SlideShare ist ein Scribd-Unternehmen logo

P Hundamental Security Coding Secure With Php Lamp

phptechtalk
phptechtalk

phptechtalk 2010, MIMOS PHP COE

Technologie
1 von 21
Downloaden Sie, um offline zu lesen
www.nyphp.com / www.nyphp.org PHundamental Security Ecosystem Review, Coding Secure with PHP, and Best Practices OWASP NYC AppSec 2008 MIMOS Enterprise PHP Techtalk 2010, Malaysia September 24th, 2008 January 28th, 2010 PHP Barcelona New York PHP Community October 31th, 2009 Hans Zaunere, Managing Member November 25th, 2008 02/02/2010 1
www.nyphp.com / www.nyphp.org Overview • Introduction • The Security Ecosystem • Security Pressure Points in PHP • Best Practices • “It‟s the System, Stupid!” • Conclusions 02/02/2010 2
www.nyphp.com / www.nyphp.org Introduction PHP is the PHP: Hypertext Preprocessor • www.nyphp.org – www.nyphp.org/phundamentals/ • This is not YASIXSKOTDT – Yet-Another-SQL-Injection-XSS-Script-Kid-Of-The-Day-Talk • There are other resources for that: – http://www.suspekt.org/2008/09/18/slides-from-my-lesser- known-security-problems-in-php-applications-talk-at-zendcon/ – Numerous other excellent cut-paste resources for these ubiquitous attacks – Ubiquitous means they can happen in any language 02/02/2010 3
www.nyphp.com / www.nyphp.org The Security Ecosystem • Security fundamentals are common across the board • Different environments have different requirements – Desktop applications are different from web/internet applications • Web/Internet apps have a huge number of touch points – PHP isn‟t responsible for all of them – in fact, not most – The Developer/Enterprise is - in ALL cases • Different languages handle in different ways – .NET, Java, Python, PHP all have their idiosyncrasies • PHP is no different... except... “More internet applications speak PHP than any other” 02/02/2010 4
www.nyphp.com / www.nyphp.org Look Familiar? HTTP – The Great Equalizer 02/02/2010 5
www.nyphp.com / www.nyphp.org The PHP Ecosystem • PHP gets a bad rap – Low point of entry and great flexibility “Greatest strength and biggest weakness” • And there‟ve been some mistakes – Weak default configuration – Variable ease of use and scope – The infamous magic_* of PHP – PHP Group [rightfully] argues: “What‟s a security flaw?” “It's easy to shoot yourself in the foot with C. In C++ it's harder to shoot yourself in the foot, but when you do, you blow off your whole leg.” Bjarne Stroustrup, Inventor of C++ 02/02/2010 6
www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility • PHP is effectively a wrapper around libraries and data sources – Many external dependencies and touch points • There are many zones of responsibility – A language is not responsible for them – a developer/enterprise is – A language should not go out of its way to save the developer • Frameworks/foundations can be used for this 02/02/2010 7
www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility 1. Developer – Poorly written code by amateurs – Primary cause for the security ecosystem around PHP – Easy to pick up for those with no programming background – Laziness - letting PHP do its magic_* – Doing things quick-n-dirty – Too forgiving • Resolutions: – Consider using code audit tools and professional services – Implement processes and proper project management “Program Smart” 02/02/2010 8
www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility 2. Extensions and external libraries • PHP‟s greatest asset • Sometimes library binding is faulty – There could be better extension certification, and it‟s getting better • Sometimes the external library has faults, or behaves in an unforeseen way when in a web environment – possible in any environment • Know what extensions you‟re using, use the minimal number of extensions, and be aware of the environment they were originally designed for. “Know Thy Extensions” 02/02/2010 9
www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility 3. PHP Core – “PHP” • This is PHP • Secunia: PHP: ~20 advisories between „03-‟09 Java: 48+ between „03-‟09 Ruby: 12+ between „03-‟09 “The List Goes On – PHP is Not Alone” • Often safe_* and magic_* related – Functions designed to protect developers from ignoring best practices. – Or deal with shared environment where incorrect security expectations are prevalent. “More internet applications speak PHP than any other” 02/02/2010 10
www.nyphp.com / www.nyphp.org Best Practices or, How not to blow off your whole leg • Best practices are common to any well run enterprise environment – Yes, PHP has grown/is growing into this environment very quickly • Web security is largely about your data and less about exploits in the underlying platform – Buffer overflows aren‟t so much the hot topic – ... and those who know, don‟t talk 02/02/2010 11
www.nyphp.com / www.nyphp.org PHP Best Practices or, How not to blow off your whole leg with PHP • Installation – Avoid prepackaged installs, including RPMs, .deb, etc. – If you use them, review their default deployment – Installation touch points also typically include Apache/MySQL • Configuration – Use php.ini-recommended or php.ini-production – Better yet, take the time to know what you‟re doing and tune configuration files yourself, for your specific needs and remembering how your system is most vulnerable • Implement consistent deployment (virtualization, cloud) • Consider certified stacks 02/02/2010 12
