PHP Security: It doesn't have to be an oxymoron

Comments


Anonymous at 15:42 on 2 May 2013

Very easy to follow, great points, everything covered concisely but still enough to get something out of it.

Steve knows his stuff. Today we learned a few gems. I was hoping for more of the hows and fixes, but the preso was a great learning stub for my team.

He indicated in his presentation that he gathered the information from presentations given by Rasmus Lerdorf. I thought it was a good presentation with definite security concerns to be aware of when developing in PHP.

Anonymous at 13:00 on 4 May 2013

Good information, but delivery was not very engaging.

Good presentation. Covered the basics, but even as a long time PHP user, I learned a few tricks to watch out for.

I credit Steve for getting me started on PHP about 13 years ago. It was good to see you again Steve!

Several great points were made that I can do immediately to improve the security of software I'm writing. This was great.

Thanks for all the great feedback! For the anonymous feedback, I did feel that it wasn't my greatest delivery, but I'm glad you and others got some good information from it. Trevor, to clarify your comment, I stated that about half of the examples I used came from a talk Rasmus had given years ago. He's the one who really got me interested in really understanding web application security.

This was a good talk. Nothing flashy, but direct and to the point. Steve has a real confidence that comes from years of experience, and I was glad to benefit from his insight.

I think Steve did a great job at explaining some of the issues in PHP security, and enjoyed the presentation.

Rasmus originally gave this talk six years ago so the tips were pretty old hat. Still relevant, but I was kind of hoping for something new or some greater detail. At one point Steve just said "you should implement access control" and that was basically it... no talk about HOW to do that.

I have to say I really took issue with Steve strongly suggesting that "other people's code" was rarely, if ever, to be trusted. It smacked of NIH syndrome and goes against the whole spirit of open source!

JLW - thanks for the feedback. I didn't intend to suggest that "other people's code was rarely, if ever, to be trusted". I stated that it is often more trustworthy. In fact, the point I was trying to make was that there are times when it is a very bad thing to invent your own code rather than using already proven code.

However, there are also times when it makes sense to use your own code rather than "some 13-year-old's code" (which is what I said in the talk). I was referring to random WordPress plugins and such that people like to install with no knowledge of how security-conscious the author is.

I apologize for not making this clear. I'll try to make that more clear in the future, along with some more details on access control. Access control is somewhat of an inexact science, however, as it really depends on your framework.