Tietoturva web-kehityksessä & Zend Frameworkissä
Upcoming SlideShare
Loading in...5
×
 

Tietoturva web-kehityksessä & Zend Frameworkissä

on

  • 1,643 views

Presentation from PHP User Group Finland 24.11.2011 (in Finnish)

Presentation from PHP User Group Finland 24.11.2011 (in Finnish)

Statistics

Views

Total Views
1,643
Views on SlideShare
599
Embed Views
1,044

Actions

Likes
0
Downloads
1
Comments
0

2 Embeds 1,044

http://cvuorinen.net 1043
http://cloud.feedly.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Tietoturva web-kehityksessä & Zend Frameworkissä Tietoturva web-kehityksessä & Zend Frameworkissä Presentation Transcript

    • PHP User Group Finland 24.11.2011
    • • Carl (Kalle) Vuorinen • Matti Suominen – :ssa – :ssa vuodesta 2005 vuodesta 2007 • PHP kehittäjä • Tietoturvahörhö • Tiiminvetäjä • Osakas • Osakas
    • • Tietoturva • Zend Framework – OWASP Top Ten – MVC framework – 10 kriittisintä web – Komponentti kirjasto sovellusten tietoturvariskiä Extending the art & spirit of PHP, Zend Framework is based on simplicity, – Injektio, XSS, CSRF, object-oriented best practices, salasanojen suojaus corporate friendly licensing, and ahttps://www.owasp.org/index.php/Top_10_2010 rigorously tested agile codebase. http://framework.zend.com/about/overview
    • • Erikoismerkkien muuntaminen – Escaping• Syötteiden tarkistukset – Filtteröinti & validointi• SQL lauseiden esikäsittely – Prepared statements
    • • Zend_Db_Adapter & Zend_Db_Statement $sql = SELECT * FROM bugs WHERE bug_id = ?; $result = $db->fetchAll($sql, $bugId);• Zend_Db_Select $select = $db->select() ->from(products, array(product_id, product_name, price)) ->where(price > ?, $minimumPrice);• Zend_Db_Table $table = new Bugs(); $rows = $table->find($bugId);
    • • Tulosteiden siistiminen – Escape output• Syötteiden tarkistukset – Filtteröinti & validointi• PHP session konfigurointi – httpOnly cookie
    • • Zend_View escape() metodi <?php foreach ($this->books as $key => $val): ?> <tr> <td><?php echo $this->escape($val[author]) ?></td> <td><?php echo $this->escape($val[title]) ?></td> </tr> <?php endforeach; ?>
    • • Zend_Form ja Zend_Filter & Zend_Validate $this->addElement( text, username, array( required => true, label => Username:, filters => array(StringTrim, StringToLower), validators => array( Alnum, array(Regex, false, array(/^[a-z][a-z0-9]{2,}$/)) ) ));• Zend_Filter_Input
    • • HTMLPurifier – HTML Purifier defeats XSS with an audited whitelist http://htmlpurifier.org/ – class My_Filter_HtmlPurifier implements Zend_Filter_Interface
    • • Piilotettu uniikki tunniste – Hidden unique token
    • • Zend_Form_Hash $form->addElement(hash, no_csrf_foo, array(salt => unique));• Automaattinen CSRF suojaus – Extend Zend_Form• Linkkien suojaus – Javascript POST
    • • Hashing – MD5 ei riitä – bcrypt – Hitaampi on parempi
    • • PHPASS – Portable PHP password hashing framework http://www.openwall.com/phpass/ – class My_Auth_Adapter_DbTableHash extends Zend_Auth_Adapter_DbTable
    • • http://framework.zend.com/• https://www.owasp.org/• http://static.zend.com/topics/Webinar-Zend-Secure-Application-Development-with- the-Zend-Framework.pdf• http://htmlpurifier.org/• http://blog.astrumfutura.com/2008/05/example-zend-framework-blog-application- tutorial-part-8-creating-and-editing-blog-entries-with-a-dash-of-htmlpurifier/• https://www.owasp.org/index.php/Cross- Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet• http://www.openwall.com/phpass/• http://www.openwall.com/articles/PHP-Users-Passwords• http://codahale.com/how-to-safely-store-a-password/