Secure Coding in PHP

Short course

Inhouse

£ 201-500

Description

  • Type

    Short course

  • Level

    Intermediate

  • Methodology

    Inhouse

  • Duration

    2 Days

  • Start date

    Different dates available

The course provides the essential skills PHP developers need to make their applications resistant to contemporary attacks through the Internet. Web vulnerabilities are discussed through PHP-based examples that go beyond the OWASP Top Ten, tackling various injection attacks, script injections, attacks against PHP session handling, insecure direct object references, issues with file upload, and many others. PHP-related vulnerabilities are introduced and grouped into the standard vulnerability types: missing or improper input validation, incorrect error and exception handling, improper use of security features, and time- and state-related problems. For the latter we discuss attacks such as open_basedir circumvention, denial of service through the magic float, and the hash table collision attack. In all cases participants become familiar with the most important techniques and functions for mitigating the listed risks.

A special focus is given to client-side security, tackling security issues of JavaScript, Ajax and HTML5. A number of security-related extensions to PHP are introduced, such as hash, mcrypt and OpenSSL for cryptography, or Ctype, ext/filter and HTML Purifier for input validation. Hardening best practices are given for PHP configuration (php.ini settings), Apache and the server in general. Finally, an overview is given of the security testing tools and techniques that developers and testers can use, including security scanners, penetration testing and exploit packs, sniffers, proxy servers, fuzzing tools and static source code analyzers.

Facilities

Location

Start date

Inhouse

Start date

Different dates available

About this course

Upon completion of this course, you will be able to:

* Understand basic concepts of security, IT security and secure coding
* Learn Web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
* Learn to use various security features of PHP
* Get information about some recent vulnerabilities of the PHP framework
* Learn about typical coding mistakes and how to avoid them
* Get practical knowledge in using security testing tools
* Get sources and further reading on secure coding practices

Web developers, architects, and testers

None

Both the introduction of vulnerabilities and the configuration practices are supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to apply mitigation techniques and introducing the use of various extensions and tools.


Reviews

This centre's achievements

2018

All courses are up to date

The average rating is higher than 3.7

More than 50 reviews in the last 12 months

This centre has featured on Emagister for 6 years

Subjects

  • Javascript training
  • Testing
  • Java
  • Server
  • Javascript
  • PHP
  • Ajax
  • Proxy
  • Web
  • Public

Teachers and trainers (1)

Bright Solutions

Trainer

Course programme


#text-block-10 { margin-bottom:0px; text-align:left; }

IT security and secure coding

* Nature of security
* IT security related terms
* Definition of risk
* Different aspects of IT security
* Requirements of different application areas
* IT security vs. secure coding
* From vulnerabilities to botnets and cyber crime
* Classification of security flaws

Web application vulnerabilities

Basics of cryptography

* Cryptosystems
* Symmetric-key cryptography
* Other cryptographic algorithms
* Asymmetric (public-key) cryptography
* Public Key Infrastructure (PKI)

Client-side security

* JavaScript security
* Ajax security
* HTML5 Security

PHP security services

* Cryptography extensions in PHP
* Input validation APIs

PHP Environment

* Server configuration
* Securing PHP configuration
* Environment security
* Hardening
* Configuration management

Advice and principles

* Matt Bishop’s principles of robust programming
* The security principles of Saltzer and Schroeder


Input validation

* Input validation concepts
* Remote PHP code execution
* MySQL validation errors – beyond SQL Injection
* Variable scope errors in PHP
* File uploads, spammers
* Environment manipulation

Improper use of security features

* Problems related to the use of security features
* Insecure randomness
* Weak PRNGs in PHP
* Stronger PRNGs we can use in PHP
* Password management – stored passwords
* Some usual password management problems
* Storing credentials for external systems
* Privacy violation
* Improper error and exception handling

Time and state problems

* Concurrency and threading
* Concurrency in PHP
* Preventing file race conditions
* Double submit problem
* PHP session handling
* A PHP design flaw – open_basedir race condition
* Database race condition
* Denial of service possibilities
* Hashtable collision attack

Using security testing tools

* Web vulnerability scanners
* SQL injection tools
* Public database
* Google hacking
* Proxy servers and sniffers
* Exercise – Capturing network traffic
* Static code analysis

Knowledge sources

* Secure coding sources – a starter kit
* Vulnerability databases