Monday, December 28, 2015

Wide Open to Interpretation: PHP

We're teaching a 2 day class at INFILTRATE this year on PHP and another one on Java. Both of them are linked, but in fact cover very different concepts. My main point is this: Just because you don't use PHP at your company doesn't mean you don't use PHP-like technologies. The deserialization issues PHP had last year, Java has this year. Getting ahead in software security means cross-training where possible.

It's also true that auditing PHP apps never goes out of style. Everyone uses PHP apps, just as everyone eats fries, no matter how vegan.

So what are you going to learn if you come to INFILTRATE and take the class? Here are some slides.

We've of course cut our sample target code down to show basic concepts but each is pulled from an impactful vulnerability.

PHP bugs can be deceptively simple at first.

One hint is that the researcher was wrong is that we include them in our slides. :)

In any case - you should sign up for the class before it fills up, as it invariably does RIGHT BEFORE EVERYONE WANTS TO SIGN UP. But we cannot add more seats last minute. So a little prep-time is all I'm asking for this year. :)

No comments:

Post a Comment