Talk in English - UK at True North PHP 2012
Track Name:
Room 2
View Slides: http://www.slideshare.net/markstory/owasp-top-10-14999548
Short URL: https://joind.in/talk/6b2ef
Avoiding the OWASP Top 10 security exploits
Comments
Great content...I figured it was a bit more than could fit in the time allotted, but he definitely knows his stuff. I'd like to see this extended out into a tutorial session with some good hands-on examples.
Excellent talk on a very important topic. I know you were trying to avoid a feeling of doom and gloom, but I think some examples of bad things happening in the wild would really help to drive the point home. Other than that, well done.
Good talk. I especially appreciated the BCRYPT/MCRYPT discussion, two very important and under-emphasized libraries.
Excellent, well-presented talk! The references to using bcrypt and mcrypt to do hashing and encryption the right way were a nice touch, something I feel is still a bit underpromoted in the PHP community. My only suggestion is to list an instance or two of each particular vulnerability being exploited in the wild. For instance, you mentioned LinkedIn off-hand during the hashing point. I think this would help drive home the point that these things are real and not just theoretical.
The cohesion between the ten items seemed light (contrast to Rafael's "code sucks" talk, where he brought it back together at the end), but the content itself was solid and Mark did a great job talking through it. There were some timing/balance issues, where it felt we sped through some items much quicker than others (and not for lack of importance).
As an improvement, I think mixing in real world examples or stories from CakePHP's development would be beneficial. Most of us are used to seeing harmless alerts for XSS demonstrations, but seeing an actual attack would drive the point home and alleviate the need to explain "this looks innocuous but it can be something far worse".
Great review of the OWASP top 10 security exploits; incredible how old issues like SQLi continue to be very strong and present in a bunch of legacy and even new apps.
Enjoyed this presentation by Mark despite the doom and gloom. Though there may not be enough time, it may be good to throw in a little bit about how these exploits tend to persist because of old tutorials that teach people how to make SQL queries and process form data in insecure ways from the beginning.