1. Intro
2. Security Theatre @thomas_shone
3. Denial
4. Internet of Things
5. SAMSUNG
6. Most popular software: It's not what you think
7. OpenX: Backdoored for almost a year
8. Versioning: Projects with bad versioning also have some of the worst security issues
9. Automatic Patching: If your software comes with automatic upgrading, people will use it
10. Plugins and Templates: If an update needs manual changes for plugins or templates, no one updates
11. The hardest part of security is not writing secure code
12. without vulnerability: Vulnerability research and security updates
13. I trust that the network is configured properly and secure: Good system administrators
14. I trust you are who you say you are: TLS Certificate Peer Verification or Authentication
15. I trust your computer is not compromised: ????
16. I trust that the user won't be the weak link: Training and procedures
17. Weakening: Compromising encryption or hashing is about reducing time to crack
18. Implementation: A bad implementation helps reduce the time to crack
19. 2 Factor Authentication: composer require pragmarx/google2fa
20. Avoid old tutorials on encryption: scott/e9319254c8ecbad4f227
21. One way encoding: Comparisons / Integrity Checks
22. Timing Attacks: Brute forcing cryptographic functions via time taken to execute
23. is critical in encryption: Used for key generation and nonces
24. Weak password reset processes: Can you Google the answer? How do you handle customer support reset?
25. Patching Strategy: If a dependency prevents updating, resolve it now
26. Don't become comfortable: Comfort breeds contempt
27. Training Strategy: Have a process for dealing with account locks and resets
28. Compromise Strategy: Have a plan before you need it
29. Information
30. Decouple roles: Databases, servers, domains, roles, ...
31. Get behind PSR-9 & 10
32. Group Performance
Description:
Explore the dark depths of web security in this PHP UK Conference talk by Thomas Shone. Delve beyond typical security topics to understand hacker motivations and vulnerabilities in consumer websites. Learn about secure communication, encryption, and hashing while examining the results of a 4-year project on website vulnerabilities. Discover the importance of proper versioning, automatic patching, and plugin management in maintaining secure systems. Investigate trust assumptions in network configuration, user authentication, and computer integrity. Analyze weaknesses in encryption implementations, password reset processes, and two-factor authentication. Develop strategies for patching, training, and handling potential compromises. Gain insights into decoupling roles, adopting security standards, and improving overall system security to protect against evolving threats.

Security Theatre

PHP UK Conference