Secure input and output
How not to suck at data validation
Anna Völkl / @rescueAnn
Hi, I'm Anna. http://anna.voelkl.at
I'm a Magento Certified Developer.
5 years Magento, Java/PHP since 2004
I love IT & Telecommunication and IT- & Information-
I work at . Web Agency in Vienna/AT
What is Magento?
Initial release 2008
Varien → eBay → Permira (private equity fund)
– Community Edition (CE, Open Source)
– Enterprise Edition (EE)
Why is Magento cool?
Medium-large enterprises, Small-Business Team
Very active developer community
(magento.stackexchange.com, Twitter, Slack, IRC, official forum, Reddit, ...)
Magento 2 ;-)
Security-Technology, Department of Defense Computer Security Initiative, 1980
OWASP Top 10 (2013)
1) Injection
2) Broken Authentication and Session Management
3) Cross-Site Scripting (XSS)
4) Insecure Direct Object References
5) Security Misconfiguration
6) Sensitive Data Exposure
7) Missing Function Level Access Control
8) Cross-Site Request Forgery (CSRF)
9) Using Components with Known Vulnerabilities
10) Unvalidated Redirects and Forwards
Stop „Last Minute Security“
Do the coding, spend last X hours on „making it
Secure coding doesn't really take longer
Data quality → software quality → security
Always keep security in mind
Every feature adds a risk.
Every input/output adds a risk.
Frontend input validation
Stop unwanted input when it occurs
Do not bother your server with crazy input
Only store, what you expect
Don't fill up your database with garbage.
Weird customers and their customer data were removed
Frontend validation added
Dropdown (whitelist) would have been an option too
Server side validation added
Think, act and design your software responsibly:
1) UTF-8 all the way
2) Client side validation, filter input
3) Server side validation
4) Data storage (database column size,...)
5) Escape output
6) Run tests
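As an added example, not code from the slides or from Magento itself, the following plain PHP shows the customer-form case study above and steps 1 to 5 of the checklist in one pass: reject invalid UTF-8, filter input against the characters you expect, whitelist the dropdown value, enforce the column size in characters, and escape at output time. The field names, column limits and country list are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): server-side validation plus output
// escaping for a customer form. Field names, limits and the country list
// are assumptions; adapt them to the real form and table definition.

/** Step 4: column sizes (in characters) the database actually has. Assumed values. */
const LIMITS = ['firstname' => 50, 'lastname' => 50, 'city' => 60];

/** Whitelist standing in for a dropdown (assumed values). */
const COUNTRIES = ['AT', 'DE', 'CH'];

/**
 * Validate raw form input. Returns [validatedFields, errors].
 * Only what is expected gets through; anything else is reported, not "fixed up".
 */
function validateCustomer(array $raw): array
{
    $clean = [];
    $errors = [];

    foreach (LIMITS as $field => $max) {
        $value = $raw[$field] ?? '';
        if (!is_string($value)) {            // field[]=... would arrive as an array
            $errors[$field] = 'wrong type';
            continue;
        }
        // Step 1: UTF-8 all the way. Malformed byte sequences are rejected outright.
        if (!mb_check_encoding($value, 'UTF-8')) {
            $errors[$field] = 'not valid UTF-8';
            continue;
        }
        $value = trim($value);
        // Step 3: characters expected in a name or city: letters in any script,
        // combining marks, space, dot, apostrophe, hyphen. Tags and control
        // characters fail here instead of being stored.
        if ($value === '' || !preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $value)) {
            $errors[$field] = 'unexpected characters';
            continue;
        }
        // Step 4: length measured in characters, matched to the column size.
        if (mb_strlen($value, 'UTF-8') > $max) {
            $errors[$field] = "longer than $max characters";
            continue;
        }
        $clean[$field] = $value;
    }

    // Whitelist: the only valid values are the ones the dropdown offers.
    $country = $raw['country'] ?? '';
    if (!is_string($country) || !in_array($country, COUNTRIES, true)) {
        $errors['country'] = 'not in whitelist';
    } else {
        $clean['country'] = $country;
    }

    return [$clean, $errors];
}

/** Step 5: escape at output time for an HTML text or attribute context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: one well-formed submission, one full of garbage.
$good = ['firstname' => 'Anna', 'lastname' => "O'Brien", 'city' => 'Wien', 'country' => 'AT'];
$bad  = ['firstname' => '<script>alert(1)</script>', 'lastname' => str_repeat('x', 51),
         'city' => "Wien\xff", 'country' => 'XX'];

foreach ([$good, $bad] as $input) {
    [$clean, $errors] = validateCustomer($input);
    if ($errors) {
        print_r($errors);   // the garbage submission fails on every field
        continue;
    }
    // Stored data is clean, but output is still escaped: validation is not escaping.
    printf("<p>%s %s, %s (%s)</p>\n",
        escapeHtml($clean['firstname']), escapeHtml($clean['lastname']),
        escapeHtml($clean['city']), escapeHtml($clean['country']));
}
```

The two steps are deliberately separate: validation decides what is allowed into the database, escaping decides how a value is rendered in a given output context. The apostrophe in "O'Brien" passes validation and is still turned into `&#039;` on output, which is why the escape call belongs in the template, not in the validator.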