PHP SA 2013 - The weak points in our PHP projects
xsist10
The weak points in our PHP projects: are your dependencies getting you down?
1. The weak points in our systems
Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013

2. About me
– Senior developer for Clickatell
– Work remotely from Grahamstown in the Eastern Cape
– I like to break things
Copyright © 2012 Clickatell. All rights reserved.

3. The bare minimum we SHOULD be doing
– Preventing SQL injection and sanitizing user input
– Email and cellphone verification
  • Mitigate social engineering against the support team
– Salting and using strong hashing for passwords
  • As of PHP 5.5, www.php.net/password will make this trivial
– Forgotten password resets done by email link
– Use OAuth or OpenID
– Two-factor authentication
  • High-risk data
  • Premium support verification
  • Off-site staff authentication method

4. What the blogs haven't warned us about
No coder is an island. We all rely on:
– 3rd party libraries
– Frameworks
  • Symfony
  • Zend
– CMS packages
  • Joomla!
  • WordPress
– E-Commerce software
  • osCommerce
  • Magento
– CRM software
  • SugarCRM

5. So... time to come clean... I've done it too
Perception
– Using a version of Smarty without vulnerabilities (3.1.12)
Reality
– 4 versions of Smarty:
  • Version 2.6.26 with 11 vulnerabilities (7 critical)
  • Version 2.6.28 with 12 vulnerabilities (7 critical)
  • Version 2.6.11 with 12 vulnerabilities (7 critical)
– The other three were dependencies of another front-end system
– Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005)
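The finding above (one "known good" Smarty next to three stale copies dragged in by another front end) is exactly what a routine audit of vendored code should surface. The script below is an added example, not part of the talk, written in Python so it can run against any PHP tree; it assumes Smarty.class.php declares its version as `var $_version = '2.6.26';` (Smarty 2) or `const SMARTY_VERSION = 'Smarty-3.1.12';` (Smarty 3), and the file tree it runs on here is a constructed in-memory sample.

```python
import re
from pathlib import Path

# Version declarations expected in Smarty.class.php (an assumption about the
# file layout): Smarty 2.x `var $_version = '...'`, Smarty 3.x `const SMARTY_VERSION = 'Smarty-...'`.
_VERSION_RE = re.compile(
    r"(?:\$_version|SMARTY_VERSION)\s*=\s*['\"](?:Smarty-)?(\d+(?:\.\d+)+)['\"]"
)

def parse_version(source):
    """Return the Smarty version declared in a Smarty.class.php body as an int tuple."""
    match = _VERSION_RE.search(source)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def find_smarty_copies(files):
    """Map each Smarty.class.php in `files` (path -> contents) to its version."""
    copies = {}
    for path, source in files.items():
        if Path(path).name == "Smarty.class.php":
            version = parse_version(source)
            if version is not None:
                copies[path] = version
    return copies

def audit(files, minimum):
    """List every vendored copy and flag those older than `minimum` (e.g. '3.1.12')."""
    floor = tuple(int(p) for p in minimum.split("."))
    copies = find_smarty_copies(files)
    outdated = {path: v for path, v in copies.items() if v < floor}
    return {"copies": copies, "outdated": outdated}

def scan_tree(root):
    """Read a real project tree into the path -> contents mapping audit() expects."""
    return {str(p): p.read_text(errors="ignore")
            for p in Path(root).rglob("Smarty.class.php")}

# Constructed sample mirroring the talk: one current copy plus three stale
# copies pulled in by another front-end system (a non-Smarty file is ignored).
SAMPLE_FILES = {
    "vendor/smarty/libs/Smarty.class.php": "const SMARTY_VERSION = 'Smarty-3.1.12';",
    "frontend/lib/smarty/Smarty.class.php": "var $_version = '2.6.26';",
    "frontend/legacy/Smarty.class.php": "var $_version = '2.6.28';",
    "frontend/admin/Smarty.class.php": "var $_version = '2.6.11';",
    "vendor/other/Config.php": "var $_version = '9.9.9';",
}

if __name__ == "__main__":
    for path, version in sorted(audit(SAMPLE_FILES, "3.1.12")["outdated"].items()):
        print("outdated copy:", path, ".".join(map(str, version)))
```

On a real project call `audit(scan_tree("/path/to/project"), "3.1.12")`; every path in `outdated` is a copy that will keep shipping old vulnerabilities no matter how current the "official" one is.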
6. Let's get some real world data
– 43 popular open source web applications, libraries and frameworks
– 3,421 versions
– 5.6 million files

7. Worst offender

8. Some graph explanation
– Mean / Average
– Median
– The Doom Line

9. Some actual numbers please

10. What are SMBs using?

11. Where does the blame lie?
WordPress and Joomla!
– Highly popular = highly targeted
– Fix released before the vulnerability was disclosed
Libraries not so well behaved
– Most of the libraries found were vulnerable
– OpenX had a backdoor in their code base
Frameworks came off well
– No vulnerabilities for the versions found
Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm

12. Let's get a little ageist here

13. What's the sell-by date?

14. Let's just put those together

15. Some good news at least
We were looking at the worst of the worst
– SMB with little technical knowledge
– Freelancer CMS deploy
People will fix what they know is broken
– Growing awareness
– Emergence of auto-update tools
– Software houses and freelancers, up-sell those maintenance contracts

16. How much has the situation improved?

17. And for the developers
Means of distributing 3rd party code is improving
– Composer
  • Don't commit dependencies... specify them
  • Major release locking
  • Simple update mechanism

18. Questions?
@thomas_shone
www.shone.co.za