Application Logic Security

Comments


A lot of good info in this talk. I'll have to look over the slides. Thanks Ilia! Glad that you decided to skip over some of the more commonly talked about topics like cross-site scripting, etc.

Information packed! There's too much detail to digest all at once, but lots of great information in the slide deck. I'll have to go through it again later to get the most out of it. Very well researched.

Excellent. In my opinion, one of the best talks so far. Thanks for sharing.

Great content. I'm glad you didn't cover all of the OWASP Top 10, but focused on more of the topics people glance by.

Nice mix of concepts with concrete examples. There was a lot of information condensed into that one talk though, it may have benefited from giving a bit more focus to fewer topics. Was definitely worth attending though and I'll be going back through the slides for reference material.

Definitely will be glad to access the slides. Tons of useful information in an easy to understand format.

I enjoyed this, and will review the material further.

Great information. Thank you, Ilia.

I didn't see the talk and I'm commenting just based on the slides. They are quite good overall but I see some things differently:

1. They often sacrifice UX for the sense of security:

1a. Strong passwords aren't really necessary if we use slow enough hashing function.

1b. Locking out future attempts for 10-15 minutes after 3-5 unsuccessful attempts is pretty harsh for users who don't remember the password.

1c. Session expiry at 24-30 minutes is too aggressive; it wouldn't allow me to finish writing this comment. The same can be said about logout after 10 minutes of inactivity: users often do other stuff while being logged in.

1d. Preventing duplicate logins sounds crazy in the current world. I often start something on my phone and finish it on the computer and I would hate having to log in every time.

2. The Session Fixation protection is plain wrong. An attacker can generate a validated session id and then fixate the user with that. session_regenerate_id() must be called after escalating the privileges (usually after logging in). Please correct this slide if you can so as not to give programmers wrong advice.

3. The idea behind the __save() method is clear but the code doesn't make much sense to me. DataModel looks like a base class yet it's calling parent::save(). Also __save() is private - where is it called from?

Except the Session Fixation fail, these comments are just details or a matter of opinion. Thanks for sharing the slides.
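The ordering issue raised in point 2 above, as an added example (not code from the slides or from the commenter). It contrasts a login handler that regenerates the session id before the credentials are checked with one that regenerates only after a successful check, and enables PHP's strict session mode so that ids the server never issued are refused outright. The `$users` array, the `login()`/`login_broken()` names and the redirect target are illustrative assumptions.

```php
<?php
// Added example: where session_regenerate_id() belongs in a login flow.
// $users, login(), login_broken() and /dashboard are assumptions for illustration;
// a real application would look the password_hash() value up in a database.

declare(strict_types=1);

// Refuse session ids that this server never issued. Without strict mode, PHP will
// start a session under whatever id arrives in the cookie, which is the first half
// of a fixation attack (attacker plants an id, victim authenticates under it).
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Constructed credential store: only the password_hash() output is kept.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Correct ordering: verify first, then swap the id at the moment privileges change.
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // The session becomes authenticated only under a freshly issued id.
    // Whoever planted the old id is left holding an anonymous session.
    // delete_old_session = true also removes the old record from the store.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// The ordering the commenter objects to: the id is regenerated before the check,
// so anyone can obtain a server-issued ("validated") id by submitting a bogus login,
// fixate the victim with it, and inherit the victim's authenticated session.
function login_broken(array $users, string $name, string $password): bool
{
    session_regenerate_id(true);
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    $_SESSION['user'] = $name;
    return true;
}

if (login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    header('Location: /dashboard');
} else {
    http_response_code(401);
}
```

The same rule applies to any other privilege change (password change, role elevation, "remember me" redemption): regenerate after the check succeeds, never as a generic step at the top of the request.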

Even though I was somewhat prepared for what to expect from the lecture (a colleague of mine did a review of Ilia's talk at zendcon 2014), it still pleased me a lot to hear some new things.