On Tuesday our CIO, Johann-Peter Hartmann, gave a Web-seminar about security issues in the Web 2.0 era. We had about 140 participants and some very good questions in the following Q&A Session. We would like to thank you for the response and also we´d like to thank Jürgen from MySQL, our webinar-host.

We uploaded our slides as promised. To download them, click here.

If you missed the Web-Seminar you get a chance to see the recording of it here.
But be aware: It´s in german!!!

For english readers/speakers: Johann held an english security talk some time ago. Find it here

We already heard that …

Hi Folks,

This is an announcement for a webinar in German. Therefore only written in German. If you are interested in the security topic be sure to see the english webinar, which is stored here.

Web-2.0-Anwendungen absichern

Die verbesserte Einsatztauglichkeit der Web-2.0-Anwendungen wird auf Kosten von neuen Sicherheitsproblemen erworben. Sowohl die mächtige Logik im JavaScript als auch der permanente Login auf vielen Sites bergen Risiken, die anders und gezielt beantwortet werden müssen. Dieses Webseminar gibt einen Überblick, bewertet die Probleme und stellt Lösungswege vor.

Wenn Sie Web 2.0- und AJAX-Anwendungen entwickeln, ist dieser Vortrag genau das Richtige für Sie! Hier erfahren …

It has only been two years since Tim O'Reilly coined the phrase Web 2.0 and even shorter time since Jesse James Garret created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods.

It is the age of integrated communication. Content is created using rich interfaces by users for others users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of this services a supplied by the LAMP (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks arose, and others grew more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, …

Web applications can easily become very complex. Several hundreds of thousands of lines of code (no HTML templates!) is usual at larger corporate solutions. This also means that your PHP applications follows the standards like object oriented programming, nested classes etc.

When it comes down to detect security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and …

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

Everybody should know that you shouldn't pass variables from outside unfiltered to i.e. mysql_query. Of course, sometimes this can slip through because we are human and humans make errors. The initial development of Chorizo! was driven by our own need to make it easier for our developers to detect potential security issues and fix them in a second. With Morcilla, our server-side PHP extension, life will be much easier, especially when you turn display_errors = Off in your php.ini settings which won't give a hint to potential attackers that a modified GET variable produced a SQL error. With Morcilla, we look inside the server and can detect SQL injection …

We think it's time to commoditize PHP web application security. You may have heard of Chorizo!. We're proud to announce that from now on it's possible to register for a free account on chorizo-scanner.com.

With this free account, it's possible to use the Chorizo! application service as a proxy and scan 1 host. All scan datas are encrypted, your data is only visible to you. There are also some valuable help documents available that explain the whole process from registering up to uploading the signature file onto your host and how to analyze the results. Please note: as Chorizo! is an application service, you can only scan your hosts that are publicly available or their firewall has the chorizo-scanner.com IP configured. For those of you who want to …