www.nyphp.com / www.nyphp.org PHP Best Practices Be Fashionable – Style and Design • Don‟t make PHP guess what you mean – Be explicit with variables and types – Don‟t abuse scope – know where your variables come from – Avoid magic_* and implicitness – BE EXPLICIT • Keep code small, organized and maintainable – Keep code/logic chunks small – Use OOP techniques to enforce code execution paths – Use includes to keep things organized • Don‟t use super-globals directly – wrap for protection “Be aggressive – B.E. aggressive” 02/02/2010 13
www.nyphp.com / www.nyphp.org PHP Best Practices Know Your Data – Love Your Data • It‟s always about data • One of PHP‟s greatest strengths – loosely typed – ... and you guessed it – biggest weaknesses – Don‟t make PHP guess what you mean • Cast variables, know their types and the data you expect – Let PHP do its magic only when you want it to – not by chance – Majority “PHP security flaws” could be avoided by casting to int 02/02/2010 14
www.nyphp.com / www.nyphp.org PHP Best Practices It‟s 10pm – Do You Know Where Your Data Is? • Keep tabs on your data‟s path, lifecycle and type – Know where it‟s come from, what it‟s doing, and where it‟s going – Filter/escape/cast and throw exceptions every step of the way • Input validation, output validation, CASTING • Don‟t be lazy – be explicit – use OOP “Casting isn’t just for movie producers” 02/02/2010 15
www.nyphp.com / www.nyphp.org “It‟s the System, Stupid” Networks, Systems, and Databases, Oh My • No system has a single security weakness • Put PHP in the same well managed enterprise environment as other technologies • Don‟t take the easy way out just because you can • PHP/AMP respond very well to TLC 02/02/2010 16
www.nyphp.com / www.nyphp.org Conclusions Goal: PHP is Just One of the Boys • PHP is just part of the ecosystem • ... and there is awareness and experience on the PHP side • The yin/yang of PHP‟s history overshadows reality • Stand by PHP and it‟ll stand by you • Program it - don‟t hack it “With great power comes great responsibility.” Spiderman’s Uncle • Web/Internet applications are deep and complex – Users, interoperability, data, architecture, support, compliance – PHising, hijacking, spam, social engineering – BROWSERS! “PHP is the least of your worries” 02/02/2010 © 2008 New York PHP, LLC 17
www.nyphp.com / www.nyphp.org Thank You hans.zaunere@nyphp.com For renowned worldwide online support, New York PHP Mailing Lists are free and available to anyone: http://www.nyphp.org/Mailing-Lists 02/02/2010 © 2008 New York PHP, LLC 18
www.nyphp.com / www.nyphp.org The Top 5 Best Practices In No Particular Order 1. PHP is loosely typed and automatically converts between types (known as type casting). However, always consider variables typed, and allow type casting to happen only explicitly. In fact, explicitly type casting variables can add a significant level of data validation and security. http://www.php.net/manual/en/language.types.type-juggling.php 2. Remember that PHP is a dynamic scripting language, allowing execution to jump between files during runtime. However, don‟t lazily abuse including other files – keep all include/require statements in a centralized place and always know what files you‟re including. http://www.php.net/manual/en/function.require.php http://www.php.net/manual/en/function.include.php 02/02/2010 © 2008 New York PHP, LLC 19
www.nyphp.com / www.nyphp.org Top 5 Best Practices In No Particular Order 3. A typical PHP application will deal with a lot of external data, usually from unknown sources – especially someone‟s web browser, or worse, someone hand-crafting HTTP requests. PHP is on the front line of security. Always be aware of where your data is coming from, what you‟ll be doing with it, and where it‟s going. http://www.php.net/manual/en/security.php 4. PHP is very forgiving with its syntax, style and application structure. People on the web are not forgiving. Write clean, organized, and structured code, using the right tools for the job. Do not take shortcuts, depend on PHP‟s “magic” or convenience functionality, or force PHP into guessing what you want to do. You‟re the programmer – be specific. http://www.php.net/manual/en/tutorial.php 02/02/2010 © 2008 New York PHP, LLC 20
www.nyphp.com / www.nyphp.org The Top 5 Best Practices And the #1 Fifth Best Practice! 5. PHP‟s greatest strength and weakness is its ease, power and flexibility. As a result, there is a lot of bad PHP code on the Internet, which is the source of PHP‟s bad reputation. A programming language is only as good as the programmer. Look at most other publicly available PHP code and if it appears sloppy, do what you know is right. If you have experience in another programming language, use it. If not, take the time to properly learn some programming theory, involve yourself with experienced programmers in the community, learn about the other components of web development, and then apply it all to the PHP syntax. Your applications will be more secure, more maintainable, and PHP literally becomes a joy to code in. Everyone is encouraged - worldwide - to join the New York PHP mailing lists at http://www.nyphp.org/Mailing-Lists to ask questions and seek advice. 02/02/2010 © 2008 New York PHP, LLC 21

