Tutorial T5 – WebAppSec.php: Developing Secure Web Applications

Mr. Robert H'obbes' Zakon, Zakon Group LLC

Tuesday, December 8th, Full Day

Web applications are the new frontier of widespread security breaches. This tutorial will guide you through development practices to ensure the security and integrity of your application, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how proper development practices can mitigate their damage. Although the tutorial targets the security of PHP-based applications, much of the content is applicable to other programming languages as well.

Outline

  1. Overview & Scope
  2. Secure Coding Practices
  3. Attack Types & Prevention
  4. Web 2.0, AJAX
  5. Grand Finale

Prerequisites

This tutorial is geared towards programmers developing web applications, although others with an interest in web security or managing a group of web developers may benefit as well. A good understanding of web programming, preferably with some database programming experience, will be helpful. Familiarity with PHP, although not required, may be useful, as the examples covered will be PHP-based.

About the Instructor

Mr. Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org.