Wim clearly knows what he's talking about, and I seriously learned a lot, especially in the latter half. He answered questions very well too. But I have to give this talk 3 stars for two reasons: 1. The first hour (of 2.5 hours) was dedicated to code that was clearly ancient. mysql_escape_string() and addslashes()? While yes, we need to know about SQL injection, but manually concatenating SQL strings with unescaped user input is definitely not mainstream anymore. Other code examples appeared to be coming from phpBB or something similarly outdated. Maybe that code is still out there, but is that what we current developers are at risk of building now? I doubt it. How is this relevant, for example, to my REST API using oAuth authentication? 2. More time and detail could have been given to techniques for dealing with a breach after it has already happened. How to avoid it in future? What are some possible consequences long-term? How to convince stakeholders to spend money on security-related infrastructure, etc.
Good and interesting information. But I thought to get more things, that a PHP developer normaly doesn't know. MySQL injection should be no problem for a developer anymore.
I really enjoyed this session. It was very focused on completely custom applications or those authoring frameworks. There were some basics, but I was still picking up new tidbits of information.
I would have preferred more focus on the types of security issues you can see in applications that are already using a framework of some kind. Most of the issues talked about are "solved" problems as long as you follow what your framework documents. Discussion of the unsolved app or API layer problems would be a great followup to this talk.
A good overview of security concerns. Potentially more suitable as a talk rather than a workshop since it's hard to do any hands-on exercises in the given time frame
Comments
Comments are closed.
Very good talk
Excellent overview of security essentials.
Massive overview of everything relating to security. Very informative and fascinating. Really enjoyed it.
It's a complex topic, so it's hard to go into a lot of detail about everything. But it was a good checklist of things to be aware of.
Wim clearly knows what he's talking about, and I seriously learned a lot, especially in the latter half. He answered questions very well too. But I have to give this talk 3 stars for two reasons: 1. The first hour (of 2.5 hours) was dedicated to code that was clearly ancient. mysql_escape_string() and addslashes()? While yes, we need to know about SQL injection, but manually concatenating SQL strings with unescaped user input is definitely not mainstream anymore. Other code examples appeared to be coming from phpBB or something similarly outdated. Maybe that code is still out there, but is that what we current developers are at risk of building now? I doubt it. How is this relevant, for example, to my REST API using oAuth authentication? 2. More time and detail could have been given to techniques for dealing with a breach after it has already happened. How to avoid it in future? What are some possible consequences long-term? How to convince stakeholders to spend money on security-related infrastructure, etc.
Good and interesting information. But I thought to get more things, that a PHP developer normaly doesn't know. MySQL injection should be no problem for a developer anymore.
I learned a lot about the details of how some exploits work. Things that I had heard of, but never really knew the details of how they were done.
Good information, well presented.
I really enjoyed this session. It was very focused on completely custom applications or those authoring frameworks. There were some basics, but I was still picking up new tidbits of information.
I would have preferred more focus on the types of security issues you can see in applications that are already using a framework of some kind. Most of the issues talked about are "solved" problems as long as you follow what your framework documents. Discussion of the unsolved app or API layer problems would be a great followup to this talk.
A good overview of security concerns. Potentially more suitable as a talk rather than a workshop since it's hard to do any hands-on exercises in the given time frame
The presentation provided a very good overview of security issues. However, I would have liked to have seen more up-to-date code samples.
Good overview of security issues in the entire stack, and different ways that they can be handled.
Some of the code was a bit hard to read from the back, but the overall message and important info was spot on.
Very good presentation, I'd like to see more updated examples of current security vulnerabilities.