Code Review for Security

Anthony Ferrara (06.Feb.2014 at 09:00, 3 hr)
Workshop at SunshinePHP 2014 (English - US)

Rating: 4 of 5



Comments

Rating: 5 of 5

06.Feb.2014 at 14:54 by Rodolfo Puig (33 comments)

Great talk/tutorial, very hands on.

Rating: 5 of 5

07.Feb.2014 at 17:28 by Jeremy Lindblom (65 comments)

This tutorial was very informative and fun. It was definitely worth coming for the tutorial day to be in this talk. Anthony's knowledge and passion on this subject come through so naturally.

Rating: 5 of 5

08.Feb.2014 at 09:58 by Szymon Karnecki (4 comments)

Great talk!

Rating: 3 of 5

08.Feb.2014 at 13:27 by Chad Baker (17 comments)

The basics of this session were a good review of application security.

Would have preferred more of a walk through on some of the code. Might have been fun to try writing secure code, rather than always reviewing existing code. I'd also like to see non-framework/platform code.

Rating: 5 of 5

08.Feb.2014 at 14:39 by Anonymous

Rating: 4 of 5

09.Feb.2014 at 00:13 by LuisCordova (90 comments)

It was excellent; however, I wish we could have had more time to dive into the other repos that were left more as homework. I learned a lot.

Rating: 5 of 5

09.Feb.2014 at 22:15 by Peter Wilson-Ferrer (21 comments)

Great tutorial. He did a great job of getting everyone involved.

Rating: 5 of 5

10.Feb.2014 at 08:24 by Melissa Billias (8 comments)

Excellent talk. I love how he made us think about what was wrong and made us find things on our own, but some of the repositories were a bit long for us to go through in the small time frame given. After we analyzed them ourselves and discussed what we found I would have liked it if Anthony would have showed us where he started and all the points he had found so that we would know what we missed. This seemed to happen sometimes, but not with them all and I think there were many things we missed that weren't discussed.

Maybe instead of relying solely on audience recon, have an answers slide(s) after each repo with all the problems with the code and we can discuss how to fix them all. Then maybe ask the audience if they saw anything else to discuss.

Rating: 3 of 5

10.Feb.2014 at 14:58 by Stephen Rees (12 comments)

I'd have enjoyed a little less of, "Here, see what you can find in this code" and a little more on how things work and best practices to avoid the pitfalls.

For example, the discussion on timing attacks was very interesting. Mr. Ferrara did a fair job explaining how it worked, but glossed over the solution a little too quickly.

The repos were too deep for a cursory look to identify issues quickly for an audience who isn't habituated to doing so.

Even something like a walkthrough of creating a secure login page and process for tracking valid authentication would have been wonderful. Could have stepped through how and why each pitfall was mitigated. I've often been told how 'not to do something' without the information on how it 'should' be done.

We were told that when using the mcrypt library, using ECB mode with rijndael was bad, and CBC was good. Information on why would have been nice, and how bad is 'bad'? If you used CBC, you have to be able to recover your IV for decryption, right? What if you don't want to use the same IV for all your data, or store that in your DB to protect the encryption in case of theft of the DB? ECB might need to be an option. Perhaps a separate talk on how to properly implement the mcrypt (or other crypt) library would be nice. (NOT how to roll your own encryption, which we all know is bad.)

Clearly Mr. Ferrara knows what he is talking about. Would just like a little different format in the tutorial.
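The two questions raised in the comment above (why ECB is worse than CBC, and what the "solution" to a timing attack looks like) can be shown in a few lines. The following is an added example written for this page, not code from the talk or its repositories. It uses PHP's OpenSSL functions rather than the mcrypt extension the comment mentions, because mcrypt was removed from PHP 7.2; the key, plaintext and the encrypt-then-MAC construction are all assumptions made here for illustration. It shows that ECB encrypts identical plaintext blocks to identical ciphertext blocks, that CBC with a fresh random IV does not, that the IV can simply be stored in front of the ciphertext because it does not need to be secret, and that hash_equals() is the constant-time comparison to use where a plain == would leak timing.

```php
<?php
// Added example (not from the talk): ECB vs CBC, IV handling, and a
// constant-time comparison, using OpenSSL instead of the removed mcrypt.
declare(strict_types=1);

// Constructed master key for the example; in practice it comes from a KDF
// or secure storage. Separate encryption and MAC keys are derived from it
// so the same key is never used for two purposes.
$master = random_bytes(32);
$encKey = substr(hash_hmac('sha256', 'enc', $master, true), 0, 16); // AES-128 key
$macKey = hash_hmac('sha256', 'mac', $master, true);                // HMAC key

// Plaintext built from four identical 16-byte blocks (AES block size).
$plaintext = str_repeat('ATTACK AT DAWN!!', 4); // 64 bytes

// ECB: every block is encrypted independently with the same key, so equal
// plaintext blocks give equal ciphertext blocks. No IV exists in ECB.
// OPENSSL_ZERO_PADDING disables padding; the input is already a multiple of 16.
$ecb = openssl_encrypt($plaintext, 'aes-128-ecb', $encKey,
                       OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
$ecbBlocks = str_split($ecb, 16);
printf("ECB distinct blocks: %d of %d\n", count(array_unique($ecbBlocks)), count($ecbBlocks));
// Expect 1 of 4: the repetition in the plaintext is visible in the ciphertext.

// CBC: each plaintext block is XORed with the previous ciphertext block (the
// IV for the first block) before encryption, so equal blocks no longer match.
function cbcEncrypt(string $encKey, string $macKey, string $plaintext): string
{
    // Fresh random IV per message. The IV is not secret, only unpredictable,
    // so prepending it to the ciphertext is the usual way to "recover the IV"
    // at decryption time; it does not have to live in a separate column.
    $iv = random_bytes(openssl_cipher_iv_length('aes-128-cbc'));
    $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    // Encrypt-then-MAC over IV + ciphertext: CBC alone is malleable, so the
    // tag lets the receiver reject tampered data before touching the cipher.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $tag;
}

function cbcDecrypt(string $encKey, string $macKey, string $blob): ?string
{
    $ivLen = openssl_cipher_iv_length('aes-128-cbc');
    if (strlen($blob) < $ivLen + 32) {
        return null;
    }
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, -32);
    $ct  = substr($blob, $ivLen, -32);
    // hash_equals() compares the full length regardless of where the first
    // mismatch is, so the response time does not tell an attacker how many
    // leading bytes of a forged tag were right. A plain == or === stops at
    // the first differing byte and leaks exactly that.
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

$blob = cbcEncrypt($encKey, $macKey, $plaintext);
$cbcBlocks = str_split(substr($blob, 16, 64), 16); // first four ciphertext blocks
printf("CBC distinct blocks: %d of %d\n", count(array_unique($cbcBlocks)), count($cbcBlocks));
// Expect 4 of 4.

var_dump(cbcDecrypt($encKey, $macKey, $blob) === $plaintext); // bool(true)

// Flip one ciphertext bit: the MAC check fails and nothing is decrypted.
$tampered = $blob;
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);
var_dump(cbcDecrypt($encKey, $macKey, $tampered) === null);   // bool(true)
```

Run it with `php example.php` on any PHP build with the openssl extension. The same hash_equals() call is what a login handler should use when comparing a submitted token or password hash against the stored value; the cipher example is only the context in which the comment raised it.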

Rating: 4 of 5

10.Feb.2014 at 21:04 by Rizer (15 comments)

I enjoyed your security review, and I'll be checking out your blog.

Rating: 5 of 5

17.Feb.2014 at 22:58 by Raul Rodriguez (6 comments)

This was one of the talks I was expecting to attend, and I enjoyed it and learned a lot more about security; reviewing code for security on open source repos was really fun.
The only thing I wish we'd done is review code in pairs or share some of our own code to review.

Rating: 5 of 5

21.Feb.2014 at 10:01 by Michael Moussa (50 comments)

One of the best talks I attended at this conference. Anthony was a very clear and focused speaker, and his presentation was very hands-on. The code snippets and real-life open-source projects he selected for examples demonstrated a lot of the topics he covered. I learned quite a lot!
