This past weekend I had the honor of presenting some PHP security research I’ve been pulling together for some time now. The presentation was based on my AppSecDC PHPIDS talk however I emphasized overall PHP security more than PHPIDS. Here’s the title, abstract, and link to download the slides. Thanks to @jkouns, @chrissullo, @hackrva and the rest of the @rvasec crew for running an awesome conference!
“PHP Website Security, Attack Analysis, & Mitigations”
PHP is a very powerful language for easily developing web applications however this convenience sometimes comes at the cost of security. Issues can arise from everything from language vulnerabilities and weak default settings to insecure coding practices and misconfigurations. This presentation plans to address many of these concerns by providing valuable lessons in the security of, attacks against, and management of PHP in your environment. The talk begins with an overview of PHP security, including it’s known issues and corresponding security enhancements the maintainers have incorporated over time. Beginning with a general discussion of PHPIDS and how it can be used as an event tracker, the presentation next provides a peak into some of the more interesting attacks against a security website as well as overall trends from two years in deployment. The talk closes with a strategy for analyzing the risks in your PHP environment and applying corresponding PHP and platform/network mitigations to minimize your attack surface.
If you were at RVAsec and got a chance to hear my talk … let me know what you thought! Today’s post pic is from richSEC.com. See ya!