Empfohlen

LonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteLonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteAlison Gianotto
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 

Empfohlen

LonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteLonestarPHP 2014 Security Keynote
LonestarPHP 2014 Security KeynoteAlison Gianotto
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
Hvordan stopper du CryptoLocker?
Hvordan stopper du CryptoLocker?Hvordan stopper du CryptoLocker?
Hvordan stopper du CryptoLocker?Steinar Aandal-Vanger
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information securityAnant Shrivastava
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityStopTheHacker
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration TestersChristian Martorella
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Berkarir di Cyber Security
Berkarir di Cyber SecurityBerkarir di Cyber Security
Berkarir di Cyber SecuritySatria Ady Pradana
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsSecurity Innovation
 
Password management
Password managementPassword management
Password managementPortalGuard dba PistolStar, Inc.
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Nicholas Batik
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
IEF for Military and Government
IEF for Military and GovernmentIEF for Military and Government
IEF for Military and GovernmentJADsoftware
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Muzzammil Wani
 

Weitere ähnliche Inhalte

Was ist angesagt?

DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information securityAnant Shrivastava
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityStopTheHacker
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsSecurity Innovation
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Nicholas Batik
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 

Was ist angesagt? (20)

DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
Hvordan stopper du CryptoLocker?
Hvordan stopper du CryptoLocker?Hvordan stopper du CryptoLocker?
Hvordan stopper du CryptoLocker?
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website Security
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration Testers
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Berkarir di Cyber Security
Berkarir di Cyber SecurityBerkarir di Cyber Security
Berkarir di Cyber Security
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection Flaws
 
Password management
Password managementPassword management
Password management
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security Professional
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 

Andere mochten auch

IEF for Military and Government
IEF for Military and GovernmentIEF for Military and Government
IEF for Military and GovernmentJADsoftware
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Muzzammil Wani
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMAAnton Chuvakin
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - NotesKranthi
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Cellebrite
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformBasis Technology
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureOllie Whitehouse
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)Jared Atkinson
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsOldsun
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
Computer Forensics: You can run but you can't hide
Computer Forensics: You can run but you can't hideComputer Forensics: You can run but you can't hide
Computer Forensics: You can run but you can't hideAntonio Sanz Alcober
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 

Andere mochten auch (20)

IEF for Military and Government
IEF for Military and GovernmentIEF for Military and Government
IEF for Military and Government
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMA
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
 
Sued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital ForensicsSued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital Forensics
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 
File000120
File000120File000120
File000120
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Euroforensics 2012
Euroforensics 2012Euroforensics 2012
Euroforensics 2012
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
 
Computer Forensics: You can run but you can't hide
Computer Forensics: You can run but you can't hideComputer Forensics: You can run but you can't hide
Computer Forensics: You can run but you can't hide
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 

Ähnlich wie P Hundamental Security Coding Secure With Php Lamp

Enabling The Enterprise With Php
Enabling The Enterprise With PhpEnabling The Enterprise With Php
Enabling The Enterprise With Phpphptechtalk
 
Learn PHP Lacture1
Learn PHP Lacture1Learn PHP Lacture1
Learn PHP Lacture1ADARSH BHATT
 
