Speakers take the floor: Antti Rössi
Until Forum PHP 2020, find our speaker interviews to better understand their background and the topic they will cover in their talk!
How your PHP application can get hacked, and how to prevent that from happening?
You’ve probably heard about XSS, SQL Injection, and RCE. Very few developers out there have witnessed first-hand what exploiting any of the mentioned vulnerabilities looks like, and therefore don’t necessarily understand the consequences that having such vulnerabilities in your application can have. In this talk, we’ll exploit some commonly known vulnerabilities (OWASP Top 10) and misconfigurations that can occur in a PHP application running on a Linux-based host. By learning to think like a hacker, you’ll be able to develop more secure applications with PHP, and to keep your users, clients, and yourself safe.
This presentation consists of security concept theory sections from a PHP developer’s point of view and a few hands-on hacking demonstrations. At the end of the presentation, we go through a set of concrete action steps to secure our applications from the vulnerabilities we learned about earlier.
In the context of the recent Twitter hacks, is source code the first thing to improve when talking about security? What about processes and employee training?
Source code alone should certainly not be the de facto first thing to improve when talking about security. The security of your systems and solutions is always equal to the security and robustness of the single weakest link in your system.
As an example, running a secure and well-crafted web application on an otherwise unhardened and outdated web server will most certainly cause an overall system compromise. A stolen admin password can also easily result in total mayhem if you’re not utilizing strong multi-factor authentication for admin users and, for example, allow them to query and export sensitive data.
Malicious insiders and social engineering attacks are often among the toughest threats for a company to mitigate, as we saw in the recent Twitter hack incident. The best preparations for these kinds of threats include staff awareness training and separation of duties, which both focus on the people and process side of security. When a single weak link can and will compromise your overall security, you need to look at security much more comprehensively than just the technical side.
Regarding the performance aspect, it’s a feature for high concurrency or for real-time exchanges but less important for batch processing. At which point or level do you consider that security moves from a “nice-to-have” to a “must-have”?
In my personal opinion as both a business owner and a security professional, this dilemma boils down to two critical questions. How big a loss can you and your project handle, and what is a reasonable and tolerable likelihood of that risk materializing? The bigger the stakes, the earlier security becomes a must-have for you.
Setting this threshold is an important business decision that has to be made on the very top management level, and it requires the buy-in of all management and leadership in order to be enforced throughout the organization properly.
What would you advise to a PHP developer who would like to get into CTF (Capture The Flag) and bug bounty programs?
Antti is an IT entrepreneur, a PHP enthusiast, and an OSCP-certified white-hat hacker based in Helsinki, Finland. During the daytime, he’s leading an innovative recruitment technology company called Jobilla, where he’s mainly focusing hands-on on the product design and development processes day-to-day. During the night time and on weekends, he turns into a white-hat hacker who loves to solve CTF challenges and puzzles and to spend time penetration testing software in bug bounty programs in order to make the web a safer place for us all. He is passionate about teaching fellow developers about software security (especially within the PHP community), and is known for concrete, hands-on oriented presentations and workshops.