Dip Your Toes in the Sea of Security (PHP Cambridge)
James Titcumb
1.
Dip Your Toes in the Sea of Security
James Titcumb, PHP Cambridge, 28th January 2015
2.
Who is this guy?
James Titcumb
www.jamestitcumb.com
www.protected.co.uk
www.phphants.co.uk
www.phpsouthcoast.co.uk
@asgrim
3.
Some simple code...
    <?php
    $a = (int)$_GET['a'];
    $b = (int)$_GET['b'];
    $result = $a + $b;
    printf('The answer is %d', $result);
4.
The Golden Rules
5.
The Golden Rules (my made up golden rules)
6.
1. Keep it simple
7.
2. Know the risks
8.
3. Fail securely
9.
4. Don’t reinvent the wheel
10.
5. Never trust anything
11.
OWASP & the OWASP Top 10
https://www.owasp.org/
12.
Application Security (mainly PHP applications)
13.
Always remember… Filter Input, Escape Output
14.
SQL Injection (#1)
http://xkcd.com/327/
15.
SQL Injection (#1)
1. Use PDO / mysqli
2. Use prepared / parameterized statements
16.
SQL Injection (#1)
    <?php
    // user_id=1; DROP TABLE users; --
    $user_id = $_GET['user_id'];
    $sql = "SELECT * FROM users WHERE user_id = {$user_id}";
    $db->execute($sql);
✘
17.
SQL Injection (#1)
    <?php
    $user_id = $_GET['user_id'];
    $sql = "SELECT * FROM users WHERE user_id = :userid";
    $stmt = $db->prepare($sql);
    // PDO binds by placeholder name; the value travels as data, never as SQL text
    $stmt->bindValue(':userid', $user_id);
    $stmt->execute();
✓
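The difference between slides 16 and 17 made observable, as an added example that is not from the talk: the same lookup done by string interpolation and by a bound parameter, run against an in-memory SQLite database with constructed rows. The function names and the sample data are assumptions made here.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides). Builds a throwaway SQLite database so the
// two query styles can be compared offline without a real MySQL server.
function buildDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data.
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users (user_id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
    return $db;
}

/** Slide-16 style: the untrusted value becomes part of the SQL text. */
function findUserInterpolated(PDO $db, string $userId): array
{
    $sql = "SELECT user_id, email FROM users WHERE user_id = {$userId}";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Slide-17 style: the untrusted value is sent as data and never parsed as SQL. */
function findUserBound(PDO $db, string $userId): array
{
    $stmt = $db->prepare('SELECT user_id, email FROM users WHERE user_id = :userid');
    $stmt->bindValue(':userid', $userId, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDatabase();
// Constructed hostile input, as it might arrive in $_GET['user_id'].
$hostile = '1 OR 1=1';

// Interpolated: the WHERE clause is rewritten to "user_id = 1 OR 1=1" and every row comes back.
$rows = findUserInterpolated($db, $hostile);
printf("interpolated: %d row(s)\n", count($rows));

// Bound: the literal string '1 OR 1=1' is compared against user_id, so nothing matches.
$rows = findUserBound($db, $hostile);
printf("bound: %d row(s)\n", count($rows));

// A genuine id still works through the bound version.
$rows = findUserBound($db, '2');
printf("bound, id 2: %s\n", $rows[0]['email'] ?? '(no row)');
```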
18.
exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
19.
eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
20.
Cross-Site Scripting / XSS (#3)
21.
Cross-Site Scripting / XSS (#3)
● Escape output
    <?php
    $unfilteredInput = '<script type="text/javascript">...</script>';
    // Unescaped - JS will run :'(
    echo $unfilteredInput;
    // Escaped - JS will not run :)
    echo htmlspecialchars($unfilteredInput, ENT_QUOTES, 'UTF-8');
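Slide 21 covers the HTML-body case; output also lands in attributes, inline scripts and URLs, and each context needs its own encoder. The helpers below are an added example written for this page, not code from the talk, and their names (escHtml, escJs, escUrlParam) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): one encoder per output context.

/** HTML body text and double-quoted attribute values. */
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * A value embedded in inline JavaScript: emit it as a JSON string literal with
 * the characters that could close a <script> block or break out of the string
 * hex-encoded. JSON_THROW_ON_ERROR needs PHP 7.3+.
 */
function escJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** A value placed in one URL query-string component. */
function escUrlParam(string $value): string
{
    return rawurlencode($value);
}

// Constructed hostile input, as it might arrive from $_GET['name'].
$name = '</script><script>alert(1)</script>" onmouseover="alert(2)';

// HTML body: the tags are rendered as text, not parsed as markup.
echo '<p>Hello, ' . escHtml($name) . "</p>\n";

// Attribute value: quotes are encoded, so the attribute cannot be closed early
// and the injected onmouseover never becomes an attribute.
echo '<input type="text" name="name" value="' . escHtml($name) . "\">\n";

// Inline script: < and > become \u003C and \u003E, so the emitted string can
// never contain a literal </script> that would end the block.
echo '<script>var name = ' . escJs($name) . ";</script>\n";

// URL inside an attribute: percent-encode for the URL, then HTML-encode for the
// attribute, because the value passes through both contexts in that order.
echo '<a href="/profile?name=' . escHtml(escUrlParam($name)) . "\">profile</a>\n";
```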
22.
Cross-Site Request Forgery / CSRF (#8)
23.
Cross-Site Request Forgery / CSRF (#8)
    <?php
    if (!$isPost) {
        // Token from the CSPRNG (random_bytes, PHP 7+) rather than mt_rand()
        $csrfToken = bin2hex(random_bytes(32));
        $_SESSION['csrf_token'] = $csrfToken;
        // ... output the form ...
        echo '<input type="hidden" name="csrf_token" value="' . $csrfToken . '" />';
    } else {
        $expected = $_SESSION['csrf_token'] ?? '';
        $given = is_string($_POST['csrf_token'] ?? null) ? $_POST['csrf_token'] : '';
        // Refuse when no token was issued; compare in constant time, not with !=
        if ($expected === '' || !hash_equals($expected, $given)) {
            die("Token invalid...");
        }
        // ... handle the form ...
    }
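The slide-23 pattern carried a little further, as an added example that is not from the talk: a per-form token with an expiry, generated from random_bytes(), checked with hash_equals(), and accepted only once. The CsrfGuard class and the array standing in for $_SESSION are assumptions made here.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides). The $storage array plays the role of
// $_SESSION so the walk-through runs from the command line.
final class CsrfGuard
{
    private const TTL_SECONDS = 3600;

    /** @var array<string, array{token: string, expires: int}> */
    private array $storage;

    public function __construct(array &$storage)
    {
        $this->storage = &$storage;
    }

    /** Issue a fresh token for one named form and remember it server-side. */
    public function issue(string $formName): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $this->storage[$formName] = [
            'token'   => $token,
            'expires' => time() + self::TTL_SECONDS,
        ];
        return $token;
    }

    /** Hidden input for the form; the token is HTML-escaped like any other output. */
    public function field(string $formName): string
    {
        $token = htmlspecialchars($this->issue($formName), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="csrf_token" value="' . $token . '">';
    }

    /** Present, unexpired, equal in constant time, and usable exactly once. */
    public function validate(string $formName, ?string $submitted): bool
    {
        $stored = $this->storage[$formName] ?? null;
        unset($this->storage[$formName]);      // one token, one submission
        if ($stored === null || $submitted === null || $stored['expires'] < time()) {
            return false;
        }
        return hash_equals($stored['token'], $submitted);
    }
}

// Constructed walk-through: a GET that renders the form, then a POST that submits it.
$session = [];
$guard = new CsrfGuard($session);

$html = $guard->field('delete_account');
preg_match('/value="([0-9a-f]+)"/', $html, $m);
$tokenFromPage = $m[1];

var_dump($guard->validate('delete_account', $tokenFromPage));        // the genuine submission
var_dump($guard->validate('delete_account', $tokenFromPage));        // the same token sent again
var_dump($guard->validate('delete_account', str_repeat('0', 64)));   // a token that was never issued
```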
24.
Errors, Exceptions & Logging (#6)
25.
curl + https
    <?php
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
✘
26.
curl + https
    <?php
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
✓
27.
WordPress
28.
WordPress
Urgh.
29.
We are not security experts!
30.
We are not security experts!
… but we CAN write secure code
31.
Think Differently
Be the threat
32.
Think Differently
What do you want?
33.
Think Differently
How do you get it?
34.
Threat Modelling
D.R.E.A.D.
35.
Authentication & Authorization
36.
Authentication
Verifying Identity
37.
CRYPTOGRAPHY IS HARD
38.
CRYPTOGRAPHY IS HARD
NEVER EVER “ROLL YOUR OWN”
39.
CRYPTOGRAPHY IS HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!
40.
Case Study: Custom Authentication
We thought about doing this…
41.
Case Study: Custom Authentication
We thought about doing this…
42.
Case Study: Custom Authentication
We thought about doing this… ✘
43.
Password Hashing
password_hash()
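What slide 43 points at in working form, as an added example that is not from the talk: password_hash() on registration, password_verify() on login, and password_needs_rehash() so hashes stored under an older cost are upgraded the next time the user logs in. The $users array and the function names are assumptions standing in for a real user store.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides). Current hashing policy, applied on
// registration and used to detect records that need upgrading.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

function registerUser(array &$users, string $email, string $password): void
{
    // password_hash() generates and embeds the salt; nothing to store separately.
    $users[$email] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Returns true only for a known user with the right password. On success, a
 * hash made under weaker parameters than the current policy is recomputed.
 */
function loginUser(array &$users, string $email, string $password): bool
{
    // Verify against a real hash even for unknown users, so the response time
    // does not reveal whether the account exists.
    $storedHash = $users[$email] ?? password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (isset($users[$email]) && password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        // The plaintext is only available at login, so this is the moment to upgrade.
        $users[$email] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return isset($users[$email]);
}

// Constructed walk-through.
$users = [];
// A legacy record hashed with a lower cost than the current policy.
$users['old@example.com'] = password_hash('correct horse', HASH_ALGO, ['cost' => 10]);
registerUser($users, 'new@example.com', 'battery staple');

$before = $users['old@example.com'];
var_dump(loginUser($users, 'old@example.com', 'correct horse'));   // right password, legacy hash
var_dump($users['old@example.com'] !== $before);                   // the stored hash changed
var_dump(loginUser($users, 'old@example.com', 'wrong'));           // wrong password
var_dump(loginUser($users, 'nobody@example.com', 'anything'));     // unknown user
```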
44.
Authorization
Verifying Access
45.
Linux Server Security
46.
Create an SSH Fortress
47.
Firewalls
48.
IPTABLES
    #!/bin/bash
    IPT="/sbin/iptables"
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Inbound traffic
    $IPT -A INPUT -p tcp --dport ssh -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    # Outbound traffic
    $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -m state
49.
Mitigate Brute Force Attacks
50.
Install Only What You Need
51.
Case Study: Be Minimal
(diagram labels: Internets, Postfix, Squid Proxy (badly configured), hacker, spam)
52.
Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/
53.
The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone
54.
If you follow all this, you get...
55.
If you follow all this, you get...
56.
Questions?
57.
James Titcumb
@asgrim
Thanks for watching!