SlideShare a Scribd company logo

Enterprise-Class PHP Security

ZendCon, profile picture
ZendCon

This document discusses enterprise security as it relates to PHP applications. It begins by defining an enterprise as a high-stakes endeavor with significant scope, money, purpose, or impact. Enterprise security specifically aims to prevent harmful security events for applications where the stakes are high, with real risks and severe consequences of failure. The document then outlines some of the key differences between enterprise security and traditional low-stakes PHP application security, including dedicated security teams, formal standards, and a focus on risk management. It provides guidance for PHP developers on understanding enterprise security requirements and effectively partnering with security teams.

Technology
1 of 30
Downloaded 139 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Barry Austin Interactive Strategies doBoard
http://www.whoast.com/blog/whoast%20lemonade%20stand.JPG
http://www.kaushik.net/avinash/wp-content/uploads/2007/05/enterprise_class_warship.png
http://upload.wikimedia.org/wikipedia/commons/7/72/Enterprise_free_flight.jpg
http://graphic-engine.swarthmore.edu/wp-content/uploads/2008/05/enterprise_capture_02.jpg
Enterprise (n):  a high‐stakes endeavor
High‐stakes in terms of: Scope Money Purpose Impact
http://blogs.princeton.edu/eqn/images/bigstockphoto_Security_Pad_Locks_40080.jpg
Security is the prevention of harmful events
Enterprise Security is the prevention of  harmful events where the stakes are high Real risk involved Severe consequences of failure
If an enterprise app has a security breach… Public safety or military involved – people get  hurt, die amazon.com can’t process orders – enormous $$$  losses Facebook spreads malware – millions infected at,  say, $100 damage each… Yikes! Banks get robbed electronically – rumored to be  happening to the tune of hundreds of millions of $
PHP is growing up The Internet is growing up Bad guys are growing up
PHP is driving into the enterprise software  market Zend IBM Microsoft Others…
If my blog goes down… Who cares? Crickets? Did I hear crickets?
Case in point: Wordpress Has been beat upon in low‐stakes environments This is the norm for the PHP ecosystem PHP ecosystem has adapted to the security  needs of low‐stakes uses The stakes are changing
Enterprises pay specific attention to security Manage risk Hire and buy Establish standards, controls, process
Managing risk Risk is the probability of an event occuring  multiplied by impact Often managed as an aggregate covering all  identifiable events Risk can be avoided, mitigated, or transferred
Signs You’re Dealing With Enterprise Security Dedicated security team Scary consequences of security failure Formal security standards and requirements Security audit/review Biased against PHP
Expect a good security team to: Identify security drivers Apply requirements (standards) Find vulnerabilities Orchestrate and plan fixes Calculate overall risk level Recommend “go” or “no go”
Purpose of the application Level of trust in users Sensitivity of data Criticality of functions Integrity of transactions Threat environment Consequences of exploitation Laws, regulations, rules
ISO/IEC 27002 Payment Card Industry Data Security  Standard (PCI‐DSS) OWASP Application Security Verification  Standard (ASVS) NIST Special Publications series, FIPS Especially NIST SP 800‐53
Common failings of security teams Apply rules where not really needed Don’t operate tools (e.g. scanners) correctly Shift burden of proof entirely to your side Bring only “no”, never “yes” or “try this” Lose sight of the ultimate goal Are overwhelmed by minutiae
How to overcome security team failings Understand what they need to accomplish Be a step ahead – ask leading questions Remind them about the big picture Engage with the goal of finding solutions Escalate – find a voice of reason Encourage focus on most important issues Insist on balanced burden of proof
Master the basics Participate in security community OWASP events, conferences Other local meetups Experiment with secure coding frameworks  and techniques Inspekt ESAPI‐PHP Security features built into your framework of  choice
Define roles and responsibilities Classify data and functions Identify desired/required security properties Define basic security architecture Select baseline security controls Plan for lifecycle
Do a self‐assessment Check OWASP criteria Run a scanner or hire a specialist Review using industry checklist/standards Treat security requirements as any other  requirements or constraints Treat security vulnerabilities as bugs
Best way to get started is… to start!
High‐stakes organizations expect that PHP  applications can stand up to the scrutiny of  their risk management standards and  practices They do this to prevent harmful events that  can have severe consequences Enterprise‐class security is in a new league for  many PHPers, but with the right knowledge  and an effective approach we can handle it.
http://www.owasp.org http://www.owasp.org/index.php/Category:O WASP_AppSec_Conference http://code.google.com/p/inspekt/ http://www.owasp.org/index.php/Category:O WASP_Enterprise_Security_API
Enterprise-Class PHP Security

