PHP SA 2013 - The weak points in our PHP projects
xsist10
The weak points in our PHP projects Are your dependencies getting you down
1.
The weak points in our systems
Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013
2.
Copyright © 2012 Clickatell. All rights reserved.
About me
Senior developer for Clickatell
Work remotely from Grahamstown in the Eastern Cape
I like to break things
3.
The bare minimum we SHOULD be doing
Preventing SQL injection and sanitizing user input
Email and cellphone verification
– Mitigate social engineering against support team
Salting and using strong hashing for passwords
– As of PHP 5.5, www.php.net/password will make this trivial
Forgotten password resets done by email link
Use OAuth or OpenID
Two factor authentication
– High risk data
– Premium support verification
– Off-site staff authentication method
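The first three items of slide 3 in working PHP 5.5 code, added here as an illustration (this is not code from the talk or from Clickatell). It uses an in-memory SQLite database and a constructed user so that it runs stand-alone; the table layout and the function names register/login are assumptions for the example.

```php
<?php
// Added example (not from the talk): the "bare minimum" of slide 3 in PHP 5.5+ code.
// Uses an in-memory SQLite database so it runs stand-alone; table and user are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Registration: validate the e-mail, then hash the password with the PHP 5.5 password API.
// password_hash() picks a random salt and embeds salt, algorithm and cost in the result,
// so there is nothing to store or manage besides the returned string.
function register(PDO $db, $email, $password)
{
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement with bound parameters: user input never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute(array(':email' => $email, ':hash' => $hash));
}

// Login: verification in constant time, plus transparent upgrade of hashes that were
// created with older algorithm/cost settings (password_needs_rehash) on the next login.
function login(PDO $db, $email, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same answer for an unknown user and a wrong password
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute(array(':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']));
    }
    return (int) $row['id'];
}

// Constructed usage: a correct login, a wrong password, and a quote-laden e-mail value,
// which the prepared statement binds as data and which therefore matches no row.
register($db, 'alice@example.com', 'correct horse battery staple');
var_dump(login($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(login($db, 'alice@example.com', 'wrong'));
var_dump(login($db, "' OR '1'='1", 'anything'));
```

The point of the password_needs_rehash() branch is that PASSWORD_DEFAULT is allowed to change in later PHP releases; stored hashes are migrated one user at a time as they log in, with no bulk reset.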
4.
What the blogs haven't warned us about
No coder is an island
We all rely on:
– 3rd party libraries
– Frameworks
  • Symfony
  • Zend
– CMS packages
  • Joomla!
  • Wordpress
– E-Commerce software
  • osCommerce
  • Magento
– CRM software
  • SugarCRM
5.
So... time to come clean... I've done it too
Perception
– Using a version of Smarty without vulnerabilities (3.1.12)
Reality
– 4 versions of Smarty.
– Version 2.6.26 with 11 Vulnerabilities (7 critical)
– Version 2.6.28 with 12 Vulnerabilities (7 critical)
– Version 2.6.11 with 12 Vulnerabilities (7 critical)
The other three were dependencies of another front end system
Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
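The perception/reality gap on slide 5 is closed by inventory: every vendored copy of a library under the project tree, with its version, not just the one the team remembers installing. The script below is an added example (not from the talk) that does this for Smarty. It assumes Smarty 3 declares `const SMARTY_VERSION = 'Smarty-3.x.y';` and Smarty 2 declares `var $_version = '2.x.y';` in Smarty.class.php; the directory tree it scans is a constructed fixture that mirrors the slide's four copies.

```php
<?php
// Added example (not from the talk): find every vendored copy of Smarty under a project
// tree and report its version, then flag copies older than the version the team believes
// it is running (3.1.12 on slide 5). The fixture tree below is constructed.
//
// Assumption: Smarty 3 declares `const SMARTY_VERSION = 'Smarty-3.1.12';` and Smarty 2
// declares `var $_version = '2.6.26';` in Smarty.class.php. Adjust the patterns if needed.

function findSmartyCopies($root)
{
    $found = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() !== 'Smarty.class.php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if (preg_match("/SMARTY_VERSION\s*=\s*'Smarty-([0-9.]+)'/", $src, $m)
            || preg_match("/\\\$_version\s*=\s*'([0-9.]+)'/", $src, $m)) {
            $found[$file->getPathname()] = $m[1];
        }
    }
    ksort($found);
    return $found;
}

// One report line per copy: OUTDATED if older than $expected, ok otherwise.
function reportOutdated(array $copies, $expected)
{
    $out = array();
    foreach ($copies as $path => $version) {
        $status = version_compare($version, $expected, '<') ? 'OUTDATED' : 'ok';
        $out[] = sprintf('%-8s %-8s %s', $status, $version, $path);
    }
    return $out;
}

// --- constructed fixture: the copy the team knows about, plus three stale copies that
// --- arrived as dependencies of another front end system, as on slide 5.
$root = sys_get_temp_dir() . '/smarty-scan-' . getmypid();
$fixtures = array(
    'app/vendor/smarty/libs/Smarty.class.php'      => "<?php\nclass Smarty { const SMARTY_VERSION = 'Smarty-3.1.12'; }\n",
    'frontend/lib/smarty/Smarty.class.php'         => "<?php\nclass Smarty { var \$_version = '2.6.26'; }\n",
    'frontend/legacy/Smarty/Smarty.class.php'      => "<?php\nclass Smarty { var \$_version = '2.6.28'; }\n",
    'frontend/plugins/old/smarty/Smarty.class.php' => "<?php\nclass Smarty { var \$_version = '2.6.11'; }\n",
);
foreach ($fixtures as $rel => $body) {
    $path = "$root/$rel";
    mkdir(dirname($path), 0700, true);
    file_put_contents($path, $body);
}

foreach (reportOutdated(findSmartyCopies($root), '3.1.12') as $line) {
    echo $line, "\n";
}
```

Point the scan at the real deployment root (including anything a freelancer or a second front end dropped in) rather than at the repository you think is authoritative; the stale copies on slide 5 were precisely the ones nobody had in mind. Declaring the dependency once in Composer instead of committing copies removes the problem at the source.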
6.
Let's get some real world data
43 popular open source web applications, libraries and frameworks.
3,421 versions
5.6 million files
7.
Worst offender
8.
Some graph explanation
Mean / Average
Median
The Doom Line
9.
Some actual numbers please
10.
What are SMBs using?
11.
Where does the blame lie?
Wordpress and Joomla!
– Highly popular = Highly targeted.
– Fix released before the vulnerability disclosed
Libraries not so well behaved
– Most of the libraries found were vulnerable
– OpenX had a backdoor in their code base
Frameworks came off well
– No vulnerabilities for the versions found
Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
12.
Let's get a little ageist here
13.
What's the sell by date
14.
Let's just put those together
15.
Some good news at least
We were looking at the worst of the worst
– SMB with little technical knowledge
– Freelancer CMS deploy
People will fix what they know is broken
– Growing awareness
– Emergence of auto update tools
– Software houses and freelancers, up-sell those maintenance contracts
16.
How much has the situation improved
17.
And for the developers
Means of distributing 3rd party code is improving
– Composer
  • Don't commit dependencies... specify
  • Major release locking
  • Simple update mechanism
18.
@thomas_shone
www.shone.co.za
Questions?