Basically, if you need a job, or hate your current job, and have time to commit, and if you’re a professional, or just disciplined and care about every little thing you do..Or, if you just want to work with me.. :

Geneva Data, an Internet Security company is looking for PHP developer to work on a unique project in San Antonio, Texas.
We?re open to a full-time, part-time, contract, consulting or project work. We just want the most innovative local PHP programmer available (with experience.)

“Experience” means you can show us proof of your work … whether you have been in the workforce for 6 months or 60 years.

“Innovative” means that you?ve never encountered a problem that you couldn?t solve. We appreciate individuals who experiment with new technologies on personal projects. Creativity is a plus with us.

? MySQL and/or Linux proficiency is a further plus.

? Experience …

I've spent my spare time the last few weekends helping a non-profit called Fast Forward here in the Columbia, SC area. I don't post this here to blow my own horn but rather to point out the need many non-profit organizations have for quality IT support. Most non-profits operate on a limited budget meaning they take help where they can get it. Often times there just isn't money left in the budget for a services contract, etc., even for an organization like Fast Forward.

This is where knowledgeable folks can really make a difference. I know the usual excuse: after spending all week looking at a computer screen, the last thing anyone wants to do is spend the weekend working on computers. I've been there, so I understand that feeling completely. However, I have to say that the time I've spent working at Fast Forward has been personally rewarding. There's a sense of accomplishment …

On Tuesday our CIO, Johann-Peter Hartmann, gave a Web-seminar about security issues in the Web 2.0 era. We had about 140 participants and some very good questions in the following Q&A Session. We would like to thank you for the response and also we´d like to thank Jürgen from MySQL, our webinar-host.

We uploaded our slides as promised. To download them, click here.

If you missed the Web-Seminar you get a chance to see the recording of it here.
But be aware: It´s in german!!!

For english readers/speakers: Johann held an english security talk some time ago. Find it here

We already heard that …

Hi Folks,

This is an announcement for a webinar in German. Therefore only written in German. If you are interested in the security topic be sure to see the english webinar, which is stored here.

Web-2.0-Anwendungen absichern

Die verbesserte Einsatztauglichkeit der Web-2.0-Anwendungen wird auf Kosten von neuen Sicherheitsproblemen erworben. Sowohl die mächtige Logik im JavaScript als auch der permanente Login auf vielen Sites bergen Risiken, die anders und gezielt beantwortet werden müssen. Dieses Webseminar gibt einen Überblick, bewertet die Probleme und stellt Lösungswege vor.

Wenn Sie Web 2.0- und AJAX-Anwendungen entwickeln, ist dieser Vortrag genau das Richtige für Sie! Hier erfahren …

It has only been two years since Tim O'Reilly coined the phrase Web 2.0 and even shorter time since Jesse James Garret created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods.

It is the age of integrated communication. Content is created using rich interfaces by users for others users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of this services a supplied by the LAMP (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks arose, and others grew more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, …

Looking for code inclusions?
The versatile google cluster has a solution for this, like for many other tasks.
This search

lang:php \secho\([^)]*_REQUEST[^)]*\); lets You find various places where some variable from the superglobal $_REQUEST is printed with echo. By the same means, you can easily find places where such a variable is directly included in an SQL query, for instance with lang:php \smysql_query\([^)]*_REQUEST[^)]*\); .
This alone yields 50 results for each query, but it may be varied with printf() instead of echo() or just …

Web applications can easily become very complex. Several hundreds of thousands of lines of code (no HTML templates!) is usual at larger corporate solutions. This also means that your PHP applications follows the standards like object oriented programming, nested classes etc.

When it comes down to detect security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and …

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

Everybody should know that you shouldn't pass variables from outside unfiltered to i.e. mysql_query. Of course, sometimes this can slip through because we are human and humans make errors. The initial development of Chorizo! was driven by our own need to make it easier for our developers to detect potential security issues and fix them in a second. With Morcilla, our server-side PHP extension, life will be much easier, especially when you turn display_errors = Off in your php.ini settings which won't give a hint to potential attackers that a modified GET variable produced a SQL error. With Morcilla, we look inside the server and can detect SQL injection …

(See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla )

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

See the video how it works (Google Video, YouTube). Check out the …

We think it's time to commoditize PHP web application security. You may have heard of Chorizo!. We're proud to announce that from now on it's possible to register for a free account on chorizo-scanner.com.

With this free account, it's possible to use the Chorizo! application service as a proxy and scan 1 host. All scan datas are encrypted, your data is only visible to you. There are also some valuable help documents available that explain the whole process from registering up to uploading the signature file onto your host and how to analyze the results. Please note: as Chorizo! is an application service, you can only scan your hosts that are publicly available or their firewall has the chorizo-scanner.com IP configured. For those of you who want to …