PHP SA 2013 - The weak points in our PHP projects
Uploaded by xsist10
The weak points in our PHP projects: Are your dependencies getting you down?
1.
The weak points in our systems
Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013

2.
Copyright © 2012 Clickatell. All rights reserved.
About me
– Senior developer for Clickatell
– Work remotely from Grahamstown in the Eastern Cape
– I like to break things

3.
The bare minimum we SHOULD be doing
– Preventing SQL injection and sanitizing user input
– Email and cellphone verification
  • Mitigate social engineering against the support team
– Salting and using strong hashing for passwords
  • As of PHP 5.5, www.php.net/password will make this trivial
– Forgotten password resets done by email link
– Use OAuth or OpenID
– Two factor authentication
  • High risk data
  • Premium support verification
  • Off-site staff authentication method

4.
What the blogs haven't warned us about
No coder is an island. We all rely on:
– 3rd party libraries
– Frameworks
  • Symfony
  • Zend
– CMS packages
  • Joomla!
  • Wordpress
– E-Commerce software
  • osCommerce
  • Magento
– CRM software
  • SugarCRM

5.
So... time to come clean... I've done it too
Perception
– Using a version of Smarty without vulnerabilities (3.1.12)
Reality
– 4 versions of Smarty.
– Version 2.6.26 with 11 Vulnerabilities (7 critical)
– Version 2.6.28 with 12 Vulnerabilities (7 critical)
– Version 2.6.11 with 12 Vulnerabilities (7 critical)
The other three were dependencies of another front end system.
Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005).
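The gap between perception and reality on this slide comes from vendored copies nobody inventoried. The following scanner is an added example, not from the talk or from Clickatell: it walks a code base, finds every Smarty.class.php, reads the version marker out of each copy and flags those below the version the team believed it was running. It assumes Smarty 2.x declares `var $_version = '...';` and Smarty 3.x declares `const SMARTY_VERSION = 'Smarty-...';`; the four-copy tree it scans is constructed inline to mirror the slide.

```python
import os
import re
import tempfile
# Constructed fixture mirroring the talk: one copy believed current (3.1.12) plus three older
# copies vendored elsewhere. Assumed markers: Smarty 2.x `var $_version`, 3.x `const SMARTY_VERSION`.
SAMPLE_TREE = {
    "lib/Smarty/Smarty.class.php": "<?php\nclass Smarty { const SMARTY_VERSION = 'Smarty-3.1.12'; }\n",
    "frontend/includes/smarty/Smarty.class.php": "<?php\nclass Smarty { var $_version = '2.6.26'; }\n",
    "frontend/admin/lib/Smarty.class.php": "<?php\nclass Smarty { var $_version = '2.6.28'; }\n",
    "frontend/legacy/Smarty.class.php": "<?php\nclass Smarty { var $_version = '2.6.11'; }\n",
}
VERSION_PATTERNS = [
    re.compile(r"\$_version\s*=\s*'([\d.]+)'"),                 # Smarty 2.x marker (assumed)
    re.compile(r"SMARTY_VERSION\s*=\s*'(?:Smarty-)?([\d.]+)'"),  # Smarty 3.x marker (assumed)
]

def parse_version(source):
    """Version string embedded in a Smarty.class.php, or None if no marker is recognised."""
    matches = (pattern.search(source) for pattern in VERSION_PATTERNS)
    return next((m.group(1) for m in matches if m), None)

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))  # numeric, not string, comparison

def find_smarty_copies(root):
    """Walk a code base and map every Smarty.class.php path to its parsed version."""
    copies = {}
    for dirpath, _dirs, files in os.walk(root):
        if "Smarty.class.php" in files:
            path = os.path.join(dirpath, "Smarty.class.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                copies[path] = parse_version(fh.read())
    return copies

def outdated(copies, minimum):
    """Paths older than `minimum`; a copy whose version cannot be read is treated as outdated."""
    floor = version_tuple(minimum)
    return sorted(p for p, v in copies.items() if v is None or version_tuple(v) < floor)

def inventory_sample(minimum="3.1.12"):
    """Write the fixture to a temp dir, scan it, return ({relative path: version}, outdated)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        found = find_smarty_copies(root)
        copies = {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in found.items()}
        return copies, outdated(copies, minimum)
```

Point `find_smarty_copies` at a real project root instead of the fixture to get the same inventory for your own tree; the version-to-advisory mapping the talk used is not reproduced here.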
6.
Let's get some real world data
– 43 popular open source web applications, libraries and frameworks.
– 3,421 versions
– 5.6 million files

7.
Worst offender

8.
Some graph explanation
– Mean / Average
– Median
– The Doom Line

9.
Some actual numbers please

10.
What are SMBs using?

11.
Where does the blame lie?
Wordpress and Joomla!
– Highly popular = Highly targeted.
– Fix released before the vulnerability disclosed.
Libraries not so well behaved
– Most of the libraries found were vulnerable.
– OpenX had a backdoor in their code base.
Frameworks came off well
– No vulnerabilities for the versions found.
Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm

12.
Let's get a little ageist here

13.
What's the sell-by date?

14.
Let's just put those together

15.
Some good news at least
We were looking at the worst of the worst
– SMB with little technical knowledge
– Freelancer CMS deploy
People will fix what they know is broken
– Growing awareness
– Emergence of auto update tools
– Software houses and freelancers, up-sell those maintenance contracts

16.
How much has the situation improved?

17.
And for the developers
Means of distributing 3rd party code is improving
– Composer
  • Don't commit dependencies... specify
  • Major release locking
  • Simple update mechanism

18.
@thomas_shone
www.shone.co.za
Questions?