
90K reasons security is a must - PHPBenelux Edition

DragonBe
September 17, 2014

90K reasons security is a must - PHPBenelux Edition

We have all focused on best practices and code quality over the past years, but we seem to have forgotten the most important aspect of the web: security.
This talk gives an overview of the first line of defence in your code, how to ensure that new exploits and hacking techniques are covered with tests, and how to build solid web applications that are secured well enough to keep script kiddies and wannabe hackers away. I will also give some tips on what to do when your company becomes a victim of cyber crime.


Transcript

  1. 90K reasons
    why security is a must

  2. About a year ago

  3. A year later

  4. https://www.flickr.com/photos/andymag/9349743409

  5. Neverending awareness
    https://www.flickr.com/photos/yonolatengo/8338597558

  6. Why bother?
    https://www.flickr.com/photos/emagic/56206868

  7. In the news…
    https://www.flickr.com/photos/39908901@N06/6923408938

  8. Yes, you’re a target!
    https://www.flickr.com/photos/jeepersmedia/14546059371

  9. Email addresses are valuable!
    https://www.flickr.com/photos/horiavarlan/4514164700

  10. One password, many sites!

  11. Who’s after my data?
    https://www.flickr.com/photos/teegardin/6093810333

  12. Script kiddies

  13. Amateur hacker
    https://www.flickr.com/photos/hackny/6203305706

  14. Professional hacker
    https://www.flickr.com/photos/equinoxefr/6857174987

  15. Business Competition
    https://www.flickr.com/photos/haggismac/5090028513

  16. Governments
    https://www.flickr.com/photos/defenceimages/7985695591

  17. What to do against it?
    https://www.flickr.com/photos/drachmann/327122302

  18. Cultural differences
    https://www.flickr.com/photos/robdeman/2390666040

  19. Legal regulations
    https://www.flickr.com/photos/puisney/1674586821

  20. Architectural considerations
    https://www.flickr.com/photos/niftyniall/12768922813

  21. Restrict physical access
    https://www.flickr.com/photos/zapthedingbat/487133720

  22. Secure your network
    https://www.flickr.com/photos/99279135@N05/14618342277

  23. Extra care for privacy data
    https://www.flickr.com/photos/hyku/368912557

  24. Use encryption
    https://www.flickr.com/photos/ideonexus/5175383269

  25. Lock down your application
    https://www.flickr.com/photos/simon_cocks/4534589059

  26. Create security checkpoints
    https://www.flickr.com/photos/paulk/2212992458

  27. Track movements
    https://www.flickr.com/photos/timsamoff/362730755

  28. Code considerations
    https://www.flickr.com/photos/nyuhuhuu/4443886636

  29. Security is not an afterthought!
    https://www.flickr.com/photos/webb-zahn/10971215425

  30. Sanitise data, always

    $id = $_GET['id'];

    // sanitise tainted data, then validate it as an integer
    $clean_id = filter_var($id, FILTER_SANITIZE_NUMBER_INT);
    $clean_id = filter_var($clean_id, FILTER_VALIDATE_INT);
    if (0 < $clean_id) {
        // bind the validated value as a typed parameter; never interpolate it into the SQL
        $stmt = $pdo->prepare(
            'SELECT * FROM TABLE WHERE `id` = ?'
        );
        $stmt->bindParam(1, $clean_id, PDO::PARAM_INT);
        $stmt->execute();
    }

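The sanitise, validate and bind pattern from slide 30, wrapped in functions and exercised against several kinds of tainted input. This is an added example, not the speaker's code; it assumes PHP 8 with the pdo_sqlite extension, and the `users` table, its rows and the `cleanId`/`findUser` names are constructed for the demonstration.

```php
<?php
// Added example, not from the slides: the sanitise -> validate -> bind pattern
// of slide 30 wrapped in functions and run against a constructed in-memory
// SQLite table (needs the pdo_sqlite extension). Table and rows are made up.
declare(strict_types=1);

// Turn a tainted request value into a positive integer id, or null if it does
// not validate. Sanitising strips everything but digits and signs; validating
// then rejects anything that is still not an int, or is below 1.
function cleanId(mixed $tainted): ?int
{
    if (!is_string($tainted) && !is_int($tainted)) {
        return null; // e.g. ?id[]=1 arrives as an array; refuse it outright
    }
    $sanitised = filter_var((string) $tainted, FILTER_SANITIZE_NUMBER_INT);
    $validated = filter_var($sanitised, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $validated === false ? null : $validated;
}

// Look a record up by a tainted id: only a validated int reaches the query,
// and it reaches it as a typed bound parameter, never by string interpolation.
function findUser(PDO $pdo, mixed $tainted): ?array
{
    $id = cleanId($tainted);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture so the example runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Simulated $_GET['id'] values: clean, padded, junk-suffixed, zero, negative, text, array.
foreach (['2', ' 1 ', '12abc', '0', '-1', 'abc', ['1']] as $input) {
    $id  = cleanId($input);
    $row = findUser($pdo, $input);
    printf("%-8s -> id=%-5s row=%s\n", json_encode($input),
        $id === null ? 'null' : $id, $row['name'] ?? 'none');
}
```

The '12abc' case shows the caveat of sanitising before validating: the junk is silently stripped and 12 is accepted as an id, whereas FILTER_VALIDATE_INT on its own rejects '12abc'. If mangled input should be refused rather than repaired, drop the sanitise step and validate alone.
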
  31. Use the right tool for the job
    https://www.flickr.com/photos/florianric/7263382550

  32. Layered security
    https://www.flickr.com/photos/feesta/2700575201

  33. You know all this, right!
    https://www.flickr.com/photos/sarahreido/3120877348

  34. Victim of an attack?
    https://www.flickr.com/photos/marittoledo/8512244945

  35. Know you’ve been hacked!

  36. Inform everyone ASAP!
    https://www.flickr.com/photos/bluerobot/5490728061

  37. Get security advice!

  38. Inform the world

  39. Your turn
    https://www.flickr.com/photos/tmab2003/4277896845

  40. Spread the word
    https://www.flickr.com/photos/suneko/373310729

  41. Comment on “bad” practices
    https://www.flickr.com/photos/sebastian_bergmann/3991539605

  42. Learn about the risks

  43. Learn the basics of hacking
    hack.me

  44. Use hack cheat sheets
    ha.ckers.org

  45. Continuously unit test!

  46. Other resources…

  47. Essential PHP Security

  48. Security Checklist
    snipe.ly/risk_matrix

  49. May the force be with you

  50. Questions
    https://www.flickr.com/photos/colinkinner/2200500024

  51. https://www.flickr.com/photos/psd/2086641

  52. joind.in/11926
    If you like it, thanks.
    If you don’t, please tell me how to improve

  53. Contact us
    Consulting - Training - Audits - Graphics
    www.in2it.be - [email protected]