90K Reasons Security is a Must - PHPWorld 2014


DESCRIPTION

We have all focussed on best practices and code quality over the past years, but we seem to have forgotten the most important aspect of the web: security. This talk gives an overview of the first line of defence in your code, how to ensure that new exploits and hacking techniques are covered by tests, and how to build web applications that are secure enough to keep script kiddies and wannabe hackers away. I will also give some tips on what to do when your company becomes the victim of cyber crime.


90K reasons why security is a must
in2it PROFESSIONAL PHP SERVICES
Photo: https://www.flickr.com/photos/buschap/3112239016

A year later

Today, 2 months later

Neverending awareness
Photo: https://www.flickr.com/photos/andymag/9349743409

Why bother?
Photo: https://www.flickr.com/photos/yonolatengo/8338597558

In the news…
Photo: https://www.flickr.com/photos/emagic/56206868

Yes, you’re a target!
Photo: https://www.flickr.com/photos/39908901@N06/6923408938

Email addresses are valuable!
Photo: https://www.flickr.com/photos/jeepersmedia/14546059371

One password, many sites!
Photo: https://www.flickr.com/photos/horiavarlan/4514164700

abc123

Advice on tools!!!


Password managers!

2-factor authentication

http://www.google.com/landing/2step/

Or just use SMS

http://twilio.com

Who’s after my data?

Script kiddies
Photo: https://www.flickr.com/photos/teegardin/6093810333

Amateur hacker

Professional hacker
Photo: https://www.flickr.com/photos/hackny/6203305706

Business Competition
Photo: https://www.flickr.com/photos/equinoxefr/6857174987

Governments
Photo: https://www.flickr.com/photos/haggismac/5090028513

What to do against it?
Photo: https://www.flickr.com/photos/defenceimages/7985695591

Cultural differences
Photo: https://www.flickr.com/photos/drachmann/327122302

Legal regulations
Photo: https://www.flickr.com/photos/robdeman/2390666040

Architectural considerations
Photo: https://www.flickr.com/photos/puisney/1674586821

Restrict physical access
Photo: https://www.flickr.com/photos/niftyniall/12768922813

Secure your network
Photo: https://www.flickr.com/photos/zapthedingbat/487133720

Extra care for privacy data
Photo: https://www.flickr.com/photos/99279135@N05/14618342277

Use encryption
Photo: https://www.flickr.com/photos/hyku/368912557

Lock down your application
Photo: https://www.flickr.com/photos/ideonexus/5175383269

Create security checkpoints
Photo: https://www.flickr.com/photos/simon_cocks/4534589059

Track movements
Photo: https://www.flickr.com/photos/paulk/2212992458

Code considerations
Photo: https://www.flickr.com/photos/timsamoff/362730755

Security is not an afterthought!
Photo: https://www.flickr.com/photos/nyuhuhuu/4443886636

Little Bobby Tables
Photo: https://www.flickr.com/photos/webb-zahn/10971215425

xkcd.com/327

Sanitise data, always

<?php
// $pdo is assumed to be an already opened PDO connection.
$id = $_GET['id'];

// sanitise tainted data: strip everything that is not part of an integer,
// then validate that what is left really is one (false otherwise)
$clean_id = filter_var($id, FILTER_SANITIZE_NUMBER_INT);
$clean_id = filter_var($clean_id, FILTER_VALIDATE_INT);

// only a positive integer ever reaches the database, and only as a bound
// parameter, never as part of the SQL text
if (0 < $clean_id) {
    $stmt = $pdo->prepare(
        'SELECT * FROM TABLE WHERE `id` = ?'
    );
    $stmt->bindParam(1, $clean_id, PDO::PARAM_INT);
    $stmt->execute();
}
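As an added example that is not from the slides: the slide's sanitise-then-validate chain beside a validate-and-reject lookup, run against a constructed in-memory SQLite table (requires the pdo_sqlite extension; the users table, the helper names and the sample rows are assumptions). It shows a caveat of sanitising first: FILTER_SANITIZE_NUMBER_INT turns tampered input such as '1 OR 1=1' into the valid id 111, so the prepared statement stays free of injection but the request is silently rewritten rather than refused.

```php
<?php
// Added example, not part of the original slides. Runs stand-alone with pdo_sqlite.

// The slide's approach: strip non-digits first, then validate what is left.
function sanitiseThenValidate(string $raw)
{
    $stripped = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    return filter_var($stripped, FILTER_VALIDATE_INT);
}

// Stricter alternative: validate the raw value and reject anything that is not
// a positive integer, so tampered input is refused instead of being reshaped.
function validateId($raw)
{
    if (!is_string($raw)) {       // ?id[]=42 arrives as an array, not a string
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Lookup that only ever sends a bound integer to the database ($pdo is a PDO
// connection supplied by the caller). Returns null for rejected or unknown ids.
function findUserById(PDO $pdo, $rawId): ?array
{
    $id = validateId($rawId);
    if ($id === false) {
        return null;              // invalid input never reaches SQL
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data for the demonstration (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (42, 'alice'), (111, 'bob')");

// Regression checks of the kind the deck asks for: cover known tricks with tests.
assert(sanitiseThenValidate('1 OR 1=1') === 111);       // stripping yields id 111
assert(validateId('1 OR 1=1') === false);                // validating rejects it
assert(findUserById($pdo, '42')['name'] === 'alice');    // normal request works
assert(findUserById($pdo, '1 OR 1=1') === null);         // tampered request refused
assert(findUserById($pdo, ['42']) === null);             // wrong type refused
echo "all checks passed\n";
```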


Use the right tool for the job

Layered security
Photo: https://www.flickr.com/photos/florianric/7263382550

You know all this, right!
Photo: https://www.flickr.com/photos/feesta/2700575201

Victim of an attack?
Photo: https://www.flickr.com/photos/sarahreido/3120877348

Know you’ve been hacked!
Photo: https://www.flickr.com/photos/marittoledo/8512244945

Inform everyone ASAP!

Get security advice!
Photo: https://www.flickr.com/photos/bluerobot/5490728061

Your turn

Spread the word
Photo: https://www.flickr.com/photos/tmab2003/4277896845

Comment on “bad” practices
Photo: https://www.flickr.com/photos/suneko/373310729

Learn about the risks
Photo: https://www.flickr.com/photos/sebastian_bergmann/3991539605

Learn the basics of hacking

hack.me

Use hack cheat sheets

ha.ckers.org

Continuously unit test!

Other resources…

PHP Security Checker

https://github.com/psecio/parse

Essential PHP Security

Security Checklist

snipe.ly/risk_matrix

May the force be with you

Questions

Photo: https://www.flickr.com/photos/colinkinner/2200500024

joind.in/11858

If you like it, thanks.

If you don’t, please tell me how to improve.

Contact us


Consulting - Training - Audits - Graphics

www.in2it.be - info@in2it.be

Photo: https://www.flickr.com/photos/psd/2086641