More Related Content

PDF
Asw feb13 low
Carlos Carvalho
 
PDF
Av MX HF June_2016 newsletter
Jeff Grenier
 
PPT
Computer Security Basics for UW-Madison Emeritus Faculty and Staff
Nicholas Davis
 
PPTX
PHP and Platform Independance in the Cloud
ZendCon
 
PPTX
MySQL Optimizer Overview
Olav Sandstå
 
PDF
Zend Core on IBM i - Security Considerations
ZendCon
 
PPT
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
Mark Swarbrick
 
PDF
A Storage Story #ChefConf2013
Kyle Bader
 
Asw feb13 low
Carlos Carvalho
 
Av MX HF June_2016 newsletter
Jeff Grenier
 
Computer Security Basics for UW-Madison Emeritus Faculty and Staff
Nicholas Davis
 
PHP and Platform Independance in the Cloud
ZendCon
 
MySQL Optimizer Overview
Olav Sandstå
 
Zend Core on IBM i - Security Considerations
ZendCon
 
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
Mark Swarbrick
 
A Storage Story #ChefConf2013
Kyle Bader
 

Viewers also liked (20)

PDF
MySQL Manchester TT - Replication Features
Mark Swarbrick
 
PDF
Script it
Giuseppe Maxia
 
PDF
MySQL Manchester TT - 5.7 Whats new
Mark Swarbrick
 
PDF
Oracle Compute Cloud Service介绍
Zhaoyang Wang
 
KEY
Framework Shootout
ZendCon
 
PPTX
Application Diagnosis with Zend Server Tracing
ZendCon
 
PDF
MySQL in your laptop
Giuseppe Maxia
 
PPT
PHP on Windows - What's New
ZendCon
 
KEY
Zend_Tool: Practical use and Extending
ZendCon
 
PDF
Oracle Compute Cloud Service快速实践
Zhaoyang Wang
 
PDF
Oracle cloud 使用云市场快速搭建小型电商网站
Zhaoyang Wang
 
PDF
Why MySQL High Availability Matters
Mark Swarbrick
 
PDF
Oracle cloud ravello介绍及测试账户申请
Zhaoyang Wang
 
PDF
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
ZendCon
 
PPTX
PHP on IBM i Tutorial
ZendCon
 
PDF
MySQL Manchester TT - Security
Mark Swarbrick
 
PDF
Tiery Eyed
ZendCon
 
PPT
Functions in php
Mudasir Syed
 
PPTX
MySQL Head to Head Performance
Kyle Bader
 
PDF
MySQL Intro JSON NoSQL
Mark Swarbrick
 
MySQL Manchester TT - Replication Features
Mark Swarbrick
 
Script it
Giuseppe Maxia
 
MySQL Manchester TT - 5.7 Whats new
Mark Swarbrick
 
Oracle Compute Cloud Service介绍
Zhaoyang Wang
 
Framework Shootout
ZendCon
 
Application Diagnosis with Zend Server Tracing
ZendCon
 
MySQL in your laptop
Giuseppe Maxia
 
PHP on Windows - What's New
ZendCon
 
Zend_Tool: Practical use and Extending
ZendCon
 
Oracle Compute Cloud Service快速实践
Zhaoyang Wang
 
Oracle cloud 使用云市场快速搭建小型电商网站
Zhaoyang Wang
 
Why MySQL High Availability Matters
Mark Swarbrick
 
Oracle cloud ravello介绍及测试账户申请
Zhaoyang Wang
 
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
ZendCon
 
PHP on IBM i Tutorial
ZendCon
 
MySQL Manchester TT - Security
Mark Swarbrick
 
Tiery Eyed
ZendCon
 
Functions in php
Mudasir Syed
 
MySQL Head to Head Performance
Kyle Bader
 
MySQL Intro JSON NoSQL
Mark Swarbrick
 
Ad

Similar to Enterprise-Class PHP Security (20)

PDF
How Current Advanced Cyber Threats Transform Business Operation
Eryk Budi Pratama
 
PDF
Journal+Feature-InsiderThreat
Anthony Buenger
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
marrincehiz
 
