better Communication Improve communication with Open Source ✦ distributions in respect to security fixes More informative news announcements in ✦ regard to security issues Better interaction with security researchers & ✦ encourage more people to look at PHP’s security 20
Rapid Release Cycle Release early, release often ✦ Micro-security releases PHP-X.X.X-s[N] ✦ 21
More security features Look at common challenges developers have ✦ when trying to develop secure PHP applications and provide tools, not automation (Ex. magic_quotes) to make it simpler 22
Thank you for listening Additional Resources: These slides - http://ilia.ws ๏ Test suite & code coverage results - http:// ๏ gcov.php.net Writing new tests & testing snapshots - ๏ http://qa.php.net/ PHP 5 ChangeLog - http://www.php.net/ ๏ ChangeLog-5.php 23

Recommended

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
Naxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxNaxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxPositive Hack Days
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CanSecWest
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 

Recommended

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
Naxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxNaxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxPositive Hack Days
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CanSecWest
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021Denis Zakharov
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CanSecWest
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8sDevOps Indonesia
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationVskills
 
2018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program- Session 52018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program- Session 5FRSecure
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
Docker security - OWASP Seasides
Docker security - OWASP SeasidesDocker security - OWASP Seasides
Docker security - OWASP SeasidesOWASPSeasides
 
Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Kymberlee Price
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Phpcompilerinternals 090824022750-phpapp02
Phpcompilerinternals 090824022750-phpapp02Phpcompilerinternals 090824022750-phpapp02
Phpcompilerinternals 090824022750-phpapp02philipo
 
PHP on Java (BarCamp London 7)
PHP on Java (BarCamp London 7)PHP on Java (BarCamp London 7)
PHP on Java (BarCamp London 7)Robin Fernandes
 

More Related Content

What's hot

Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CanSecWest
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8sDevOps Indonesia
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationVskills
 
2018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program- Session 52018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program- Session 5FRSecure
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
Docker security - OWASP Seasides
Docker security - OWASP SeasidesDocker security - OWASP Seasides
Docker security - OWASP SeasidesOWASPSeasides
 
Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Kymberlee Price
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 

What's hot (20)

Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8s
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP Misconfigurations
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer Certification
 
2018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program- Session 52018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program- Session 5
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real World
 
Docker security - OWASP Seasides
Docker security - OWASP SeasidesDocker security - OWASP Seasides
Docker security - OWASP Seasides
 
Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things!
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 

Viewers also liked

Phpcompilerinternals 090824022750-phpapp02
Phpcompilerinternals 090824022750-phpapp02Phpcompilerinternals 090824022750-phpapp02
Phpcompilerinternals 090824022750-phpapp02philipo
 
PHP on Java (BarCamp London 7)
PHP on Java (BarCamp London 7)PHP on Java (BarCamp London 7)
PHP on Java (BarCamp London 7)Robin Fernandes
 
PHP Day 2011 Quercus – PHP in JAVA
PHP Day 2011 Quercus – PHP in JAVAPHP Day 2011 Quercus – PHP in JAVA
PHP Day 2011 Quercus – PHP in JAVAQuang Anh Le
 
PHP, Under The Hood - DPC
PHP, Under The Hood - DPCPHP, Under The Hood - DPC
PHP, Under The Hood - DPCAnthony Ferrara
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesWilliam Lee
 

Viewers also liked (6)

Phpcompilerinternals 090824022750-phpapp02
Phpcompilerinternals 090824022750-phpapp02Phpcompilerinternals 090824022750-phpapp02
Phpcompilerinternals 090824022750-phpapp02
 
PHP on Java (BarCamp London 7)
PHP on Java (BarCamp London 7)PHP on Java (BarCamp London 7)
PHP on Java (BarCamp London 7)
 
PHP Day 2011 Quercus – PHP in JAVA
PHP Day 2011 Quercus – PHP in JAVAPHP Day 2011 Quercus – PHP in JAVA
PHP Day 2011 Quercus – PHP in JAVA
 
