Prison Theory of Web Development Security

Comments

Good talk - lots of good reminders for overall applications security. I liked the code snippets that were in there but I'd almost like to see a bit more depth on some of the topics. It seemed like a high level view of a load of security recommendations. Maybe more "how" and not so much "what".

Interesting way to look at security. I got some things to think about. I think you had a little too much text on the slides. We tend to read instead of listening.

Very thorough and helpful. A lot to think through, but they all seem to be important. The three automatic security scanning tools seem worth the price of admission!

Anonymous at 11:11 on 18 Oct 2013

First half of the talk is great, but the second half suggestions seemed somewhat tired or in need of updating.

It was a good rundown on things, but too generic. The prison mindset is interesting; first time seeing it from that POV. Maybe I would have wanted some hands-on or a GitHub repo to play with.

Very good talk. But Mike talks way too fast, very hard to understand at times.

I hope the slides will be available at a later time.

Excellent talk, interesting background stories, and a great overview of how to craft an in-depth security policy.

I agree with the comments on going more in depth. I typically like talks that aren't very high-level or abstract. (At least not for very long)

Good talk!
Just 2 small things:
1) the code snippets seemed too easy
2) would like to see some images also in the slides

Good job overall! Cheers!

Never heard someone suggest using obfuscation to improve security with a straight face.

I like the concept of thinking of your application as a prison with guards, watch towers, gates and the whole lot. The personal story telling made it even more appealing.

Thanks for sharing and making us more paranoid!

I enjoyed the prison theory spin on PHP security as well as the personal anecdotes to make the talk interesting. Would have enjoyed more in-depth examples and best practices over the usual cry of "security is important".

Anonymous at 11:24 on 18 Oct 2013

Good talk, but spoke very quickly at times. Perhaps a bit less content would allow for a slower paced presentation.

Great talk with basic level of knowledge for securing a web application. If you've been around PHP a while you may think this outdated or obvious, but I can tell you I know people that still argue against validating on the server side if they're already doing it on the client side...for API requests...

Anonymous at 11:25 on 18 Oct 2013

Well done!

I also would have liked some more concrete examples. Perhaps take a form and show how to add the layers to it.

Anonymous at 11:33 on 18 Oct 2013

A bit too basic for veteran devs.

Thank you all for the great feedback, very much appreciated. I try not to address comments specifically, but in this case wanted to touch on the one regarding obfuscation:

"Never heard someone suggest using obfuscation to improve security with a straight face."

Obfuscation is a fairly common practice when it comes to security. While it can have a bad rap, this is due to it being relied on as the only layer of security or utilized as a lazy method of security. In essence, it provides an added layer of difficulty and security to an application, but should not be utilized as the only layer. Perhaps one of the most common examples of obfuscation in the "real world" is ReCaptcha, which can be implemented to help prevent brute force attacks on logins, or the ambiguous error page that simply states something went wrong without providing any source code details to the end user.

More often than not, it's the little things you do that add up and make your application more secure. Granted, some methods provide more security than others, but I don't think you can have an application that is "too secure," especially when entrusted with personal data that in the wrong hands could be detrimental to the real-world life of your end user.