rise of the planet of the anonymous

34
www.mimos.my © 2009 MIMOS Berhad. All Rights Reserved. Errazudin Ishak Rise of the Planet of the Anonymous OWASP Day Kuala Lumpur 2011

Upload: phptechtalk

Post on 19-Jun-2015

695 views

Category:

Technology


1 download

DESCRIPTION

Rise of the Planet of the Anonymous(and what you should do as a PHP developer). Knowledge sharing session at OWASP Day Kuala Lumpur, Malaysia 2011

TRANSCRIPT

Page 1: Rise of the Planet of the Anonymous

www.mimos.my © 2009 MIMOS Berhad. All Rights Reserved.

Errazudin Ishak

Rise of the Planet of the Anonymous

OWASP Day Kuala Lumpur

2011

Page 2: Rise of the Planet of the Anonymous

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Rise of the Planet of the Anonymous

(and what you should do as a PHP developer)

Page 3: Rise of the Planet of the Anonymous

Agenda

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

• You

• Me

• Anonymous

• Why PHP

• PHP Security

• Resources

Page 4: Rise of the Planet of the Anonymous

About You

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Name : Designation : Day job : Night job :

Page 5: Rise of the Planet of the Anonymous

• Errazudin Ishak

• @errazudin

• Senior engineer @ Mimos Bhd Malaysia

• Focuses on web application development, deployment, performance and stability.

• 2009 : foss.my , MyGOSSCON

• 2010 : Entp. PHP Techtalk, BarcampKL, PHP Meetup, MOSC2010, PHP Northwest UK, MyGOSSCON

• 2011 : INTAN Tech Update, Wordpress Conf. Asia, Joomla! Day, MOSC

About Me

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Page 6: Rise of the Planet of the Anonymous

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Page 7: Rise of the Planet of the Anonymous

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Page 8: Rise of the Planet of the Anonymous

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

ANONYMOUS

Page 9: Rise of the Planet of the Anonymous

Why so serious? – Joker

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Page 10: Rise of the Planet of the Anonymous

News

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

http://goo.gl/oVjqz

91

76 ATTACKED

RECOVERED

Page 11: Rise of the Planet of the Anonymous

Internet

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

“…anonymous, uncontrolled, always on, and instantly accessible

from anywhere”

Page 12: Rise of the Planet of the Anonymous

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Evolution…

Page 13: Rise of the Planet of the Anonymous

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

http://evolutionofweb.appspot.com/

..becomes revolution

Page 14: Rise of the Planet of the Anonymous

Does it apply here? (web security)

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

"Good programmers write code, great programmers reuse"

Defcon19

Page 15: Rise of the Planet of the Anonymous

Web security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Completely secure system is virtually impossible

Page 16: Rise of the Planet of the Anonymous

Why?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

RISK USABILITY

Page 17: Rise of the Planet of the Anonymous

Agenda

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

• You

• Me

• Anonymous

• Why PHP

• PHP Security

• Resources

Page 18: Rise of the Planet of the Anonymous

Why PHP?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

“More internet applications speak PHP

than any other”

Page 19: Rise of the Planet of the Anonymous

Why PHP?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Source : http://w3techs.com

77%

22%

4% 1% 1% 1% 0%

Usage of server-side programming languages for websites

PHP

ASP.NET

Java

ColdFusion

Perl

Ruby

Python

Page 20: Rise of the Planet of the Anonymous

Why PHP?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Source : http://w3techs.com

77%

22%

4% 1% 1% 1% 0%

Usage of server-side programming languages for websites

PHP

ASP.NET

Java

ColdFusion

Perl

Ruby

Python

Page 21: Rise of the Planet of the Anonymous

PHP Secure?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Developer

PHP

Enterprise

User

Page 22: Rise of the Planet of the Anonymous

PHP Secure?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

PHP is not the culprit, we (developer,sys

admin,architect) are.

Page 23: Rise of the Planet of the Anonymous

Why PHP?

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

“People have to understand their

systems well to know where security issues are likely to appear”

Rasmus Lerdorf

Page 24: Rise of the Planet of the Anonymous

Agenda

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

• You

• Me

• Anonymous

• Why PHP

• PHP Security

• Resources

Page 25: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Secure Ecosystem

Page 26: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Secure Ecosystem, Maintain it!

Dev/prod environment

Up to date

Secured network

Access (Permissions)

Page 27: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Secure Operations

Page 28: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Secure Operations, also practice

it!

Human only

User identitification

Role based actions

Track/Audit trail

Page 29: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Secure Programming

Page 30: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Secure Programming,

practice it!

Input validation

DB

XSS/CSRF/Session

Access (Permissions)

Page 31: Rise of the Planet of the Anonymous

PHP Security

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

“Security take an ongoing effort and a lot of little things instead of

one big one” Cal Evans

Page 32: Rise of the Planet of the Anonymous

Security. (Remember Risk – Usability)

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

Page 33: Rise of the Planet of the Anonymous

Resources

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

• php|architect’s Guide to PHP Security http://goo.gl/cUxuB

• Pro PHP Security http://goo.gl/HGIkI

• Defcon 19 http://goo.gl/S8Qw4

• Artur Ejsmont’s blog http://goo.gl/HGUkg

• Php.net

• Zend.com

• Phpcoe.mimos.my

Page 34: Rise of the Planet of the Anonymous

THANK YOU

www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.

[email protected]

* All images, logos and data are the copyright of their respective owners

[email protected]

@errazudin