PHP & The secure development lifecycle
Slides from the zendcon'08 presentation "PHP & The secure development lifecycle" by Robert van der Linde

Presentation Transcript

  • PHP & The Secure Application Development Life-cycle “The art of building secure PHPyramids”
    • Robert van der Linde
    • Santa Clara, 16 September 2008
  • Who’s that dude?
    • Robert van der Linde
    • 5 years of PHP experience
    • Team lead PaSS-PHP
    • Sogeti’s PHP training coordinator
    • Zend Certified Engineer
  • Secure PHPyramids
  • What is a secure application?
    • An application is secure if it does exactly what is expected at all times
    (Slide diagram: Design, Implementation)
  • So what do we do?
    • Applications are information
    • Threats are everywhere
    • Creating secure applications needs a standardized approach
    • There is tooling available to help you
  • Application === Information
    (Slide diagram: Information security = Integrity, Availability, Confidentiality)
  • Where do you implement security?
  • Where do threats come from?
    • Consciously
  • Where do threats come from?
    • Unconsciously
  • Approach
  • Requirements
  • Test plans
    • Training
    • Awareness
    • Outside-the-box thinking
    • Codified security test plans
    • Tools
      • OWASP WebScarab
      • Ratproxy
      • NTO Spider
  • Test results
    • Review with programmers
    • Reporting and analysis
    • End goal: clean bill of health
  • Code
    • OWASP PHP top 5
      • Remote code execution
      • Cross site scripting
      • SQL Injection
      • PHP Configuration
      • File system attacks
    • Best practices
      • Whitelisting vs. blacklisting
      • Filter input, escape output
      • Keep errors to yourself
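The three best practices above, applied to one small PHP request handler against four of the five OWASP PHP top 5 items. This is an added example written for this page, not code from the slides or from Sogeti; it targets PHP 8 and assumes a PDO connection `$pdo` (opened with `PDO::ERRMODE_EXCEPTION`), a table `articles (id, slug, body)` and a `templates/` directory, all of which are this example's own assumptions.

```php
<?php
// Added example (not from the slides): "filter input, escape output",
// whitelisting and "keep errors to yourself" in one request handler.
// Assumed: $pdo (PDO, ERRMODE_EXCEPTION), table articles(id, slug, body),
// and a templates/ directory next to this file.

declare(strict_types=1);

// Keep errors to yourself: never show SQL errors or stack traces to the
// visitor; report everything, but to the server log only.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Whitelist, not blacklist: only these column names may reach ORDER BY,
// because identifiers cannot be bound as prepared-statement parameters.
const ALLOWED_SORT = ['id', 'slug'];

function pickSort(array $query): string
{
    $sort = $query['sort'] ?? 'id';
    return is_string($sort) && in_array($sort, ALLOWED_SORT, true) ? $sort : 'id';
}

// Whitelist for the included page: a fixed map means a value such as
// "../../etc/passwd" or a remote URL can never become the include path
// (file system attacks and remote code execution in the OWASP PHP top 5).
const TEMPLATES = ['home' => 'home.php', 'about' => 'about.php'];

function pickTemplate(array $query): string
{
    $page = $query['page'] ?? 'home';
    return is_string($page) && isset(TEMPLATES[$page]) ? TEMPLATES[$page] : TEMPLATES['home'];
}

// Filter input: validate the shape we expect (a positive integer) instead
// of trying to strip "dangerous" characters out of whatever arrived.
function readArticleId(array $query): ?int
{
    $raw = $query['id'] ?? null;
    if (!is_string($raw)) {
        return null;                       // ?id[]=1 arrives as an array
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// SQL injection: the user value travels as a bound parameter, never by
// string concatenation; the sort column is safe only because it was whitelisted.
function listArticles(PDO $pdo, string $sort): array
{
    $stmt = $pdo->query("SELECT id, slug FROM articles ORDER BY $sort LIMIT 50");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function loadArticle(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, slug, body FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape output: encode for the HTML context at the moment of output
// (cross site scripting). Stored data is treated as untrusted too.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function handle(PDO $pdo, array $query): string
{
    $id = readArticleId($query);
    if ($id === null) {
        http_response_code(400);
        return '<p>Invalid request.</p>';      // generic text; details stay in the log
    }
    try {
        $article = loadArticle($pdo, $id);
        $others  = listArticles($pdo, pickSort($query));
    } catch (PDOException $ex) {
        error_log('article lookup failed: ' . $ex->getMessage());
        http_response_code(500);
        return '<p>Something went wrong.</p>';  // no driver message, no query text
    }
    if ($article === null) {
        http_response_code(404);
        return '<p>Not found.</p>';
    }
    $html = '<h1>' . e($article['slug']) . '</h1><div>' . e($article['body']) . '</div><ul>';
    foreach ($others as $row) {
        $html .= '<li><a href="?id=' . (int) $row['id'] . '">' . e($row['slug']) . '</a></li>';
    }
    return $html . '</ul>';
}

// Usage:
// echo handle($pdo, $_GET);
// require __DIR__ . '/templates/' . pickTemplate($_GET);
```

The PHP Configuration item of the top 5 is covered only by the two `ini_set` calls at the top; in practice `display_errors` and `log_errors` belong in `php.ini` or the web server configuration so they apply before any script runs.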
  • Feedback
    • Consciously handle found issues
    • Praise, not prey
    • Handle proactively
  • The key to all this
    • Awareness
  • Implementation at Sogeti
    • PaSS (Pro-active Security Strategy)
    • Workgroup per expertise
      • PHP
      • Design
      • Testing
      • Etc.
    • Added value
  • Tooling example Finally.... some code!
  • Setting it up
  • The result
  • Working with the result
  • What’s next?
    • Logging attacks
      • File
      • MySQL
      • Email
    • Reporting and analysis
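The logging step described above, as an added example that is not part of the slides or of any tool they mention: one attack event written to the three sinks the slide names (file, MySQL, e-mail) so it can be reported on later. Written for PHP 8; the sink classes, the event layout and the `attack_log` table are this example's own assumptions.

```php
<?php
// Added example (not from the slides): record rejected input for later
// reporting and analysis. Assumed MySQL table:
//   CREATE TABLE attack_log (id INT AUTO_INCREMENT PRIMARY KEY, ts DATETIME,
//     remote_addr VARCHAR(45), uri TEXT, rule VARCHAR(64),
//     field VARCHAR(64), sample VARCHAR(200));

declare(strict_types=1);

interface AttackSink
{
    public function record(array $event): void;
}

// One JSON object per line: easy to grep and to feed into a reporting script.
final class FileSink implements AttackSink
{
    public function __construct(private string $path) {}

    public function record(array $event): void
    {
        // LOCK_EX so concurrent requests do not interleave half-written lines.
        file_put_contents(
            $this->path,
            json_encode($event, JSON_UNESCAPED_SLASHES) . PHP_EOL,
            FILE_APPEND | LOCK_EX
        );
    }
}

// The logged sample is itself hostile input: it is bound as a parameter,
// never concatenated into the INSERT, or the log would be injectable.
final class MysqlSink implements AttackSink
{
    public function __construct(private PDO $pdo) {}

    public function record(array $event): void
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO attack_log (ts, remote_addr, uri, rule, field, sample)
             VALUES (:ts, :remote_addr, :uri, :rule, :field, :sample)'
        );
        $stmt->execute([
            ':ts'          => $event['ts'],
            ':remote_addr' => $event['remote_addr'],
            ':uri'         => $event['uri'],
            ':rule'        => $event['rule'],
            ':field'       => $event['field'],
            ':sample'      => $event['sample'],
        ]);
    }
}

// E-mail for the events someone should look at now. Plain-text body, so the
// hostile sample is never rendered as HTML in the recipient's mail client.
final class MailSink implements AttackSink
{
    public function __construct(private string $to) {}

    public function record(array $event): void
    {
        $body = '';
        foreach ($event as $key => $value) {
            $body .= $key . ': ' . $value . "\n";
        }
        mail($this->to, 'Attack detected: ' . $event['rule'], $body);
    }
}

// Builds one event and hands it to every configured sink. The sample is
// truncated and control characters replaced so the log stays readable and
// a single request cannot fill the disk.
function logAttack(array $sinks, string $rule, string $field, string $value, array $server): array
{
    $event = [
        'ts'          => gmdate('Y-m-d H:i:s'),
        'remote_addr' => $server['REMOTE_ADDR'] ?? 'unknown',
        'uri'         => substr((string) ($server['REQUEST_URI'] ?? ''), 0, 1000),
        'rule'        => $rule,
        'field'       => $field,
        'sample'      => substr(preg_replace('/[\x00-\x1F\x7F]/', '?', $value), 0, 200),
    ];
    foreach ($sinks as $sink) {
        try {
            $sink->record($event);
        } catch (Throwable $ex) {
            // A failing sink must not take the application down; note it server-side.
            error_log('attack sink failed: ' . $ex->getMessage());
        }
    }
    return $event;
}

// Usage, next to the validation that rejected the value:
// $raw = $_GET['id'] ?? '';
// if (!is_string($raw) || filter_var($raw, FILTER_VALIDATE_INT) === false) {
//     logAttack([new FileSink('/var/log/app/attacks.log')], 'invalid_id', 'id', is_string($raw) ? $raw : 'array', $_SERVER);
// }
```

Do not pass password or session fields through `logAttack`: the sample is stored verbatim (apart from truncation), so the field whitelist at the call site decides what may end up in the log.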
  • Thank you for watching
    • References:
      • www.php.net
      • www.owasp.com
      • www.php-ids.org
      • www.sogeti.nl
      • www.zend.com
    • Contact:
    • E: [email_address] IM: [email_address] Skype: linderob Blog: http://php.linde002.nl/