Cloud & PHP
Cloud & PHPCloud & PHP
Cloud & PHP
 
PHP, Under The Hood - DPC
PHP, Under The Hood - DPCPHP, Under The Hood - DPC
PHP, Under The Hood - DPC
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
 

Similar to ZendCon Security

Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateMahaut Gouhier
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
VMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...Mike Spaulding
 
Mitigate potential compliance risks
Mitigate potential compliance risksMitigate potential compliance risks
Mitigate potential compliance risksJürgen Brüder
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesNETWAYS
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
Virtual Data : Eliminating the data constraint in Application Development
Virtual Data : Eliminating the data constraint in Application DevelopmentVirtual Data : Eliminating the data constraint in Application Development
Virtual Data : Eliminating the data constraint in Application DevelopmentKyle Hailey
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentErika Barron
 
How to improve code quality for iOS apps?
How to improve code quality for iOS apps?How to improve code quality for iOS apps?
How to improve code quality for iOS apps?Kate Semizhon
 
Srikanth_testing resume
Srikanth_testing resumeSrikanth_testing resume
Srikanth_testing resumesrikanth Burra
 
SCADA Software or Swiss Cheese Software - CODE BLUE, Japan
SCADA Software or Swiss Cheese Software - CODE BLUE, JapanSCADA Software or Swiss Cheese Software - CODE BLUE, Japan
SCADA Software or Swiss Cheese Software - CODE BLUE, JapanSignalSEC Ltd.
 
VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017AgileNZ Conference
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 

Similar to ZendCon Security (20)

Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
VMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for Horizon
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
 
Mitigate potential compliance risks
Mitigate potential compliance risksMitigate potential compliance risks
Mitigate potential compliance risks
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelines
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
 
Virtual Data : Eliminating the data constraint in Application Development
Virtual Data : Eliminating the data constraint in Application DevelopmentVirtual Data : Eliminating the data constraint in Application Development
Virtual Data : Eliminating the data constraint in Application Development
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to Development
 
How to improve code quality for iOS apps?
How to improve code quality for iOS apps?How to improve code quality for iOS apps?
How to improve code quality for iOS apps?
 
Srikanth_testing resume
Srikanth_testing resumeSrikanth_testing resume
Srikanth_testing resume
 
SCADA Software or Swiss Cheese Software - CODE BLUE, Japan
SCADA Software or Swiss Cheese Software - CODE BLUE, JapanSCADA Software or Swiss Cheese Software - CODE BLUE, Japan
SCADA Software or Swiss Cheese Software - CODE BLUE, Japan
 
VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 

Recently uploaded

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 

Recently uploaded (20)

