Date: June 2, 2017
Time: 9:00 AM – 3:00 PM CDT
Location: Online or video download
Application security is on everybody’s mind these days. Every day we hear of another site hacked or another data breach. Does your team do everything it can to keep your site secure and your data safe?
Join us for the next Day Camp 4 Developers as five experts teach you and your team about Cryptography and Security. Get your whole team a ticket for Day Camp 4 Developers: PHPAppSec on June 2, 2017.
Day Camp 4 Developers, invest a day in your career.
Mastering OAuth 2.0
Ben Ramsey, @ramsey
OAuth 2.0 isn’t easy, and everyone has a slightly different implementation, making interoperability a nightmare. Fortunately, the PHP League of Extraordinary Packages provides league/oauth2-client. Aiming for simplicity and ease-of-use, league/oauth2-client provides a common way to access providers. This talk introduces OAuth concepts and demonstrates how to perform OAuth flows with league/oauth2-client, using Instagram as an example.
Cryptography In Depth
Adam Englander, @adam_englander
Cryptography is the invisible layer protecting everything around us. As software engineers, we are required to have some understanding of cryptography. PHP makes strong cryptography available and fairly simple to utilize. What PHP does not often do is help us understand which extensions, functions, and options to use for our software. In this presentation, we will dive deep into the essence of how cryptography works as it relates to encryption, digital signatures, and hashing. We’ll also cover the PHP extensions that provide those functions and how the different functions and options can be utilized to provide strong cryptography.
Cooking with Sodium in PHP 7.2
Scott Arciszewski, @CiPHPerCoder
Sodium is a modern cryptography library for encryption, signatures, password hashing, and more. Although it’s available in PECL today, libsodium is coming as a core extension in PHP 7.2. Scott (author of the RFC to make libsodium a core extension and maintainer of the documentation for the PECL extension) will demonstrate libsodium’s powerful features and offer specific guidelines for working with cryptography securely.
Let’s Get Random: Under the Hood of PHP 7’s CSPRNG
Sammy Powers, @SammyK
Randomness is really important in many cryptographic contexts. Unfortunately, true randomness is a non-trivial achievement for computers. In fact, using weak sources of randomness can leave your application open to myriad vulnerabilities. Enter: a good cryptographically secure pseudorandom number generator (CSPRNG).
We’ll discuss the importance of using good sources of randomness, the CSPRNG options we had in PHP 5.x, and how the new-hotness CSPRNG functions in PHP 7 work under the hood.
Keep it Secret, Keep it Safe
Eric Mann, @EricMann
Managing passwords in userland is tricky enough, but clever tools like 1Password and LastPass have made it easier than ever to protect our social media accounts. Two-factor authentication tools have made us safer still by preventing even weak passwords from being easily bypassed. Unfortunately, none of this helps us with passwords and credentials in our code.
First, we’ll define the threat models that affect secret data within our PHP apps – and how this sensitive information could be exploited. Then, we’ll survey the landscape of tools available to manage secrets safely so our data stays secure. Finally, we’ll work through the code required to tie everything together and keep our access keys both secret and safe from nefarious third parties.