Defensive Programming for PHP Security

Course Description

This course covers how to design, build, and integrate with frameworks and native PHP functionality to secure applications. It is geared toward lead developers or developers with a strong interest in security, or the need to resolve threat model, secure code review, or penetration test reports. It provides students with the knowledge and skills required to protect data and applications from attack. By the conclusion of this course, students will understand how to design and implement security functionality, and how to leverage native PHP and common frameworks to secure their applications.

Learning Objectives

  • Authenticate users, including using modern JWT SSO, and integrate with two-factor authentication
  • Store sensitive state securely on the server
  • Build and enforce access control policies, including implementing role-based access control, as well as understanding capabilities-based access control, which is heavily used in mobile applications
  • Implement a full range of input validation and output encoding to avoid common pitfalls such as XSS and DOM XSS, and SQL injection
  • Design and implement secure storage of sensitive data
  • Configure PHP securely

Details

Delivery Format: eLearning

Duration: 1 hour 45 minutes

Level: Intermediate

Intended Audience:

  • Back-End Developers
  • Front-End Developers
  • Architects

Prerequisites: 

Course Outline

Architecture

  • Introduction to PHP Architecture
  • Security Architecture for Responsive Web Apps
  • Traditional Full-Stack PHP Architecture
  • MVC Frameworks
  • Security in Microservices
  • Using Modern Frameworks
  • Object-Oriented Design
  • Modern Frameworks Protect Against SQL Injection
  • Security Helpers
  • Unit Testing
  • Principle: Defense in Depth
  • Principle: Least Privilege
  • Inter-Tier Auth/Process IDs
  • Encrypted Communication Between Components
  • Hacking Team

Authentication

  • Advanced Password Handling
  • Using JWTs
  • How to Integrate with JWTs
  • How to Authenticate
  • Verifying the JWT
  • How to Log Out
  • How to Support Two-Factor Authentication
  • Enrolling Your User in Google Two-Factor Authentication
  • Validating Google Codes

Session Management

  • Session Management in PHP
  • Session Management at Scale
  • Session Management Using Frameworks
  • Protecting Cookies
  • Scope
  • Cautions About Remember Me
  • Http Only (HttpOnly)
  • Secure Flag
  • Session Fixation and Regeneration of Session IDs
  • How to Access
  • Web Farms
  • Destroying Sessions and Protecting Data

Access Control

  • Access Control in Frameworks
  • Identities, Credentials, and Roles—Oh My!
  • Zend Framework Roles
  • Access Control: Capabilities-Based versus Role-Based
  • Business Logic Business Controls: Protecting Secured Records and Functions
  • ACL Matrices
  • Testing for Negative and Abuse Cases
  • Advanced CSRF Protections
  • Exposure of Sensitive Information at a Health Facility

Input Validation

  • Introduction to Input Validation
  • A General Framework for Input Validation
  • Client-Side Validation
  • Specific Consideration of PHP 7
  • Zend Framework
  • Input Validation Using Allowlisting
  • Blocklisting
  • Data Breach at a Free Webhost

Output Encoding

  • Output Encoding Basics
  • Output Encoding in Frameworks
  • PHP 7
  • Zend Framework
  • Automatic Encoding Using Template Engines

Error Handling, Logging, and Auditing

  • Secure Logging
  • Preventing Log Injection
  • Logging Frameworks
  • Auditing
  • Web Application Firewalls (WAFs)
  • Using OWASP Core Rule Set

Advanced Data Protection

  • Collection and Protection of Sensitive Records
  • The Years of the Megabreach
  • Concerns Both Regional and Global
  • Sensitive Data at Rest
  • Protecting Against Misuse
  • Protecting Against Unauthorized Change
  • Protecting Against Unauthorized Disclosure
  • Encryption for Personally Identifiable Records
  • Third-Party Packages
  • Zend Framework
  • ACME Cinemas in the News
  • CISO Response

Business Logic Flaws

  • Business Logic Flaws and Thinking Evil
  • ACME Cinemas in Booking Nightmare
  • Threat Modeling
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege
  • Race Conditions
  • Easter Eggs
  • Discovering Time Bombs, Deliberate Logic Flaws, and Easter Eggs

Configuration

  • Configuration
  • Disabling Dangerous Functions
  • Disallow Includes from Unexpected Locations
  • HttpOnly
  • Secure Flag
  • Scope
  • Working with ZIP Files
  • Working with Images
  • EXIF Infiltration
  • Simple Concatenation
  • Backup and Incidental Files
  • Dependency Checks
  • TLS Configuration
  • Configuring Content Security Policies
  • Advanced CSP
  • Unsafe Inline
  • Unsafe Eval
  • Privacy Breach Due to Configuration Error
