About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.

All posts for Jul 2006

OmniTI Seeks Junior Security Analyst

Are you a good PHP developer searching for a cool place to work?

OmniTI (where I work) employs several industry leaders, including Theo Schlossnagle, George Schlossnagle, Laura Thomson, and Wez Furlong. We do lots of interesting, challenging work for some of the largest and most recognizable names on the Internet. Not only do we predominantly use open source technologies, our staff are major contributors to many notable open source projects. In other words, I think this is a really cool place to work. :-)

We're expanding our web application security practice and are looking to hire some experienced PHP developers who are interested in learning all about web application security. We need people who have good communication skills and work well with others, because this is a friendly, collaborative environment. The ideal candidates will also be capable of learning quickly and advancing into more senior roles in the company.

If this sounds exciting to you, please contact me directly or email jobs [at] omniti.com. The official job description follows:

Junior Security Analyst

The Junior Security Analyst role at OmniTI provides a spectacular opportunity for professional development while working on large-scale, mission-critical projects. OmniTI's leadership consists of many published authors, frequent speakers at leading industry conferences, and world-renowned experts, all of which participate in the mentoring of our junior staff.

This is a technical position for an aspiring web application security specialist with a strong background in web development and a desire to work on challenging, security-related projects.


Columbia, MD

Main Responsibilities

  • Auditing of web application code
  • Analysis of a diverse set of platforms and environments
  • Developing tools to advance the web application security practice
  • Engaging in research as necessary to remain ahead of the curve


  • College degree in a computer-related discipline, or equivalent industry experience
  • Excellent communication skills and a thirst for knowledge
  • 3 years of professional web development experience
  • Comprehensive understanding of programming and programming principles
  • Advanced knowledge of web protocols and programming requirements
  • Comprehensive understanding of PHP, HTML, and JavaScript
  • Experience with Perl a plus
  • Good understanding of web application security concerns
  • Experience working with version control systems such as CVS or Subversion
  • Good understanding of relational databases (primarily MySQL, PostgreSQL, and Oracle)

PHP Security Hoedown at OSCON

For those of you attending OSCON in a couple of weeks, you might be interested in the PHP Security Hoedown BOF being hosted Wednesday night by Ed Finkler of CERIAS:

An open discussion about the current state of PHP security. Are we making progress? What should our goals be, and how do we achieve those goals? Are we reaching the "average PHP user?"

I'm planning to be there, and hopefully we can all learn something and have a good time. I consulted the dictionary, and apparently an event must include square dancing to earn the right to be called a hoedown. :-)


OWASP, the Open Web Application Security Project, is famous for its Top Ten list of security vulnerabilities. David ported the list to PHP (PHP and the OWASP Top Ten), and now OWASP has released its own PHP-specific list, the PHP Top 5:

The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application framework.

In 2005, OWASP collaborated with SANS to research and write a completely new PHP section to their successful Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.

The top five concerns for PHP developers, according to this research, are:

  • Remote Code Execution
  • Cross-Site Scripting
  • SQL Injection
  • PHP Configuration
  • Filesystem Attacks

Remote code execution (also called remote code injection or code injection) should see a reduction in popularity in PHP 6. The following list of changes is from the PHP 6 meeting notes that Derick posted:

  • We split allow_url_fopen into two distinct settings: allow_url_fopen and allow_url_include. If allow_url_fopen is off, then allow_url_include will be off too.
  • We enable allow_url_fopen by default.
  • We disable allow_url_include by default.

SQL injection could also see a reduction in popularity if more and more developers start using PDO and its support for prepared statements. From the manual:

Prepared statements are so useful that they are the only feature that PDO will emulate for drivers that don't support them. This ensures that you will be able to use the same data access paradigm regardless of the capabilities of the database.

Thanks, Wez!

PHP Security by Example

Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two.

About a week ago, the Flash version of PHP Security by Example was Dugg.

I'm always disappointed to see trolls (Digg seems to have a bigger problem with this than Slashdot), but a few of the comments raise some valid questions. I'll try to summarize and answer those here.

It's true that slides are never a substitute for a talk, and this is especially true for this one, because it's a hands-on workshop. It's something Marco calls a BYOL (bring your own laptop), and it involves a lot of one-on-one attention and hand-holding.

The reason it's in Flash is because the person submitting the story linked to the Flash version. :-) To be fair, the only other format available for this talk is PDF. I've been wanting to create a nice web application for viewing Keynote slides. I think the best approach might be to export the slides as images, and create a simple slide navigator. I can always continue to also offer PDF, Quicktime, and Flash formats.

One comment really stands out:

If these tips helped you in a commercial website, then you should refund your customers money because you have no business writing software. The last thing the world needs is another PHP programmer that doesn't understand security.

I disagree with this type of comment (the underlying sentiment is shared by others) for a couple of reasons:

  • The attacks covered in this talk have been known to affect many major web applications, including Google, Amazon, and Yahoo. CSRF in particular is still a dangerous attack that seems to be hovering below the radar of many developers. Ignorance is not exactly the same thing as incompetence.
  • Elitism does nothing to promote the education of up-and-coming developers. This industry needs a nurturing environment, not one where those who don't know something are afraid to ask questions. This is especially true for niche topics such as web application security. Don't assume everyone who doesn't know about XSS is an idiot.

These comments have motivated me to improve the slides for this talk, and I might try to prepare a video that demonstrates some of these attacks, so that it's more useful to an Internet audience.

This is a perfect opportunity to promote Dan Kuykendall's new Hackme Test Site. It's a hands-on environment where you can try some XSS and SQL injection attacks of your own. Check it out.