Preparing for Pentesting (@ Longhorn PHP 2018)

At this year’s Longhorn PHP conference I’ll be presenting two talks: an updated version of my “Securing Legacy Applications” session and something new and a bit different for a conference primarily aimed at development topics. I’ll be giving a tutorial on the first day (April 19th) about penetration testing. For those not familiar with the topic, penetration testing is a common security practice in which you actively try to locate the flaws in a running application, usually without access to the source code underneath (often called black-box testing).

For a group that’s primarily focused on “building” rather than “breaking” it might be a bit of a mind shift, but I hope to at least provide my attendees with the basic concepts and tools to try it out on their own applications. There have been several sessions recently that focus on securing the code, but that’s only half of the equation; testing the running application from the outside is the other half.

So, if you’re going to be attending my tutorial, here are a few things that can help you hit the ground running when we start. There’ll be a brief introduction to some of the basic application security concepts but we’re not going to dive too deep into those. Instead, you’ll be attacking a series of challenges I’ve created to teach the basics.

Here’s how to prepare:

– Go over the OWASP Top 10 to be familiar with the common vulnerability types (hint: several of them show up in the challenges)
– Grab the Community Edition of the PortSwigger Burp Suite tool and have it installed and running before we start. We’ll be using it as an intercepting proxy to inspect and modify requests while solving some of the challenges
– Check out the PHP security cheat sheet, some of the top PHP security issues and this guide to building secure PHP applications

Don’t worry if you’re not a PHP security pro – that kind of knowledge isn’t required here. The topics we’ll cover are more from the security testing side and, as an added bonus, can be used on any kind of web-based application – not just PHP ones!

I hope to see you on Thursday morning – we’re going to have some fun!


Speaking at Day Camp 4 Developers on Two-Factor Auth

Well, the official announcements are making the rounds now: the next Day Camp 4 Developers (Master Series) will be coming up in October (the 18th) and will feature several security-related talks. I’ll be one of the four folks presenting at this event and will be giving a talk about two-factor authentication. Here’s the summary:

Two-factor authentication has gotten a lot of attention lately. It’s being praised as a way to help reduce identity theft online, and several major companies have already adapted their practices to use it. Let me guide you through the world of two-factor authentication: I’ll explain some of the basic concepts, dive deeper into the associated protocols and RFCs, and show you some common implementations, with both standalone and web service options, to get you started quickly.

Other topics that’ll be a part of this PHP Master Series (Vol 2) are:

  • Fred Alger – The OWASP Top 10 and You
  • Mike Stowe – Prison Theory of Web Development Security
  • Anthony Ferrara – Password Storage (And Hacking) in PHP

Tickets are already on sale, so you can go ahead and reserve your spot. We hope it’ll help encourage more PHP developers to get proactive about the security of their applications and expose them to some of the good practices and new ideas they can use.