php & the secure development lifecycle
Post on 17-Dec-2014
PHP & The Secure Application Development Life-cycle
“The art of building secure PHPyramids”
Robert van der Linde, Santa Clara, 16 September 2008
Who’s that dude?
• Robert van der Linde
• 5 years of PHP experience
• Team lead PaSS-PHP
• Sogeti’s PHP training coordinator
• Zend Certified Engineer
Secure PHPyramids
What is a secure application?
• An application is secure if it does exactly what is expected at all times
Design Implementation
So what do we do?
• Applications are information
• Threats are everywhere
• Creating secure applications needs a standardized approach
• There is tooling available to help you
Application === Information
Integrity, Availability, Confidentiality
Information security
Where do you implement security?
Where do threats come from?
• Consciously
• Unconsciously
Approach
Requirements
Test plans
• Training
• Awareness
• Outside-the-box thinking
• Codified security test plans
• Tools
> OWASP WebScarab
> Ratproxy
> NTO Spider
Test results
• Review with programmers
• Reporting and analysis
• End goal: clean bill of health
Code
• OWASP PHP top 5
> Remote code execution
> Cross site scripting
> SQL Injection
> PHP Configuration
> File system attacks
• Best practices
> Whitelisting vs. blacklisting
> Filter input, escape output
> Keep errors to yourself
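The three best practices on this slide, shown together in plain PHP as an added example (not code from the talk or from Sogeti); the request shape, the function names and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not from the slides. Names such as renderProfile() are hypothetical.
declare(strict_types=1);

// "Keep errors to yourself": never show PHP errors to the browser, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// "Whitelisting vs. blacklisting": accept only input whose shape is known to be good.
// A blacklist (strip "<script>", quotes, ...) misses anything not on the list;
// a whitelist names the allowed form and rejects everything else.
function filterUsername(string $raw): ?string
{
    // Only 3-32 lowercase letters, digits, dot, dash or underscore.
    return preg_match('/\A[a-z0-9._-]{3,32}\z/', $raw) === 1 ? $raw : null;
}

function filterPage(string $raw): ?int
{
    // A bounded positive integer; filter_var rejects signs, spaces and overflow.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $n === false ? null : $n;
}

// "Filter input, escape output": escaping is done at the output boundary, for the
// context the value lands in (HTML here; for SQL the equivalent is a prepared statement).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderProfile(array $get): string
{
    $user = filterUsername($get['user'] ?? '');
    $page = filterPage($get['page'] ?? '1');
    if ($user === null || $page === null) {
        // Reject rather than "clean" bad input; the client learns nothing about why.
        error_log('Rejected profile request: ' . json_encode($get));
        http_response_code(400);
        return '<p>Invalid request.</p>';
    }
    // Escape anyway: output escaping does not rely on input having been filtered.
    return '<h1>' . escapeHtml($user) . '</h1><p>Page ' . $page . '</p>';
}

// Constructed sample requests: the second is refused by the whitelist outright.
echo renderProfile(['user' => 'bob', 'page' => '2']), "\n";
echo renderProfile(['user' => '<script>x</script>', 'page' => '2']), "\n";
```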
Feedback
• Consciously handle found issues
• Praise, not prey
• Handle proactively
The key to all this
• Awareness
Implementation at Sogeti
• PaSS (Pro-active Security Strategy)
• Workgroup per expertise
> PHP
> Design
> Testing
> Etc.
• Added value
Tooling example
Finally... some code!
Setting it up
The result
Working with the result
What’s next?
• Logging attacks
> File
> MySQL
> Email
• Reporting and analysis
Thank you for watching
• References:
> www.php.net
> www.owasp.com
> www.php-ids.org
> www.sogeti.nl
> www.zend.com
• Contact:
E: robert.vander.linde@sogeti.nl
IM: linde002@hotmail.com
Skype: linderob
Blog: http://php.linde002.nl/