secure php development with inspekt
PUT DOWN THE SUPERGLOBALS! Secure PHP Dev with Inspekt
Ed Finkler • inspekt.org • @funkatron
tek-X 2010 • #tekx • #inspekt • http://joind.in/1593
Thursday, May 20, 2010 - Inspekt.org
Vulnerabilities!
What causes them?
Letting bad stuff in!
Where's bad stuff?
EVERYWHERE!!!
☞ FIEO ☜
Keep bad stuff from getting in
Don't send bad stuff out
Most of us know this
PHP makes it harder than it should be
It should be easy to do safe things
It should be hard to do dangerous things
Right now it's harder to be safe
That sucks
That won't change anytime soon
Inspekt is an attempt to change that
Make developers show intent
Stop direct access to Superglobals
example: SuperCage
Consequences
Simplify
Centralize
Avoid piecemeal filtering
Force demonstration of intent
Auditability
☞ $_ ☜ OH NO YOU DIDN'T
Scoping
Superglobals are indeed GLOBAL
Use Singleton
Additional Functionality
Auto-filtering
example: config
wrap an arbitrary array in a cage
example: filter_array_cage
Build your own filters
example: extending
filter an array or scalar
example: filter_static_methods
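The pattern the SuperCage, filter_array_cage, extending and filter_static_methods slides point at, as a small added PHP example: wrap an array once, read it only through accessors that name their filter, extend the cage with a custom accessor, and expose filters that take a scalar or an array. This is not Inspekt's code; the class and method names (Cage, ColorCage, filterInt, getHexColor) are illustrative stand-ins, and a constructed array is used in place of $_GET.

```php
<?php
// Added illustration, not Inspekt's own code: a minimal "cage" in the spirit of
// the slides. The request array is wrapped once and every read goes through a
// named accessor, so the call site states intent and never touches the raw superglobal.
class Cage
{
    protected $data;
    // Wrap any array, not only a superglobal (a parsed config, a decoded body).
    public function __construct(array $source) { $this->data = $source; }

    // Static filters accept a scalar or, recursively, an array.
    public static function filterInt($value)
    {
        if (is_array($value)) return array_map(array(__CLASS__, 'filterInt'), $value);
        return (int) $value;
    }

    public static function filterAlpha($value)
    {
        if (is_array($value)) return array_map(array(__CLASS__, 'filterAlpha'), $value);
        return preg_replace('/[^A-Za-z]/', '', (string) $value);
    }

    // Accessors return null for a missing key; there is deliberately no getRaw().
    public function getInt($key)
    {
        return isset($this->data[$key]) ? self::filterInt($this->data[$key]) : null;
    }

    public function getAlpha($key)
    {
        return isset($this->data[$key]) ? self::filterAlpha($this->data[$key]) : null;
    }
}

// Build your own filter by extending the cage with a new accessor.
class ColorCage extends Cage
{
    public function getHexColor($key)
    {
        $v = isset($this->data[$key]) ? $this->data[$key] : '';
        return (is_string($v) && preg_match('/^#[0-9A-Fa-f]{6}$/', $v)) ? strtolower($v) : null;
    }
}

// Constructed stand-in for $_GET; in a real request this would wrap $_GET itself.
$get = new ColorCage(array('page' => '3; DROP TABLE users', 'name' => 'Ed<script>', 'bg' => '#FFZZ00'));
var_dump($get->getInt('page'), $get->getAlpha('name'), $get->getHexColor('bg'));
var_dump(Cage::filterInt(array('7', 'x', '12abc')));
```

Because the only way to read a value is through a named accessor, a grep for `$_GET` or `$_POST` outside the cage construction site is enough to audit a code base for unfiltered input.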
Questions?
http://funkatron.github.com/inspekt/