This was a great talk that went into the basics of OWASP and web security. But you also had great content for developers that knew web security well and gave more information about how to keep things up to date.
Eli did a great job of turning a "What Not To Do" guide into a "Common Pitfalls" type of guide. There were some moments when it was "you should feel bad if you have ever done this" (not a direct quote, he was too nice for that), but those really were important facts to take home even if nothing else stuck. I was a bit torn because there was more "don't do this" than "here's the solution", but realistically, and as Eli described, most solutions aren't one-size-fits-all.
That said, my constructive criticism would be:
SQL filter injection is a bit over-played in all security talks at this point; more attention could be paid to some of the lesser-known attack vectors: using string combinations that exploit escaping and filtering, SQL select/table parameter injection, anything TLS before 1.2, etc.
Comments
Good high-level insight into the main attack vectors over the web. Thanks Eli!
Great overview of the common things PHP developers have to look out for and what can be done to mitigate risk.
I wish I knew this years ago ... BRB ... lots of rewriting to do ...
Great overview of commonly ignored security vulnerabilities
Informative and entertaining
Thorough, nicely-paced overview of very important information!
Great overview of a variety of security risks and mitigation techniques for defending against them.
As a beginning PHP developer, I know I will appreciate this talk a great deal down the road when I don't have to go back and fix everything later.
A good talk, presented well by a good speaker.