Security audits as integral part of PHP application development


Comments are closed.

Maybe a bit too many examples in the beginning. The part after that was pretty nice and gave a good insight on how you audit PHP applications.

Nice talk, could have benefited from a little more technical depth.

i was very dissapointed in the beginning, since most of us follow the news and did not need a summary of last years breakin's

it also might need some more technical depth, since if you are a php developer most of the topics touched by the talk you should now. so in the beginning it could use this summary and then some more advanced technical depth

Not too informatieve, I'm with Ike.

much examples. not very much technical details.

The importance of audits was made pretty clear.
Some "Oh yeah", and "I recognize that way of doing stuff". It gave some hints, tips (and eye-openers) where to start when auditing code.
As mentioned above: as programmers we expected some more technical detail.

The tooling part was usefull, but the pace and information density could have been higher.

Anonymous at 16:07 on 28 Jan 2012

great content, thanks!

There where a lot of eye openers for me, and great advice to convince management to get budget for security.

I liked the fact that it wasn't YAST (Yet Another SQL injection Talk), but approached the subject of security a bit broader. Having said that, a bit more depth could have gone a long way. Perhaps showing a usage example of one of the tools. Just to make it a bit more involved.

I also think the speaker is more used to giving this talk in dutch, which made the flow of the talk a little less smooth then it could have been.

Overall a pretty reasonable talk, will certainly be checkout out some of the mentioned tools.

I liked the technical and tooling part, but to bad he did not mentioned OWASP.

Good overview but I would have liked some more in-depth information. How where the example hacks done and what can we learn from that?

An overview that barely scratches the surface of a very difficult topic, I think almost every webdeveloper more or less knows what security flaws there are so would benefit more from practical examples on how to detect and fix then rather than an overview of tools without any pracical implementation or usecases. A bit disappointed but there's potential.

Anonymous at 16:57 on 29 Jan 2012

This presentation was not an in depth technical tutorial on how to perform security audits, although some very good advice was given how you should perform such an audit. The talk was brought at a more general level. Not that that is bad, but as said by others, show us a demonstration of the mentioned tools, instead of screenshots. Overall, it was a very good talk!

Great introduction to the field. It gave me a number of pointers I can start with.

The long intro summarizing the news could have been a lót shorter. And the rest after it came down to "train someone to do audits", or "call secundity".

If you read and find yourself reading the red boxes in the manual, this talk wasn't really adding something more to it, or clearing anything up. It would for one benefit from more technical additions, and real code examples, so the auditing becomes really a part of the daily development, by not making often made mistakes.

There are also a lot of tools mentioned in here, but without telling how one can actually benefit from them, and what they are good or bad at.

So for me, the talk missed to answer the only question I had: "how to make security audits an integral part of PHP application development"...

Anonymous at 09:37 on 30 Jan 2012

Show us demos of the mentioned tools and less examples, like said before. Besides that, inspiring talk and nice introduction to the security field - thanks a lot!

Well brought, nice real life examples.

Anonymous at 20:59 on 31 Jan 2012

Thanks all for the feedback! It is very much appreciated. I've improved my talk and gave it again at the PHP UK Conference a month later, where it was received even better :-)