SlideShare uma empresa Scribd logo

Eight simple rules to writing secure PHP programs

Aleksandr Yampolskiy
Aleksandr Yampolskiy
TecnologiaEducação
1 de 46
Eight Simple Rules… for Writing Secure PHP Programs Aleksandr Yampolskiy
Security: Bird’s Eye View ... Hash Key Management Signature Encryption Security Toolbox DL(g x ) Fact(p*q) Hard problems Prob[ Attack ] ≤ ɛ Proof of security
Building Secure Systems … Looks safe to me
Building Secure Systems ,[object Object]
This Talk ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],vs.
Rule 1: Use proper cryptography ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Common mistakes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Randomness
In Theory ,[object Object],[object Object],[object Object],[object Object],[object Object]
Examples of Real Problems ,[object Object],[object Object],[object Object],Problem: Secret keys aren’t truly random!
Lessons Learnt ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What is (Pseudo)-Random? PRG random seed pseudorandom string random string look indistinguishable to any efficient observer Definition [Blum-Micali-Yao]: PRG is a polytime function whose output is indistinguishable from random by any efficient observer 01010111001… 11010011010… 1001
Implementation ,[object Object],[object Object],[object Object],[object Object]
Rule 2 – Validate all input ,[object Object],[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Tainted Variables ,[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example of Real Problem - XSS ,[object Object],[object Object],[object Object],[object Object]
Rule 3 - Sanitize data sent to other systems ,[object Object],[object Object],[object Object]
SQL Injection ,[object Object],[object Object],[object Object],[object Object]
SQL Injection (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Global Variables ,[object Object],[object Object],[object Object],[object Object]
PHP.INI Security Settings ,[object Object],[object Object],[object Object],[object Object]
PHP.INI Security Settings ,[object Object],[object Object],[object Object],[object Object]
PHP.INI Security Settings ,[object Object],[object Object],[object Object],[object Object]
Rule 4 – Avoid information leakage ,[object Object],[object Object],[object Object],[object Object],[object Object]
Information Leakage - Example ,[object Object],[object Object],[object Object],[object Object],[object Object],<script type=&quot;text/javascript&quot;> $(function() {$(&quot;#19468751&quot;).qtip({content: '<div class=&quot;calendar_hover&quot;><div class=&quot;title_bar&quot;><h2 class=&quot;on&quot; lang=&quot;en&quot;>OGIO Bags</h2></div><img oncontextmenu=&quot;return false;&quot; galleryimg=&quot;no&quot; src=&quot;http://cdn1.gilt.com/images/share/uploads/0000/0000/1991/19911713/orig.jpg?43_1258590331&quot; height=&quot;207&quot; border=&quot;0&quot; alt=&quot;OGIO Bags&quot; width=&quot;303&quot; /></div>',style: {padding: 0,width: 303 + 2,border: {width: 0//color: '#575757',//radius: 1}},position: {target: 'mouse',adjust: {mouse: true,screen: true,x: 30,y: 0 }}});// Last resort if Andy can't figure out how to style a border/*var api = $(&quot;#19468751 &quot;).qtip(&quot;api&quot;);api.beforeRender = function() {// Strip out the default styledelete this.options.style.background;delete this.options.style.color;delete this.options.style.textAlign;this.options.style.width = {};delete this.options.style.padding;this.options.style.border = {};this.options.style.title = {};};*/});</script>
Information Leakage - Logging ,[object Object],[object Object],[object Object],[object Object]
Information Leakage - Logging
Rule 5 – Proper session management ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example 1 - Session Hijacking ,[object Object],[object Object],[object Object],[object Object]
Example 2- CSRF Website Evil Doer ,[object Object],[object Object],1 2
Example 2- CSRF (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Proper session mgmt ,[object Object],[object Object],[object Object],[object Object]
Proper session mgmt (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Proper session mgmt (cont). ,[object Object],[object Object],[object Object]
Rule 6 – Authentication & Entitlements ,[object Object],[object Object],[object Object],[object Object]
Authentication & Entitlements (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Authentication & Entitlements (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 7 – Use Secure Communication Channels ,[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 8 – Keep Security Simple ,[object Object],[object Object],[object Object],[object Object],[object Object]
Recap : the 8 rules ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Often the easiest way to break security is to circumvent it rather than defeat it. Parting Thought
Eight simple rules to writing secure PHP programs

Recomendados

PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Php Security
Php SecurityPhp Security
Php Securityguest7cf35c
 
PHP Security
PHP SecurityPHP Security
PHP Securitymanugoel2003
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
PHP - Web Development
PHP - Web DevelopmentPHP - Web Development
PHP - Web DevelopmentNiladri Karmakar
 

Recomendados

PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Php Security
Php SecurityPhp Security
Php Securityguest7cf35c
 
PHP Security
PHP SecurityPHP Security
PHP Securitymanugoel2003
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
PHP - Web Development
PHP - Web DevelopmentPHP - Web Development
PHP - Web DevelopmentNiladri Karmakar
 
$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 appsRaul Fraile
 
PHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsPHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsAung Khant
 
Php Security3895
Php Security3895Php Security3895
Php Security3895Aung Khant
 
Php security3895
Php security3895Php security3895
Php security3895PrinceGuru MS
 
Angular js security
Angular js securityAngular js security
Angular js securityJose Manuel Ortega Candel
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)securityxploded
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010Gabriele Santini
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128PrinceGuru MS
 
PHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookPHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookBrainware Consultancy Pvt Ltd
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp
 
Php
PhpPhp
PhpRicha Goel
 
Introduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlIntroduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlAlex Balhatchet
 
