SlideShare une entreprise Scribd logo

Eight simple rules to writing secure PHP programs

Aleksandr Yampolskiy
Aleksandr Yampolskiy
TechnologieFormation
1  sur  46
Eight Simple Rules… for Writing Secure PHP Programs Aleksandr Yampolskiy
Security: Bird’s Eye View ... Hash Key Management Signature Encryption Security Toolbox DL(g x ) Fact(p*q) Hard problems Prob[ Attack ] ≤ ɛ Proof of security
Building Secure Systems … Looks safe to me
Building Secure Systems ,[object Object]
This Talk ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],vs.
Rule 1: Use proper cryptography ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Common mistakes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Randomness
In Theory ,[object Object],[object Object],[object Object],[object Object],[object Object]
Examples of Real Problems ,[object Object],[object Object],[object Object],Problem: Secret keys aren’t truly random!
Lessons Learnt ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What is (Pseudo)-Random? PRG random seed pseudorandom string random string look indistinguishable to any efficient observer Definition [Blum-Micali-Yao]: PRG is a polytime function whose output is indistinguishable from random by any efficient observer 01010111001… 11010011010… 1001
Implementation ,[object Object],[object Object],[object Object],[object Object]
Rule 2 – Validate all input ,[object Object],[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Tainted Variables ,[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 2 – Validate all input (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example of Real Problem - XSS ,[object Object],[object Object],[object Object],[object Object]
Rule 3 - Sanitize data sent to other systems ,[object Object],[object Object],[object Object]
SQL Injection ,[object Object],[object Object],[object Object],[object Object]
SQL Injection (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Global Variables ,[object Object],[object Object],[object Object],[object Object]
PHP.INI Security Settings ,[object Object],[object Object],[object Object],[object Object]
PHP.INI Security Settings ,[object Object],[object Object],[object Object],[object Object]
PHP.INI Security Settings ,[object Object],[object Object],[object Object],[object Object]
Rule 4 – Avoid information leakage ,[object Object],[object Object],[object Object],[object Object],[object Object]
Information Leakage - Example ,[object Object],[object Object],[object Object],[object Object],[object Object],<script type=&quot;text/javascript&quot;> $(function() {$(&quot;#19468751&quot;).qtip({content: '<div class=&quot;calendar_hover&quot;><div class=&quot;title_bar&quot;><h2 class=&quot;on&quot; lang=&quot;en&quot;>OGIO Bags</h2></div><img oncontextmenu=&quot;return false;&quot; galleryimg=&quot;no&quot; src=&quot;http://cdn1.gilt.com/images/share/uploads/0000/0000/1991/19911713/orig.jpg?43_1258590331&quot; height=&quot;207&quot; border=&quot;0&quot; alt=&quot;OGIO Bags&quot; width=&quot;303&quot; /></div>',style: {padding: 0,width: 303 + 2,border: {width: 0//color: '#575757',//radius: 1}},position: {target: 'mouse',adjust: {mouse: true,screen: true,x: 30,y: 0 }}});// Last resort if Andy can't figure out how to style a border/*var api = $(&quot;#19468751 &quot;).qtip(&quot;api&quot;);api.beforeRender = function() {// Strip out the default styledelete this.options.style.background;delete this.options.style.color;delete this.options.style.textAlign;this.options.style.width = {};delete this.options.style.padding;this.options.style.border = {};this.options.style.title = {};};*/});</script>
Information Leakage - Logging ,[object Object],[object Object],[object Object],[object Object]
Information Leakage - Logging
Rule 5 – Proper session management ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example 1 - Session Hijacking ,[object Object],[object Object],[object Object],[object Object]
Example 2- CSRF Website Evil Doer ,[object Object],[object Object],1 2
Example 2- CSRF (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Proper session mgmt ,[object Object],[object Object],[object Object],[object Object]
Proper session mgmt (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Proper session mgmt (cont). ,[object Object],[object Object],[object Object]
Rule 6 – Authentication & Entitlements ,[object Object],[object Object],[object Object],[object Object]
Authentication & Entitlements (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Authentication & Entitlements (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 7 – Use Secure Communication Channels ,[object Object],[object Object],[object Object],[object Object],[object Object]
Rule 8 – Keep Security Simple ,[object Object],[object Object],[object Object],[object Object],[object Object]
Recap : the 8 rules ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Often the easiest way to break security is to circumvent it rather than defeat it. Parting Thought
Eight simple rules to writing secure PHP programs

