Defending PHP Applications
Course Overview
Students will gain valuable insight into developing secure PHP5 applications.
The course shows students the latest web-based threats and how to defend against them. Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and build safer web applications from the start.
Students completing this class will find their secure coding abilities materially sharpened and will be able to integrate these techniques in their own organizations.
Learning Objectives
- Describe the vulnerabilities and exploits facing modern web applications.
- Understand how insecure coding techniques result in vulnerabilities in PHP applications.
- Implement defensive coding methods in PHP using secure coding practices and the tools and libraries that support them.
Day 1 Outline
Introduction
- OWASP Top 10
- Defending PHP5
1. SQL Injection
- About SQL Injection
- Real-time example
- Newsflash
- Parameterized Queries
2. Cross-site Scripting
- About XSS
- Blacklist validation
- Whitelist validation
- Safe re-encoding
- Safe vs unsafe
- HttpOnly
3. Session Hijacking
- About Session Hijacking
- Stealing credentials
- Encryption
- Short session timeouts
4. Parameter Manipulation
- About Parameter Manipulation
- Server-side validation
- Session variables
5. Insecure Storage
- About Insecure Storage
- Sensitivity of information
- Threat modeling
- Hashing passwords
6. Forcible Browsing
- About Forcible Browsing
- Page-level authorization
- Programmed authorization
7. Cross-site Request Forgery
- About XSRF
- Meg goes shopping
- Decreasing timeouts
- XSRF tokens
- Re-authentication
8. Insecure Configuration
- About insecure configuration
- Users, Software
- Hardening
- Standardized builds
- Patch management
- Updates and audits
9. Unchecked Redirects
- About unchecked redirects
- Newsflash
- Validating parameters
- Server-side checks
10. Clear-text communication
- About clear-text communication
- Eavesdropping
- Newsflash
- Encryption in transit
- Proper SSL/TLS implementations
Day 2 Outline
11. SQL Injection Defenses
- Common pitfalls in PHP
- Parameterized Queries in PHP
- MySQL
- PHP Data Objects
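The pitfall and the parameterized form side by side, as an added example written for PHP 7 or later (this is not code from the course). It runs against an in-memory SQLite database through PDO so it works offline; the table rows and the attacker string are constructed for illustration.

```php
<?php
// Added example (not course material): SQL injection pitfall vs. PDO parameterized query.
// Uses an in-memory SQLite database (pdo_sqlite) so it runs offline; rows and the
// attacker input are constructed for illustration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'user'), ('admin', 'admin')");

// Common PHP pitfall: the untrusted value is concatenated into the SQL text, so the
// attacker edits the query itself, not just the data it compares against.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Defense: the SQL text is fixed at prepare time; the value is bound as a parameter
// and can only ever be compared as a string literal.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, role FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted literal and appends an always-true condition.
$attack = "x' OR '1'='1";

echo "vulnerable:\n";
print_r(findUserVulnerable($db, $attack)); // the injected OR clause matches every row, admin included
echo "parameterized:\n";
print_r(findUserSafe($db, $attack));       // the whole string is compared literally; no user has that name
```

With the MySQL driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so values travel to the server separately instead of being quoted client-side, and put the connection charset in the DSN (`charset=utf8mb4`) so escaping and the server agree on the encoding. Table and column names cannot be bound as parameters; those must come from a fixed allow-list in code.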
12. XSS Defenses
- Common pitfalls in PHP
- Whitelisting
- Output re-encoding in PHP
- HttpOnly in PHP
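Output re-encoding chosen for the context the value lands in, as an added example for PHP 7 or later (not course code). Encoding on output is what the "whitelisting" and "safe re-encoding" items refer to; stripping a blacklist of tags on input is the pitfall. The attacker-controlled strings are constructed.

```php
<?php
// Added example (not course material): re-encode output for the context it lands in.
// PHP 7+. The attacker-controlled strings are constructed.
declare(strict_types=1);

// HTML text node or quoted attribute value.
function eHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data embedded in a <script> block: JSON with <, >, &, ' and " hex-escaped, so a
// value containing "</script>" cannot close the block early.
function eJs($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A single query-string component.
function eUrl(string $s): string
{
    return rawurlencode($s);
}

$name = '<img src=x onerror=alert(1)>';        // constructed attacker input
$bio  = '</script><script>alert(2)</script>';  // constructed attacker input

// Common pitfall: the raw value is echoed, so the browser parses the attacker's markup.
$vulnerable = '<p>Hello, ' . $name . '</p>';

// Defense: encode at the point of output, with the encoder that matches the context.
$safeHtml = '<p>Hello, ' . eHtml($name) . '</p>';
$safeAttr = '<input name="display" value="' . eHtml($name) . '">';
$safeJs   = '<script>var bio = ' . eJs($bio) . ';</script>';
$safeLink = '<a href="/profile?name=' . eUrl($name) . '">profile</a>';

echo $vulnerable, "\n", $safeHtml, "\n", $safeAttr, "\n", $safeJs, "\n", $safeLink, "\n";
```

Always quote attribute values: `htmlspecialchars()` does not make an unquoted attribute safe. None of these encoders makes a value safe as a URL scheme (`href="javascript:..."`), as an event-handler body, or inside a raw CSS block; those contexts need an allow-list, not encoding.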
13. Session Hijacking Defenses
- Common pitfalls in PHP
- SSL/TLS encryption
- Shorter session timeouts
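Session hardening in one place, covering the "HttpOnly in PHP" item from section 12 and the timeout and encryption items of section 13, as an added example for PHP 7 or later (not course code). The 15-minute idle timeout is an assumed policy value; the user ID in the demonstration is constructed. Everything here must run before any output is sent.

```php
<?php
// Added example (not course material): session hardening in PHP 7+.
// Must run before any output. SESSION_IDLE_SECONDS is an assumed policy setting.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 900;

function startHardenedSession(): void
{
    // HttpOnly keeps the cookie out of document.cookie, so script injected via XSS
    // cannot read the session ID; Secure keeps it off plain HTTP where it could be sniffed.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    // IDs only in cookies, never in URLs (which leak through Referer headers and logs).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued, which defeats session fixation (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');
    session_start();
    enforceIdleTimeout();
}

function enforceIdleTimeout(): void
{
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        // Idle too long: drop server-side state and issue a fresh ID so the old one is dead.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

// After a successful login, swap IDs so any pre-login ID an attacker planted is worthless.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_seen'] = time();
}

// Application cookies get the same flags. Positional arguments: value, expire, path,
// domain, secure, httponly (available since PHP 5.2).
function setRememberCookie(string $token): void
{
    setcookie('remember', $token, time() + 86400, '/', '', true, true);
}

startHardenedSession();
onLoginSuccess(42); // constructed user ID
```

`session.cookie_secure` is only honoured if the site is actually served over HTTPS; on a plain-HTTP development host the browser will never send the cookie back, which is the intended failure mode rather than a bug to work around.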
14. Parameter Manipulation Defenses
- Common pitfalls in PHP
- Security Logic
- Regular Expressions
- Centralized Validation
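One central validator driven by a rule table, with the price looked up server-side instead of trusted from the form, as an added example for PHP 7.1 or later (not course code). The rule set, catalogue and tampered request are all constructed.

```php
<?php
// Added example (not course material): centralized server-side validation with filter_var().
// PHP 7.1+. Rule table, catalogue and the incoming request are constructed.
declare(strict_types=1);

// Parameter name => filter, options, required flag. Anything not listed is dropped.
function orderRules(): array
{
    return [
        'product_id' => ['filter' => FILTER_VALIDATE_INT,
                         'options' => ['options' => ['min_range' => 1, 'max_range' => 999999]],
                         'required' => true],
        'quantity'   => ['filter' => FILTER_VALIDATE_INT,
                         'options' => ['options' => ['min_range' => 1, 'max_range' => 100]],
                         'required' => true],
        'coupon'     => ['filter' => FILTER_VALIDATE_REGEXP,
                         'options' => ['options' => ['regexp' => '/\A[A-Z0-9]{4,12}\z/']],
                         'required' => false],
    ];
}

// Returns [validated values, error messages]. Unknown parameters never reach the caller.
function validate(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $name => $rule) {
        if (!array_key_exists($name, $input) || $input[$name] === '') {
            if ($rule['required']) {
                $errors[] = "$name is required";
            }
            continue;
        }
        $value = filter_var($input[$name], $rule['filter'], $rule['options']);
        if ($value === false) {
            $errors[] = "$name is invalid";
            continue;
        }
        $clean[$name] = $value;
    }
    return [$clean, $errors];
}

// The price comes from the server-side catalogue, never from a hidden form field.
function catalogPrice(int $productId): float
{
    $catalog = [101 => 49.99, 102 => 9.50]; // constructed
    if (!isset($catalog[$productId])) {
        throw new InvalidArgumentException('unknown product');
    }
    return $catalog[$productId];
}

// Constructed tampered request: a client-chosen 'price' and a negative quantity.
$request = ['product_id' => '101', 'quantity' => '-5', 'price' => '0.01', 'coupon' => 'SAVE10'];
[$clean, $errors] = validate($request, orderRules());
print_r($clean);  // 'price' is absent because no rule exists for it
print_r($errors); // quantity fails the min_range rule
if (!$errors) {
    echo 'total: ', catalogPrice($clean['product_id']) * $clean['quantity'], "\n";
}
```

Keeping the rules in one table means every entry point validates the same way, and a reviewer can audit the accepted input for the whole application by reading one function. Anything that must survive across requests but never be editable by the client (the logged-in user ID, a cart total) belongs in `$_SESSION`, not in a form field.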
15. Insecure Storage Defenses
- Common pitfalls in PHP
- Mcrypt library
- Hashing
- Storing Passwords with Bcrypt
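Password storage with bcrypt through `password_hash()` (available since PHP 5.5), as an added example for PHP 7 or later (not course code). Passwords are hashed, not encrypted, so the mcrypt extension listed above is the wrong tool for them; it was also deprecated in PHP 7.1 and removed in 7.2. The cost value is an assumed tuning parameter and the passwords are constructed.

```php
<?php
// Added example (not course material): storing passwords with bcrypt via password_hash().
// PHP 7+. BCRYPT_COST is an assumed tuning value; the sample passwords are constructed.
declare(strict_types=1);

const BCRYPT_COST = 12; // raise until one hash takes roughly 100 ms on your hardware

// Pitfall: a fast, unsalted digest. Equal passwords give equal hashes, and a leaked table
// can be attacked with precomputed lookups at billions of guesses per second.
function hashPasswordInsecure(string $password): string
{
    return md5($password);
}

// Defense: bcrypt with a random per-password salt and a tunable work factor. The
// returned string encodes algorithm, cost and salt, so nothing else needs to be stored.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Constant-time comparison against the stored hash.
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// When the cost policy is raised later, old hashes are upgraded at the user's next login,
// the only moment the plaintext is available.
function rehashIfNeeded(string $password, string $storedHash): string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return $storedHash;
}

$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('Tr0ub4dor&3', $stored));
// Two users with the same password still get different hashes, because the salt differs.
var_dump($stored === hashPassword('correct horse battery staple'));
```

Store the full `password_hash()` output in a column of at least 60 characters (255 leaves room for future algorithms). Bcrypt only uses the first 72 bytes of the password, so if very long passphrases must be supported in full, pre-hash with SHA-256 or move to `PASSWORD_ARGON2ID` where available.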
16. Forcible Browsing Defenses
- Common pitfalls in PHP
- Access Controls
- Programmed Authorization
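Page-level and object-level authorization with a default-deny route table, as an added example for PHP 7 or later (not course code). The route table, roles, sessions and order records are constructed.

```php
<?php
// Added example (not course material): programmed authorization, default deny.
// PHP 7+. Route table, roles, sessions and order records are constructed.
declare(strict_types=1);

// Route => roles allowed to load it. Pages not listed here cannot be reached at all,
// which is what stops forcible browsing to a URL the attacker guessed.
function routeRoles(): array
{
    return [
        '/index.php'           => ['anonymous', 'user', 'admin'],
        '/account/profile.php' => ['user', 'admin'],
        '/admin/users.php'     => ['admin'],
    ];
}

function currentRole(array $session): string
{
    return isset($session['role']) ? (string) $session['role'] : 'anonymous';
}

// Page-level check: call at the top of every script, or once in a front controller.
function isAuthorized(string $path, array $session): bool
{
    $table = routeRoles();
    if (!isset($table[$path])) {
        return false; // default deny
    }
    return in_array(currentRole($session), $table[$path], true);
}

// Object-level check: an authorized page must still confirm the record belongs to the caller,
// otherwise changing ?order=123 to ?order=124 reads someone else's data.
function canViewOrder(array $order, array $session): bool
{
    if (currentRole($session) === 'admin') {
        return true;
    }
    return isset($session['user_id'], $order['owner_id'])
        && $order['owner_id'] === $session['user_id'];
}

function requireAuthorized(string $path, array $session): void
{
    if (!isAuthorized($path, $session)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Forbidden');
    }
}

$alice = ['user_id' => 7, 'role' => 'user']; // constructed session
var_dump(isAuthorized('/account/profile.php', $alice));
var_dump(isAuthorized('/admin/users.php', $alice));   // wrong role
var_dump(isAuthorized('/admin/backup.php', $alice));  // unlisted page: denied for everyone
var_dump(canViewOrder(['owner_id' => 7], $alice));
var_dump(canViewOrder(['owner_id' => 8], $alice));    // someone else's order
```

Hiding a link in the navigation is not access control; the check has to run on the server for every request, and the role has to come from the session, never from a request parameter or cookie the client can edit.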
17. XSRF Defenses
- Common pitfalls in PHP
- Best Practices
- XSRF tokens
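The synchronizer-token pattern, as an added example for PHP 7 or later (not course code). The transfer form and the three submissions are constructed.

```php
<?php
// Added example (not course material): XSRF tokens in PHP 7+.
// The form fields and the three sample submissions are constructed.
declare(strict_types=1);

function randomToken(int $bytes = 32): string
{
    // random_bytes() is PHP 7+; openssl_random_pseudo_bytes() covers PHP 5.3+.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    return bin2hex(openssl_random_pseudo_bytes($bytes));
}

// One unguessable token per session, created on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = randomToken();
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Check on every POST. hash_equals() (PHP 5.6+) compares in constant time.
function csrfCheck(array $post, array $session): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

session_start();
echo csrfField(), "\n";

// A real submission carries the token. A forged cross-site request cannot, because the
// attacker's page can neither read this user's session nor the form that was rendered for it.
$legit  = ['amount' => '100', 'csrf_token' => csrfToken()];
$forged = ['amount' => '100'];                                       // constructed: token missing
$guess  = ['amount' => '100', 'csrf_token' => str_repeat('0', 64)];  // constructed: wrong token

var_dump(csrfCheck($legit, $_SESSION));
var_dump(csrfCheck($forged, $_SESSION));
var_dump(csrfCheck($guess, $_SESSION));
```

State changes must only be accepted on POST; a GET handler that modifies data can be triggered by a plain `<img src>` and no token will help. For the highest-value actions (changing the e-mail address or password, transferring funds) the course's re-authentication item applies on top of the token: ask for the current password again.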
18. Insecure Configuration Defenses
- Common pitfalls in PHP
- Register globals
- Error reporting and trace
- Logging
- Safe mode
- Magic quotes
- Session management
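The php.ini settings behind the items above, as an added configuration fragment (not course material). The weak defaults of older PHP releases are shown next to the hardened value; the log path and idle timeout are assumed values.

```ini
; Added example (not course material): php.ini hardening for the configuration items above.
; Directives marked "removed" do not exist in current PHP and should simply be absent.

; Removed in PHP 5.4. On older builds they must be Off:
register_globals = Off      ; removed in 5.4; request parameters must never become PHP variables
magic_quotes_gpc = Off      ; removed in 5.4; escape at the database layer, not on input
safe_mode = Off             ; removed in 5.4; never a real security boundary

; Error reporting: log everything, show nothing to the client.
; Stack traces and notices leak file paths, SQL fragments and sometimes credentials.
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log   ; assumed path
error_reporting = E_ALL

; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off

; Remote code inclusion.
allow_url_include = Off
allow_url_fopen = Off        ; enable only if the application needs outbound HTTP via file functions

; Session management.
session.use_only_cookies = 1
session.use_strict_mode = 1
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_trans_sid = 0
session.gc_maxlifetime = 900 ; assumed idle timeout in seconds
```

Verify the running values with `php -i` or `phpinfo()` on the actual SAPI (CLI and FPM can load different ini files), and treat the output of `phpinfo()` itself as sensitive: it should never be reachable on a production host.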
19. Unchecked Redirect Defenses
- Common pitfalls in PHP
- PHP Header Redirects
- Indirect Object Mapping in PHP
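The unchecked `header('Location: ...')` pitfall next to the two defenses named above, an indirect object map and server-side validation of the path, as an added example for PHP 7 or later (not course code). The redirect map and the test inputs are constructed.

```php
<?php
// Added example (not course material): unchecked redirect pitfall and two PHP defenses.
// PHP 7+. The redirect map and the test inputs are constructed.
declare(strict_types=1);

// Pitfall: the destination is taken straight from the request. A link such as
// /login.php?next=https://evil.example/ then carries the real site's reputation.
function redirectVulnerable(string $next): void
{
    header('Location: ' . $next);
    exit;
}

// Defense 1: indirect object mapping. The client sends an opaque key; the URL table
// lives only on the server, so there is no free-form destination to tamper with.
function redirectMap(): array
{
    return [
        'home'    => '/index.php',
        'account' => '/account/profile.php',
        'orders'  => '/account/orders.php',
    ];
}

function resolveRedirectKey(string $key): string
{
    return redirectMap()[$key] ?? redirectMap()['home']; // unknown key: safe default
}

// Defense 2: when a free-form path is unavoidable, accept only a site-relative path.
// Rejects absolute URLs, protocol-relative "//host", "/\host", and any character
// outside a conservative set (so no CR/LF for header injection, no ':' for schemes).
function safeLocalPath(string $path): string
{
    if (preg_match('#\A/(?![/\\\\])[A-Za-z0-9_\-./?=&%]*\z#', $path) !== 1) {
        return '/';
    }
    return $path;
}

function redirectSafe(string $path): void
{
    header('Location: ' . safeLocalPath($path), true, 302);
    exit;
}

$tests = [
    '/account/orders.php',
    'https://evil.example/',
    '//evil.example/',
    '/\\evil.example/',
    "/ok\r\nSet-Cookie: x=1",
];
foreach ($tests as $t) {
    printf("%-30s -> %s\n", addcslashes($t, "\r\n"), safeLocalPath($t));
}
echo resolveRedirectKey('orders'), "\n", resolveRedirectKey('../etc/passwd'), "\n";
```

Prefer the map whenever the set of destinations is known in advance. If the path must be free-form, build the final URL from your own scheme and host plus the validated path rather than echoing anything the client sent.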
20. Clear-text Communication Defenses
- Common pitfalls in PHP
- Enabling encryption
- Enforcing strong ciphers
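Enforcing encryption in transit from PHP on both sides of the connection, as an added example for PHP 7 or later (not course code): inbound requests are bounced to HTTPS with an HSTS header, and outbound cURL calls keep certificate verification on with a TLS 1.2 floor. The canonical host name and CA bundle path are assumed values, and the server arrays are constructed.

```php
<?php
// Added example (not course material): encryption in transit from PHP 7+.
// CANONICAL_HOST and the CA bundle path are assumed; the $server arrays are constructed.
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com';

function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy the scheme arrives in X-Forwarded-Proto. Trust it
    // only when that proxy is the sole path to this host; otherwise a client can set it.
    return isset($server['HTTP_X_FORWARDED_PROTO']) && $server['HTTP_X_FORWARDED_PROTO'] === 'https';
}

// Build the HTTPS URL from a fixed host, not from the client-supplied Host header,
// so this redirect cannot itself be turned into an open redirect.
function httpsUrlFor(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . CANONICAL_HOST . $uri;
}

function enforceHttps(array $server): void
{
    if (!requestIsHttps($server)) {
        header('Location: ' . httpsUrlFor($server), true, 301);
        exit;
    }
    // Browsers remember to use HTTPS for a year, so the plain-HTTP first request never recurs.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Outbound. The common pitfall is CURLOPT_SSL_VERIFYPEER => false, which accepts any
// certificate and turns TLS into encryption-to-anyone. Verification stays on, the peer
// name must match, the protocol floor is TLS 1.2 and redirects may not downgrade to http.
function secureCurlHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_CAINFO          => '/etc/ssl/certs/ca-certificates.crt', // assumed bundle path
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT         => 10,
    ]);
    return $ch;
}

var_dump(requestIsHttps(['HTTPS' => 'on']));
var_dump(requestIsHttps(['HTTP_X_FORWARDED_PROTO' => 'https']));
var_dump(requestIsHttps(['HTTPS' => 'off', 'REQUEST_URI' => '/cart']));
echo httpsUrlFor(['REQUEST_URI' => '/cart?id=3']), "\n";
$ch = secureCurlHandle('https://api.example.com/v1/status'); // constructed URL; not executed here
curl_close($ch);
```

The cipher suite list itself is set in the web server or in OpenSSL's system policy, not in PHP; what PHP controls is whether the application refuses plain HTTP and whether its own outbound clients actually check the certificate they are shown.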
Download Datasheet
Security Compass training courses are offered using a variety of delivery methods. Download the datasheet to learn more.
Public Classes
Security Compass offers this course as a public class. Contact us for a schedule of all our upcoming public training classes.
Free OWASP Top 10 CBT
We're offering our OWASP Top 10 course CBT online for free. Register now and take the course today.