Security fundamentals
OOP =Must
Design and Architecture  Must
Security  Must (Top important)
-----------------------------------
Unit testing driven TDD = Must (Gnedy ?)
Framework = Should
SOA = May be
Real life experience with PHP in real situations
New Topics
The 5 most common attacks and how to prevent them?
SELECT * FROM users WHERE username='john' AND password='123456'
SELECT * FROM users WHERE username='john' OR 1=1; -- ' AND
Everything after the `--` is a comment, so the password check is never evaluated: this input could allow a user to bypass the login screen without having proper credentials.
• Never trust user input
• Sanitize with mysqli_real_escape_string
• Casting
• Parameterized queries
• Limited permissions, never use sa
• Test using the http://sqlmap.org/ tool
• Encrypt sensitive data
• Don't store sensitive data if you don't need it
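The login query from the slide above, first written the vulnerable way and then hardened with a parameterized query and casting, as an added example that is not part of the original slides. It assumes an existing mysqli connection in `$db` (built with mysqlnd, so `get_result()` is available) and a `users` table with `id`, `username` and `password_hash` columns.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Assumes $db is a mysqli connection and
// the users table has id, username and password_hash columns.

// VULNERABLE: user-controlled strings are concatenated straight into SQL.
// With the slide's input "john' OR 1=1; -- " the WHERE clause becomes
//   username='john' OR 1=1; -- ' AND password='...'
// and the password check is commented out, which is the bypass on slide 4.
function findUserUnsafe(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = $db->query($sql);
    if (!$result instanceof mysqli_result) {
        return null;
    }
    return $result->fetch_assoc() ?: null;
}

// SAFER: a prepared statement sends the query text and the values separately,
// so the database never parses attacker-controlled input as SQL. The password
// is not compared in SQL at all; the stored hash is checked in the application.
function findUserSafe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// "Casting" from the slide: when an input must be an integer, cast it before
// it reaches the query; anything non-numeric collapses to 0 and is bound as int.
function findUserById(mysqli $db, string $rawId): ?array
{
    $id = (int) $rawId;
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Last resort for a string literal that cannot be bound: escape it with the
// connection's charset-aware function, as the slide suggests. This does not
// help for identifiers (table or column names); those must come from a whitelist.
function escapedLiteral(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Usage with form input (constructed field names):
$user = findUserSafe($db, (string) ($_POST['username'] ?? ''));
$loggedIn = $user !== null
    && password_verify((string) ($_POST['password'] ?? ''), $user['password_hash']);
```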
• Mandate strong passwords
• Secure password reset mechanism
• Use reCAPTCHA or a captcha
• Use a security question
• Notify by email on any profile change!
• Avoid the "admin" user name
• Single request token, which also protects against CSRF attacks
• Encrypt (hash) passwords with a strong algorithm + salt
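Two items from the list above in code: salted password hashing with a strong algorithm, and a per-session request token checked on every state-changing form, which is what defends against CSRF. This is an added example, not code from the slides; it assumes `session_start()` has already been called, a mysqli connection in `$db`, and a `users.password_hash` column (all constructed for the example).

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Assumes an active session, $db as a
// mysqli connection and a users table with a password_hash column.

// --- Passwords: strong algorithm + salt -----------------------------------
// password_hash() generates a random salt per password and embeds it in the
// output, so the application never stores a plaintext or a reusable salt.
function storePassword(mysqli $db, int $userId, string $plaintext): void
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT); // bcrypt, salted
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->bind_param('si', $hash, $userId);
    $stmt->execute();
    $stmt->close();
}

function checkPassword(string $plaintext, string $storedHash): bool
{
    return password_verify($plaintext, $storedHash); // constant-time compare
}

// "Mandate strong passwords": a minimal server-side policy (assumed rules).
function isStrongPassword(string $p): bool
{
    return strlen($p) >= 12
        && preg_match('/[a-z]/', $p) === 1
        && preg_match('/[A-Z]/', $p) === 1
        && preg_match('/[0-9]/', $p) === 1;
}

// --- Request token (CSRF) -------------------------------------------------
// One unpredictable token per session, embedded in every state-changing form.
// A forged cross-site request cannot read the token, so it cannot supply it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into each form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate on submit: hash_equals() avoids leaking the token through timing.
function csrfIsValid(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Guard for a POST handler: refuse the request outright when the token is bad.
function requireValidCsrf(array $post): void
{
    if (!csrfIsValid($post)) {
        http_response_code(403);
        exit('Invalid request token');
    }
}
```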
• Use session_regenerate_id() to regenerate the session ID with each request
• Delete the cookie from the client on logout
• Limit session idle time
• Enable HTTPS, or make it easy to enable. How?
• Protect your cookies so they cannot be accessed by JavaScript at all!
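The session rules above in PHP, as an added example that is not part of the original slides: HttpOnly and Secure cookie flags, session ID regeneration, an idle-time limit, cookie deletion on logout, and a redirect to HTTPS. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()`), that it runs before any output, and an idle limit of 15 minutes chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Assumes PHP 7.3+ and no prior output.
const SESSION_IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

function isHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function startSecureSession(): void
{
    // HttpOnly keeps JavaScript away from the cookie (slide 9 and the quiz on
    // slides 15/16); Secure sends it only over HTTPS; SameSite limits
    // cross-site sending, which also helps against CSRF.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => isHttps(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();

    // Idle-time limit: a session that has been quiet too long is thrown away
    // and replaced by a fresh, empty one.
    $now  = time();
    $last = $_SESSION['last_activity'] ?? $now;
    if ($now - $last > SESSION_IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        session_start();
    }
    $_SESSION['last_activity'] = $now;

    // The slide asks for a new ID on every request; the minimum is at login
    // and on any privilege change (slide 17). true deletes the old session data.
    session_regenerate_id(true);
}

// After a successful login or a privilege change: new ID, old one gone.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

// Logout: clear server-side state and delete the cookie from the client.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,   // already expired: browser drops it
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// "Enable HTTPS or make it easy to enable": one guard that redirects plain
// HTTP to HTTPS once a certificate is in place (assumed to be configured).
function requireHttps(): void
{
    if (!isHttps()) {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $target, true, 301);
        exit;
    }
}

requireHttps();
startSecureSession();
```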
• Validate and sanitize each input
• Escape each output
• register_globals OFF
• Check the Security class of CodeIgniter
• File system permissions
• Prevent error reporting at run time
• Prevent descriptive responses
• URL rewriting for SEO and for protection
• Make sure you have the latest version of any 3rd-party tool you are using
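The input/output and runtime items from the two lists above in code, as an added example that is not part of the original slides: validate each input against what it is allowed to be, escape each output for the context it lands in, and keep error detail out of responses. It assumes PHP 7.4 or later and constructed form fields (`email`, `age`, `display_name`).

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Assumes PHP 7.4+ and the constructed
// form fields email, age and display_name.

// Runtime settings the slides ask for, shown as ini_set() so the intent is
// visible (in practice put them in php.ini). register_globals itself was
// removed in PHP 5.4, so on any supported PHP it cannot be on.
function hardenRuntime(): void
{
    ini_set('display_errors', '0');         // slide 13: no error output at run time
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');             // operators still get the detail in logs
    ini_set('expose_php', '0');             // drop the X-Powered-By header
    error_reporting(E_ALL);                 // log everything, show nothing
    set_exception_handler('failClosed');    // uncaught errors get a bland response
}

// Validate: accept only what each field may be; reject everything else.
// Returns the clean values and a list of field errors; raw input never passes.
function validateProfileInput(array $input): array
{
    $errors = [];
    $clean  = [];

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid email';
    } else {
        $clean['email'] = $email;
    }

    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors['age'] = 'age must be between 0 and 150';
    } else {
        $clean['age'] = $age;
    }

    // Whitelist of characters: letters, digits, space and a few punctuation marks.
    $name = trim((string) ($input['display_name'] ?? ''));
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $name)) {
        $errors['display_name'] = 'display name has invalid characters';
    } else {
        $clean['display_name'] = $name;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Escape on output, once, for the context the value is written into.
function e(string $s): string            // HTML body or attribute context
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function eUrlParam(string $s): string    // query-string context
{
    return rawurlencode($s);
}

function eJs($v): string                 // value embedded in a <script> block
{
    return (string) json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Generic failure response: detail to the log, nothing descriptive to the client.
function failClosed(Throwable $t): void
{
    error_log($t->getMessage());
    http_response_code(500);
    echo 'An error occurred.';           // slide 13: no descriptive responses
    exit;
}

// Usage: render a profile fragment from validated data only.
hardenRuntime();
$result = validateProfileInput($_POST);
if ($result['errors'] === []) {
    $u = $result['clean'];
    echo '<p>Hello ' . e($u['display_name']) . '</p>';
    echo '<a href="/search?q=' . eUrlParam($u['display_name']) . '">Search</a>';
    echo '<script>var user = ' . eJs($u) . ';</script>';
}
```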
• You use a request token to prevent which attack?
• A) CSRF
• B) Password brute-force attack
• C) SQL injection
• D) XSS
• E) A and B
• F) C and D
• G) All of the above
• You should configure your cookies to be accessed only via
• A) JavaScript
• B) Cookie
• C) Http
• D) All of the above
• A) The cookie cannot be accessed by JavaScript
• B) The cookie will not be sent cross-domain
• C) The client will send the cookie only over an HTTPS connection
• A client logs in
• A short idle period (i.e. 30 seconds)
• Any privilege level change
• Each request