Week 5
Week 5Week 5
Week 5A VD
 
Week 5
Week 5Week 5
Week 5A VD
 
Identifying and managing the risks of open source software for PHP developers
Identifying and managing the risks of open source software for PHP developersIdentifying and managing the risks of open source software for PHP developers
Identifying and managing the risks of open source software for PHP developersRogue Wave Software
 
Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseMarcel de Vries
 
Technical standards & the RDTF Vision: some considerations
Technical standards & the RDTF Vision: some considerationsTechnical standards & the RDTF Vision: some considerations
Technical standards & the RDTF Vision: some considerationsPaul Walk
 
Open Source Governance at HP
Open Source Governance at HPOpen Source Governance at HP
Open Source Governance at HPBruno Cornec
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Sucuri
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Introduction to PHP - SDPHP
Introduction to PHP - SDPHPIntroduction to PHP - SDPHP
Introduction to PHP - SDPHPEric Johnson
 
2005 04 05 SRI ELN Architecture
2005 04 05 SRI ELN Architecture2005 04 05 SRI ELN Architecture
2005 04 05 SRI ELN ArchitectureSimon Coles
 
Debugging with Zend Studio for Eclipse
Debugging with Zend Studio for EclipseDebugging with Zend Studio for Eclipse
Debugging with Zend Studio for EclipseOSSCube
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
PHP vs Python Which is Best for Web Development.pdf
PHP vs Python Which is Best for Web Development.pdfPHP vs Python Which is Best for Web Development.pdf
PHP vs Python Which is Best for Web Development.pdfchristiemarie4
 

Ähnlich wie P Hundamental Security Coding Secure With Php Lamp (20)

Enabling The Enterprise With Php
Enabling The Enterprise With PhpEnabling The Enterprise With Php
Enabling The Enterprise With Php
 
Learn PHP Lacture1
Learn PHP Lacture1Learn PHP Lacture1
Learn PHP Lacture1
 
Week 5
Week 5Week 5
Week 5
 
Week 5
Week 5Week 5
Week 5
 
Identifying and managing the risks of open source software for PHP developers
Identifying and managing the risks of open source software for PHP developersIdentifying and managing the risks of open source software for PHP developers
Identifying and managing the risks of open source software for PHP developers
 
Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
 
Apache deep learning 101
Apache deep learning 101Apache deep learning 101
Apache deep learning 101
 
Technical standards & the RDTF Vision: some considerations
Technical standards & the RDTF Vision: some considerationsTechnical standards & the RDTF Vision: some considerations
Technical standards & the RDTF Vision: some considerations
 
Open Source Governance at HP
Open Source Governance at HPOpen Source Governance at HP
Open Source Governance at HP
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
php_mysql_tutorial
php_mysql_tutorialphp_mysql_tutorial
php_mysql_tutorial
 
php_mysql_tutorial
php_mysql_tutorialphp_mysql_tutorial
php_mysql_tutorial
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Introduction to PHP - SDPHP
Introduction to PHP - SDPHPIntroduction to PHP - SDPHP
Introduction to PHP - SDPHP
 
2005 04 05 SRI ELN Architecture
2005 04 05 SRI ELN Architecture2005 04 05 SRI ELN Architecture
2005 04 05 SRI ELN Architecture
 
Debugging with Zend Studio for Eclipse
Debugging with Zend Studio for EclipseDebugging with Zend Studio for Eclipse
Debugging with Zend Studio for Eclipse
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
PHP vs Python Which is Best for Web Development.pdf
PHP vs Python Which is Best for Web Development.pdfPHP vs Python Which is Best for Web Development.pdf
PHP vs Python Which is Best for Web Development.pdf
 

Mehr von phptechtalk

Rise of the Planet of the Anonymous
Rise of the Planet of the AnonymousRise of the Planet of the Anonymous
Rise of the Planet of the Anonymousphptechtalk
 
Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011
Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011
Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011phptechtalk
 
Making Joomla! site fly with nginx : Joomla! day Malaysia 2011
Making Joomla! site fly with nginx : Joomla! day Malaysia 2011Making Joomla! site fly with nginx : Joomla! day Malaysia 2011
Making Joomla! site fly with nginx : Joomla! day Malaysia 2011phptechtalk
 
