PHP Security Project - SbanWart

PHP Security Project

Wednesday, July 12, 2006

PHP Security by Example

Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two.

About a week ago, the Flash version of PHP Security by Example was Dugg.

I'm always disappointed to see trolls (Digg seems to have a bigger problem with this than Slashdot), but a few of the comments raise some valid questions. I'll try to summarize and answer those here.

It's true that slides are never a substitute for a talk, and this is especially true for this one, because it's a hands-on workshop. It's something Marco calls a BYOL (bring your own laptop), and it involves a lot of one-on-one attention and hand-holding.

The reason it's in Flash is because the person submitting the story linked to the Flash version. :-) To be fair, the only other format available for this talk is PDF. I've been wanting to create a nice web application for viewing Keynote slides. I think the best approach might be to export the slides as images, and create a simple slide navigator. I can always continue to also offer PDF, Quicktime, and Flash formats.

OWASP, the Open Web Application Security Project

OWASP, the Open Web Application Security Project, is famous for its Top Ten list of security vulnerabilities. David ported the list to PHP (PHP and the OWASP Top Ten), and now OWASP has released its own PHP-specific list, the PHP Top 5:
The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application framework.In 2005, OWASP collaborated with SANS to research and write a completely new PHP section to their successful Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.

Home User's Security Checklist

SecurityFocus has a nice checkbox system to let you score your own PC security level. Each checkbox item has a link to get more information. Using this sytem, you can check the boxes you know are 'ok' and follow-up by reading more information about the items which you are unsure.

About me and PHP

Hello World

My name is Sco Sban Wart :) It is my blog :) I will write about php security and put some interesting information from the net.

PHP is a very popular language. Every PHP developer and hoster should understand the primary attack vectors being used by attackers against PHP applications.

This article is the underlying research behind the SANS Top 20 2005's PHP section. The methodology used in the preparation of this article is to review all Bugtraq postings containing the word "PHP" and categorize each unique flaw. The author analyzed the most popular flaws / attacks, and researched prevention techniques, resulting in this article.