PHP & The secure development lifecycle

PHP & The Secure Application Development Life-cycle “The art of building secure PHPyramids”
Robert van der Linde
Santa Clara, 16 september 2008

Who’s that dude?
Robert van der Linde
5 years of PHP experience
Team lead PaSS-PHP
Sogeti’s PHP training coordinator
Zend Certified Engineer

Secure PHPyramids

What is a secure application?
An application is secure if does exactly what is expected at all times
Design Implementation

So what do we do?
Applications are information
Threats are everywhere
Creating secure applications need a standardized approach
There is tooling available to help you

Application === Information Integrity Availability Confidentiality Information security

Where do you implement security?

Where do threats come from?
Conciously

Where do threats come from?
Unconsciously

Approach

Requirements

Test plans
Training
Awareness
Outside-the-box thinking
Codified security test plans
Tools
OWASP WebScarab
Ratproxy
NTO Spider

Test results
Review with programmers
Reporting and analysis
End goal: clean bill of health

Code
Owasp PHP top 5
Remote code execution
Cross site scripting
SQL Injection
PHP Configuration
File system attacks
Best practices
Whitelisting vs. blacklisting
Filter input, escape output
Keep errors to yourself

Feedback
Consciously handle found issues
Praise, not prey
Handle proactively

The key to all this
Awareness

Implementation at Sogeti
PaSS (Pro-active Security Strategy)
Workgroup per expertise
PHP
Design
Testing
Etc.
Added value

Tooling example Finally.... some code!

Setting it up

The result

Working with the result

What’s next?
Logging attacks
File
MySQL
Email
Reporting and analysis

Thank you for watching
Referenties:
www.php.net
www.owasp.com
www.php-ids.org
www.sogeti.nl
www.zend.com
Contact:
E: [email_address] IM: [email_address] Skype: linderob Blog: http://php.linde002.nl/

http://mysandbox.tvetph.net	17
http://www.slideshare.net	5
http://php.linde002.nl	1
http://joaosantacruz.com	1
http://www.joaosantacruz.com	1

PHP & The secure development lifecycle

by guestaaf017 on Sep 16, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 25

Statistics

PHP & The secure development lifecycle — Presentation Transcript