Accelarating PHP Applications at INTAN Sabah Technology Updates 2011
Accelarating PHP Applications at INTAN Sabah Technology Updates 2011Accelarating PHP Applications at INTAN Sabah Technology Updates 2011
Accelarating PHP Applications at INTAN Sabah Technology Updates 2011phptechtalk
 
DA with Wa - Desktop Apps With Web Apps
DA with Wa - Desktop Apps With Web AppsDA with Wa - Desktop Apps With Web Apps
DA with Wa - Desktop Apps With Web Appsphptechtalk
 
Slipstream Rapid Application Design
Slipstream Rapid Application DesignSlipstream Rapid Application Design
Slipstream Rapid Application Designphptechtalk
 
Zend In The Cloud
Zend In The CloudZend In The Cloud
Zend In The Cloudphptechtalk
 
Php In The Enterprise 01 24 2010
Php In The Enterprise 01 24 2010Php In The Enterprise 01 24 2010
Php In The Enterprise 01 24 2010phptechtalk
 
Zend Solutions For Operational Maturity 01 21 2010
Zend Solutions For Operational Maturity 01 21 2010Zend Solutions For Operational Maturity 01 21 2010
Zend Solutions For Operational Maturity 01 21 2010phptechtalk
 

Mehr von phptechtalk (9)

Rise of the Planet of the Anonymous
Rise of the Planet of the AnonymousRise of the Planet of the Anonymous
Rise of the Planet of the Anonymous
 
Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011
Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011
Errazudin - REST in pieces (with frapi) - Malaysia Open Source Conference 2011
 
Making Joomla! site fly with nginx : Joomla! day Malaysia 2011
Making Joomla! site fly with nginx : Joomla! day Malaysia 2011Making Joomla! site fly with nginx : Joomla! day Malaysia 2011
Making Joomla! site fly with nginx : Joomla! day Malaysia 2011
 
Accelarating PHP Applications at INTAN Sabah Technology Updates 2011
Accelarating PHP Applications at INTAN Sabah Technology Updates 2011Accelarating PHP Applications at INTAN Sabah Technology Updates 2011
Accelarating PHP Applications at INTAN Sabah Technology Updates 2011
 
DA with Wa - Desktop Apps With Web Apps
DA with Wa - Desktop Apps With Web AppsDA with Wa - Desktop Apps With Web Apps
DA with Wa - Desktop Apps With Web Apps
 
Slipstream Rapid Application Design
Slipstream Rapid Application DesignSlipstream Rapid Application Design
Slipstream Rapid Application Design
 
Zend In The Cloud
Zend In The CloudZend In The Cloud
Zend In The Cloud
 
Php In The Enterprise 01 24 2010
Php In The Enterprise 01 24 2010Php In The Enterprise 01 24 2010
Php In The Enterprise 01 24 2010
 
Zend Solutions For Operational Maturity 01 21 2010
Zend Solutions For Operational Maturity 01 21 2010Zend Solutions For Operational Maturity 01 21 2010
Zend Solutions For Operational Maturity 01 21 2010
 