PPT
Eileen Presentation
jc06442n
 
PDF
2010 Sc World Congress Nyc
Bob Maley
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
geradojengel
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
schiemrossg3
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
DOCX
Technological Threats to Businesses (Independent Study)
Gerard Keenan
 
PDF
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
FitCEO, Inc. (FCI)
 
PDF
Whitepaper: BATTLING IT OUT: APPLICATION AND MOBILE SECURITY - Happiest Minds
Happiest Minds Technologies
 
PDF
Outsourcing
karlhennessy
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
grachalyako20
 
PPT
Risk Management on the Internet
sekiur
 
PPTX
Importance of cyber security in education sector
Seqrite
 
PPT
Security analysis
Yulisa Rosliana S.Kom
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
molicochoual
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
PPTX
Copy of OWASP Threat and Safeguard Matrix.pptx
jayceefied
 
How Current Advanced Cyber Threats Transform Business Operation
Eryk Budi Pratama
 
Journal+Feature-InsiderThreat
Anthony Buenger
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
marrincehiz
 
Eileen Presentation
jc06442n
 
2010 Sc World Congress Nyc
Bob Maley
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
geradojengel
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
schiemrossg3
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
Technological Threats to Businesses (Independent Study)
Gerard Keenan
 
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
FitCEO, Inc. (FCI)
 
Whitepaper: BATTLING IT OUT: APPLICATION AND MOBILE SECURITY - Happiest Minds
Happiest Minds Technologies
 
Outsourcing
karlhennessy
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
grachalyako20
 
Risk Management on the Internet
sekiur
 
Importance of cyber security in education sector
Seqrite
 
Security analysis
Yulisa Rosliana S.Kom
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
molicochoual
 
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
Copy of OWASP Threat and Safeguard Matrix.pptx
jayceefied
 
Ad

More from ZendCon (20)

PPT
I18n with PHP 5.3
ZendCon
 
PDF
Cloud Computing: The Hard Problems Never Go Away
ZendCon
 
PPT
Planning for Synchronization with Browser-Local Databases
ZendCon
 
PPT
Magento - a Zend Framework Application
ZendCon
 
PDF
PHP and IBM i - Database Alternatives
ZendCon
 
PDF
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
ZendCon
 
PDF
Joe Staner Zend Con 2008
ZendCon
 
PDF
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
ZendCon
 
PDF
DB2 Storage Engine for MySQL and Open Source Applications Session
ZendCon
 
PDF
Digital Identity
ZendCon
 
PDF
Modernizing i5 Applications
ZendCon
 
PDF
Lesser Known Security Problems in PHP Applications
ZendCon
 
PDF
Architecting for PHP5 - Why "Runs on PHP5" is not "Written for PHP5"
ZendCon
 
PDF
SQL Query Tuning: The Legend of Drunken Query Master
ZendCon
 
PDF
ZendCon 2008 Closing Keynote
ZendCon
 
PDF
Top Zend Studio Secrets
ZendCon
 
PDF
VIM for (PHP) Programmers
ZendCon
 
PDF
Test Driven Development
ZendCon
 
PDF
Rickroll To Go With PHP, WURFL, and Other Open Source Tools
ZendCon
 
PDF
PECL Picks - Extensions to make your life better
ZendCon
 
I18n with PHP 5.3
ZendCon
 
Cloud Computing: The Hard Problems Never Go Away
ZendCon
 
Planning for Synchronization with Browser-Local Databases
ZendCon
 
Magento - a Zend Framework Application
ZendCon
 
PHP and IBM i - Database Alternatives
ZendCon
 
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
ZendCon
 
Joe Staner Zend Con 2008
ZendCon
 
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
ZendCon
 
DB2 Storage Engine for MySQL and Open Source Applications Session
ZendCon
 
Digital Identity
ZendCon
 
Modernizing i5 Applications
ZendCon
 
Lesser Known Security Problems in PHP Applications
ZendCon
 
Architecting for PHP5 - Why "Runs on PHP5" is not "Written for PHP5"
ZendCon
 
SQL Query Tuning: The Legend of Drunken Query Master
ZendCon
 
ZendCon 2008 Closing Keynote
ZendCon
 
Top Zend Studio Secrets
ZendCon
 
VIM for (PHP) Programmers
ZendCon
 
Test Driven Development
ZendCon
 
Rickroll To Go With PHP, WURFL, and Other Open Source Tools
ZendCon
 
PECL Picks - Extensions to make your life better
ZendCon
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 

Enterprise-Class PHP Security