Presentation

Preparing for Pentesting (@ Longhorn PHP 2018)

At this year’s Longhorn PHP conference I’ll be presenting two talks: an updated version of my “Securing Legacy Applications” session and something new and a bit different for a conference primarily aimed at development topics. I’ll be giving a tutorial on the first day (April 19th) about penetration testing. For those not familiar with the topic, penetration testing is a common security practice where you make attempts to locate the flaws in an application, usually without knowledge of the code running underneath.

For a group that’s primarily focused on “building” rather than “breaking” it might be a bit of a mind shift but I hope to at least provide my attendees with the basic concepts and tools to try it out on their own applications. There have been several sessions recently that focus on securing the code but that’s only half of the equation.

So, if you’re going to be attending my tutorial, here are a few things that can help you hit the ground running when we start. There’ll be a brief introduction to some of the basic application security concepts but we’re not going to dive too deep into those. Instead, you’ll be attacking a series of challenges I’ve created to teach the basics.

Here’s how to prepare:

– Go over the OWASP Top 10 to be familiar with the common vulnerability types (hint: several are in the challenges)
– Grab the Community Edition of the PortSwigger Burp Suite tool. We’ll be using this to help solve some of the challenges
– Check out the PHP security cheat sheet, some of the top PHP security issues and this guide to building secure PHP applications

Don’t worry if you’re not a PHP security pro – that kind of knowledge isn’t required here. The topics we’ll cover are more from the security testing side and, as an added bonus, can be used on any kind of web-based application – not just PHP ones!

I hope to see you on Thursday morning – we’re going to have some fun!


Speaking at DPC12 & a Lone Star PHP Update

Well, I’ve been a little lazy around here and haven’t posted since the beginning of the year. I figured I’d fix that by posting an update about a few things going on around here.

First off, since the schedule was just released, I’ll mention that I’ll be presenting at this year’s Dutch PHP Conference with three different sessions (well, kind of just two):

  • Agile Applications with ExtJS and Zend Framework
    ExtJS is an enterprise-level JavaScript framework, the Zend Framework is one of the most powerful and flexible PHP frameworks to date – it’s a match made in heaven. I’ll introduce you to these two technologies and how to combine them into an easy-to-maintain, agile application that can move as fast as your project needs. I’ll show you how to build a sample application including a frontend MVC, REST backend and unit testing the result. (Tutorial)
  • The API Dilemma
    Creating a good, useful and functional API for your application can be one of the most difficult parts of a project. With more and more things becoming API-powered, it’s important to plan well and provide what the user expects. I’ll look at some principles you can follow to make sure the API you write is the right one, both from the developer perspective and what you, as a user, should expect of a quality web service API. (Session)
  • Agile Applications with ExtJS and Zend Framework
    ExtJS is an enterprise-level JavaScript framework, the Zend Framework is one of the most powerful and flexible PHP frameworks to date – it’s a match made in heaven. I’ll introduce you to these two technologies and how to combine them into an easy-to-maintain, agile application that can move as fast as your project needs. I’ll show you how to build a sample application including a frontend MVC, REST backend and unit testing the result. (Session)

No, I didn’t repeat myself – the first session and the last session are on the same topics – they’re just different lengths. The tutorial on the first day will get more into coding and examples of ExtJS+ZF and the second shorter session will just give a high level overview of each tool and how they hook together. If you’re interested in the “guts” of an Ext-based app, you’d do better in the Tutorial.

Also, for those that don’t know me, I’m a co-organizer of the Dallas PHP User Group. Last year we decided to put on a local PHP-centric event and it was a great success. So, we’re back this year with the Lone Star PHP Conference 2012. We’ve just wrapped up our Call for Papers and are in the process of selecting the best fits for our schedule.

We’ll be announcing the schedule and opening the registration soon, so keep an eye out on the Lone Star PHP conference site for more updates!

Speaking at CodeWorks 2010 : Austin

Since Marco Tabini won’t be able to make it to the CodeWorks Austin spot this year, Keith Casey asked me if I could fill his spot and give his talk on working with the object oriented features that the PHP 5.3.x series has to offer. Here’s his summary:

With version 5.3, PHP has finally acquired a well-rounded object-orientation model that rivals – and in many ways exceeds – those of most other languages, while maintaining PHP’s trademark simplicity and ease of use. In this session, Marco will explore the new OOP features in 5.3 and show you how they can improve your coding.

There are other great talks coming along with the tour that’ll fill you in on things like unit testing strategies, building effective APIs and scalability. If you haven’t picked up your ticket for the Austin stop and want to join us on November 13th (a Saturday), you can still grab a ticket. Full admission for the day packed full of great sessions and community interaction is $100 USD and, if you’d like to purchase a ticket for the Day Camp 4 Developers event, it’s only another $10 USD on top of that!

Come on down (over/up/above?) and join us for this great day-long event!

Speaking at Dallas TechFest 2010 – Building a Web Service API

Just a heads up for all of those in the Dallas/Ft. Worth area – there’s a great one-day event coming up this Friday (July 31st) blending PHP, .NET, Java, new media, Joomla and WordPress into one packed day of sessions – Dallas TechFest 2010 at the University of Texas at Dallas.

I’ll be giving a session called “Building a Web Service API” from 10:30 – 11:45am in the PHP track. Here’s a summary of the session:

When is a web application more than just a web application? Hook up an API and you’ll see! I’ll walk you through the basics of what an API is and the concepts behind it as well as key pieces of technology you can use to create both the client and server. There’s a focus on PHP but other languages and tools will be touched on as well.

There’s still time to register for the event – tickets can be purchased for an early bird price (ending today) of $50 or $60 at the door. You can see the full list of sessions here.

Speaking in the Fall

With the announcement of the speakers for this year’s Zend/PHP Conference it seems I’ll be giving three talks this fall (in the span of two months):

First at CodeWorks 2009 (Dallas) I’ll be giving a talk on best practices, standards and tools to help with both in your PHP development:

  • “B,S,T…Easy as 1,2,3”

The other two will be at ZendCon (in San Jose). They’re on two different topics:

  • “Taming the Deployment Beast” – looking at some of the development and deployment practices that can make releasing your code simpler
  • “Right Where You Belong (The PHP Community)” – no matter what your skill level or area of focus, everyone has a place they can call their own in the PHP community. This talk highlights a few of them.

Hope to see you all there! Here’s more info on the two conferences: CodeWorks (Sept. 26th-27th in Dallas) and ZendCon (Oct. 19th-22nd in San Jose).

Slides for my php|tek talk: “No Really, It’s All About You”

I’ve put my slides for my framework presentation from this year’s php|tek conference – “No Really, It’s All About You” comparing CakePHP, CodeIgniter, Solar and the Zend Framework – up on Slideshare:

Unfortunately, no one was there to record the resulting “discussion” that came from the questions after – heh.