Recommandé

PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Php Security
Php SecurityPhp Security
Php Securityguest7cf35c
 
PHP Security
PHP SecurityPHP Security
PHP Securitymanugoel2003
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
PHP - Web Development
PHP - Web DevelopmentPHP - Web Development
PHP - Web DevelopmentNiladri Karmakar
 

Recommandé

PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Php Security
Php SecurityPhp Security
Php Securityguest7cf35c
 
PHP Security
PHP SecurityPHP Security
PHP Securitymanugoel2003
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
PHP - Web Development
PHP - Web DevelopmentPHP - Web Development
PHP - Web DevelopmentNiladri Karmakar
 
$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 appsRaul Fraile
 
PHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsPHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsAung Khant
 
Php Security3895
Php Security3895Php Security3895
Php Security3895Aung Khant
 
Php security3895
Php security3895Php security3895
Php security3895PrinceGuru MS
 
Angular js security
Angular js securityAngular js security
Angular js securityJose Manuel Ortega Candel
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)securityxploded
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010Gabriele Santini
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128PrinceGuru MS
 
PHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookPHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookBrainware Consultancy Pvt Ltd
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp
 
Php
PhpPhp
PhpRicha Goel
 
Introduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlIntroduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlAlex Balhatchet
 
Back to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferBack to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferSebastian Marek
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable DefCamp
 
PHP 2
PHP 2PHP 2
PHP 2Richa Goel
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
Data Types In PHP
Data Types In PHPData Types In PHP
Data Types In PHPMark Niebergall
 
Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Andrew Shitov
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 

Contenu connexe

Tendances

$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 appsRaul Fraile
 
PHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsPHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsAung Khant
 
Php Security3895
Php Security3895Php Security3895
Php Security3895Aung Khant
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)securityxploded
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128PrinceGuru MS
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp
 
Introduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlIntroduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlAlex Balhatchet
 
Back to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferBack to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferSebastian Marek
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable DefCamp
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Andrew Shitov
 

Tendances (19)

$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps$kernel->infect(): Creating a cryptovirus for Symfony2 apps
$kernel->infect(): Creating a cryptovirus for Symfony2 apps
 
PHP Built-in String Validation Functions
PHP Built-in String Validation FunctionsPHP Built-in String Validation Functions
PHP Built-in String Validation Functions
 
Php Security3895
Php Security3895Php Security3895
Php Security3895
 
Php security3895
Php security3895Php security3895
Php security3895
 
Angular js security
Angular js securityAngular js security
Angular js security
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Rails and security
Rails and securityRails and security
Rails and security
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128
 
PHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookPHP MySQL Workshop - facehook
PHP MySQL Workshop - facehook
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
 
Php
PhpPhp
Php
 
Introduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable PerlIntroduction to writing readable and maintainable Perl
Introduction to writing readable and maintainable Perl
 
Back to basics - PHP_Codesniffer
Back to basics - PHP_CodesnifferBack to basics - PHP_Codesniffer
Back to basics - PHP_Codesniffer
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable
 
PHP 2
PHP 2PHP 2
PHP 2
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation Tutorial
 
Data Types In PHP
Data Types In PHPData Types In PHP
Data Types In PHP
 
Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6Text in search queries with examples in Perl 6
Text in search queries with examples in Perl 6
 

