Upcoming list view

This is a joint meeting with the Open Web Application Security Project (OWASP) group. All are welcome to join us on Tuesday as we discuss web application security.

When: December 3rd, 2009 6:30pm - 8:30pm
Where: Wu & Chen Auditorium, Levine Hall, University of Pennsylvania
3330 Walnut St. Philadelphia, PA 19104

Agenda:
1.) Opening Remarks
2.) Discovering PHP Vulnerabilities Via Code Auditing, Justin Klein Keane
3.) TBD: Bruce Diamond

Directions to Levine Hall

Questions should be directed to Darian Anthony Patrick

Discovering PHP Vulnerabilities Via Code Auditing

Abstract: PHP provides an accessible, easy to use platform for developing dynamic web applications. As the number of web based applications grow, so too does the threat from external attackers. The open and global nature of the web means that web applications are exposed to attack from around the world around the clock. Automated web application vulnerability scanning technology is still very much in its infancy, and unable to identify complex vulnerabilities that could lead to complete server compromise. While intrusion detection systems prove very valuable in detecting attacks, the best way to prevent vulnerabilities is to engage in active code review. There are many advantages of direct code review over automated testing, from the ability to identify complex edge scenario vulnerabilities to finding non-exploitable flaws and fixing them proactively. Many vulnerabilities in PHP based web applications are introduced with common misuse of the language or misunderstanding of how functions can be safely utilized. By understanding the common ways in which vulnerabilities are introduced into PHP code it becomes easy to quickly and accurately review PHP code and identify problems. In addition to common problems, PHP includes some obscure functionality that can lead developers to unwittingly introduce vulnerabilities into their applications. By understanding the security implications of some common PHP functions, code reviewers can pinpoint the use of such functions in code and inspect them to ensure safety.

Speaker: Justin Klein Keane

Bio: Justin C. Klein Keane has over 8 years of experience in information security starting with his role as Editor in Chief of the Hack in the Box e-zine. Currently Justin works as in Information Security Specialist with the University of Pennsylvania School of Arts and Sciences' Information Security and Unix Systems group. Justin's past work included several positions as a web application developer, often utilizing PHP. Justin is a regular contributer to the Full-Disclosure mailing list and is credited with dozens of vulnerability discoveries. Justin holds several ethical hacking and penetration testing certifications and regularly posts computer security related articles on his website http://www.MadIrish.net.