Sijmen Ruwhof (27.Jan.2012 at 14:40)
Talk at PHPBenelux Conference 2012 (English - US)
More often than not, web applications start off as a bright idea, which is then brought into realization at a fast and furious pace, with little eye for anything but the result. Once all envisioned functionality is incorporated in the design and the project is launched, the developers are assigned to the next project.
Apart from a few bug fixes, the final and yet essential step of software development is more often than not omitted: the security audit. Although these checks are regarded as tedious and superfluous, practice shows that they are time well spent: numerous, often severe vulnerabilities come to light.
In his presentation, Sijmen Ruwhof will detail how to incorporate security checks into the software development process. He will also step through the implementation and caveats of a security audit. Ruwhof works for Secundity as a security analyst specialized in PHP audits.
Quicklink: https://joind.in/4751
Track(s): Microsoft room
Slides: Security audits as integral part of PHP application development
28.Jan.2012 at 09:05 by Michiel Rook
Nice talk, could have benefited from a little more technical depth.
28.Jan.2012 at 09:14 by Ike Devolder
I was very disappointed in the beginning, since most of us follow the news and did not need a summary of last year's break-ins.
It also might need some more technical depth, since if you are a PHP developer you should know most of the topics touched by the talk. So in the beginning it could use this summary and then some more advanced technical depth.
28.Jan.2012 at 11:26 by Patrick van Kouteren
The importance of audits was made pretty clear.
Some "Oh yeah", and "I recognize that way of doing stuff". It gave some hints, tips (and eye-openers) where to start when auditing code.
As mentioned above: as programmers we expected some more technical detail.
28.Jan.2012 at 14:07 by Hans de Raad
The tooling part was useful, but the pace and information density could have been higher.
28.Jan.2012 at 15:07 by Anonymous
great content, thanks!
28.Jan.2012 at 15:17 by Max
There were a lot of eye openers for me, and great advice to convince management to get budget for security.
28.Jan.2012 at 19:57 by Erik Snoeijs
I liked the fact that it wasn't YAST (Yet Another SQL injection Talk), but approached the subject of security a bit broader. Having said that, a bit more depth could have gone a long way. Perhaps showing a usage example of one of the tools. Just to make it a bit more involved.
I also think the speaker is more used to giving this talk in Dutch, which made the flow of the talk a little less smooth than it could have been.
Overall a pretty reasonable talk, will certainly be checking out some of the mentioned tools.
29.Jan.2012 at 09:15 by Yosh de Vos
I liked the technical and tooling part, but too bad he did not mention OWASP.
29.Jan.2012 at 10:45 by Kristian Zondervan
Good overview, but I would have liked some more in-depth information. How were the example hacks done and what can we learn from that?
29.Jan.2012 at 15:13 by Chris Ramakers
An overview that barely scratches the surface of a very difficult topic. I think almost every web developer more or less knows what security flaws there are, so they would benefit more from practical examples on how to detect and fix them rather than an overview of tools without any practical implementation or use cases. A bit disappointed, but there's potential.
29.Jan.2012 at 15:57 by Anonymous
This presentation was not an in-depth technical tutorial on how to perform security audits, although some very good advice was given on how you should perform such an audit. The talk was given at a more general level. Not that that is bad, but as said by others, show us a demonstration of the mentioned tools instead of screenshots. Overall, it was a very good talk!
29.Jan.2012 at 18:31 by Patrick van Bergen
Great introduction to the field. It gave me a number of pointers I can start with.
29.Jan.2012 at 21:30 by Bart Reunes
The long intro summarizing the news could have been a lot shorter. And the rest after it came down to "train someone to do audits", or "call Secundity".
If you read php.net/security and find yourself reading the red boxes in the manual, this talk wasn't really adding something more to it, or clearing anything up. It would for one benefit from more technical additions, and real code examples, so the auditing becomes really a part of the daily development, by not making often made mistakes.
There are also a lot of tools mentioned in here, but without telling how one can actually benefit from them, and what they are good or bad at.
So for me, the talk missed to answer the only question I had: "how to make security audits an integral part of PHP application development"...
30.Jan.2012 at 08:37 by Anonymous
Show us demos of the mentioned tools and fewer examples, as said before. Besides that, an inspiring talk and a nice introduction to the security field - thanks a lot!
31.Jan.2012 at 19:59 by Anonymous
27.Feb.2012 at 22:09 by Sijmen Ruwhof
Thanks all for the feedback! It is very much appreciated. I've improved my talk and gave it again at the PHP UK Conference a month later, where it was received even better :-)
27.Jan.2012 at 21:44 by Lucas Aerbeydt
Maybe a bit too many examples in the beginning. The part after that was pretty nice and gave a good insight on how you audit PHP applications.