This comprehensive three-day Secure Coding for PHP Boot Camp discusses web vulnerabilities through PHP-based examples. You’ll learn concepts beyond the OWASP Top Ten, tackling various injection attacks, script injections, attacks against session handling of PHP, insecure direct object references, issues with file upload and many others.

Both the introduction of vulnerabilities and the configuration practices are supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to apply mitigation techniques and introducing the use of various extensions and tools.

• Three full days of of secure coding training with an expert instructor
• Infosec digital courseware (physical textbooks available to purchase)
• 90-day access to replays of daily lessons (Flex Pro)
• 90-day access to hosted labs (Flex Pro)
• 100% Satisfaction Guarantee

This boot camp teaches you how poor security practices leave applications open to attack and how to implement the necessary tools, techniques and best practices to write code in a secure manner. It will help develop your knowledge and skills around:

• Basic concepts of security, IT security and secure coding
• Web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Various security features of PHP
• Recent vulnerabilities of the PHP framework
• Typical coding mistakes and how to avoid them
• Using security testing tools

• PHP developers
• Managers, architects and technologists involved in PHP
• Anyone interested in learning more about secure PHP coding

Basic to advanced knowledge of PHP, including experience developing PHP applications, as well as familiarity with Apache, MySQL and SQL.

IT security and secure coding

• Nature of security
• IT security related terms
• Definition of risk
• Different aspects of IT security
• Requirements of different application areas
• IT security vs. secure coding
• From vulnerabilities to botnets and cybercrime
• Classification of security flaws

Web application vulnerabilities

Basics of cryptography

• Cryptosystems
• Symmetric-key cryptography
• Other cryptographic algorithms
• Asymmetric (public-key) cryptography
• Public Key Infrastructure (PKI)

Client-side security

• JavaScript security
• AJAX security
• HTML5 security

PHP security services

• ​Cryptography extensions in PHP
• Input validation APIs

PHP environment

• ​Server configuration
• Securing PHP configuration
• Environment security
• Hardening
• Configuration management

Advice and principles

• ​Matt Bishop’s principles of robust programming
• The security principles of Saltzer and Schroeder

Input validation

• Input validation concepts
• Remote PHP code execution
• MySQL validation errors – beyond SQL Injection
• Variable scope errors in PHP
• File uploads, spammers
• Environment manipulation

Improper use of security features

• ​Problems related to the use of security features
• Insecure randomness
• Weak PRNGs in PHP
• Stronger PRNGs we can use in PHP
• Password management – stored passwords
• Some usual password management problems
• Storing credentials for external systems
• Privacy violation
• Improper error and exception handling
• Classification of security flaws

Time and state problems

• ​Concurrency and threading
• Concurrency in PHP
• Preventing file race condition
• Double submit problem
• PHP session handling
• A PHP design flaw – open_basedir race condition
• Database race condition
• Denial of service possibilities
• Hashtable collision attack
• Classification of security flaws

Using security testing tools

• Web vulnerability scanners
• SQL injection tools
• Public database
• Google hacking
• Proxy servers and sniffers
• Exercise – Capturing network traffic
• Static code analysis