Securing PHP - Security Compass


Nov 18, 2013


Security Compass 2012. Application Security Training Datasheet. Securing PHP 1
Securing PHP

Application Security Training Datasheet

Securing PHP

COURSE OVERVIEW
Students will gain valuable insight into developing secure PHP5 applications.
The course shows students the latest web-based threats and how to defend
against them. Students will learn to define and identify secure code,
differentiate between secure coding methods, employ secure code in practice,
and build safer web applications from the start.

Students completing this class will find their secure coding abilities materially
sharpened and will be able to integrate these techniques into their organization.


COURSE DETAILS
Audience: PHP Developers, Architects

Instructor Led Delivery: 3 Day on-site or remote instructor led training

Computer Based Training (CBT): Approximately 1 hour narration.
Courses are online in our Polaris LMS system or exportable to AICC/SCORM
format for your organization's hosting

LEARNING OBJECTIVES
• Explain the vulnerabilities and exploits facing modern web applications
• Learn how insecure coding techniques can result in vulnerabilities within
PHP applications
• Implement defensive coding methods in PHP using secure code, tools and
libraries that can help support secure coding for PHP

Level: Intermediate. Instructor led; CBT available. 2 Day Training. Audience: PHP Developers.

Introduction

- OWASP Top 10
- Defending PHP5

1. SQL Injection
- About SQL Injection
- Realtime example
- Newsflash
- Parameterized Queries

2. Cross-site Scripting
- About XSS
- Blacklist validation
- Whitelist validation
- Safe re-encoding
- Safe vs unsafe
- HTTPonly

3. Session Hijacking
- About Session Hijacking
- Stealing credentials
- Encryption
- Short session timeouts

4. Parameter Manipulation
- About Parameter Manipulation
- Server-side validation
- Session variables

5. Insecure Storage
- About Insecure Storage
- Sensitivity of information
- Threat modeling
- Hashing passwords

6. Forcible Browsing

- About Forcible Browsing
- Page Level authorization
- Programmed authorization

7. Cross-site Request Forgery
- About XSRF
- Meg goes shopping
- Decreasing timeouts
- XSRF tokens
- Re-authentication

8. Insecure Configuration
- About insecure configuration
- Users, Software
- Hardening
- Standardized builds
- Patch management
- Updates and audits

9. Unchecked Redirects
- About unchecked redirects
- Newsflash
- Validating parameters
- Server-side checks

10. Clear-Text communication
- About clear-text communication
- Eavesdropping
- Newsflash
- Encryption in transit
- Proper SSL implementations

Day 1

Day 2: PHP Defenses

11. SQL Injection Defenses

- Common pitfalls in PHP
- Parameterized Queries in PHP
- MySQL
- PHP Data Objects
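The two pitfalls the section names, string-built queries and the belief that escaping is enough, next to the PDO prepared-statement form. This is an added illustration, not the course's own material; the DSN, the credentials read from `DB_PASSWORD`, and the `users(id, username, email)` table are assumptions for the demo.

```php
<?php
// Added example, not from the Security Compass course. Assumes a MySQL table
// users(id, username, email); DSN and credentials are placeholders.

declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares, not client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// VULNERABLE: the input is spliced into the SQL text. The constructed input
//   admin' OR '1'='1
// turns the WHERE clause into a tautology and returns every row.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the query text is fixed at prepare time; the value is sent separately
// as a parameter, so quotes and keywords inside $username are only data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// Identifiers (column names, ORDER BY direction) cannot be bound as parameters.
// Map the user's choice onto a fixed allow-list instead of interpolating it.
function listUsersSorted(PDO $pdo, string $sortKey, string $direction): array
{
    $columns = ['username' => 'username', 'email' => 'email'];
    $column  = $columns[$sortKey] ?? 'username';
    $dir     = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';

    // LIMIT is bound as an integer; with emulated prepares off the driver
    // sends it typed rather than as a quoted string.
    $stmt = $pdo->prepare("SELECT id, username, email FROM users ORDER BY $column $dir LIMIT :limit");
    $stmt->bindValue(':limit', 50, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Constructed hostile input for comparison.
$probe = "admin' OR '1'='1";
var_dump(count(findUserSafe($pdo, $probe)));   // matches only a user literally named that
var_dump(count(findUserUnsafe($pdo, $probe))); // matches the whole table
```

`ATTR_EMULATE_PREPARES => false` matters: with emulation on, PDO builds the query string client-side, and a mismatch between the connection charset and the `charset=` in the DSN has historically allowed multibyte sequences to break out of the quoting. The allow-list pattern in `listUsersSorted` is the general answer for anything that is not a value: table names, columns, sort direction, `LIMIT` arithmetic.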

12. XSS Defenses
- Common pitfalls in PHP
- Whitelisting
- Output re-encoding in PHP
- HTTP Only in PHP
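An added example (not the course's own code) of output re-encoding chosen per context, next to the raw echo it replaces, with the session cookie marked HttpOnly so that a payload that does run cannot read the session ID. The hostile `$name` value is constructed; the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the course. Context-specific output encoding plus an
// HttpOnly session cookie. $name is a constructed hostile input. PHP 7.3+.

declare(strict_types=1);

// Cookie flags must be set before session_start() emits Set-Cookie.
// HttpOnly: document.cookie cannot read the session ID.
// Secure:   the cookie never travels over plain HTTP.
// SameSite: Lax stops most cross-site POSTs from carrying the cookie.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Declare the charset the encoder assumes, before any output.
header('Content-Type: text/html; charset=UTF-8');

// Encoder for HTML text and quoted-attribute contexts. ENT_QUOTES escapes both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''
// (an empty return would silently drop output and hide the bug).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoder for a value placed inside a <script> block. The JSON_HEX_* flags turn
// < > & ' " into \u escapes so the value cannot close the script element.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Why blacklist validation fails: this payload contains no "<script>" at all.
$name = '<img src=x onerror="alert(document.cookie)">';

// VULNERABLE: the raw string becomes markup and the onerror handler runs.
echo "<p>Hello, $name</p>\n";

// SAFE: encoded at output time, for the context it lands in.
echo '<p>Hello, ' . e($name) . "</p>\n";                                 // HTML body
echo '<input name="display" value="' . e($name) . "\">\n";               // quoted attribute
echo '<script>var profile = ' . js(['name' => $name]) . ";</script>\n";  // JS value
```

Encoding belongs at the output boundary, not at input: the same string may be written into HTML, an attribute, a script block and a URL, and each needs a different encoder. Whitelist validation on input (for instance, a username restricted to `[A-Za-z0-9_]`) is a second layer, not a substitute.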

13. Session Hijacking Defenses
- Common pitfalls in PHP
- SSL Encryption
- Shorter session timeouts

14. Parameter Manipulation
Defenses
- Common pitfalls in PHP
- Security Logic
- Regular Expressions
- Centralized Validation
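The classic parameter-manipulation case, a price carried in a hidden form field, shown beside the server-side lookup that replaces it, with request parsing routed through one validation class. This is an added example, not the course's code; the `CATALOGUE` table, field names and the tampered request are constructed for the demo.

```php
<?php
// Added example, not from the course. Anything the client sends (hidden fields,
// cookies, query strings) can be rewritten, so price, role and ownership must
// come from the server. CATALOGUE and the field names are constructed.

declare(strict_types=1);

// Stand-in for a database lookup.
const CATALOGUE = [
    101 => ['name' => 'Widget', 'price_cents' => 1999],
    102 => ['name' => 'Gadget', 'price_cents' => 4999],
];

// Centralized validation: every entry point turns raw request strings into
// typed, range-checked values here or rejects them. Nothing downstream reads
// $_POST directly.
final class Input
{
    public static function int(array $src, string $key, int $min, int $max): int
    {
        // filter_var returns false for missing keys, arrays, and out-of-range values.
        $v = filter_var(
            $src[$key] ?? null,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]
        );
        if ($v === false) {
            throw new InvalidArgumentException("Invalid or missing integer field '$key'");
        }
        return $v;
    }

    // Anchored with \A and \z: a trailing "$" would still accept "abc\n".
    public static function token(array $src, string $key, string $pattern = '/\A[A-Za-z0-9_-]{1,64}\z/'): string
    {
        $v = $src[$key] ?? '';
        if (!is_string($v) || preg_match($pattern, $v) !== 1) {
            throw new InvalidArgumentException("Invalid field '$key'");
        }
        return $v;
    }
}

// VULNERABLE: trusts the price the browser posted back from a hidden field.
function checkoutUnsafe(array $post): int
{
    return (int)$post['price_cents'] * (int)$post['qty'];
}

// SAFE: the client only chooses which product and how many; the price is
// looked up server-side and the quantity is bounded.
function checkoutSafe(array $post): int
{
    $productId = Input::int($post, 'product_id', 1, PHP_INT_MAX);
    $qty       = Input::int($post, 'qty', 1, 99);
    $product   = CATALOGUE[$productId] ?? null;
    if ($product === null) {
        throw new InvalidArgumentException('Unknown product');
    }
    return $product['price_cents'] * $qty;
}

// Constructed tampered request: price rewritten to 1 cent, quantity to 1000.
$tampered = ['product_id' => '102', 'price_cents' => '1', 'qty' => '1000'];

echo 'unsafe total: ', checkoutUnsafe($tampered), "\n";
try {
    echo 'safe total: ', checkoutSafe($tampered), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same rule covers "session variables" in the Day 1 outline: the authenticated user ID, role and cart contents live in `$_SESSION`, which the client cannot edit, never in a cookie or hidden field the client can.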

15. Insecure Storage Defenses
- Common pitfalls in PHP
- MCrypt Library
- Hashing
- Storing Passwords with Bcrypt
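An added example, not the course's code, of bcrypt password storage through PHP's `password_*` API, with the cost-upgrade path and the 72-byte limit handled, plus authenticated encryption of a field that must be reversible. The encryption part uses libsodium rather than the MCrypt library the outline names: mcrypt was deprecated in PHP 7.1 and removed from core in 7.2. The passwords, token and cost value are constructed for the demo.

```php
<?php
// Added example, not from the course. Password storage with bcrypt, and
// authenticated encryption (libsodium, the replacement for mcrypt) for data
// that must be read back. All inputs are constructed.

declare(strict_types=1);

// --- Passwords: hash, never encrypt. bcrypt is deliberately slow, and the
// cost factor lets it stay slow as hardware gets faster.
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    validatePasswordLength($password);
    // A random salt is generated and stored inside the returned 60-char hash.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // password_verify compares in constant time and reads the cost/salt from the hash.
    return password_verify($password, $storedHash);
}

// After a successful login, re-hash transparently if the stored hash used an
// older (cheaper) cost. Returns the new hash to persist, or null if current.
function maybeRehash(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return null;
}

// bcrypt only looks at the first 72 bytes; reject longer input rather than
// silently truncating it (strlen counts bytes, which is what matters here).
function validatePasswordLength(string $password): void
{
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password exceeds the bcrypt 72-byte limit');
    }
}

// --- Reversible secrets (an API token the app must present elsewhere):
// secretbox = XSalsa20-Poly1305, so tampering is detected on decrypt.
// The key lives outside the database (environment, KMS), never beside the data.
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // unique per message, not secret
    $ct    = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ct);
}

function decryptField(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt    = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($pt === false) {
        throw new RuntimeException('Ciphertext failed authentication');
    }
    return $pt;
}

// Demo with constructed values.
$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
var_dump(verifyPassword('Tr0ub4dor&3', $hash));

$key  = sodium_crypto_secretbox_keygen();
$blob = encryptField('sk_live_example_token', $key);
var_dump(decryptField($blob, $key) === 'sk_live_example_token');
```

The outline's "sensitivity of information" step decides which path a field takes: credentials are verified, never read back, so they are hashed; tokens the application must send to a third party are encrypted with a key held outside the database; everything else should be questioned before it is stored at all.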

16. Forcible Browsing Defenses

- Common pitfalls in PHP
- Access Controls
- Programmed Authorization

17. XSRF Defenses
- Common pitfalls in PHP
- Best Practices
- XSRF tokens
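The synchronizer-token pattern as an added example (not the course's code): one random token per session, embedded in every state-changing form, compared in constant time on submit, and rotated at login. The `csrf_token` field and session key names and the `/transfer` endpoint are this example's own choices.

```php
<?php
// Added example, not from the course. Synchronizer tokens against XSRF.
// Field/session key names and the endpoint are constructed.

declare(strict_types=1);

session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG token
    }
    return $_SESSION['csrf_token'];
}

// Call on login (and logout): a fresh session ID defeats fixation, and a fresh
// token means nothing issued before authentication is still valid.
function rotateSessionAndToken(): void
{
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
    csrfToken();
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function validateCsrf(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || $expected === '') {
        return false;
    }
    // hash_equals: constant-time, and no loose-comparison surprises
    // (with ==, "0e123" and "0e456" compare equal as numeric strings).
    return hash_equals($expected, $sent);
}

// A state-changing endpoint: POST only, token required. GET must never
// change state, because a GET can be triggered by an <img> on any site.
function handleTransfer(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return;
    }
    if (!validateCsrf($_POST, $_SESSION)) {
        http_response_code(403);
        echo 'Invalid or missing CSRF token';
        return;
    }
    // Transfer logic for the logged-in user goes here; the user ID comes
    // from $_SESSION, not from the form.
    echo 'Transfer submitted';
}

// Rendering the form that posts to the endpoint above.
echo '<form method="post" action="/transfer">'
    . csrfField()
    . '<input name="amount"><button>Send</button></form>';
```

The token check is the primary control; `SameSite=Lax` on the session cookie and re-authentication for high-value actions (the outline's "Re-authentication") are defence in depth, not replacements, because older browsers and some cross-site navigations still send the cookie.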

18. Insecure Configuration
Defenses
- Common pitfalls in PHP
- Register globals
- Error reporting and trace
- Logging
- Safe mode
- Magic quotes
- Session management
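An added example (not the course's code) that audits the running PHP configuration for the directives listed above and reports the weak settings with the value to set instead. The set of directives and messages is this example's own; run it once from the CLI or the web SAPI, then delete it, since it tells an attacker the same things it tells you.

```php
<?php
// Added example, not from the course: audit the live PHP configuration for
// the insecure-configuration pitfalls in this section. Directive list is ours.

declare(strict_types=1);

// Returns null when the directive does not exist in this PHP build (for the
// legacy settings that is the good outcome).
function iniBool(string $name): ?bool
{
    $v = ini_get($name);
    if ($v === false) {
        return null;
    }
    return in_array(strtolower((string)$v), ['1', 'on', 'true', 'yes'], true);
}

function auditConfig(): array
{
    $findings = [];

    // Legacy directives removed in PHP 5.4. If they exist and are on, the
    // runtime itself is the finding.
    foreach (['register_globals', 'magic_quotes_gpc', 'safe_mode'] as $legacy) {
        if (iniBool($legacy) === true) {
            $findings[] = "$legacy=On (removed in PHP 5.4; upgrade the runtime)";
        }
    }

    // Error reporting and trace: show nothing to users, record everything.
    if (iniBool('display_errors') === true) {
        $findings[] = 'display_errors=On leaks paths, queries and traces to users; set Off';
    }
    if (iniBool('log_errors') !== true) {
        $findings[] = 'log_errors=Off: errors are neither shown nor recorded; set On with error_log';
    }
    if (iniBool('expose_php') === true) {
        $findings[] = 'expose_php=On advertises the PHP version in X-Powered-By; set Off';
    }

    // Remote file inclusion.
    if (iniBool('allow_url_include') === true) {
        $findings[] = 'allow_url_include=On permits include("http://...") ; set Off';
    }

    // Session management.
    if (iniBool('session.use_strict_mode') !== true) {
        $findings[] = 'session.use_strict_mode=Off accepts attacker-chosen session IDs (fixation); set On';
    }
    if (iniBool('session.use_only_cookies') !== true) {
        $findings[] = 'session.use_only_cookies=Off allows session IDs in URLs (Referer/log leakage); set On';
    }
    if (iniBool('session.cookie_httponly') !== true) {
        $findings[] = 'session.cookie_httponly=Off lets script read the session cookie; set On';
    }
    if (iniBool('session.cookie_secure') !== true) {
        $findings[] = 'session.cookie_secure=Off sends the session cookie over plain HTTP; set On';
    }
    if (version_compare(PHP_VERSION, '7.3.0', '>=') && (string)ini_get('session.cookie_samesite') === '') {
        $findings[] = 'session.cookie_samesite unset; Lax or Strict blunts XSRF';
    }

    return $findings;
}

$findings = auditConfig();
if ($findings === []) {
    echo "No findings\n";
}
foreach ($findings as $f) {
    echo "- $f\n";
}
```

Each message names the php.ini value to set, which is where the fix belongs: values set with `ini_set()` from application code are easy to miss in a review and take effect too late for directives such as `session.*` that are read at `session_start()`.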

19. Unchecked Redirects
- Common pitfalls in PHP
- PHP Header Redirects
- Indirect Object Mapping in PHP
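The `header('Location: …')` pitfall next to two fixes, as an added example that is not the course's code: indirect object mapping (the client sends an opaque key, the server owns the URL) and, where a free-form return path cannot be avoided, a local-path-only check. The `next` parameter, the key table and the sample inputs are this example's own.

```php
<?php
// Added example, not from the course. Redirect parameter, key table and
// sample inputs are constructed.

declare(strict_types=1);

// VULNERABLE: ?next=https://evil.example/login sends the user off-site after
// login, so the phishing page appears to start on your domain. Second pitfall:
// header() does not stop the script; without exit the rest of the page runs.
function redirectUnsafe(string $next): void
{
    header('Location: ' . $next);
}

// Indirect object mapping: the client picks a key, the server owns the target.
// Unknown keys go to a safe default instead of being echoed back.
const REDIRECT_TARGETS = [
    'home'    => '/',
    'account' => '/account',
    'orders'  => '/orders',
];

function redirectSafe(string $key): void
{
    $target = REDIRECT_TARGETS[$key] ?? '/';
    header('Location: ' . $target, true, 303);
    exit;
}

// When "return to where you were" must accept a path, accept only a local
// absolute path: no scheme, no authority, no protocol-relative "//", no
// backslash (browsers read "\" as "/"), no CR/LF (header injection).
function safeLocalPath(?string $path, string $default = '/'): string
{
    if ($path === null || $path === '' || $path[0] !== '/') {
        return $default;
    }
    if (substr($path, 0, 2) === '//' || strpbrk($path, "\\\r\n") !== false) {
        return $default;
    }
    $parts = parse_url($path);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $default;
    }
    return $path;
}

// Constructed inputs an attacker might supply via ?next=
$samples = [
    '/account?tab=orders',
    '//evil.example/',
    'https://evil.example/',
    '/\\evil.example',
    'javascript:alert(1)',
    "/ok\r\nSet-Cookie: sid=attacker",
];
foreach ($samples as $in) {
    printf("%-32s -> %s\n", addcslashes($in, "\r\n"), safeLocalPath($in));
}
```

The mapping-table version is preferable whenever the set of destinations is known in advance; the path check exists for the remaining cases and is deliberately strict, rejecting anything it does not positively recognise as a local path rather than trying to enumerate bad prefixes.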

20. Clear-Text communication
- Common pitfalls in PHP
- Enabling encryption
- Enforcing strong ciphers
What can we do for you?
We understand application security. We breathe it. We
strive to provide you with the best training experience for
your staff.
Our experience helping our clients research and manage
real-world security risks allows us to drive our training
material with the latest threats and vulnerabilities seen in
everyday engagements.
What does that mean? It means that your staff is ready to
respond with forward-thinking approaches to securing
your business' most sensitive applications.

Here to help.

Reach out to Security Compass’ advisors who can help.
Oliver Ng
Director of Training
oliver@securitycompass.com
1-888-777-2211 ext. 125

Sahba Kazerooni
Director of Professional Services
sahba@securitycompass.com
1-888-777-2211 ext. 103