I gave an hour-long presentation at the Columbus OWASP chapter meeting today concerning PHP Security. The slides might not be super-useful on their own, since I’m not standing in front of them to provide context and bad jokes, but people asked for them, so they’re available.
Download the slides (4.8MB PDF)
This is the PDF version that was shown at the OWASP presentation (including the OWASP chapter introduction), with the following changes:
- HIPPA spelling corrected to HIPAA (yes, I work in this field).
- OWASP’s PHP ESAPI (Enterprise Security API) link added near the end of the presentation.
Since I’m horrible at remembering names and faces, I can’t actually give credit for these fixes. If that was you: let me know, and I’m sorry.
Important Note: There’s an example of how to implement a Random Form Token to help protect against CSRF attacks. This is a very naive implementation — in particular, since the token is generated from the current timestamp, someone could (with the proper tools) guess the correct token, which defeats the purpose of having the token at all. This was all covered during the talk.
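To make the note above concrete, here is an added example (not code from the slides): a timestamp-derived token, reconstructed as an assumption about the naive approach described, next to a version that draws the token from the OS CSPRNG, keeps it in the session, and compares it in constant time. The function names are mine, not the presentation's.

```php
<?php
// Added example, not from the presentation. naive_token() is an assumption
// about what a timestamp-based form token looks like.

// WEAK: derived from the current second. Anyone who knows roughly when the
// form was served can enumerate a small window of timestamps and recover it.
function naive_token(): string {
    return md5((string) time());
}

// STRONGER: 256 bits from the OS CSPRNG, bound to the user's session.
// Requires PHP 7+ for random_bytes() and hash_equals().
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Server-side check on POST; hash_equals() avoids leaking the match
// position through response timing.
function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

session_start();

// Why the naive token fails: a token seen at roughly $seen is found by
// trying an 11-second window of candidate timestamps.
$token   = naive_token();
$seen    = time();
$guessed = false;
for ($t = $seen - 5; $t <= $seen + 5; $t++) {
    if (hash_equals($token, md5((string) $t))) { $guessed = true; break; }
}
echo "naive token recovered from timestamp window: " . ($guessed ? "yes" : "no") . "\n";

// Normal flow with the CSPRNG token: the real one passes, a forged one does not.
$form = csrf_field();
$ok   = csrf_check(['csrf_token' => $_SESSION['csrf_token']]);
$bad  = csrf_check(['csrf_token' => 'deadbeef']);
echo "valid accepted: " . ($ok ? "yes" : "no") . ", forged accepted: " . ($bad ? "yes" : "no") . "\n";
```

Run it from the PHP CLI; the first line prints "yes" because the naive token is guessable, the second prints "valid accepted: yes, forged accepted: no".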
The presentation (at least my part) was developed in Keynote, and I have the source files available if anyone thinks they’d be useful.

May 3rd, 2010 at 2:49 am
great post as usual!