La parole est aux speakers : Antti Rössi

Publié le

Jusqu’au Forum PHP 2020, retrouvez nos interviews de speakers pour mieux comprendre leur parcours et le sujet qu’ils ou elles aborderont lors de leur conférence !

La conférence

How your PHP application can get hacked, and how to prevent that from happening?

You’ve probably heard about XSS, SQL Injection, and RCE. Very few developers out there have witnessed first-hand what exploiting any of the mentioned vulnerabilities looks like, and therefore don’t necessarily understand the consequences that having such vulnerabilities in your application can have. In this talk, we’ll exploit some commonly known vulnerabilities (OWASP top 10) and misconfigurations that can occur to a PHP application running on a Linux based host. By learning to think like a hacker you’ll be able to develop more secure applications with PHP, and to keep your users, clients, and yourself safe.

This presentation consists of security concept theory sections from PHP developers' point-of-view and a few hands-on hacking demonstrations. At the end of the presentation, we go through a set of concrete action steps to secure our applications from the vulnerabilities we learned about earlier.

Grace Hopper

In the context of the recent Twitter hacks, is source code the first thing to improve when talking about security? What about processes and employees training ?

Source code alone should certainly not be the de facto first thing to improve when talking about security. The security of your systems and solutions is always equal to the security and robustness of the single weakest link in your system.
As an example running a secure and well-crafted web application on an otherwise unhardened and outdated web server will most certainly cause an overall system compromise. A stolen admin password can also easily result in total mayhem if you’re not utilizing strong multi-factor authentication for admin users, and you for example allow them to query and export sensitive data.

Malicious insiders and social engineering attacks are often ones of the toughest threats for a company to mitigate, like we saw in the recent Twitter hack incident. The best preparations for these kinds of threats include staff awareness training and separation of duties, which both focus on the people and process side of security. When a single weak link can and will compromise your overall security, you need to look at security much more comprehensively than just the technical side.

Regarding the performance aspect, it’s a feature for high concurrency or for real-time exchanges but less important on batch processing. At which point or level do you consider security move from a « nice-to-have » to a « must-have »?

In my personal opinion as both a business owner and a security professional, this dilemma boils down to two critical questions. How big of a loss can you and your project handle, and what is a reasonable and tolerable likelihood of that risk realizing? The bigger the stakes, the earlier security becomes a must-have for you.
Setting this threshold is an important business decision that has to be made on the very top management level, and it requires the buy-in of all management and leadership in order to be enforced throughout the organization properly.

What would you advise to a PHP developer who would like into CTF (Capture The Flag) and bug bounty programs?

Being a developer, especially a PHP developer, gives you a brilliant foundation to succeed in both CTFs and bug bounty programs. Since you’re already familiar with the single most widely used web technology out there (+ probably JavaScript), and you’re used to understanding “how things work under the hood”, you’re already knee-deep into what’s required to succeed and enjoy CTFs and bug bounty programs. I’d highly recommend joining a local hacker community or event to get to see and experience a CTF competition first-hand, they’re awesome. There’s a perfect combination of learning, having fun, and of course frustrated debugging, that keeps me coming back for more time after time. The cybersecurity scene is most of the time very open and helpful, and you’ll be able to learn what resources other people have found useful getting up to speed with hacking and CTFs. What are you waiting for?!

Une conférence présentée par

Antti is an IT entrepreneur, a PHP enthusiast, and an OSCP certified white-hat hacker based in Helsinki Finland. During the daytime, he’s leading an innovative recruitment technology company called Jobilla, where he’s mainly focusing hands-on in the product design and development processes day-to-day. For the night time and weekends, he turns into a white hat hacker that loves to solve CTF challenges and puzzles and to spend time penetration testing software in bug bounty programs in order to make the web a safer place for us all. He is passionate about teaching fellow developers about software security (especially within the PHP community), and is known for concrete hands-on oriented presentations and workshops.

Autres interviews

La parole est aux speakers : Ben Smith