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 

ZendCon Security

  • 1. State of PHP Security Ilia Alshanetsky ZendCon 2007 1
  • 2. 2
  • 3. Reactive rather then proactive ✦ Depends entirely on people reporting issues ✦ Little done to audit existing code for security ✦ concerns Limited test-suit and tools to identify issues ✦ Design with features and not security in mind ✦ 3
  • 4. The Consequences? Frustrated security researchers ✦ Bug reporters prompt for 0-day ✦ rather then responsible disclosure Bugs being solved and similar ones are being ✦ introduced in other areas of the code Security regressions and/or incomplete fixes ✦ 4
  • 6. Automated Code Analysis Improve quality of Coverity automated scanning by ✦ working together with Coverity team Fewer false positives ✦ More meaningful results ✦ Easy to identify real issues and deploy solutions ✦ Close attention being paid to scan results ✦ Until September 13th 2007 - No defects for 3 months Of 37 new issues identified - 30 resolved or identified as false positives in less then 10 days. 6
  • 7. Test Suite Expansion More new tests ✦ # of Tests Write tests for resolved ✦ 4,000 security bugs to prevent 3,886 regressions 3,000 2,699 Focus more on corner cases ✦ 2,000 then common behavior 1,914 1,0001,250 Filter tests through ✦ valgrind 0 5.0 5.1 5.2 5.2.4 Focus on improving code ✦ http://gcov.php.net/ coverage 7
  • 8. Use Fuzzing to Find Bugs Develop a series of tools to try and identify ✦ issues by generating bogus inputs and passing them to functions Overly long strings (1 MB and longer) ✦ Strings with “strange” characters ✦ embedded in them. (0x00, 0x0A, , etc…) Big integers 2^24 ✦ Bogus resources ✦ 8
  • 9. Give Credit Where It is Due Give credit in release ✦ announcements & ChangeLog to people discovering security bugs Communicate more rapidly with people ✦ reporting security issues and be more open in terms of expected resolution Try to involve bug reporters in the resolution ✦ process 9
  • 10. What did we fix? 10
  • 11. Per-Release Security Fixes The big push in 5.2.0-5.2.1 ✦ was thanks to fuzzing performed by Stas, Tony 20 and myself. 19 15 15 5.2.0 - 5.2.2 resolved many ✦ 10 12 issues that were identified 10 by Stefan Esser as part of 5 M.O.P.B. 6 0 Contributions by many 5.2.0 5.2.1 5.2.2 5.2.3 5.2.4 ✦ different security researchers. 11
  • 12. What were the problems? open_basedir and safe_mode bypasses ✦ A fair number of buffer and integer overflows ✦ Denial of service attacks by crashing PHP and ✦ subsequently a web-server thread Validator issues inside the newly added filter ✦ extension Several string format vulnerabilities ✦ 12
  • 13. Exploitability Majority of the identified issues can only be ✦ triggered by a local user. The ones that are remote, require certain, not trivial to match conditions. However, it takes just one hostile local user ✦ on an shared server or a badly written script to turn a local exploit into a remote one! 13
  • 14. Most Affected Areas String functions inside ext/standard ✦ Session, GD, mbstring, interbase, imap, ✦ filter, zip and ODBC extensions. File operations inside ext/standard ✦ mail() function ✦ SOAP and XMLRPC extension (remote ✦ exploit) 14
  • 15. Security Enhancements Added internal heap protection to reduce ✦ consequences of buffer overflows Memory limit is now always enabled ✦ Filter extension was introduced and enabled ✦ by default Introduced allow_url_include setting that is ✦ disabled by default Added nesting limit on input arrays ✦ 15
  • 16. What else is needed? 16
  • 17. Get People to Upgrade 5.2.3 5.1.6 5.2.0 5.2.1 5.0.4 4.4.7 4.4.4 4.3.10 4.4.2 5.1.4 5.1.2 5.2.2 Other 4.4.6 4.3.11 Other Overall PHP 4 still comprises 77.72% of all installations Data provided by Damien Seguy 17
  • 18. Improve Code Coverage As you saw from previous ✦ slides the number of tests had increased by nearly 200%. Conversely code coverage ✦ went up only by about 4% in the last year **The drop in coverage was caused by addition of new code through new extensions. 18
  • 19. Manual Code Auditing More manual code auditing needs to be ✦ performed with a focus on security Newly added code (extensions, functions, ✦ etc…) needs to be examined for security as a criterial for inclusion Looks at all crash bugs as potential exploits ✦ until examination is done to prove otherwise 19
  • 20. Better Communication Improve communication with Open Source ✦ distributions in respect to security fixes More informative news announcements in ✦ regard to security issues Better interaction with security researchers & ✦ encourage more people to look at PHP’s security 20
  • 21. Rapid Release Cycle Release early, release often ✦ Micro-security releases PHP-X.X.X-s[N] ✦ 21
  • 22. More security features Look at common challenges developers have ✦ when trying to develop secure PHP applications and provide tools, not automation (Ex. magic_quotes) to make it simpler 22
  • 23. Thank you for listening Additional Resources: These slides - http://ilia.ws ๏ Test suite & code coverage results - http:// ๏ gcov.php.net Writing new tests & testing snapshots - ๏ http://qa.php.net/ PHP 5 ChangeLog - http://www.php.net/ ๏ ChangeLog-5.php 23