Automated PHP Vulnerability Detection Using Static Analysis
- Wayne Huang, Founder & CEO of Armorize Technologies, Inc.

Even though it is the most widely used Web language, PHP has yet to win the commercial Web sector. With security being the enterprise's biggest concern in adopting the Web and in migrating to Web 2.0, experts suggest that the future dominant Web language will be the one with the strongest security. A small number of current PHP security problems can be traced to PHP engine bugs, but the remaining majority are the result of design flaws and insecure coding practices by PHP developers. Existing solutions include following secure coding practices as described in the PHP security literature, placing intrusion detection modules into PHP engines and/or Web servers, deploying network-based application firewalls, exercising automatic/manual penetration tests, and conducting manual code reviews. After giving an overview of PHP security problems and a comparison of current solutions, we will introduce an innovative technology, automated static analysis (ASA), for identifying PHP vulnerabilities early in the software development life cycle (SDLC). We will briefly introduce the different enabling technologies behind ASA and describe PHP-specific program constructs and features that lead to challenges in developing an ASA tool for PHP. We will then present several case studies in which ASA tools have been integrated into PHP SDLCs and share our observations on the mass application of ASA to existing open source and commercial PHP applications. We will also discuss return-on-security-investment (ROSI), implications for enterprises willing to adopt ASA, and benchmarking ASA tools. We will then respond to audience questions on these topics and other potential uses of ASA for PHP security certification. We will conclude by sharing our views on ASA market potential, planned improvements, and limitations.

An experienced speaker, Wayne leads a team of PHP ASA experts who conducted mass application of ASA on open source PHP code as early as 2003 (230 PHP projects from SourceForge, with results published in WWW 2004, DSN 2004, ISSRE 2004 and Journal of Computer Networks). His talk will give the audience a good understanding of ASA technology and tools, how to use them to improve PHP security, their advantages and limitations, and how to evaluate and benchmark them.

About Wayne Huang
Wayne is a Co-Founder of Armorize Technologies. He is a highly experienced security expert with extensive knowledge of information, network, and software security. He is well known for his expertise in Web application security and has published in many journals worldwide on the subject. In addition, he is a frequent speaker at global security conferences.
Wayne is the first author of two award-winning papers in the International World Wide Web (WWW) Conferences (2003, 2004), and co-author of the "Web Application Security – Past, Present, and Future" chapter of "Security in the 21st Century" (Springer-Verlag). For more information please visit: http://www.armorize.com/managementteam.php

About Armorize Technologies, Inc.
Armorize Technologies is a software solutions provider focused on developing Web application security solutions. The company provides automated security assessment and assurance products based on award-winning, patented source code analysis technology. Led by a number of internationally acclaimed security veterans and financed by top Silicon Valley investors, the company was formed in 2005 with its headquarters in Santa Clara, CA, and its R&D centre in the NanKang Software Park's software incubator in Taipei, Taiwan. Find more about Armorize at http://www.armorize.com


© 2006 Armorize Technologies, Inc.