rise of the planet of the anonymous
DESCRIPTION
Rise of the Planet of the Anonymous(and what you should do as a PHP developer). Knowledge sharing session at OWASP Day Kuala Lumpur, Malaysia 2011TRANSCRIPT
![Page 1: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/1.jpg)
www.mimos.my © 2009 MIMOS Berhad. All Rights Reserved.
Errazudin Ishak
Rise of the Planet of the Anonymous
OWASP Day Kuala Lumpur
2011
![Page 2: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/2.jpg)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Rise of the Planet of the Anonymous
(and what you should do as a PHP developer)
![Page 3: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/3.jpg)
Agenda
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
• You
• Me
• Anonymous
• Why PHP
• PHP Security
• Resources
![Page 4: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/4.jpg)
About You
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Name : Designation : Day job : Night job :
![Page 5: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/5.jpg)
• Errazudin Ishak
• @errazudin
• Senior engineer @ Mimos Bhd Malaysia
• Focuses on web application development, deployment, performance and stability.
• 2009 : foss.my , MyGOSSCON
• 2010 : Entp. PHP Techtalk, BarcampKL, PHP Meetup, MOSC2010, PHP Northwest UK, MyGOSSCON
• 2011 : INTAN Tech Update, Wordpress Conf. Asia, Joomla! Day, MOSC
About Me
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
![Page 6: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/6.jpg)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
![Page 7: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/7.jpg)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
![Page 8: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/8.jpg)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
ANONYMOUS
![Page 9: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/9.jpg)
Why so serious? – Joker
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
![Page 10: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/10.jpg)
News
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
http://goo.gl/oVjqz
91
76 ATTACKED
RECOVERED
![Page 11: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/11.jpg)
Internet
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
“…anonymous, uncontrolled, always on, and instantly accessible
from anywhere”
![Page 12: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/12.jpg)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Evolution…
![Page 13: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/13.jpg)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
http://evolutionofweb.appspot.com/
..becomes revolution
![Page 14: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/14.jpg)
Does it apply here? (web security)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
"Good programmers write code, great programmers reuse"
Defcon19
![Page 15: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/15.jpg)
Web security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Completely secure system is virtually impossible
![Page 16: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/16.jpg)
Why?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
RISK USABILITY
![Page 17: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/17.jpg)
Agenda
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
• You
• Me
• Anonymous
• Why PHP
• PHP Security
• Resources
![Page 18: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/18.jpg)
Why PHP?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
“More internet applications speak PHP
than any other”
![Page 19: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/19.jpg)
Why PHP?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Source : http://w3techs.com
77%
22%
4% 1% 1% 1% 0%
Usage of server-side programming languages for websites
PHP
ASP.NET
Java
ColdFusion
Perl
Ruby
Python
![Page 20: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/20.jpg)
Why PHP?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Source : http://w3techs.com
77%
22%
4% 1% 1% 1% 0%
Usage of server-side programming languages for websites
PHP
ASP.NET
Java
ColdFusion
Perl
Ruby
Python
![Page 21: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/21.jpg)
PHP Secure?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Developer
PHP
Enterprise
User
![Page 22: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/22.jpg)
PHP Secure?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
PHP is not the culprit, we (developer,sys
admin,architect) are.
![Page 23: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/23.jpg)
Why PHP?
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
“People have to understand their
systems well to know where security issues are likely to appear”
Rasmus Lerdorf
![Page 24: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/24.jpg)
Agenda
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
• You
• Me
• Anonymous
• Why PHP
• PHP Security
• Resources
![Page 25: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/25.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Secure Ecosystem
![Page 26: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/26.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Secure Ecosystem, Maintain it!
Dev/prod environment
Up to date
Secured network
Access (Permissions)
![Page 27: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/27.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Secure Operations
![Page 28: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/28.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Secure Operations, also practice
it!
Human only
User identitification
Role based actions
Track/Audit trail
![Page 29: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/29.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Secure Programming
![Page 30: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/30.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
Secure Programming,
practice it!
Input validation
DB
XSS/CSRF/Session
Access (Permissions)
![Page 31: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/31.jpg)
PHP Security
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
“Security take an ongoing effort and a lot of little things instead of
one big one” Cal Evans
![Page 32: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/32.jpg)
Security. (Remember Risk – Usability)
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
![Page 33: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/33.jpg)
Resources
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
• php|architect’s Guide to PHP Security http://goo.gl/cUxuB
• Pro PHP Security http://goo.gl/HGIkI
• Defcon 19 http://goo.gl/S8Qw4
• Artur Ejsmont’s blog http://goo.gl/HGUkg
• Php.net
• Zend.com
• Phpcoe.mimos.my
![Page 34: Rise of the Planet of the Anonymous](https://reader035.vdocument.in/reader035/viewer/2022062514/5583a082d8b42a1f098b50dc/html5/thumbnails/34.jpg)
THANK YOU
www.mimos.my © 2011 MIMOS Berhad. All Rights Reserved.
* All images, logos and data are the copyright of their respective owners
@errazudin