Title: Defensive Programming for PHP
Trainer: Mike Doyle
When: October 22nd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals
Abstract:
This full-day course helps PHP developers understand the features and specifics of the platform that can potentially introduce risks. The course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications.
PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.
The features and specifics covered by this course include (but are not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Defensive techniques covered by this course include file system access, session management, authentication, input validation and output encoding, cross-site request forgery prevention, transport security, and the prevention of injection attacks.
This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:
Labs and Demonstrations
Two labs guide the student through secure configuration and remediation of an insecure PHP application. These labs are provided as an Oracle VirtualBox VM running a typical LAMP stack, with configuration management provided by Puppet. A variety of supplemental open source development and security tools are provided on the VM. Students who wish to participate are encouraged to bring their own laptops with Oracle VirtualBox installed. Students may wish to collaborate in pairs or small groups.
There are also two interactive demonstrations in which the lab's PHP application is exploited to show directory traversal, information leakage, and SQL injection.
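As an added illustration for this listing (not course material from the trainer), the PHP below shows two of the defects the demonstrations exploit, directory traversal through a dynamic include and SQL injection, each beside a hardened form. The page router, templates directory and products table are hypothetical; the in-memory SQLite table is constructed so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not part of the course. The "page" router, TEMPLATE_DIR
// and the products table are hypothetical; only the two patterns matter.

// --- Dynamic file inclusion / directory traversal ------------------------
const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE: untrusted input becomes part of the included path.
// ?page=../../../../etc/passwd%00 walks out of TEMPLATE_DIR; on PHP before
// 5.3.4 the null byte also truncated the appended ".php" suffix, so any
// readable file, not just .php files, could be pulled in.
function resolve_template_vulnerable(string $page): string
{
    return TEMPLATE_DIR . '/' . $page . '.php';
}

// HARDENED: the request value is only a key into a fixed allow-list, so no
// user-controlled characters ever reach the filesystem.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_template_safe(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null; // caller answers 404
    }
    return TEMPLATE_DIR . '/' . $page . '.php';
}

// --- SQL injection ---------------------------------------------------------
function open_demo_db(): PDO
{
    // Constructed in-memory table so the example runs without a server.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for native prepares where the driver supports them instead of
    // client-side string emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
    $db->exec("INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99)");
    return $db;
}

// VULNERABLE: the parameter is interpolated into the statement, so
// ?id=1 OR 1=1 returns every row and a UNION SELECT can read other tables.
function find_product_vulnerable(PDO $db, string $id): array
{
    return $db->query("SELECT name, price FROM products WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: bound, typed parameter; the value travels as data and is never
// parsed as SQL.
function find_product_safe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_demo_db();
$payload = '1 OR 1=1';
printf("vulnerable lookup returned %d rows\n", count(find_product_vulnerable($db, $payload)));
printf("hardened lookup returned %d rows\n", count(find_product_safe($db, $payload)));
var_dump(resolve_template_safe('../../etc/passwd'));
```

Run with the SQLite PDO driver enabled: the interpolated query returns both rows for the `1 OR 1=1` payload, while the bound query casts the value to the integer 1 and returns only the widget row; the traversal string is rejected by the allow-list and resolves to `NULL`. The allow-list, rather than stripping `..` or null bytes from the input, is the remediation to prefer, because it does not depend on enumerating every dangerous character sequence.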