Kürzlich hochgeladen

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

P Hundamental Security Coding Secure With Php Lamp

  • 1. www.nyphp.com / www.nyphp.org PHundamental Security Ecosystem Review, Coding Secure with PHP, and Best Practices OWASP NYC AppSec 2008 MIMOS Enterprise PHP Techtalk 2010, Malaysia September 24th, 2008 January 28th, 2010 PHP Barcelona New York PHP Community October 31th, 2009 Hans Zaunere, Managing Member November 25th, 2008 02/02/2010 1
  • 2. www.nyphp.com / www.nyphp.org Overview • Introduction • The Security Ecosystem • Security Pressure Points in PHP • Best Practices • “It‟s the System, Stupid!” • Conclusions 02/02/2010 2
  • 3. www.nyphp.com / www.nyphp.org Introduction PHP is the PHP: Hypertext Preprocessor • www.nyphp.org – www.nyphp.org/phundamentals/ • This is not YASIXSKOTDT – Yet-Another-SQL-Injection-XSS-Script-Kid-Of-The-Day-Talk • There are other resources for that: – http://www.suspekt.org/2008/09/18/slides-from-my-lesser- known-security-problems-in-php-applications-talk-at-zendcon/ – Numerous other excellent cut-paste resources for these ubiquitous attacks – Ubiquitous means they can happen in any language 02/02/2010 3
  • 4. www.nyphp.com / www.nyphp.org The Security Ecosystem • Security fundamentals are common across the board • Different environments have different requirements – Desktop applications are different from web/internet applications • Web/Internet apps have a huge number of touch points – PHP isn‟t responsible for all of them – in fact, not most – The Developer/Enterprise is - in ALL cases • Different languages handle in different ways – .NET, Java, Python, PHP all have their idiosyncrasies • PHP is no different... except... “More internet applications speak PHP than any other” 02/02/2010 4
  • 5. www.nyphp.com / www.nyphp.org Look Familiar? HTTP – The Great Equalizer 02/02/2010 5
  • 6. www.nyphp.com / www.nyphp.org The PHP Ecosystem • PHP gets a bad rap – Low point of entry and great flexibility “Greatest strength and biggest weakness” • And there‟ve been some mistakes – Weak default configuration – Variable ease of use and scope – The infamous magic_* of PHP – PHP Group [rightfully] argues: “What‟s a security flaw?” “It's easy to shoot yourself in the foot with C. In C++ it's harder to shoot yourself in the foot, but when you do, you blow off your whole leg.” Bjarne Stroustrup, Inventor of C++ 02/02/2010 6
  • 7. www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility • PHP is effectively a wrapper around libraries and data sources – Many external dependencies and touch points • There are many zones of responsibility – A language is not responsible for them – a developer/enterprise is – A language should not go out of its way to save the developer • Frameworks/foundations can be used for this 02/02/2010 7
  • 8. www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility 1. Developer – Poorly written code by amateurs – Primary cause for the security ecosystem around PHP – Easy to pick up for those with no programming background – Laziness - letting PHP do its magic_* – Doing things quick-n-dirty – Too forgiving • Resolutions: – Consider using code audit tools and professional services – Implement processes and proper project management “Program Smart” 02/02/2010 8
  • 9. www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility 2. Extensions and external libraries • PHP‟s greatest asset • Sometimes library binding is faulty – There could be better extension certification, and it‟s getting better • Sometimes the external library has faults, or behaves in an unforeseen way when in a web environment – possible in any environment • Know what extensions you‟re using, use the minimal number of extensions, and be aware of the environment they were originally designed for. “Know Thy Extensions” 02/02/2010 9
  • 10. www.nyphp.com / www.nyphp.org Security Points-of-Entry Three Zones of Responsibility 3. PHP Core – “PHP” • This is PHP • Secunia: PHP: ~20 advisories between „03-‟09 Java: 48+ between „03-‟09 Ruby: 12+ between „03-‟09 “The List Goes On – PHP is Not Alone” • Often safe_* and magic_* related – Functions designed to protect developers from ignoring best practices. – Or deal with shared environment where incorrect security expectations are prevalent. “More internet applications speak PHP than any other” 02/02/2010 10
  • 11. www.nyphp.com / www.nyphp.org Best Practices or, How not to blow off your whole leg • Best practices are common to any well run enterprise environment – Yes, PHP has grown/is growing into this environment very quickly • Web security is largely about your data and less about exploits in the underlying platform – Buffer overflows aren‟t so much the hot topic – ... and those who know, don‟t talk 02/02/2010 11
  • 12. www.nyphp.com / www.nyphp.org PHP Best Practices or, How not to blow off your whole leg with PHP • Installation – Avoid prepackaged installs, including RPMs, .deb, etc. – If you use them, review their default deployment – Installation touch points also typically include Apache/MySQL • Configuration – Use php.ini-recommended or php.ini-production – Better yet, take the time to know what you‟re doing and tune configuration files yourself, for your specific needs and remembering how your system is most vulnerable • Implement consistent deployment (virtualization, cloud) • Consider certified stacks 02/02/2010 12
