PHP & The secure development lifecycle


Slides from the zendcon'08 presentation "PHP & The secure development lifecycle" by Robert van der Linde


1. PHP & The Secure Application Development Life-cycle
   “The art of building secure PHPyramids”
   - Robert van der Linde
   - Santa Clara, 16 September 2008

2. Who’s that dude?
   - Robert van der Linde
   - 5 years of PHP experience
   - Team lead PaSS-PHP
   - Sogeti’s PHP training coordinator
   - Zend Certified Engineer

3. Secure PHPyramids

4. What is a secure application?
   - An application is secure if it does exactly what is expected at all times
   (diagram labels: Design / Implementation)

5. So what do we do?
   - Applications are information
   - Threats are everywhere
   - Creating secure applications needs a standardized approach
   - There is tooling available to help you

6. Application === Information
   (diagram labels: Integrity / Availability / Confidentiality / Information security)

7. Where do you implement security?

8. Where do threats come from?
   - Consciously

9. Where do threats come from?
   - Unconsciously

10. Approach

11. Requirements

12. Test plans
    - Training
    - Awareness
    - Outside-the-box thinking
    - Codified security test plans
    - Tools
      - OWASP WebScarab
      - Ratproxy
      - NTO Spider

13. Test results
    - Review with programmers
    - Reporting and analysis
    - End goal: clean bill of health

14. Code
    - OWASP PHP top 5
      - Remote code execution
      - Cross site scripting
      - SQL Injection
      - PHP Configuration
      - File system attacks
    - Best practices
      - Whitelisting vs. blacklisting
      - Filter input, escape output
      - Keep errors to yourself
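The three best practices on the "Code" slide fit in one small request handler. The following PHP is an added example written for this page, not code from the presentation or from Sogeti; the table layout, the `ALLOWED_SORTS` whitelist, the helper names (`filterSort`, `filterId`, `e`, `findUser`) and the in-memory SQLite database standing in for MySQL are all my own assumptions. It shows a whitelist for a value that cannot be parameterised (a column name), `filter_var` validation for an integer id, a bound parameter for the SQL value, `htmlspecialchars` on the way out, and error handling that logs details server-side while the client only sees a generic message.

```php
<?php
// Added example (not from the slides): the "Code" slide's best practices in one
// request handler. Names such as ALLOWED_SORTS and findUser() are assumptions.
declare(strict_types=1);

// "Keep errors to yourself": never render errors to the client, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Whitelist: the only ORDER BY columns the application will ever accept.
const ALLOWED_SORTS = ['name', 'created_at'];

/**
 * Filter input: validate a user-supplied sort column against the whitelist.
 * A blacklist ("reject semicolons, comments, ...") has to enumerate every
 * dangerous token; the whitelist only has to name the good values.
 */
function filterSort(?string $raw): string
{
    return in_array($raw, ALLOWED_SORTS, true) ? $raw : 'name';
}

/** Filter input: an id must be a positive integer, anything else is rejected. */
function filterId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Escape output: HTML-body escaping applied at the point of output. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function findUser(PDO $pdo, int $id, string $sort): array
{
    // The id travels as a bound parameter, never concatenated into the SQL.
    // The column name cannot be bound, which is exactly why it went through
    // the whitelist in filterSort() before reaching this string.
    $stmt = $pdo->prepare("SELECT name, bio FROM users WHERE id = :id ORDER BY $sort");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'Alice', '<script>alert(1)</script>', '2008-09-16')");

try {
    // Constructed request input: a hostile sort value falls back to 'name',
    // a valid id passes through.
    $sort = filterSort($_GET['sort'] ?? 'name; DROP TABLE users');
    $id   = filterId($_GET['id'] ?? '1');
    if ($id === null) {
        http_response_code(400);
        exit('Invalid request');           // generic message, no detail leaks
    }
    foreach (findUser($pdo, $id, $sort) as $row) {
        // The stored <script> tag is rendered as text, not executed.
        echo '<p>', e($row['name']), ': ', e($row['bio']), "</p>\n";
    }
} catch (Throwable $ex) {
    error_log($ex->getMessage());          // details go to the server log only
    http_response_code(500);
    echo 'Something went wrong';           // no stack trace or SQL to the client
}
```

Run it with `php -S localhost:8080 example.php` and request `/?id=1&sort=created_at`; requesting `/?id=abc` yields the generic 400 while anything PDO throws ends up in the PHP error log rather than in the response body.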
15. Feedback
    - Consciously handle found issues
    - Praise, not prey
    - Handle proactively

16. The key to all this
    - Awareness

17. Implementation at Sogeti
    - PaSS (Pro-active Security Strategy)
    - Workgroup per expertise
      - PHP
      - Design
      - Testing
      - Etc.
    - Added value

18. Tooling example
    Finally.... some code!

19. Setting it up

20. The result

21. Working with the result

22. What’s next?
    - Logging attacks
      - File
      - MySQL
      - Email
    - Reporting and analysis

23. Thank you for watching
    - References:
      - www.php.net
      - www.owasp.com
      - www.php-ids.org
      - www.sogeti.nl
      - www.zend.com
    - Contact:
      E: [email_address]  IM: [email_address]  Skype: linderob  Blog: http://php.linde002.nl/
