Wim Godden, Cu.be Solutions
My app is secure...I think
Who am I ?
Wim Godden (@wimgtr)
Where I'm from
My town
Belgium: the traffic
Who am I ?
Wim Godden (@wimgtr)
Founder of Cu.be Solutions (http://cu.be)
Open Source developer since 1997
Developer of PHPCompatibility, OpenX, Nginx SLIC, ...
Speaker at PHP and Open Source conferences
Who are you ?
Developers ?
System engineers ?
Network engineers ?
Ever had a hack ?
Through the code ?
Through the server ?
This tutorial
Based on 2-day training
Big group, so no Vagrant/VirtualBox required
Code samples will be provided after tutorial
Lots of links at the end; slides on Joind.in
This morning we're going to talk about security.
This tutorial is based on a 2-day training that we offer.
Training exercises with Vagrant/Virtualbox
Only 3h, too short to try everything; it usually takes 30 min before everyone's ready.
We have a lot of ground to cover, because...
My app is secure... I think
Basic stuff = known... or is it ?
Code is not enough
Code
Webserver
Database server
Operating system
Network
Tutorial is titled...
Devs know basic security no-nos, but are often unaware of less-common issues.
More importantly: creating a secure app = more than creating secure code.
Web app = chain of software and hardware. Every part of the chain = equally important. Neglecting a single component puts the app and its data at risk.
So for the next 3h: code and how to secure it. Also security of the web stack. Detecting hack attempts, again both in code and in the stack. Techniques to make it harder for an attack to go unnoticed.
Disclaimer
Do not use these techniques to hack
Use the knowledge to prevent others from hacking you
Before we begin: a little disclaimer
Looking at techniques hackers use
Not promoting techniques
Explaining them to help you understand there's a lot more than meets the eye.
Use knowledge to improve security, not exploit bad code
Reasons for hackers to hack
Steal and sell your data
Use your infrastructure as a jumpstation to hack other servers
Send out lots of spam
Use your server in a botnet for DDoS attacks
Bring down your systems
Part 1 : the most common attacks
OWASP
Open Web Application Security Project
www.owasp.org
Top 10
SQL Injection (OWASP #1)
Over 15 years
Still #1 problem
That's the reason to spend a little time explaining why there's so much more to SQL injection than what most people think or talk about in talks.
SQL Injection (OWASP #1)
Over 15 years
Still #1 problem
Easy to exploit
Easy to automate (scan + exploit)
Often misunderstood
Standard SQL injection example