do… Web Application Development and Security

Posts Tagged ‘Security’

Who Says PHP Security Sucks?

Tuesday, November 24th, 2009

Who would say such a thing? Obviously we can’t let that stand. It’s time to bust some myths while raising our own game to the next level.

(An earlier version was published in php|architect, April 2009)

Aside from the trolls who frequent forums and blogs, it’s mainly the enterprise community which carries the lingering perception, rightly or wrongly, that PHP security sucks. As PHP continues to evolve toward the enterprise, it’s going through a slow and messy collision with enterprise culture, standards and criticism. Naturally, PHP and the community have been absorbing lessons and improving, though one of the least understood aspects of this is security and security perceptions. I hope that by discussing security, PHP’s progress can be made smoother and easier than otherwise.

See You at ZendCon 2009

Tuesday, October 6th, 2009


I’m looking forward to seeing everyone at ZendCon 2009, “the premier PHP conference”. I was selected to present a session:

Enterprise-Class PHP Security

Oxymoron no more! Learn what high-stakes organizations expect when evaluating the security of PHP applications. We’ll cover formal standards and processes, and tips on how to successfully navigate through the minefield.

Selected for php|tek Unconference Session

Wednesday, May 27th, 2009

I delivered my updated talk – Crypto Your PHP – at the php|tek Unconference in Chicago on Thursday, May 21st. It was selected by a voting process from a field that included many well-known community leaders. In other words I was lucky to have the opportunity. Kudos to everyone who submitted talks and thanks to those who voted, attended and organized!

If you’d like a refresher on crypto capabilities and practices in PHP, or if you’d like some tips on the topic from a former security engineer, this talk is for you. We’ll discuss a few common scenarios such as data transit, data storage, and password authentication. We’ll explore the rich variety of crypto-enabled functions available to PHP. We’ll see why some crypto algorithms are better than others. And we’ll discuss the practices of good crypto implementation and the clues that indicate when it’s not a good idea to build it alone.

“Who Says PHP Security Sucks?” Published in php|architect

Wednesday, April 29th, 2009

You heard right – my first article in print is in the April 2009 issue of php|architect.

The title isn’t just a rhetorical question; I actually describe who would say such a thing about PHP security. I also explain what about this perception is distorted and what isn’t – and how the PHP community can accelerate its growth into a market where it’s just becoming a contender.

If you already read the article, please comment!

Crypto Your PHP

Friday, April 24th, 2009

I just gave a talk on PHP cryptography via webcast, as part of the free webcast series for the php|tek conference. Thanks to Keith Casey for the kind intro and for organizing the webcast series. I hope to see many of you at tek in May – I’ll submit an updated version of this talk for the php|tek Unconference.

A video recording will be posted on the webcast web page and at Blue Parabola, and the slides are here. Please feel free to ask questions and to leave any other feedback as comments to this post.

How to Make Application Security Suck Less

Wednesday, June 4th, 2008

Application security sucks because it’s a wicked hard problem to mix the goals of security and application development within real-life projects.

If application development is about making an app do what it’s supposed to do, then application security is about making sure an app doesn’t do what it’s not supposed to do, despite real world conditions which may be hostile and chaotic.

“Hard core” security has become a massively complex black art with its own priesthood. As a result, the security community has generated an enormous volume of arcane information about security vulnerabilities and countermeasures.

Many conference presentations, books and articles about application security have tried to boil that down for the developer community, with excellent coverage of the top several types of security flaws. But security has a long tail, so that approach leaves vast territory uncovered.

That approach also doesn’t necessarily give developers the context and perspective necessary to judge the costs and benefits of security, and to make sound decisions about what really does or doesn’t need to be done. So I decided to address application security in a different way.

I gave a talk on this topic yesterday at the 2008 DC PHP Conference in Washington, DC. I’m posting a copy of the presentation slides and speaker notes for all of you here.

