AFUP / MOZILLA / OWASP Meeting @Mozilla Paris, 5th June 2014

Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader & Evangelist, OWASP France

OWASP, the Life, the Universe and the ElePHPhants
http://www.google.fr/#q=sebastien gioria
• OWASP France Leader & Founder & Evangelist
• Innovation and Technology @Advens && Application Security Expert
  Twitter: @SPoint / @OWASP_France
• Application Security group leader for the CLUSIF
• Proud father of young kids trying to hack my digital life.
Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Open Web Application Security Project?
• Major projects you can use
Why Application Security?

Your Application has been Hacked?   YES / NO
Your Application will be Hacked ;)  YES / NO
Let me take you on the right way!
My Application will be hacked!
Next Step
First form in PHP
<?php
    // Both values are taken straight from the request, with no validation at all.
    $email   = $_REQUEST['email'];
    $message = $_REQUEST['message'];

    // $email lands unchecked in a mail header, $message unchecked in the body.
    mail("yourname@example.com", "Feedback Form Results",
         $message, "From: $email");

    header("Location: http://www.example.com/thankyou.html");
?>
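The feedback form above puts request data into a mail header and body without checking it, which is what makes mail header injection and spam relaying possible. The following is an added example, not code from the slides, showing how the same form looks with validation: only POST input is read, the address is validated with filter_var() (which rejects the CR/LF characters needed to append extra headers), the body is size-limited and stripped of control characters, and the user-supplied address is moved from From: to Reply-To:. It assumes PHP 7.0 or later with a working mail() setup; the recipient, sender and redirect addresses are placeholders.

```php
<?php
// Added example (not part of the original slides): hardened feedback form.
// Assumptions: PHP >= 7.0, mail() configured; addresses below are placeholders.
declare(strict_types=1);

const FEEDBACK_RECIPIENT = 'yourname@example.com';            // placeholder
const FEEDBACK_SENDER    = 'feedback@example.com';             // placeholder, fixed From:
const THANKYOU_URL       = 'http://www.example.com/thankyou.html';
const MAX_MESSAGE_BYTES  = 4000;

/**
 * Validate the reply address. FILTER_VALIDATE_EMAIL only accepts a single
 * mailbox, so line breaks (the building block of header injection) fail here.
 */
function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Belt and braces: never let a CR or LF reach a mail header.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    return $email;
}

/**
 * Normalise the free-text body: enforce a size limit, require valid UTF-8,
 * and strip control characters other than tab and newline.
 */
function validateMessage(string $raw): ?string
{
    if (strlen($raw) > MAX_MESSAGE_BYTES) {
        return null;
    }
    // [^\P{C}\t\n] = control characters that are not tab or newline.
    $clean = preg_replace('/[^\P{C}\t\n]/u', '', $raw);
    if ($clean === null || trim($clean) === '') {
        return null;   // invalid UTF-8 or empty message
    }
    return $clean;
}

/** Returns true when the mail was accepted for delivery, false on bad input. */
function handleFeedback(array $post): bool
{
    // Only POST data, never $_REQUEST (which also merges GET and cookies).
    $email   = validateEmail((string)($post['email'] ?? ''));
    $message = validateMessage((string)($post['message'] ?? ''));
    if ($email === null || $message === null) {
        return false;
    }
    // Fixed, trusted From: header; the visitor's address goes in Reply-To only.
    $headers = "From: " . FEEDBACK_SENDER . "\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return mail(FEEDBACK_RECIPIENT, 'Feedback Form Results', $message, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (handleFeedback($_POST)) {
        header('Location: ' . THANKYOU_URL, true, 303);
    } else {
        http_response_code(400);
        echo 'Invalid email address or message.';
    }
    exit; // always stop after sending a redirect or an error response
}
```

The redirect is followed by exit: the original form keeps executing after header("Location: ..."), which is harmless here but is the classic pattern behind "redirect but the protected page still renders" bugs.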
How to create a login page in PHP and MySQL
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'practice');
define('DB_USER', 'root');
define('DB_PASSWORD', '');

$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
$db  = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error());
/* $ID = $_POST['user']; $Password = $_POST['pass']; */

function SignIn() {
    session_start(); // starting the session for user profile page
    if (!empty($_POST['user'])) { // checking the 'user' name which is from Sign-In.html, is it empty or have some text
        // Request values are concatenated straight into the SQL string,
        // and passwords are compared in clear text.
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'")
            or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());

        if (!empty($row['userName']) AND !empty($row['pass'])) {
            $_SESSION['userName'] = $row['pass'];
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        } else {
            echo "SORRY... YOU ENTERED WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}

if (isset($_POST['submit'])) {
    SignIn();
}
?>
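The login above interpolates $_POST directly into the SQL statement (A1 Injection), stores and compares passwords in clear text, and even copies the password into the session. The block below is an added example, not code from the slide or from any OWASP project, of the same login written the way the Query Parameterization and Password Storage cheat sheets describe: a PDO prepared statement with a bound parameter, password_hash()/password_verify() for the stored credential, a regenerated session id on login, and one generic error message. It assumes PHP 7.0 or later with the PDO MySQL driver, the slide's table UserName(userName, pass) with `pass` now holding a password_hash() value, and database credentials supplied through environment variables (the names DB_HOST, DB_NAME, DB_USER and DB_PASSWORD are reused from the slide).

```php
<?php
// Added example (not part of the original slides): parameterised login with
// hashed passwords. Assumptions: PHP >= 7.0, PDO MySQL, table UserName(userName, pass)
// where `pass` holds a password_hash() result; credentials come from the environment.
declare(strict_types=1);

function dbConnect(): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
        getenv('DB_HOST') ?: 'localhost', getenv('DB_NAME') ?: 'practice');
    return new PDO($dsn, getenv('DB_USER') ?: 'root', getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]);
}

/** How `pass` is populated at registration time: never the clear-text password. */
function hashForStorage(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** A throw-away hash used so unknown users cost the same time as wrong passwords. */
function dummyHash(): string
{
    static $h = null;
    if ($h === null) {
        $h = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $h;
}

/**
 * True only if a row exists for $user AND the submitted password matches its
 * hash. The user name is a bound parameter, so quotes in the input cannot
 * change the meaning of the query.
 */
function checkCredentials(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pass FROM UserName WHERE userName = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, dummyHash()); // equalise timing, then fail
        return false;
    }
    return password_verify($password, (string)$hash);
}

/** Returns true on successful login; the session then holds only the identity. */
function signIn(PDO $db, array $post): bool
{
    $user = (string)($post['user'] ?? '');
    $pass = (string)($post['pass'] ?? '');
    if ($user === '' || $pass === '' || strlen($user) > 64) {
        return false;
    }
    if (!checkCredentials($db, $user, $pass)) {
        return false;
    }
    // New session id on privilege change (prevents session fixation);
    // store the user name, never the password or its hash.
    session_regenerate_id(true);
    $_SESSION['userName'] = $user;
    return true;
}

session_start();
if (isset($_POST['submit'])) {
    if (signIn(dbConnect(), $_POST)) {
        echo 'Successfully logged in.';
    } else {
        // One generic message for unknown user and wrong password alike.
        echo 'Invalid user name or password.';
    }
}
```

Compared with the slide's code, the query text no longer changes with the input, a database error surfaces as an exception instead of a die(mysql_error()) that leaks SQL details to the browser, and a leaked table reveals hashes rather than passwords.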
Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
Anything else?
We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• An important % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Why Application Security?
Age of Antivirus → Age of Network Security → Age of Application Security
[Figures: (c) Verizon 2014]
Who wins?
[Figure: (c) WhiteHatSecurity 2013]

Vulnerabilities?
[Figure: (c) WhiteHatSecurity 2013]
What is OWASP
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
What is OWASP
Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
Around the World
200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders
What is OWASP
Quality Resources
200+ Projects
15,000+ downloads of tools, documentation
[Chart: Documentation, Tools, Code (50%, 10%, 40%)]
Security Lifecycle

Security Resources
NEWS
A BLOG
A PODCAST
MEMBERSHIPS
MAILING LISTS
A NEWSLETTER
APPLE APP STORE
VIDEO TUTORIALS
TRAINING SESSIONS
SOCIAL NETWORKING
OWASP Projects
OWASP Top10 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure (ex-A9 insecure transport + A7 cryptographic storage)
A7: Missing Function Level Access Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
Cheat Sheets

Developer Cheat Sheets
• PHP Security Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Authentication Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• Input Validation Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• Query Parameterization Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Session Management Cheat Sheet
• HTML5 Security Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• Logging Cheat Sheet
• JAAS Cheat Sheet

Mobile Cheat Sheets
• IOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet

Draft Cheat Sheets
• Access Control Cheat Sheet
• REST Security Cheat Sheet
• Abridged XSS Prevention Cheat Sheet
• Password Storage Cheat Sheet
• Secure Coding Cheat Sheet
• Threat Modeling Cheat Sheet
• Clickjacking Cheat Sheet
• Virtual Patching Cheat Sheet
• Secure SDLC Cheat Sheet
• Web Application Security Testing Cheat Sheet
• Application Security Architecture Cheat Sheet
Enterprise Security API
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
PHP Version: https://code.google.com/p/owasp-esapi-php/
Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org
OWASP PHP Security Project
Purpose: OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools.
https://www.owasp.org/index.php/OWASP_PHP_Security_Project
Guides
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications

https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
Zed Attack Proxy
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.3.1 (21 May 2014)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Dates
• RSSIA Bordeaux: 20 June
  – HeartBleed revisited
• AppSec Europe 2014 - Cambridge:
• Java User Group Lille & Paris
  – Secure Coding for Java, autumn 2014
• Club 27001 / Paris - 25 September 2014
  – Presentation of the ISO 27034 standard
Supporting OWASP
• Several options:
  – Individual Member: $50
  – Corporate Member: $5000
  – Free donation
• Supporting only the France chapter:
  – Single Meeting supporter
    • Offer us a meeting room!
    • Take part with a talk or something else!
    • Simple donation
  – Local Chapter supporter:
    • $500 to $2000
License

@SPoint
sebastien.gioria@owasp.org

Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 

Último (20)

Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 

OWASP, PHP, life and universe

  • 1. AFUP/MOZILLA/OWASP Meeting @Mozilla Paris, 5th June 2014. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader & Evangelist OWASP France. "OWASP, the Life, the Universe and the ElePHPhants"
  • 3. http://www.google.fr/#q=sebastien gioria
    ‣ OWASP France Leader & Founder & Evangelist
    ‣ Innovation and Technology @Advens && Application Security Expert. Twitter: @SPoint / @OWASP_France
    ‣ Application Security group leader for the CLUSIF
    ‣ Proud father of young kids trying to hack my digital life.
  • 4. Agenda
    – Application Security: where we are (no bullshit); where we are (hopefully) going?
    – Open Web Application Security Project?
    – Major projects you can use
  • 6–14. Why Application Security? (a decision flowchart built up over nine slides). Node 1: "Your application has been hacked" (YES / NO). Node 2: "Your application will be hacked ;)" (YES / NO). The remaining branches lead to "Let me take you on the right way" and to the conclusion "My application will be hacked!", followed by "Next step".
  • 15–17. First form in PHP. The feedback form as it is typically found in tutorials (shown on the slides as the example of what not to do):

```php
<?php
    $email   = $_REQUEST['email'];    // untrusted input, used unmodified in a mail header below
    $message = $_REQUEST['message'];

    // "From: $email" is built by string interpolation: a CR/LF in $email
    // lets the sender append arbitrary headers (Bcc:, Cc:, ...) to the mail.
    mail("yourname@example.com", "Feedback Form Results",
         $message, "From: $email");
    header("Location: http://www.example.com/thankyou.html");
?>
```
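The same form with the missing controls, as an added example that is not part of the original slides: the sender address is validated as a single mailbox and rejected if it contains CR, LF or NUL, it only ever appears in `Reply-To` (the `From` stays a fixed address we control), the handler accepts POST only, and the redirect target is a constant. The recipient address and redirect URL are placeholders taken from the slide; PHP 7.1 or later is assumed for the nullable return types.

```php
<?php
// Added example (not from the original slides): hardened feedback form.
// Assumptions: FEEDBACK_RECIPIENT and THANKYOU_URL are placeholders.
declare(strict_types=1);

const FEEDBACK_RECIPIENT = 'yourname@example.com';
const THANKYOU_URL       = 'https://www.example.com/thankyou.html';

/**
 * Return the trimmed address if it is one well-formed mailbox, else null.
 * FILTER_VALIDATE_EMAIL already rejects CR/LF, but the explicit check makes
 * the threat (mail header injection) visible to whoever reviews this code.
 */
function validateSenderEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254 || preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

/**
 * Body text: drop NUL bytes, normalise line endings, cap the size.
 * The body is not a header, so newlines are legitimate here.
 */
function sanitiseMessage(string $raw, int $maxLen = 4000): ?string
{
    $msg = str_replace("\0", '', $raw);
    $msg = preg_replace("/\r\n?/", "\n", $msg);
    return ($msg === '' || strlen($msg) > $maxLen) ? null : $msg;
}

/**
 * Header block: From is fixed (so SPF/DMARC for our domain is not broken by
 * arbitrary sender domains); the validated user address goes in Reply-To.
 */
function buildHeaders(string $replyTo): string
{
    return implode("\r\n", [
        'From: Feedback Form <' . FEEDBACK_RECIPIENT . '>',
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
    ]);
}

// POST only: a crafted link (GET) must not be able to send mail on a visitor's behalf.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $email   = validateSenderEmail((string)($_POST['email'] ?? ''));
    $message = sanitiseMessage((string)($_POST['message'] ?? ''));

    if ($email === null || $message === null) {
        http_response_code(400);
        exit('Invalid e-mail address or message.');
    }

    mail(FEEDBACK_RECIPIENT, 'Feedback Form Results', $message, buildHeaders($email));

    // Constant, absolute redirect target: nothing from the request reaches this header.
    header('Location: ' . THANKYOU_URL, true, 303);
    exit;
}
```

To see the difference, submit `email=victim@example.com%0ABcc:spamlist@example.net` to both versions: the original relays the message to the injected Bcc address, the hardened one answers 400 because `validateSenderEmail()` returns null.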
  • 21. How to create a login page in PHP and MySQL
  • 23. The login code as found in a typical tutorial (shown on the slide as the example of what not to do; the flaws are noted in the comments):

```php
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'practice');
define('DB_USER', 'root');       // root account with an empty password
define('DB_PASSWORD', '');

// Raw database errors are echoed to the browser.
$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
    or die("Failed to connect to MySQL: " . mysql_error());
$db = mysql_select_db(DB_NAME, $con)
    or die("Failed to connect to MySQL: " . mysql_error());

/* $ID = $_POST['user']; $Password = $_POST['pass']; */

function SignIn()
{
    session_start(); // starting the session for the user profile page

    if (!empty($_POST['user'])) { // is the 'user' field from Sign-In.html empty or does it contain text?
        // $_POST values are interpolated into the SQL string: SQL injection.
        // Passwords are compared in clear text, so they are stored in clear text.
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'")
            or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());

        if (!empty($row['userName']) AND !empty($row['pass'])) {
            $_SESSION['userName'] = $row['pass']; // the password ends up in the session;
                                                  // the session id is never regenerated
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        } else {
            echo "SORRY... YOU ENTERED WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}

if (isset($_POST['submit'])) {
    SignIn();
}
?>
```
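The same login rewritten with the controls it lacks, as an added example that is not part of the original slides: PDO prepared statements (the username is bound, never concatenated), bcrypt via `password_hash()` / `password_verify()` so the password never reaches the database, one generic failure message and a dummy hash check for unknown users so the response does not reveal which usernames exist, `session_regenerate_id(true)` after a successful login against session fixation, and database errors sent to the log instead of the browser. The DSN, the `users(id, username, password_hash)` table and the `app_login` account are assumptions for the example; PHP 7.3 or later is assumed for the `session_start()` cookie options.

```php
<?php
// Added example (not from the original slides): hardened login.
// Assumptions: DSN, table users(id, username, password_hash), account app_login.
declare(strict_types=1);

const DB_DSN      = 'mysql:host=localhost;dbname=practice;charset=utf8mb4';
const DB_USER     = 'app_login';   // least privilege: SELECT/UPDATE on users only, not root
const DB_PASSWORD = 'change-me';

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASSWORD, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

/** Registration: store a bcrypt hash, never the password itself. */
function createUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

/**
 * Returns the user id on success, null on failure. The username is a bound
 * parameter, so a quote inside it is data, not SQL. password_verify() runs
 * even for unknown users (against a throw-away hash) so the timing of the
 * reply does not tell an attacker whether the username exists.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    if ($username === '' || strlen($username) > 64 || strlen($password) > 1024) {
        return null;
    }

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? $row['password_hash'] : $dummyHash;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparent upgrade when the default algorithm/cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $up->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int)$row['id'];
}

function signIn(): void
{
    session_start([
        'cookie_httponly' => true,
        'cookie_secure'   => true,   // requires HTTPS; the cookie is not sent over plain HTTP
        'cookie_samesite' => 'Lax',
    ]);
    try {
        $userId = authenticate(connect(), (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    } catch (PDOException $e) {
        error_log('login: database error: ' . $e->getMessage()); // details to the log, not the user
        $userId = null;
    }
    if ($userId === null) {
        http_response_code(401);
        echo 'Invalid username or password.';   // same message whether the user exists or not
        return;
    }
    session_regenerate_id(true);     // fresh session id after login: defeats session fixation
    $_SESSION['user_id'] = $userId;  // store an identifier, never the password
    echo 'Login successful.';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['submit'])) {
    signIn();
}
```

The classic test input for the original, `user=admin' OR '1'='1` with any password, is handled here as a literal username that does not exist: the prepared statement returns no row, `password_verify()` still runs once against the dummy hash, and the caller gets the same 401 as for a wrong password.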
  • 27. Game Over...
    – Do you have a VoIP phone?
    – Do you have an IP router / broadband box?
    – Do you have a smartphone?
    – Do you have customers / partners over the Internet?
  • 29. Why Application Security? We are living in a digital environment, in a connected world:
    – most websites are vulnerable to attacks;
    – an important share of business is web-based (services, online stores, self-care, telcos, SCADA, ...).
    Timeline: age of antivirus → age of network security → age of application security.
  • 34. Who wins? (chart, (c) WhiteHat Security 2013)
  • 35. Vulnerabilities? (chart, (c) WhiteHat Security 2013)
  • 36. What is OWASP: Mission Driven. Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services.
  • 37. What is OWASP: Community Driven. 30,000 mailing-list participants; 200 active chapters in 70 countries; 1,600+ members, 56 corporate supporters.
  • 38. Around the World: 200 chapters, 1,600+ members, 20,000+ Builders, Breakers and Defenders.
  • 39. What is OWASP: Quality Resources. 200+ projects; 15,000+ downloads of tools and documentation.
  • 43. News, a blog, a podcast, memberships, mailing lists, a newsletter, Apple App Store, video tutorials, training sessions, social networking.
  • 45–47. OWASP Top 10 2013 (the slide is in French; English names of the 2013 release):
    – A1: Injection
    – A2: Broken Authentication and Session Management
    – A3: Cross-Site Scripting (XSS)
    – A4: Insecure Direct Object References
    – A5: Security Misconfiguration
    – A6: Sensitive Data Exposure (merges the former A9, insufficient transport layer protection, and A7, insecure cryptographic storage, of the 2010 list)
    – A7: Missing Function Level Access Control
    – A8: Cross-Site Request Forgery (CSRF)
    – A9: Using Components with Known Vulnerabilities
    – A10: Unvalidated Redirects and Forwards
  • 48. Cheat Sheets
    Developer Cheat Sheets: PHP Security; OWASP Top Ten; Authentication; Cross-Site Request Forgery (CSRF) Prevention; Cryptographic Storage; Input Validation; XSS (Cross Site Scripting) Prevention; DOM based XSS Prevention; Forgot Password; Query Parameterization; SQL Injection Prevention; Session Management; HTML5 Security; Transport Layer Protection; Web Service Security; Logging; JAAS.
    Mobile Cheat Sheets: iOS Developer; Mobile Jailbreaking.
    Draft Cheat Sheets: Access Control; REST Security; Abridged XSS Prevention; Password Storage; Secure Coding; Threat Modeling; Clickjacking; Virtual Patching; Secure SDLC; Web Application Security Testing; Application Security Architecture.
  • 49. Enterprise Security API. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API – PHP version: https://code.google.com/p/owasp-esapi-php/
  • 50. OWASP PHP Security Project. Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org. Purpose: an effort by a group of PHP developers to secure PHP web applications, using a collection of decoupled, flexible, secure PHP libraries, as well as a collection of PHP tools. https://www.owasp.org/index.php/OWASP_PHP_Security_Project
  • 51. Guides
    – Development Guide: comprehensive manual for designing, developing and deploying secure web applications and web services. https://www.owasp.org/index.php/Category:OWASP_Guide_Project
    – Code Review Guide: mechanics of reviewing code for certain vulnerabilities and validation of proper security controls. https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
    – Testing Guide: understand the what, why, when, where, and how of testing web applications. https://www.owasp.org/index.php/Category:OWASP_Testing_Project
  • 52. Zed Attack Proxy. Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com. Purpose: the Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications. Last release: ZAP 2.3.1 (21 May 2014). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 53. The OWASP Secure Software Contract Annex. Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered. Context: most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. Objective: clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • 54. Dates
    – RSSIA Bordeaux, 20 June: HeartBleed revisited
    – AppSec Europe 2014, Cambridge
    – Java User Group Lille & Paris: Secure Coding for Java, autumn 2014
    – Club 27001 / Paris, 25 September 2014: presentation of the ISO 27034 standard
  • 55. Supporting OWASP
    – Several options: individual member, $50; corporate member, $5,000; free donation.
    – Supporting only the France chapter: Single Meeting supporter (offer us a meeting room, contribute a talk or something else, or make a simple donation); Local Chapter supporter ($500 to $2,000).