Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Tuesday, June 24 • 09:00 - 13:00
Training room 7 - Defensive Programming in PHP


This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

  • PHP Platform Security

  • The PHP Application Risk Landscape

  • Secure Design Principles

  • Defensive Programming Techniques in PHP

  • Secure PHP Architecture and Configuration


After successfully completing this course, students will:

  • Comprehend the PHP Platform

  • Appreciate the Risks Affecting PHP Applications

  • Write Secure Web Applications Using PHP

  • Design and Architect Secure PHP Applications

  • Configure Your PHP Applications Securely

Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is exploited to show directory traversal, information leakage, and SQL injection. The labs are not compulsory to get the full value of the course.


Paco Hope

Principal Consultant, Cigital
Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients...

Tuesday June 24, 2014 09:00 - 13:00 BST
