PHP & The secure development lifecycle
Slides from the zendcon'08 presentation "PHP & The secure development lifecycle" by Robert van der Linde
1. PHP & The Secure Application Development Life-cycle: “The art of building secure PHPyramids”
  • Robert van der Linde
  • Santa Clara, 16 September 2008

2. Who’s that dude?
  • Robert van der Linde
  • 5 years of PHP experience
  • Team lead PaSS-PHP
  • Sogeti’s PHP training coordinator
  • Zend Certified Engineer

3. Secure PHPyramids

4. What is a secure application?
  • An application is secure if it does exactly what is expected at all times
  (diagram: Design, Implementation)

5. So what do we do?
  • Applications are information
  • Threats are everywhere
  • Creating secure applications needs a standardized approach
  • There is tooling available to help you

6. Application === Information
  (diagram: Integrity, Availability, Confidentiality; Information security)

7. Where do you implement security?

8. Where do threats come from?
  • Consciously

9. Where do threats come from?
  • Unconsciously

10. Approach

11. Requirements

12. Test plans
  • Training
  • Awareness
  • Outside-the-box thinking
  • Codified security test plans
  • Tools
    • OWASP WebScarab
    • Ratproxy
    • NTO Spider

13. Test results
  • Review with programmers
  • Reporting and analysis
  • End goal: clean bill of health

14. Code
  • OWASP PHP top 5
    • Remote code execution
    • Cross site scripting
    • SQL injection
    • PHP configuration
    • File system attacks
  • Best practices
    • Whitelisting vs. blacklisting
    • Filter input, escape output
    • Keep errors to yourself

15. Feedback
  • Consciously handle found issues
  • Praise, not prey
  • Handle proactively

16. The key to all this
  • Awareness

17. Implementation at Sogeti
  • PaSS (Pro-active Security Strategy)
  • Workgroup per expertise
    • PHP
    • Design
    • Testing
    • Etc.
  • Added value

18. Tooling example: Finally.... some code!

19. Setting it up

20. The result

21. Working with the result

22. What’s next?
  • Logging attacks
    • File
    • MySQL
    • Email
  • Reporting and analysis

23. Thank you for watching
  • References:
    • www.php.net
    • www.owasp.com
    • www.php-ids.org
    • www.sogeti.nl
    • www.zend.com
  • Contact:
    • E: [email_address] IM: [email_address] Skype: linderob Blog: http://php.linde002.nl/
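The “Code” slide lists the best practices (whitelisting vs. blacklisting, filter input / escape output, keep errors to yourself) against the OWASP PHP top 5, but the deck itself carries no code for them. The following request handler is an added example written for this page; it is not from the slides, from Sogeti or from PHPIDS. It assumes a constructed in-memory SQLite table and a hypothetical `users` search endpoint, and shows each practice at the place where it belongs: a whitelist for the `sort` column (the one value that cannot be bound as a parameter), `filter_var` for the integer `page`, bound parameters for the user-typed search string, `htmlspecialchars` at output time, and error detail sent to the log rather than to the browser.

```php
<?php
// Added example (not from the slides): the "Code" slide's best practices
// applied to one request handler - whitelist, filter input, escape output,
// prepared statements, and keeping errors to yourself.
declare(strict_types=1);

// Keep errors to yourself: log them, never render them to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Whitelisting vs. blacklisting: only these sort columns are ever accepted.
// An ORDER BY column cannot be bound as a parameter, so a whitelist is the
// only safe way to let the user choose it.
const ALLOWED_SORT = ['name', 'created_at'];

/** Filter input: return a validated, typed page number or null. */
function filterPage(array $query): ?int
{
    // FILTER_VALIDATE_INT with a range rejects "1 OR 1=1", "-1", "1.5", etc.
    $page = filter_var($query['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $page === false ? null : $page;
}

/** Filter input: accept the sort column only if it is on the whitelist. */
function filterSort(array $query): ?string
{
    $sort = $query['sort'] ?? 'name';
    return in_array($sort, ALLOWED_SORT, true) ? $sort : null;
}

/** Escape output: HTML-encode at the point of output, never on the way in. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** SQL injection: user data travels through bound parameters, never string concatenation. */
function findUsers(PDO $db, string $needle, string $sort, int $page): array
{
    // $sort may be interpolated only because filterSort() whitelisted it.
    $stmt = $db->prepare(
        "SELECT name FROM users WHERE name LIKE :needle ORDER BY $sort LIMIT 5 OFFSET :offset"
    );
    $stmt->bindValue(':needle', '%' . $needle . '%', PDO::PARAM_STR);
    $stmt->bindValue(':offset', ($page - 1) * 5, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** The handler: filter in, query with bound parameters, escape out, log errors. */
function handle(PDO $db, array $query): string
{
    $page = filterPage($query);
    $sort = filterSort($query);
    if ($page === null || $sort === null) {
        // Generic message for the user; the rejected input goes to the log only.
        error_log('rejected query: ' . json_encode($query));
        return '<p>Invalid request.</p>';
    }
    $needle = (string) ($query['q'] ?? '');
    try {
        $rows = findUsers($db, $needle, $sort, $page);
    } catch (PDOException $e) {
        error_log($e->getMessage());   // never echo $e->getMessage() to the browser
        return '<p>Something went wrong.</p>';
    }
    $out = '<ul>';
    foreach ($rows as $name) {
        $out .= '<li>' . h($name) . '</li>';
    }
    return $out . '</ul>';
}

// Constructed in-memory database so the script runs stand-alone (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, created_at TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', '2008-01-01'), ('<b>bob</b>', '2008-02-01')");

// Constructed query strings: a stored HTML fragment is rendered inert by h(),
// and a sort column that is not on the whitelist is rejected before any SQL runs.
echo handle($db, ['q' => 'b', 'sort' => 'name', 'page' => '1']), "\n";
echo handle($db, ['q' => '', 'sort' => 'name; DROP TABLE users', 'page' => '1']), "\n";
```

Run it with `php handler.php`; the first call prints the `<b>` tags entity-encoded, the second prints only the generic rejection message while the raw input lands in the PHP error log. The split matters for the “keep errors to yourself” point on the slide: with `display_errors` off, a PDO failure in `findUsers()` reaches the visitor as nothing more than “Something went wrong”, while the operator still gets the full message.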