This document summarizes a presentation on PHP security given to the NWO-PUG group. The presentation covers the most common web application attacks like injection, cross-site scripting, insecure authentication, and how to prevent them following secure coding principles. It discusses the OWASP Top 10 security risks and how to avoid each one through input validation, output encoding, authorization checking, secure session handling and encryption. The presentation emphasizes defense in depth and that attackers may combine different vulnerabilities.
PHP is the most commonly used server-side programming language, deployed on more than 80% of web servers worldwide. However, PHP is a 'grown' language rather than a deliberately engineered one, which makes writing insecure PHP applications far too easy and common. If you want to use PHP securely, you should be aware of all its pitfalls.
A talk about how to design code that helps you avoid some of the issues identified in the OWASP Top 10. Domain Driven Security is one of the main tools for achieving this.
This talk walks through the basics of web security without focusing too much on the particular tools you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help you avoid being the next easy harvest of The Bad Guys.
OWASP Top 10 - 2017: Top 10 web application security risks (Kun-Da Wu)
The OWASP team recently released the 2017 revised version of the ten most critical web application security risks. This presentation briefs you on the OWASP Top 10 - 2017 so you can learn more about these important security issues.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered these four vulnerabilities:
Injection
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Web Security - OWASP - SQL injection & Cross Site Scripting (XSS) (Ivan Ortega)
What is it?
How do you prevent it?
How do you test your web application?
What OWASP says about it
All about SQL injection and Cross Site Scripting (XSS)
Tools to test your web application
Rules to prevent attacks from hackers on your web site
XSS and SQL injection are the top two injection attacks currently threatening web applications.
Cross-site scripting (XSS) is a code injection attack that allows a malicious user to execute malicious JavaScript in another user's browser. A successful XSS attack compromises the security of both the web application and its users.
SQL injection is a technique where a malicious user can inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application.
Web application security is the process of securing confidential data stored online from unauthorized access and modification. This is accomplished by enforcing stringent policy measures.
A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
Is your code secure? Do you know the practices used in secure code review? In this talk you will see the important aspects of the various controls, building a reference for conducting secure code reviews in PHP.
View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/
Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints.
At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing.
There is much to learn about API security, regardless of whether you are a novice or expert and it’s extremely important that you do because security is an integral part of any development project, including API ecosystems.
This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem.
DURING THE WEBINAR, WE WILL COVER:
Managed APIs
OAuth 2.0 and API security patterns
Introduction to WSO2 Identity Server
How we align with OWASP API security guidelines
Phishing Seminar by M Nadeem Qazi (MnQazi) (M Nadeem Qazi)
This is the presentation phishing seminar.pptx, created and published by M Nadeem Qazi (MnQazi). It is suited to students who want help creating their own presentation on the topic of phishing or hacking.
As companies move towards offering SaaS products in the cloud, it becomes increasingly important to ensure these products are secured by default. This is because customers are no longer in control of their data, but data now resides on a third-party cloud provider.
Security is everyone's responsibility. It is now imperative that these cloud products be built with security in mind from the beginning.
In this session, Anshuman Bhartiya will discuss ways to build secure applications in the cloud.
Peeling the Onion: Making Sense of the Layers of API Security (Matt Tesauro)
APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using Kubernetes has APIs. There's a good foundation of AppSec knowledge out there, thanks in part to OWASP, but API security isn't exactly the same as AppSec. Additional complexity is part of the landscape, with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How do you make sense of the API security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API security landscape and reach a state of solid API security.
Web application vulnerabilities involve a system flaw or weakness in a web-based application. They have been around for years, largely due to not validating or sanitizing form inputs, misconfigured web servers, and application design flaws, and they can be exploited to compromise the application's security.
SQL injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.
Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
The key areas are:
* IDS Evasion
* Privilege Escalation
* Re-Enabling stored procedures
* Obtaining an interactive command-shell
* Data Exfiltration via DNS
Webhooks are extensions of APIs. The data arrives in a web request to your application. A webhook may be the result of an earlier API call; this type of webhook is also called a "callback", such as an 'asynchronous' request to the Number Insight API. Webhooks are also used to notify your application of events such as an incoming call or message.
The curious case of mobile app security (Ankit Giri)
A talk on the essence of Mobile app and mobile security. The agenda was as follows:
Why we need to secure the mobile apps!
What do you check when installing an app?
Mobile app security assessment
Some interesting cases of vulnerabilities
Let’s takeover your account
My Research and reported vulnerabilities
Powerpoint from CodepaLOUsa 2011.
Learn the various techniques bad guys can use to extract information from your .NET or Java applications or at least how you can recover the source code that your predecessor deleted before he quit. A demo filled session on how easy it is to extract information from virtually any .NET or Java application (yes, including Silverlight).
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Web Application Penetration Tests - Vulnerability Identification and Details ... (Netsparker)
These slides explain what the Vulnerability Identification stage consists of during a web application security assessment.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
2. Who are you and why are you in my house?
Chris Tankersley. Doing PHP for 8 years. Lots of projects no one uses, and a few that some do. TL;DR: https://github.com/dragonmantank
NWO-PUG, September 20, 2011
3. The Parts of Security
- It’s more than just a username/password
4. What is Secure Programming?
- Minimizing Attack Surface
- Establishing Secure Defaults
- Principle of Least Privilege
- Defense in Depth
- Fail Securely
- Don’t Trust Services or Users
- Separation of Duties
- Avoid Security through Obscurity
- Keep Security Simple
- Fix Security Issues Correctly
Source: https://www.owasp.org/index.php/Secure_Coding_Principles
12. A Bit More Real Life
13. Protecting against SQL Injection
- Use PDO and prepared statements
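The slide's advice as working code. This is an added example, not code from the talk: it uses an in-memory SQLite table named `users` constructed here (table and column names are assumptions) and shows both the parameter binding the slide recommends and the one case prepared statements cannot cover, a user-chosen identifier.

```php
<?php
// Added example, not from the slides: user lookup through PDO prepared statements.
// Uses an in-memory SQLite table `users` constructed here; table and column names are
// assumptions for the demo.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on any error rather than failing silently and continuing with bad state.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
    // client library, binds the parameters.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username) VALUES (:u)');
    foreach (['alice', 'bob'] as $u) {
        $ins->execute([':u' => $u]);
    }
    return $pdo;
}

// The vulnerable form, kept only as a comment: interpolating the value lets a quote in the
// username change the structure of the query.
//   $pdo->query("SELECT id FROM users WHERE username = '$username'");

function findUserId(PDO $pdo, string $username): ?int
{
    // The query text is fixed; the value travels separately and is only ever treated as data.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Identifiers and keywords cannot be bound as parameters; map user input onto an
// allowlist instead of interpolating it.
function usersOrderedBy(PDO $pdo, string $column): array
{
    $allowed = ['id' => 'id', 'username' => 'username'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $pdo->query('SELECT username FROM users ORDER BY ' . $allowed[$column])
               ->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = connect();
var_dump(findUserId($pdo, 'alice'));
var_dump(findUserId($pdo, "' OR 1=1 --"));   // the quote is just part of a name that does not exist
print_r(usersOrderedBy($pdo, 'username'));
```

The second lookup returns null rather than every row: with a placeholder the quote is data, not SQL. The ORDER BY helper is the part people forget; a column name arrives as a string but is part of the query structure, so the only safe treatment is a fixed map.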
14. Command Injection
- When your script calls an external program, users can run code
15. Protecting against Command Injection
- If allowing the user to specify commands, use escapeshellcmd()
- If allowing the user to specify arguments, use escapeshellarg()
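The escapeshellarg() case from the slide, written out. This is an added example rather than code from the talk; the upload directory and the `file` binary are assumptions, and it assumes PHP 8 for str_starts_with().

```php
<?php
// Added example, not from the slides: running a fixed external program on a user-supplied
// file name. The upload directory and the `file` binary are assumptions for the demo.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed location

// The vulnerable form, kept only as a comment: the shell parses the whole string, so a
// name containing ';' or '$(...)' runs a second command.
//   $out = shell_exec("file " . $_GET['name']);

function detectFileType(string $userName): string
{
    // Constrain first: an allowlist of characters and no path separators at all, so the
    // argument can only name something inside UPLOAD_DIR.
    if (!preg_match('/^[A-Za-z0-9._-]{1,128}$/', $userName) || str_starts_with($userName, '.')) {
        throw new InvalidArgumentException('invalid file name');
    }
    $path = UPLOAD_DIR . '/' . $userName;
    // The command name stays fixed; only the argument comes from the user, so
    // escapeshellarg() is the right tool: it single-quotes the value and escapes
    // any quote inside it.
    $out = shell_exec('file -b ' . escapeshellarg($path));
    return $out === null ? '' : trim($out);
}

// escapeshellcmd() is for the rarer case where the user chooses the whole command line;
// it neutralises shell metacharacters but leaves spaces, so the user can still add
// arguments. Prefer a fixed command plus escapeshellarg(), or proc_open() with an
// argument array (PHP 7.4+), which bypasses the shell entirely.

foreach (['report.pdf', 'x; id', '../etc/passwd'] as $name) {   // constructed inputs
    try {
        echo $name, ' => ', detectFileType($name), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ' => rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Two layers on purpose: the allowlist rejects anything surprising before it reaches the shell, and escapeshellarg() guarantees that whatever does get through is passed as exactly one argument. Either alone is weaker than both.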
16. HTML/Script Injection
- HTML Injection: when user input is used to create new markup that the application did not expect
- Script Injection: when user input is used to add new scripting to a page
18. Protecting against HTML/Script Injection
- Decide if you really need to take HTML input
- If you do:
  - Use an HTML cleaner like Tidy or htmLawed
  - Create a whitelist of allowed tags
- If you don’t:
  - Use htmlentities()/htmlspecialchars()
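The "if you don't take HTML" branch in code, extended to the two other output contexts where htmlspecialchars() alone is not enough. This is an added example, not the talk's code; the helper names e(), js() and safeHref() are this example's own, and the hostile inputs are constructed.

```php
<?php
// Added example, not from the slides: encode untrusted values for the context they land in.
// Helper names e(), js() and safeHref() are this example's own.
declare(strict_types=1);

// HTML body and attribute context. ENT_QUOTES encodes both quote styles, so the value is
// safe inside double- and single-quoted attributes; the charset must match the page.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript context inside <script>: HTML encoding is the wrong tool here. Emit a JSON
// literal; JSON_HEX_TAG turns '<' and '>' into \u003C and \u003E so a value can never
// close the script block.
function js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL context: a user-supplied link is only allowed if it is http(s); a javascript:
// URL would otherwise survive HTML encoding untouched.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

$name = '<img src=x onerror=alert(1)>';   // constructed hostile input
$link = 'javascript:alert(1)';             // constructed hostile input

echo '<p>Hello, ', e($name), '</p>', PHP_EOL;
echo '<a href="', safeHref($link), '">profile</a>', PHP_EOL;
echo '<script>var user = ', js($name), ';</script>', PHP_EOL;
```

The point the slide makes implicitly: encoding is per context. The same value needs entity encoding in markup, JSON encoding inside a script, and a scheme check in a link. If you do need to accept rich HTML, a cleaner such as htmLawed does the allowlisting; a hand-rolled tag filter is very easy to get wrong.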
23. What is it?
- Insecure storing of credentials
- Session IDs exposed via URL
- Session fixation attacks
24. Storing Credentials
- Hash with a salt using the hash() function
- Do not use md5 or sha1; use at least sha256
- md5 and sha1 are broken and not recommended for secure hashing
- If you have to use the raw data, encrypt using mcrypt
- Use AES256 (RIJNDAEL 256)
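Salted hashing as the slide describes it, beside the password_hash() API that PHP has shipped since 5.5. This is an added example, not the talk's code; it assumes PHP 7 or later for random_bytes(), and the passwords are constructed.

```php
<?php
// Added example, not from the slides. The first pair of functions does what the slide
// describes, a per-user random salt with hash('sha256'); the second pair uses
// password_hash()/password_verify() (PHP 5.5+), which exist because one fast SHA-256
// round, salted or not, can be brute-forced far too quickly on modern hardware.
declare(strict_types=1);

// Slide approach: salted SHA-256. The salt is random per user, so two users with the
// same password get different digests and precomputed tables are useless. Store both.
function saltedSha256(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 128-bit random salt, hex for storage
    return ['salt' => $salt, 'digest' => hash('sha256', $salt . $password)];
}

function verifySaltedSha256(string $password, array $stored): bool
{
    $calc = hash('sha256', $stored['salt'] . $password);
    // hash_equals() compares in constant time, so response timing does not leak how
    // many leading bytes matched.
    return hash_equals($stored['digest'], $calc);
}

// Preferred: a deliberately slow, salted password hash. The returned string embeds the
// algorithm, cost and salt, so one column suffices and the cost can be raised later.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Called after a successful login: re-hash if the stored cost is below the current one.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12]);
}

$rec = saltedSha256('correct horse battery staple');   // constructed password
var_dump(verifySaltedSha256('correct horse battery staple', $rec));
var_dump(verifySaltedSha256('wrong', $rec));

$h = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $h));
var_dump(needsUpgrade($h));
```

The salted-SHA-256 version satisfies the slide's rule (salt, no md5/sha1) and is fine for hashing things that are not passwords. For passwords, the cost factor is what matters, which is why the second pair is the one to use in new code.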
25. Session IDs in URL
- Commonly used when cookies can’t be enabled
- Make sure the following is set in your php.ini:
  - session.use_trans_sid = 0
  - session.use_only_cookies = 1
26. Session Fixation
- What happens if your users don’t log out?
- Use sessions to detect login status
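The two php.ini settings from slide 25 plus the login-status handling from slide 26, in one place. This is an added example, not the talk's code. It goes a step beyond the slides by calling session_regenerate_id() on login, which is the standard fixation defence (an ID planted before login never becomes an authenticated session), and assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the user id and timeout are constructed.

```php
<?php
// Added example, not from the slides: session hardening. Enforces the two php.ini
// settings the slide names (as ini_set() calls, for hosts where the ini file cannot be
// edited), adds cookie flags, and rotates the session ID on login and logout.
declare(strict_types=1);

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');   // never accept an ID from the URL
    ini_set('session.use_trans_sid', '0');      // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,    // not readable from document.cookie
        'secure'   => true,    // only sent over HTTPS
        'samesite' => 'Lax',   // not attached to cross-site POSTs
        'path'     => '/',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Fresh ID at the privilege change; `true` discards the old session data file, so a
    // fixated ID is left pointing at nothing.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Login status comes from the server-side session, never from anything the client sends.
function currentUserId(): ?int
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    // Absolute lifetime: a session the user never logged out of still expires.
    if (time() - ($_SESSION['login_at'] ?? 0) > 8 * 3600) {   // constructed limit
        logoutUser();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // rotate on the way out as well
    session_destroy();
}

startHardenedSession();
// After the submitted credentials have been verified:
loginUser(42);   // constructed user id
var_dump(currentUserId());
logoutUser();
```

session.use_strict_mode is the setting that makes fixation via a pre-chosen cookie value fail outright; the regenerate-on-login call covers the case where the attacker obtained a server-issued ID before the victim logged in.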
28. What is it?
- Making sure that the user actually has access to what they are accessing
- Should be handled by checking authorization at access time, or by mapping
- This is not an injection attack, but a logic attack
30. How to Avoid
- Always check to make sure the user has authorization to access the resource
- Map variables/whitelist to make it harder
31. Cross Site Request Forgery
- Or CSRF attacks
32. What is it?
- When unauthorized commands are sent to and from a trusted website
- In days gone by, this was prevented with Referer checking, but don’t trust referrer information
33. An example – Bank Transfer
- A bank transfer is done via $_GET variables
- User is still authenticated (has not logged out)
34. How to avoid this
- Include a hidden element in the form with a one-time value
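The hidden one-time value from the slide, implemented end to end. This is an added example, not the talk's code; the form name `transfer` and the simulated request cycle are constructed, and a real application would have session_start() in place of the plain array used here.

```php
<?php
// Added example, not from the slides: per-form one-time CSRF token. The token lives in
// the server-side session and is echoed as a hidden field; the form name is constructed.
declare(strict_types=1);

function csrfToken(string $formName): string
{
    // Fresh random value per rendered form, kept server-side. An attacker's page cannot
    // read our origin's responses, so it has no way to learn this value.
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$formName] = $token;
    return $token;
}

function csrfHiddenField(string $formName): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken($formName), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(string $formName, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$formName] ?? null;
    unset($_SESSION['csrf'][$formName]);   // one-time: consumed whether or not it matches
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// Simulated request cycle with a plain array standing in for the real session.
$_SESSION = [];

// Page render: the form carries a token.
$field = csrfHiddenField('transfer');
preg_match('/value="([0-9a-f]+)"/', $field, $m);
$issued = $m[1];

// A forged POST arrives first: wrong token, rejected, and the issued token is burned.
var_dump(csrfValid('transfer', 'forged-value'));

// The legitimate form is rendered again and submitted with its own token.
$field = csrfHiddenField('transfer');
preg_match('/value="([0-9a-f]+)"/', $field, $m);
var_dump(csrfValid('transfer', $m[1]));

// Replaying the same token fails because it was consumed.
var_dump(csrfValid('transfer', $m[1]));
```

Pair this with the other fix the slide's bank example implies: state-changing actions go over POST, never $_GET, so a plain link or image tag cannot trigger them even before the token check runs.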
36. Beyond the scope of programming
- Check the server hardening guidelines for your OS
- Password rotation practices
- Understanding your settings
- Keep your stack up to date!
38. More of a logic problem
- Encrypting data in the database, but leaving it unencrypted during output
- Using unsalted hashes
39. How to avoid this
- Like when storing credentials, use a salt whenever hashing information
- Only decrypt data when it is needed
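"Only decrypt when it is needed" as a concrete pattern, also covering the encryption half of slide 24. This is an added example, not the talk's code. The slides name mcrypt with AES-256; mcrypt was removed from PHP in 7.2, so this uses openssl_encrypt() with AES-256-GCM, which authenticates the ciphertext as well. The key, record type and IBAN value are constructed, and it assumes PHP 8 for constructor promotion.

```php
<?php
// Added example, not from the slides: keep a field encrypted in the database and decrypt
// only at the moment it is used. In practice the key comes from a secrets store or the
// environment, never from the database that holds the ciphertext.
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

function encryptField(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));   // unique per encryption
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // iv || tag || ciphertext, base64 so it fits a text column
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $key): string
{
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // Tag mismatch: the row was altered or the key is wrong. Fail closed.
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// A record that holds only ciphertext; dumping or logging the object leaks nothing, and
// the plaintext exists only inside the one accessor that needs it.
final class AccountRecord
{
    public function __construct(public string $ownerName, private string $encryptedIban) {}

    public static function create(string $owner, string $iban, string $key): self
    {
        return new self($owner, encryptField($iban, $key));
    }

    // Decrypt here, at the point of use, not when the row is loaded.
    public function iban(string $key): string
    {
        return decryptField($this->encryptedIban, $key);
    }
}

$key = random_bytes(32);   // constructed 256-bit key for the demo
$rec = AccountRecord::create('alice', 'DE00 0000 0000 0000 0000 00', $key);   // constructed
var_dump($rec->iban($key) === 'DE00 0000 0000 0000 0000 00');

// Flip one ciphertext bit: GCM's tag check refuses to return garbage.
$raw      = base64_decode(encryptField('anything', $key));
$tampered = base64_encode(substr($raw, 0, -1) . chr(ord($raw[-1]) ^ 1));
try {
    decryptField($tampered, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The slide's "unencrypted during output" problem is a design issue more than a crypto issue: if every loader decrypts eagerly, the plaintext ends up in templates, logs and debug dumps. Putting the decrypt call in the single accessor makes every use of the secret visible in code review.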
41. What is it?
- When users can gain access to parts of the application just through URL manipulation
- When the app doesn’t check authorization properly
42. Security through Obscurity
- Don’t trust that just because a user doesn’t know a URL, they can’t get to it
- Fuzzers can find all kinds of things, especially if the app is common
43. How to avoid this
- ALWAYS check authorization. The extra CPU cycles are worth it.
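One block serving both slide 30 ("map variables/whitelist") and slide 43 ("always check authorization"). This is an added example, not the talk's code; the documents, user ids and the in-memory store are constructed, and a real application would back them with the database and the real session.

```php
<?php
// Added example, not from the slides: authorization at the point of access plus an
// indirect reference map. Data and sessions here are plain arrays constructed for the demo.
declare(strict_types=1);

final class Forbidden extends RuntimeException {}

// Constructed data: which user owns which document.
$documents = [
    101 => ['owner' => 7, 'title' => 'Alice payroll'],
    102 => ['owner' => 8, 'title' => 'Bob contract'],
];

// 1. Authorization check at access time. The check is tied to the record actually
//    fetched, so a guessed or edited id in the URL cannot bypass it.
function loadDocument(array $documents, int $docId, int $currentUserId): array
{
    $doc = $documents[$docId] ?? null;
    // Fail securely: identical response for "does not exist" and "not yours", so the
    // URL cannot be used to enumerate which ids are real.
    if ($doc === null || $doc['owner'] !== $currentUserId) {
        throw new Forbidden('no such document');
    }
    return $doc;
}

// 2. Indirect reference map: the URL carries a per-session opaque key and the real id is
//    resolved server-side, so knowing a real id gives an attacker nothing to type.
function referenceFor(array &$session, int $docId): string
{
    $key = bin2hex(random_bytes(8));
    $session['refmap'][$key] = $docId;
    return $key;
}

function resolveReference(array $session, string $key): ?int
{
    return $session['refmap'][$key] ?? null;
}

$aliceSession = [];
$alice = 7;
$bob   = 8;

// Alice's page links to ?doc=<ref>; her request resolves and passes the ownership check.
$ref = referenceFor($aliceSession, 101);
$id  = resolveReference($aliceSession, $ref);
var_dump($id !== null ? loadDocument($documents, $id, $alice)['title'] : null);

// Bob's session holds no such key, and even with the raw id step 1 refuses him.
var_dump(resolveReference([], $ref));
try {
    loadDocument($documents, 101, $bob);
} catch (Forbidden $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The mapping in step 2 is the "make it harder" layer; the check in step 1 is the one that must never be skipped, because the map only hides ids, it does not prove ownership.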
45. Not using SSL when you should
- If your data is sensitive, use SSL
- Are your logins behind SSL?
- There isn’t really an excuse. You can get an SSL cert for $9/year.
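Putting the login behind TLS is partly a server configuration matter, but the application can refuse to cooperate with plain HTTP. This is an added example, not the talk's code; the canonical host name is an assumption, and the X-Forwarded-Proto check only applies when a proxy you control terminates TLS.

```php
<?php
// Added example, not from the slides: refuse to serve the login page over plain HTTP,
// and tell browsers to stop trying HTTP at all. The canonical host is an assumption.
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com';   // assumed

function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Trust this header only behind your own TLS-terminating proxy; a client can set
    // it directly otherwise.
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Returns the redirect target when one is needed, or null when the request already
// arrived over HTTPS (in which case HSTS is sent).
function enforceHttps(array $server): ?string
{
    if (requestIsHttps($server)) {
        // One year, including subdomains: the browser upgrades future requests itself.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return null;
    }
    // Use the configured host, not the client's Host header, so the redirect cannot be
    // steered elsewhere. Only a GET is safe to replay; a password POSTed over HTTP has
    // already been exposed, so send the user back to the page instead of forwarding it.
    $path   = ($server['REQUEST_METHOD'] ?? 'GET') === 'GET' ? ($server['REQUEST_URI'] ?? '/') : '/';
    $target = 'https://' . CANONICAL_HOST . $path;
    header('Location: ' . $target, true, 301);
    return $target;
}

// Constructed requests: one over HTTP, one over HTTPS.
var_dump(enforceHttps(['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/login']));
var_dump(enforceHttps(['HTTPS' => 'on', 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/login']));
```

Combine this with the Secure flag on the session cookie, otherwise a single HTTP request to any page on the host sends the session ID in the clear even though the login itself was protected.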
49. Attacking from Multiple Fronts
- Attackers will employ many different vectors in an attack
- HTML injection can take advantage of a broken auth system and use XSS or URL restrictions to force users to do unintended actions
- Script injection can lead to session hijacking
50. Remember…
- Minimizing Attack Surface
- Establishing Secure Defaults
- Principle of Least Privilege
- Defense in Depth
- Fail Securely
- Don’t Trust Services or Users
- Separation of Duties
- Avoid Security through Obscurity
- Keep Security Simple
- Fix Security Issues Correctly
Source: https://www.owasp.org/index.php/Secure_Coding_Principles