Secure Coding with PHP

Course Objectives

  • Understand basic concepts of security, IT security and secure coding
  • Learn web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
  • Learn to use various security features of PHP
  • Get information about some recent vulnerabilities in PHP itself (the runtime and its extensions)
  • Learn about typical coding mistakes and how to avoid them
  • Get practical knowledge in using security testing tools
  • Get sources and further reading on secure coding practices

Course duration

3 Days

Course outline

1 - IT security and secure coding
  • Nature of security
  • IT security related terms
  • Definition of risk
  • Different aspects of IT security
  • Requirements of different application areas
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cybercrime
  • Classification of security flaws
2 - Web application vulnerabilities

3 - Basics of cryptography
  • Cryptosystems
  • Symmetric-key cryptography
  • Other cryptographic algorithms
  • Asymmetric (public-key) cryptography
  • Public Key Infrastructure (PKI)
4 - Client-side security
  • JavaScript security
  • Ajax security
  • HTML5 Security
5 - PHP security services
  • Cryptography extensions in PHP
  • Input validation APIs
6 - PHP Environment
  • Server configuration
  • Securing PHP configuration
  • Environment security
  • Hardening
  • Configuration management
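The following script is an added illustration of the "Securing PHP configuration" and "Hardening" items and is not part of the Wintrac course material. It audits the running interpreter's php.ini values against a hardened baseline; the directive list and the expected values are this example's own assumptions, not a baseline the course supplies.

```php
<?php
// Added illustration, not course material: audit the running PHP
// configuration against a hardened baseline.  The directive list and the
// expected values are this example's own assumptions.
declare(strict_types=1);

// Directive => value considered safe for a production web server.
const HARDENED_BASELINE = [
    'expose_php'               => '0',  // do not advertise the PHP version in headers
    'display_errors'           => '0',  // never show stack traces or paths to clients
    'log_errors'               => '1',  // ...but do log them server-side
    'allow_url_fopen'          => '0',  // no fopen()/include of remote URLs (if the app can live without it)
    'allow_url_include'        => '0',  // remote file inclusion must be impossible
    'enable_dl'                => '0',  // no runtime loading of extensions
    'session.use_strict_mode'  => '1',  // reject attacker-chosen session IDs
    'session.use_only_cookies' => '1',  // no session IDs in URLs
    'session.cookie_httponly'  => '1',  // keep the session cookie away from JavaScript
    'session.cookie_secure'    => '1',  // send the session cookie over TLS only
];

/**
 * Normalise an ini value: php.ini accepts On/Off/true/false/yes/no as well as
 * 1/0, and ini_get() returns whatever string was configured.
 */
function normalizeIni(string $value): string
{
    $v = strtolower(trim($value));
    if (in_array($v, ['1', 'on', 'true', 'yes'], true)) {
        return '1';
    }
    if (in_array($v, ['0', 'off', 'false', 'no', ''], true)) {
        return '0';
    }
    return $v;
}

/**
 * Return the directives whose current value differs from the baseline,
 * as directive => [current, expected].  Directives PHP does not know are
 * reported as well, since a missing extension is itself worth noticing.
 */
function auditPhpIni(array $baseline): array
{
    $findings = [];
    foreach ($baseline as $directive => $expected) {
        $current = ini_get($directive);
        if ($current === false) {
            $findings[$directive] = ['(not available)', $expected];
            continue;
        }
        if (normalizeIni((string) $current) !== $expected) {
            $findings[$directive] = [(string) $current, $expected];
        }
    }
    return $findings;
}

$findings = auditPhpIni(HARDENED_BASELINE);
if ($findings === []) {
    echo "All audited directives match the hardened baseline.\n";
} else {
    foreach ($findings as $directive => [$current, $expected]) {
        printf("%-26s current=%-8s expected=%s\n", $directive, "'$current'", "'$expected'");
    }
}
```

Run it with the same SAPI and php.ini the application uses (for example via a one-off web request or `php-fpm`'s configuration), because the CLI often loads a different php.ini than the web server does.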
7 - Advice and principles
  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder
8 - Input validation
  • Input validation concepts
  • Knowledge sources
  • Secure coding sources – a starter kit
  • Remote PHP code execution
  • MySQL validation errors – beyond SQL Injection
  • Variable scope errors in PHP
  • File uploads, spammers
  • Environment manipulation
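As an added illustration of the input-validation items above (not code from the course), the script below shows three of the listed mistakes, a user-controlled include path, unvalidated request values and string-built SQL, each beside the safe pattern. The page names, the users table and the request values are constructed for the example, and the in-memory SQLite database only exists so it runs offline (it assumes the pdo_sqlite extension is loaded).

```php
<?php
// Added illustration, not course material: three input-handling mistakes
// shown as the vulnerable pattern beside a safe one.
declare(strict_types=1);

// 1. Dynamic include driven by user input, the classic route to code
//    execution.  VULNERABLE: include "pages/{$_GET['page']}.php" lets an
//    attacker supply a traversal path such as ../../etc/passwd or, with
//    allow_url_include on, a remote URL.
//    SAFE: resolve the request against a fixed allow-list of known pages.
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;   // anything not in the list is rejected
}

// 2. Typed validation instead of trusting request strings.  filter_var()
//    returns false for anything that is not an integer in the given range,
//    so a value such as "1 OR 1=1" never reaches the query.
function validateUserId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Parameterised query.  VULNERABLE: "SELECT ... WHERE id = $raw".
//    SAFE: bind the validated integer with an explicit type so the driver
//    never splices it into the SQL text.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed database so the example runs offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");

// Constructed request values standing in for $_GET.
$requests = [
    ['page' => 'home',             'id' => '1'],
    ['page' => '../../etc/passwd', 'id' => '1 OR 1=1'],
];

foreach ($requests as $req) {
    $page = resolvePage($req['page']);
    $id   = validateUserId($req['id']);
    $user = $id === null ? null : findUser($db, $id);
    printf("page=%-18s => %-10s | id=%-10s => %s\n",
        $req['page'], $page ?? 'rejected',
        $req['id'], $user === null ? 'rejected' : json_encode($user));
}
```

With MySQL the same code applies; there you would additionally set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the PHP driver, does the parameter binding.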
9 - Improper use of security features
  • Problems related to the use of security features
  • Insecure randomness
  • Weak PRNGs in PHP
  • Stronger PRNGs we can use in PHP
  • Password management – stored passwords
  • Some usual password management problems
  • Storing credentials for external systems
  • Privacy violation
  • Improper error and exception handling
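The script below is an added illustration of the insecure-randomness and stored-password items above, not course code. Each weak pattern is shown next to the PHP 7+ replacement; the demo password and the bcrypt cost are this example's own choices.

```php
<?php
// Added illustration, not course material: insecure randomness and weak
// password storage, each beside the PHP 7+ replacement.
declare(strict_types=1);

// --- Randomness --------------------------------------------------------------
// WEAK: rand()/mt_rand()/uniqid() are predictable.  mt_rand() is a Mersenne
// Twister whose state can be recovered from a few outputs, and uniqid() is
// just the microsecond clock.  Neither is acceptable for a session ID,
// password-reset token or CSRF token.
function weakToken(): string
{
    mt_srand((int) microtime(true));          // seeding with the time makes it worse
    return md5((string) mt_rand() . uniqid());
}

// STRONG: random_bytes() and random_int() read the OS CSPRNG and throw if no
// secure source is available, instead of silently falling back.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));      // 32 bytes = 256 bits of entropy
}

function secureCode(int $digits = 6): string
{
    // Uniform in [0, 10^digits); never do random_int(...) % n, which is biased.
    return str_pad((string) random_int(0, 10 ** $digits - 1), $digits, '0', STR_PAD_LEFT);
}

// --- Stored passwords --------------------------------------------------------
// WEAK: md5($password) or sha1($salt . $password) is fast and single-round,
// so a leaked table is cracked offline at billions of guesses per second.
function weakHash(string $password): string
{
    return md5($password);
}

// STRONG: password_hash() uses a slow, salted algorithm (bcrypt by default,
// argon2id where built in), stores salt and cost inside the hash string, and
// password_verify() compares in constant time.  password_needs_rehash() lets
// you raise the cost later without a migration.
const HASH_OPTIONS = ['cost' => 12];   // tune so one verify costs roughly 100 ms on your hardware

function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/** Returns [bool $ok, ?string $upgradedHash]; store the upgraded hash when non-null. */
function checkPassword(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $upgraded = password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)
        ? password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS)
        : null;
    return [true, $upgraded];
}

// Comparing two secrets (a submitted token against the stored one) must use
// hash_equals(), not ==: the latter leaks the match length through timing and
// applies PHP's loose comparison ("0e123" == "0e456" is true, both being 0).
function tokenMatches(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Constructed demo values.
echo "weak token:    ", weakToken(), "\n";
echo "secure token:  ", secureToken(), "\n";
echo "one-time code: ", secureCode(), "\n";

$hash = storePassword('correct horse battery staple');
[$ok, $upgrade] = checkPassword('correct horse battery staple', $hash);
echo "verify good password: ", var_export($ok, true), "\n";
[$ok] = checkPassword('wrong password', $hash);
echo "verify bad password:  ", var_export($ok, true), "\n";
echo "md5 of the same password (crackable): ", weakHash('correct horse battery staple'), "\n";
echo "token compare: ", var_export(tokenMatches($hash, $hash), true), "\n";
```

Credentials for external systems (database passwords, API keys) are a different problem: they cannot be hashed because the application must present them, so they belong in the environment or a secrets store with tight file permissions, never in a file under the web root.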
10 - Time and state problems
  • Concurrency and threading
  • Concurrency in PHP
  • Preventing file race condition
  • Double submit problem
  • PHP session handling
  • A PHP design flaw – open_basedir race condition
  • Database race condition
  • Denial of service possibilities
  • Hashtable collision attack
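As an added illustration of the file race condition and double submit items above (not course code), the script below shows the check-then-act file race beside the atomic alternatives, a locked read-modify-write, and a single-use form token. The file names live under the system temp directory, and the `$session` array stands in for `$_SESSION` so the example runs from the command line without session_start().

```php
<?php
// Added illustration, not course material: two time-and-state bugs, the
// check-then-act file race and the double form submit, with the pattern that
// avoids each.  Files are created under the system temp directory.
declare(strict_types=1);

// RACY: checking and then creating are two separate system calls, so another
// request (or a local attacker planting a symlink) can act in between.
function createRacy(string $path, string $data): bool
{
    if (file_exists($path)) {
        return false;
    }
    return file_put_contents($path, $data) !== false;
}

// ATOMIC: fopen() mode 'x' is O_CREAT|O_EXCL, so the kernel guarantees that
// exactly one caller creates the file; every other caller gets false.
function createExclusive(string $path, string $data): bool
{
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;          // already exists (or not creatable)
    }
    fwrite($fh, $data);
    fclose($fh);
    return true;
}

// Read-modify-write under an exclusive advisory lock; without flock() two
// concurrent requests both read N and both write N+1.
function incrementCounter(string $path): int
{
    $fh = fopen($path, 'c+');   // create if missing, do not truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot lock $path");
    }
    $value = (int) stream_get_contents($fh) + 1;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, (string) $value);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $value;
}

// Atomic replace: write a temp file in the same directory, then rename(), so
// readers see either the old or the new content, never a half-written file.
function replaceAtomically(string $path, string $data): void
{
    $tmp = tempnam(dirname($path), 'tmp');
    if ($tmp === false || file_put_contents($tmp, $data) === false || !rename($tmp, $path)) {
        throw new RuntimeException("atomic replace of $path failed");
    }
}

// Double submit: issue a one-time token with the form and consume it on the
// first POST; a repeated POST (reload, double click, replay) no longer matches.
function issueFormToken(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

function consumeFormToken(array &$session, string $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);              // single use, whatever the outcome
    return $expected !== null && hash_equals($expected, $submitted);
}

$dir     = sys_get_temp_dir();
$file    = $dir . '/race-demo-' . getmypid();
$counter = $dir . '/counter-demo-' . getmypid();

var_dump(createExclusive($file, "first\n"));   // file does not exist yet
var_dump(createExclusive($file, "second\n"));  // refused: the file already exists
replaceAtomically($file, "replaced\n");
echo file_get_contents($file);
echo "counter: ", incrementCounter($counter), " then ", incrementCounter($counter), "\n";

$session = [];
$token = issueFormToken($session);
var_dump(consumeFormToken($session, $token));  // first submit, token still present
var_dump(consumeFormToken($session, $token));  // same token again, already consumed

unlink($file);
unlink($counter);
```

Note that flock() is advisory: it only protects against other code that also calls flock() on the same file, and it does not protect across PHP's session files, which the session handler locks for you between session_start() and session_write_close().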
11 - Using security testing tools
  • Web vulnerability scanners
  • SQL injection tools
  • Public database
  • Google hacking
  • Proxy servers and sniffers
  • Exercise – Capturing network traffic
  • Static code analysis

Wintrac Inc.
16523 SW McGwire Ct.
Beaverton OR 97007
© Wintrac, Inc. All rights reserved.