
Security Theatre

PHP UK Conference via YouTube

Overview

Explore the dark depths of web security in this PHP UK Conference talk by Thomas Shone. Delve beyond typical security topics to understand hacker motivations and vulnerabilities in consumer websites. Learn about secure communication, encryption, and hashing while examining the results of a 4-year project on website vulnerabilities. Discover the importance of proper versioning, automatic patching, and plugin management in maintaining secure systems. Investigate trust assumptions in network configuration, user authentication, and computer integrity. Analyze weaknesses in encryption implementations, password reset processes, and two-factor authentication. Develop strategies for patching, training, and handling potential compromises. Gain insights into decoupling roles, adopting security standards, and improving overall system security to protect against evolving threats.

Syllabus

Intro
Security Theatre @thomas_shone
Denial
Internet of Things
SAMSUNG
Most popular software: It's not what you think
OpenX: Backdoored for almost a year
Versioning: Projects with bad versioning also have some of the worst security issues
Automatic Patching: If your software comes with automatic upgrading, people will use it
Plugins and Templates: If an update needs manual changes for plugins or templates, no one updates
The hardest part of security is not writing secure code
without vulnerability: Vulnerability research and security updates
I trust that the network is configured properly and secure: Good system administrators
I trust you are who you say you are: TLS Certificate Peer Verification or Authentication
I trust your computer is not compromised: ????
I trust that the user won't be the weak link: Training and procedures
Weakening: Compromising encryption or hashing is about reducing time to crack
Implementation: A bad implementation helps reduce the time to crack
2 Factor Authentication: composer require pragmarx/google2fa
Avoid old tutorials on encryption: scott/e9319254c8ecbad4f227
One way encoding: Comparisons / Integrity Checks
Timing Attacks: Brute forcing cryptographic functions via time taken to execute
is critical in encryption: Used for key generation and nonces
Weak password reset processes: Can you Google the answer? How do you handle customer support reset?
Patching Strategy: If a dependency prevents updating, resolve it now
Don't become comfortable: Comfort breeds contempt
Training Strategy: Have a process for dealing with account locks and resets
Compromise Strategy: Have a plan before you need it
Information
Decouple roles: Databases, servers, domains, roles, ...
Get behind PSR-9 & 10
Group Performance

Taught by

PHP UK Conference
