PHP Security by Example06 Jul 2006
Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two.
About a week ago, the Flash version of PHP Security by Example was Dugg.
I'm always disappointed to see trolls (Digg seems to have a bigger problem with this than Slashdot), but a few of the comments raise some valid questions. I'll try to summarize and answer those here.
It's true that slides are never a substitute for a talk, and this is especially true for this one, because it's a hands-on workshop. It's something Marco calls a BYOL (bring your own laptop), and it involves a lot of one-on-one attention and hand-holding.
The reason it's in Flash is because the person submitting the story linked to the Flash version. :-) To be fair, the only other format available for this talk is PDF. I've been wanting to create a nice web application for viewing Keynote slides. I think the best approach might be to export the slides as images, and create a simple slide navigator. I can always continue to also offer PDF, Quicktime, and Flash formats.
One comment really stands out:
If these tips helped you in a commercial website, then you should refund your customers money because you have no business writing software. The last thing the world needs is another PHP programmer that doesn't understand security.
I disagree with this type of comment (the underlying sentiment is shared by others) for a couple of reasons:
- The attacks covered in this talk have been known to affect many major web applications, including Google, Amazon, and Yahoo. CSRF in particular is still a dangerous attack that seems to be hovering below the radar of many developers. Ignorance is not exactly the same thing as incompetence.
- Elitism does nothing to promote the education of up-and-coming developers. This industry needs a nurturing environment, not one where those who don't know something are afraid to ask questions. This is especially true for niche topics such as web application security. Don't assume everyone who doesn't know about XSS is an idiot.
These comments have motivated me to improve the slides for this talk, and I might try to prepare a video that demonstrates some of these attacks, so that it's more useful to an Internet audience.
This is a perfect opportunity to promote Dan Kuykendall's new Hackme Test Site. It's a hands-on environment where you can try some XSS and SQL injection attacks of your own. Check it out.