This was an excellent overview of some of the 'classic' security blunders as well as some new ones I haven't heard of (like XML bombs). Awesome talk. Chris is very knowledgable and has calm, professional demeanor. Highly recommended.
Very informative talk, although I would like to have seen a bit more advanced topics. Though the top 3 things are still relevant, they have been presented in many talks in the past. Also, many frameworks and libraries protect against some of the most basic attacks. I would have also like to see measures to prevent common web apps to get hacked like WP, Joomla, Drupal, etc.
A little to basic for me. And I think there was a lot of important material that was kind of glazed over that probably should have been explained.
Things like the small gotchas in PDO prepared statement. Making sure charsets are set and htmlentities /htmlspecialchars are passed the current charset. I think password storage section could stressed on the importance of per-user salts, and maybe an overview of what password hashing actually does... and why even salted md5/sha etc.. are still not good enough. I think some examples of CSRF tokens and how they actually work would have driven the point home better.
Good points, is that I'm glad OWASP was stressed so much. And that the top 10 was used as a guideline for the talk.
Comments
Comments are closed.
This was an excellent overview of some of the 'classic' security blunders as well as some new ones I haven't heard of (like XML bombs). Awesome talk. Chris is very knowledgable and has calm, professional demeanor. Highly recommended.
Great content, learned a couple of things. Thanks.
Great talk, but I was hoping to get a little farther beyond the basics :)
Very informative talk, although I would like to have seen a bit more advanced topics. Though the top 3 things are still relevant, they have been presented in many talks in the past. Also, many frameworks and libraries protect against some of the most basic attacks. I would have also like to see measures to prevent common web apps to get hacked like WP, Joomla, Drupal, etc.
A little to basic for me. And I think there was a lot of important material that was kind of glazed over that probably should have been explained.
Things like the small gotchas in PDO prepared statement. Making sure charsets are set and htmlentities /htmlspecialchars are passed the current charset. I think password storage section could stressed on the importance of per-user salts, and maybe an overview of what password hashing actually does... and why even salted md5/sha etc.. are still not good enough. I think some examples of CSRF tokens and how they actually work would have driven the point home better.
Good points, is that I'm glad OWASP was stressed so much. And that the top 10 was used as a guideline for the talk.
Have to agree with the other reviewers. I thought the talk was really great-- good slides, good delivery-- I just wanted to get in even deeper.