This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.
PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.
This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.
This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:
PHP Platform Security
The PHP Application Risk Landscape
Secure Design Principles
Defensive Programming Techniques in PHP
- Secure PHP Architecture and Configuration
Objectives After successfully completing this course, students will:
Comprehend the PHP Platform
Appreciate the Risks Affecting PHP Applications
Write Secure Web Applications Using PHP
Design and Architect Secure PHP Applications
- Configure Your PHP Applications Securely
Labs and Demonstrations If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is ex- ploited to show directory traversal, information leakage, and SQL injection. The labs are not compulso- ry to get the full value of the course.
