PHP SA 2013 - The weak points in our PHP projects
xsist10
The weak points in our PHP projects: Are your dependencies getting you down?
1.
The weak points in our systems
Are your dependencies getting you down?
Thomas Shone – Senior PHP Developer
PHP South Africa - Oct 2013
2.
Copyright © 2012 Clickatell. All rights reserved.
About me
Senior developer for Clickatell
Work remotely from Grahamstown in the Eastern Cape
I like to break things
3.
The bare minimum we SHOULD be doing
– Preventing SQL injection and sanitizing user input
– Email and cellphone verification
  • Mitigates social engineering against the support team
– Salting and using strong hashing for passwords
  • As of PHP 5.5, www.php.net/password (password_hash / password_verify) makes this trivial
– Forgotten-password resets done by email link
– Use OAuth or OpenID
– Two-factor authentication
  • High-risk data
  • Premium support verification
  • Off-site staff authentication method
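Two of the items above, prepared statements against SQL injection and salted, strong password hashing through the PHP 5.5 password API, in one small user store. This is an added example, not code from the slides or from Clickatell; it requires PHP 5.5 or later with the pdo_sqlite extension, and the in-memory database, the table layout, the cost setting and the sample account are constructed for the example.

```php
<?php
// Added example, not code from the original slides: prepared statements
// against SQL injection plus salted, strong password hashing via the
// PHP 5.5 password API (password_hash / password_verify / password_needs_rehash).
// Requires PHP >= 5.5 with pdo_sqlite. The in-memory database, the table
// layout, the cost and the sample account are constructed for the example.

const HASH_COST = 12; // bcrypt work factor (assumed value); raise it as hardware gets faster

function openUserStore()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, $email, $password)
{
    // password_hash() picks a random salt and stores it, with the algorithm
    // and cost, inside the returned string; nothing else needs to be kept.
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);

    // Bound parameters keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Returns true only when the email exists and the password matches.
function loginUser(PDO $db, $email, $password)
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If the stored hash was made with an older algorithm or a lower cost,
    // re-hash now, while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE email = :email');
        $stmt->execute([
            ':hash'  => password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]),
            ':email' => $email,
        ]);
    }
    return true;
}

$db = openUserStore();
registerUser($db, 'alice@example.com', 'correct horse battery staple');

var_dump(loginUser($db, 'alice@example.com', 'correct horse battery staple')); // right password
var_dump(loginUser($db, 'alice@example.com', 'Correct horse battery staple')); // wrong password
// A classic injection payload is bound as a literal email value, never parsed as SQL.
var_dump(loginUser($db, "' OR '1'='1", 'anything'));
```

The rehash step is what makes the cost parameter adjustable later: accounts hashed under an older setting are upgraded on their next successful login, without a migration that would need the plaintext.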
4.
What the blogs haven't warned us about
No coder is an island. We all rely on:
– 3rd party libraries
– Frameworks
  • Symfony
  • Zend
– CMS packages
  • Joomla!
  • Wordpress
– E-Commerce software
  • osCommerce
  • Magento
– CRM software
  • SugarCRM
5.
So... time to come clean... I've done it too
Perception
– Using a version of Smarty without vulnerabilities (3.1.12)
Reality
– 4 versions of Smarty:
– Version 2.6.26 with 11 vulnerabilities (7 critical)
– Version 2.6.28 with 12 vulnerabilities (7 critical)
– Version 2.6.11 with 12 vulnerabilities (7 critical)
The other three were dependencies of another front-end system.
Developers had not updated Smarty since 2009 (the version they are using was released in Dec 2005).
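The gap between "we're on 3.1.12" and "four copies are deployed" only closes if you look at the files rather than the package you remember installing. The scanner below is an added example, not code from the slides: it walks a project tree, finds every Smarty.class.php, pulls the version string out of each and flags copies below a minimum. The two version patterns are assumptions based on the Smarty 2.x (`var $_version = '...'`) and 3.1.x (`const SMARTY_VERSION = 'Smarty-...'`) source layouts; the sample tree it writes under the system temp directory is constructed to mirror the four copies described above.

```php
<?php
// Added example, not from the original slides: find every vendored copy of
// Smarty under a project tree and report its version. The version patterns
// are assumptions based on the Smarty 2.x and 3.1.x Smarty.class.php layouts:
//   Smarty 2.x:   var $_version = '2.6.26';
//   Smarty 3.1.x: const SMARTY_VERSION = 'Smarty-3.1.12';
// The sample tree below is constructed for the example.

function detectSmartyVersion($source)
{
    if (preg_match('/SMARTY_VERSION\s*=\s*\'(?:Smarty-)?([0-9.]+)\'/', $source, $m)) {
        return $m[1];
    }
    if (preg_match('/\$_version\s*=\s*\'([0-9.]+)\'/', $source, $m)) {
        return $m[1];
    }
    return null;
}

// Returns [path => version] for every Smarty.class.php under $root,
// sorted by path so the report is stable between runs.
function findSmartyCopies($root)
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() !== 'Smarty.class.php') {
            continue;
        }
        $version = detectSmartyVersion(file_get_contents($file->getPathname()));
        $found[$file->getPathname()] = ($version === null) ? 'unknown' : $version;
    }
    ksort($found);
    return $found;
}

// Copies whose version is below $minimum, or could not be determined at all,
// are reported; an unreadable version is treated as a finding, not ignored.
function reportOutdated(array $copies, $minimum)
{
    $outdated = [];
    foreach ($copies as $path => $version) {
        if ($version === 'unknown' || version_compare($version, $minimum, '<')) {
            $outdated[$path] = $version;
        }
    }
    return $outdated;
}

// Constructed sample tree: one current copy and three stale ones buried in
// other components, as on the slide.
$root = sys_get_temp_dir() . '/smarty-scan-' . uniqid();
$samples = [
    'lib/Smarty/Smarty.class.php'          => "<?php\nclass Smarty {\n    const SMARTY_VERSION = 'Smarty-3.1.12';\n}\n",
    'frontend/libs/Smarty.class.php'       => "<?php\nclass Smarty {\n    var \$_version = '2.6.26';\n}\n",
    'legacy/admin/smarty/Smarty.class.php' => "<?php\nclass Smarty {\n    var \$_version = '2.6.11';\n}\n",
    'plugins/reports/Smarty.class.php'     => "<?php\nclass Smarty {\n    var \$_version = '2.6.28';\n}\n",
];
foreach ($samples as $relative => $contents) {
    $path = "$root/$relative";
    mkdir(dirname($path), 0700, true);
    file_put_contents($path, $contents);
}

$copies = findSmartyCopies($root);
foreach ($copies as $path => $version) {
    echo str_replace($root . '/', '', $path), ' => ', $version, "\n";
}
$outdated = reportOutdated($copies, '3.1.12');
echo count($outdated), ' of ', count($copies), " copies are below 3.1.12\n";
```

Point it at a real document root instead of `$root` and the per-file loop becomes the inventory you compare against the advisory list; the same shape works for any library that keeps a version constant in a predictable file.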
6.
Let's get some real-world data
43 popular open source web applications, libraries and frameworks
3,421 versions
5.6 million files
7.
Worst offender
8.
Some graph explanation
– Mean / Average
– Median
– The Doom Line
9.
Some actual numbers, please
10.
What are SMBs using?
11.
Where does the blame lie?
Wordpress and Joomla!
– Highly popular = highly targeted
– Fix released before the vulnerability was disclosed
Libraries not so well behaved
– Most of the libraries found were vulnerable
– OpenX had a backdoor in their code base
Frameworks came off well
– No vulnerabilities for the versions found
Reference: http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.htm
12.
Let's get a little ageist here
13.
What's the sell-by date?
14.
Let's just put those together
15.
Some good news at least
We were looking at the worst of the worst
– SMBs with little technical knowledge
– Freelancer CMS deployments
People will fix what they know is broken
– Growing awareness
– Emergence of auto-update tools
– Software houses and freelancers: up-sell those maintenance contracts
16.
How much has the situation improved?
17.
And for the developers
Means of distributing 3rd party code is improving
– Composer
  • Don't commit dependencies... specify them
  • Major release locking
  • Simple update mechanism
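"Major release locking" only works if the constraints in composer.json are actually bounded. The audit below is an added example, not code from the slides or from Composer itself: it reads a manifest and flags any third-party requirement whose constraint would let a new major release in, such as `*`, `dev-master` or an open-ended `>=`, while accepting `~3.1`, `3.1.*`, an exact version or an explicit `>=x,<y` range. The constraint check is a deliberately conservative heuristic rather than Composer's own parser (anything it does not recognise is reported), and the two manifests, including the `some/plugin` package name, are constructed for the example.

```php
<?php
// Added example, not from the original slides: audit a composer.json for
// requirements that are not locked to a major release. The check is a
// conservative heuristic, not Composer's own constraint parser: any form it
// does not recognise is reported. The manifests and the "some/plugin"
// package name below are constructed for the example.

function isMajorLocked($constraint)
{
    $constraint = trim($constraint);

    // "*" and dev branches track whatever is newest.
    if ($constraint === '*' || strpos($constraint, 'dev-') === 0) {
        return false;
    }
    // ">=2.0" with no upper bound, no second clause and no alternative.
    if (preg_match('/^>=?\s*[0-9]/', $constraint) && !preg_match('/[<,|]/', $constraint)) {
        return false;
    }
    // Accepted: exact "2.6.26", wildcard "3.1.*", tilde "~3.1", caret "^3.1",
    // or an explicit comma-separated range with an upper bound ">=1.2,<2.0".
    return (bool) preg_match('/^(~|\^)?[0-9]+(\.[0-9]+)*(\.\*)?$/', $constraint)
        || (bool) preg_match('/^>=?\s*[0-9][^,]*,\s*<\s*[0-9]/', $constraint);
}

// Returns [package => constraint] for every unlocked third-party requirement.
function auditComposerJson($json)
{
    $manifest = json_decode($json, true);
    if (!is_array($manifest)) {
        throw new InvalidArgumentException('composer.json is not valid JSON');
    }
    $findings = [];
    foreach (['require', 'require-dev'] as $section) {
        if (empty($manifest[$section])) {
            continue;
        }
        foreach ($manifest[$section] as $package => $constraint) {
            // "php" and "ext-*" are platform requirements, not third-party code.
            if ($package === 'php' || strpos($package, 'ext-') === 0) {
                continue;
            }
            if (!isMajorLocked($constraint)) {
                $findings[$package] = $constraint;
            }
        }
    }
    return $findings;
}

// Constructed manifests: the first is what "just give me the latest" looks
// like, the second is the same set of dependencies locked to a major release.
$loose = <<<'JSON'
{
    "require": {
        "php": ">=5.3",
        "smarty/smarty": "*",
        "symfony/yaml": ">=2.0",
        "some/plugin": "dev-master"
    }
}
JSON;

$locked = <<<'JSON'
{
    "require": {
        "php": ">=5.3",
        "smarty/smarty": "~3.1",
        "symfony/yaml": "2.3.*",
        "some/plugin": ">=1.2,<2.0"
    }
}
JSON;

foreach (['loose' => $loose, 'locked' => $locked] as $label => $json) {
    $findings = auditComposerJson($json);
    echo "$label: ", count($findings), " unlocked constraint(s)\n";
    foreach ($findings as $package => $constraint) {
        echo "  $package => $constraint\n";
    }
}
```

Bounded constraints keep `composer update` inside a major release, which is the "simple update mechanism" the slide refers to: patch and minor releases come in, breaking changes do not until you widen the constraint on purpose. For an application, commit composer.lock as well so every deployment installs the same resolved set.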
18.
@thomas_shone
www.shone.co.za
Questions?