Similaire à Eight simple rules to writing secure PHP programs

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Indexwebhostingguy
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programmingalpha0
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 

Similaire à Eight simple rules to writing secure PHP programs (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Web application security
Web application securityWeb application security
Web application security
 
Application Security
Application SecurityApplication Security
Application Security
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
secure php
secure phpsecure php
secure php
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programming
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
XSS
XSSXSS
XSS
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 

Plus de Aleksandr Yampolskiy

New York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionNew York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionAleksandr Yampolskiy
 
"Managing software development" by Peter Bell
"Managing software development" by Peter Bell"Managing software development" by Peter Bell
"Managing software development" by Peter BellAleksandr Yampolskiy
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsAleksandr Yampolskiy
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItAleksandr Yampolskiy
 
Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingAleksandr Yampolskiy
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About itAleksandr Yampolskiy
 
Inoculation strategies for victims of viruses
Inoculation strategies for victims of virusesInoculation strategies for victims of viruses
Inoculation strategies for victims of virusesAleksandr Yampolskiy
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Threshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsThreshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsAleksandr Yampolskiy
 
Secure information aggregation in sensor networks
Secure information aggregation in sensor networksSecure information aggregation in sensor networks
Secure information aggregation in sensor networksAleksandr Yampolskiy
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysAleksandr Yampolskiy
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelementAleksandr Yampolskiy
 
Price of anarchy is independent of network topology
Price of anarchy is independent of network topologyPrice of anarchy is independent of network topology
Price of anarchy is independent of network topologyAleksandr Yampolskiy
 

Plus de Aleksandr Yampolskiy (20)

New York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionNew York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome Session
 
"Managing software development" by Peter Bell
"Managing software development" by Peter Bell"Managing software development" by Peter Bell
"Managing software development" by Peter Bell
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy Steps
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
 
Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - Briefing
 
Privacy and E-Commerce
Privacy and E-CommercePrivacy and E-Commerce
Privacy and E-Commerce
 
Social media security challenges
Social media security challengesSocial media security challenges
Social media security challenges
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About it
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
Malware goes to the movies
Malware goes to the moviesMalware goes to the movies
Malware goes to the movies
 
Inoculation strategies for victims of viruses
Inoculation strategies for victims of virusesInoculation strategies for victims of viruses
Inoculation strategies for victims of viruses
 
Number theory lecture (part 1)
Number theory lecture (part 1)Number theory lecture (part 1)
Number theory lecture (part 1)
 
Number theory lecture (part 2)
Number theory lecture (part 2)Number theory lecture (part 2)
Number theory lecture (part 2)
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Threshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsThreshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random Permutations
 
Secure information aggregation in sensor networks
Secure information aggregation in sensor networksSecure information aggregation in sensor networks
Secure information aggregation in sensor networks
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keys
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelement
 
Price of anarchy is independent of network topology
Price of anarchy is independent of network topologyPrice of anarchy is independent of network topology
Price of anarchy is independent of network topology
 
Business Case Studies
Business Case Studies Business Case Studies
Business Case Studies
 

Dernier

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Eight simple rules to writing secure PHP programs

  • 1. Eight Simple Rules… for Writing Secure PHP Programs Aleksandr Yampolskiy
  • 2. Security: Bird’s Eye View ... Hash Key Management Signature Encryption Security Toolbox DL(g x ) Fact(p*q) Hard problems Prob[ Attack ] ≤ ɛ Proof of security
  • 3. Building Secure Systems … Looks safe to me
  • 4.
  • 5.
  • 6.
  • 7.
  • 9.
  • 10.
  • 11.
  • 12. What is (Pseudo)-Random? PRG random seed pseudorandom string random string look indistinguishable to any efficient observer Definition [Blum-Micali-Yao]: PRG is a polytime function whose output is indistinguishable from random by any efficient observer 01010111001… 11010011010… 1001
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45. Often the easiest way to break security is to circumvent it rather than defeat it. Parting Thought