  • 13. www.nyphp.com / www.nyphp.org PHP Best Practices Be Fashionable – Style and Design • Don‟t make PHP guess what you mean – Be explicit with variables and types – Don‟t abuse scope – know where your variables come from – Avoid magic_* and implicitness – BE EXPLICIT • Keep code small, organized and maintainable – Keep code/logic chunks small – Use OOP techniques to enforce code execution paths – Use includes to keep things organized • Don‟t use super-globals directly – wrap for protection “Be aggressive – B.E. aggressive” 02/02/2010 13
  • 14. www.nyphp.com / www.nyphp.org PHP Best Practices Know Your Data – Love Your Data • It‟s always about data • One of PHP‟s greatest strengths – loosely typed – ... and you guessed it – biggest weaknesses – Don‟t make PHP guess what you mean • Cast variables, know their types and the data you expect – Let PHP do its magic only when you want it to – not by chance – Majority “PHP security flaws” could be avoided by casting to int 02/02/2010 14
  • 15. www.nyphp.com / www.nyphp.org PHP Best Practices It‟s 10pm – Do You Know Where Your Data Is? • Keep tabs on your data‟s path, lifecycle and type – Know where it‟s come from, what it‟s doing, and where it‟s going – Filter/escape/cast and throw exceptions every step of the way • Input validation, output validation, CASTING • Don‟t be lazy – be explicit – use OOP “Casting isn’t just for movie producers” 02/02/2010 15
  • 16. www.nyphp.com / www.nyphp.org “It‟s the System, Stupid” Networks, Systems, and Databases, Oh My • No system has a single security weakness • Put PHP in the same well managed enterprise environment as other technologies • Don‟t take the easy way out just because you can • PHP/AMP respond very well to TLC 02/02/2010 16
  • 17. www.nyphp.com / www.nyphp.org Conclusions Goal: PHP is Just One of the Boys • PHP is just part of the ecosystem • ... and there is awareness and experience on the PHP side • The yin/yang of PHP‟s history overshadows reality • Stand by PHP and it‟ll stand by you • Program it - don‟t hack it “With great power comes great responsibility.” Spiderman’s Uncle • Web/Internet applications are deep and complex – Users, interoperability, data, architecture, support, compliance – PHising, hijacking, spam, social engineering – BROWSERS! “PHP is the least of your worries” 02/02/2010 © 2008 New York PHP, LLC 17
  • 18. www.nyphp.com / www.nyphp.org Thank You hans.zaunere@nyphp.com For renowned worldwide online support, New York PHP Mailing Lists are free and available to anyone: http://www.nyphp.org/Mailing-Lists 02/02/2010 © 2008 New York PHP, LLC 18
  • 19. www.nyphp.com / www.nyphp.org The Top 5 Best Practices In No Particular Order 1. PHP is loosely typed and automatically converts between types (known as type casting). However, always consider variables typed, and allow type casting to happen only explicitly. In fact, explicitly type casting variables can add a significant level of data validation and security. http://www.php.net/manual/en/language.types.type-juggling.php 2. Remember that PHP is a dynamic scripting language, allowing execution to jump between files during runtime. However, don‟t lazily abuse including other files – keep all include/require statements in a centralized place and always know what files you‟re including. http://www.php.net/manual/en/function.require.php http://www.php.net/manual/en/function.include.php 02/02/2010 © 2008 New York PHP, LLC 19
  • 20. www.nyphp.com / www.nyphp.org Top 5 Best Practices In No Particular Order 3. A typical PHP application will deal with a lot of external data, usually from unknown sources – especially someone‟s web browser, or worse, someone hand-crafting HTTP requests. PHP is on the front line of security. Always be aware of where your data is coming from, what you‟ll be doing with it, and where it‟s going. http://www.php.net/manual/en/security.php 4. PHP is very forgiving with its syntax, style and application structure. People on the web are not forgiving. Write clean, organized, and structured code, using the right tools for the job. Do not take shortcuts, depend on PHP‟s “magic” or convenience functionality, or force PHP into guessing what you want to do. You‟re the programmer – be specific. http://www.php.net/manual/en/tutorial.php 02/02/2010 © 2008 New York PHP, LLC 20
  • 21. www.nyphp.com / www.nyphp.org The Top 5 Best Practices And the #1 Fifth Best Practice! 5. PHP‟s greatest strength and weakness is its ease, power and flexibility. As a result, there is a lot of bad PHP code on the Internet, which is the source of PHP‟s bad reputation. A programming language is only as good as the programmer. Look at most other publicly available PHP code and if it appears sloppy, do what you know is right. If you have experience in another programming language, use it. If not, take the time to properly learn some programming theory, involve yourself with experienced programmers in the community, learn about the other components of web development, and then apply it all to the PHP syntax. Your applications will be more secure, more maintainable, and PHP literally becomes a joy to code in. Everyone is encouraged - worldwide - to join the New York PHP mailing lists at http://www.nyphp.org/Mailing-Lists to ask questions and seek advice. 02/02/2010 © 2008 New York PHP, LLC 21