Back to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferBack to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferSebastian Marek
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable DefCamp
 
PHP 2
PHP 2PHP 2
PHP 2Richa Goel
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
Data Types In PHP
Data Types In PHPData Types In PHP
Data Types In PHPMark Niebergall
 
Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Andrew Shitov
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 

Mais conteúdo relacionado

Mais procurados

$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 appsRaul Fraile
 
PHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsPHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsAung Khant
 
Php Security3895
Php Security3895Php Security3895
Php Security3895Aung Khant
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)securityxploded
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128PrinceGuru MS
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp
 
Introduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlIntroduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlAlex Balhatchet
 
Back to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferBack to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferSebastian Marek
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable DefCamp
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Andrew Shitov
 

Mais procurados (19)

$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps
 
PHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsPHP Built-in String Validation Functions
PHP Built-in String Validation Functions
 
Php Security3895
Php Security3895Php Security3895
Php Security3895
 
Php security3895
Php security3895Php security3895
Php security3895
 
Angular js security
Angular js securityAngular js security
Angular js security
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Rails and security
Rails and securityRails and security
Rails and security
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128
 
PHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookPHP MySQL Workshop - facehook
PHP MySQL Workshop - facehook
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
 
Php
PhpPhp
Php
 
Introduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlIntroduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable Perl
 
Back to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferBack to basics - PHP_Codesniffer
Back to basics - PHP_Codesniffer
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable
 
PHP 2
PHP 2PHP 2
PHP 2
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation Tutorial
 
Data Types In PHP
Data Types In PHPData Types In PHP
Data Types In PHP
 
Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6
 

Semelhante a Eight simple rules to writing secure PHP programs

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Indexwebhostingguy
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programmingalpha0
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 

Semelhante a Eight simple rules to writing secure PHP programs (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Web application security
Web application securityWeb application security
Web application security
 
Application Security
Application SecurityApplication Security
Application Security
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
secure php
secure phpsecure php
secure php
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programming
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
XSS
XSSXSS
XSS
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 

Mais de Aleksandr Yampolskiy

New York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionNew York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionAleksandr Yampolskiy
 
"Managing software development" by Peter Bell
"Managing software development" by Peter Bell"Managing software development" by Peter Bell
"Managing software development" by Peter BellAleksandr Yampolskiy
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsAleksandr Yampolskiy
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItAleksandr Yampolskiy
 
Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingAleksandr Yampolskiy
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About itAleksandr Yampolskiy
 
Inoculation strategies for victims of viruses
Inoculation strategies for victims of virusesInoculation strategies for victims of viruses
Inoculation strategies for victims of virusesAleksandr Yampolskiy
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Threshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsThreshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsAleksandr Yampolskiy
 
Secure information aggregation in sensor networks
Secure information aggregation in sensor networksSecure information aggregation in sensor networks
Secure information aggregation in sensor networksAleksandr Yampolskiy
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysAleksandr Yampolskiy
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelementAleksandr Yampolskiy
 
Price of anarchy is independent of network topology
Price of anarchy is independent of network topologyPrice of anarchy is independent of network topology
Price of anarchy is independent of network topologyAleksandr Yampolskiy
 

Mais de Aleksandr Yampolskiy (20)

New York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionNew York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome Session
 
"Managing software development" by Peter Bell
"Managing software development" by Peter Bell"Managing software development" by Peter Bell
"Managing software development" by Peter Bell
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy Steps
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
 
Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - Briefing
 
Privacy and E-Commerce
Privacy and E-CommercePrivacy and E-Commerce
Privacy and E-Commerce
 
Social media security challenges
Social media security challengesSocial media security challenges
Social media security challenges
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About it
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
Malware goes to the movies
Malware goes to the moviesMalware goes to the movies
Malware goes to the movies
 
Inoculation strategies for victims of viruses
Inoculation strategies for victims of virusesInoculation strategies for victims of viruses
Inoculation strategies for victims of viruses
 
Number theory lecture (part 1)
Number theory lecture (part 1)Number theory lecture (part 1)
Number theory lecture (part 1)
 
Number theory lecture (part 2)
Number theory lecture (part 2)Number theory lecture (part 2)
Number theory lecture (part 2)
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Threshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsThreshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random Permutations
 
Secure information aggregation in sensor networks
Secure information aggregation in sensor networksSecure information aggregation in sensor networks
Secure information aggregation in sensor networks
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keys
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelement
 
Price of anarchy is independent of network topology
Price of anarchy is independent of network topologyPrice of anarchy is independent of network topology
Price of anarchy is independent of network topology
 
Business Case Studies
Business Case Studies Business Case Studies
Business Case Studies
 

Último

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Eight simple rules to writing secure PHP programs

  • 1. Eight Simple Rules… for Writing Secure PHP Programs Aleksandr Yampolskiy
  • 2. Security: Bird’s Eye View ... Hash Key Management Signature Encryption Security Toolbox DL(g x ) Fact(p*q) Hard problems Prob[ Attack ] ≤ ɛ Proof of security
  • 3. Building Secure Systems … Looks safe to me
  • 4.
  • 5.
  • 6.
  • 7.
  • 9.
  • 10.
  • 11.
  • 12. What is (Pseudo)-Random? PRG random seed pseudorandom string random string look indistinguishable to any efficient observer Definition [Blum-Micali-Yao]: PRG is a polytime function whose output is indistinguishable from random by any efficient observer 01010111001… 11010011010… 1001
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45. Often the easiest way to break security is to circumvent it rather than defeat it. Parting Thought