The goal of this talk is to help you wrap your brain around core concepts of application security, and thereby to make it easier to deal with correctly.

The talk begins with “What is Security, Really?”, poking fun at misconceptions and presenting the idea that security is keeping bad events to a minimum despite even skillful attempts to cause them.

Then it covers fundamental concepts and practices including: how to identify what needs protection; vulnerabilities and countermeasures with PHP examples; and how to avoid security excess by considering risk in a consistent way.

By the end, you should have a conceptual framework for application security that will at the same time simplify the problem space and provide more rigorous results.

So it’ll suck less.

DC PHP Conference & Expo, June 2-4, 2008

Sunday, April 13th, 2008

I’m going to talk about “How to Make Application Security Suck Less” at this international conference, hosted locally in Washington, DC.

The keynote speakers will be Kshemendra Paul from OMB, Christopher Jones from Oracle, and Chris Shiflett from OmniTI.

Local PHP agitator Keith Casey will moderate the featured panel discussion on PHP IDEs. Panelists will be: Cal Evans (Zend), Wez Furlong (OmniTI), David Sklar (Ning), Eli White (Digg), and Jeff Griffiths (ActiveState).

I’m looking forward to the interesting people, informative talks and great conversations that I expect based on last year’s experience. Hope to see you there!

ShmooCon Memories

Wednesday, March 26th, 2008

I’ve been procrastinating on writing about the ShmooCon hacker convention, and today the thought bugged me enough to finally do something.

I signed up at Hackers for Charity, formerly known as, after originally committing at ShmooCon. I ran into the founder and legendary hacker Johnny Long in the hallway.

Factoid: It may be illegal to possess Kevin Mitnick’s business card in DC because it doubles as a lockpicking kit.

GSM encryption technology (specifically, the widely used A5 algorithm) is essentially broken. At the time of the presentation, a research team was 1 month into a 3-month process of calculating the full rainbow table needed to accelerate the cracking of session keys. With custom hardware, it will be possible to decrypt a conversation after 30 minutes (one FPGA and a laptop) or 30 seconds (16 FPGAs and solid state drives, at a total cost of around $500K). This is well within the reach of some criminals, wealthy organizations, and governments.

I knew that voting machines (especially, but not only, the electronic touch-screen type) had security issues, but I had no idea just how shockingly bad. If you were to research the subject now you might find some reports that were redacted and otherwise watered down. But at ShmooCon I saw a presentation given by Sandy Clark, one of the top investigators chartered by the state of Ohio. She presented specific examples of how, with the right knowledge, a few simple tools in some cases, and the wrong intentions, it would be fairly easy to abuse commonly used voting machines and thereby alter the results of elections and the integrity of the counting & recounting processes. For unethical and ruthless politicians and their supporters, this provides a powerful means to influence or steal the vote. For anyone who doesn’t want more unethical and ruthless people running our country, it’s critically important to get those machines fixed, and that means overcoming the inertia of government bureaucracies and entrenched interests.

OWASP February 2008

Friday, February 8th, 2008

At my first local OWASP meeting, Andre Ludwig presented on “…the intersection between web application security and the attackers mindset.”

Doug Wilson and Mark Bristow were very active participants and just happened to have a laptop with the same presentation and security demo I saw them use at Refresh DC a couple months ago. Very handy!

CapSec January 2008

Thursday, January 31st, 2008

After work today I walked to The Brickskeller and enjoyed a couple of beers with a few of the CapSec group, including Doug Wilson.

One thing we discussed was that with tech groups formed around common interests, like web development, linux, or security, it’s very easy for people to stick with what and who they know. But in security, work roles tend to be multidisciplinary. Security often is one of several hats to wear or is built upon another specialty such as networking or development. Because of this many security professionals have the perspective and the opportunity to cross-pollinate by participating in other groups where security isn’t the primary focus but is still relevant.

I think the more people who act on that thought, the better for the community.