Web Application Security, Part 1 with Scott Arciszewski

In this weeks episode we chat with Scott Arciszewski about all things Security and Cryptography. We start off the show by explaining how he got interested in this field of work, correcting PHP security related answers on Stack Overflow and why he focuses on PHP security. From here, we move on to highlight what the OWASP Top Ten is, how you can distill many security principles into data/code seperation and what is involved in a software audit. This leads us on to discuss what HTTPS actually is, touching on TLS, PKI’s, Ciphersuites, and reported attacks against TLS and ECB. Finally, we highlight some important browser security features that can be used, pushing new software releases in a secure manor, thoughts on Cryptocurrencies and how everyone wants to solve their problem with a blockchain at this time.

Show Links

• Scott Arciszewski on Twitter
• Paragon Initiative Enterprises
• The 2018 Guide to Building Secure PHP Software
• RPG Maker
• Hack This Site!
• The Enigma Group
• PHP Password Hashing
• Problematic PHP Cryptography Advice in Popular Questions - Meta Stack Overflow
• Usage Statistics of Server-side Programming Languages for Websites
• Hardened-PHP Project
• The Month of PHP Security
• Psalm - a static analysis tool for PHP
• OWASP Top Ten Project
• Burp Suite Scanner
• OWASP Zed Attack Proxy Project
• On The Design and Implementation of a Stealth Backdoor for Web Applications
• Padding oracle attack
• Public key infrastructure
• PCI Council pushes back TLS 1.0 End of Life Date to June 2018
• The ECB Penguin
• Attacks against Transport Layer Security
• DigiNotar SSL certificate hack amounts to cyberwar, says expert
• Is TLS Fast Yet?
• Content Security Policy - An Introduction
• Subresource Integrity
• CMS Airship - Secure PHP CMS for the Modern Web
• paragonie/chronicle - Public append-only ledger microservice built with Slim Framework
• Zcash - All coins are created equal.