Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 5 years ago.
Improve this question
I've started reading a book on PHP security (but it's really all theoretical not so much practical) and have it in my plan to read Chris Shiflett's and Schenider's blogs, but does anyone know of a formal course that I can attend or even get a certificate that proves I know how to write secure PHP code?
Edit: I got a lot of answers, some of which don't answer my question. So I'm quoting ircmaxell's comment because it really hits the point.
While I agree with the cert not
mattering (and that finding
vulnerabilities is the best way to
learn), I'm not sure that answers the
question. How should one go from not
knowing anything about security to the
point where they can do audits to be
able to find vulnerabilities
What I want to add though is that while I agree that experience is more important that certification, certification is not unimportant. It's a quick proof that I know more than the high school hobbyist programmer from India who's charging $30 for a full project.
http://www.zend.com/services/certification/ is a good one.
Before you take that exam you might want to have a look at:
- httpOnly Cookies
- cross-site request forgeries
- OWASP development guide
- SQL injection
- rules for processing credit cards
- SSL/HTTPS
- cross site scripting (XSS)
- Cross-site request forgery
- The Google Browser Security Handbook
- The Web Application Hacker's Handbook
Writing secure code spans more than just PHP: good code, proper code is language agnostic. While there are nuances in each language, there are a base set of principals to learn that are transferable no matter what you write in. It's best to learn those core values and then learn about the specifics of the language. Basic knowledge of cryptography, good database design, proper memory management, and operating system principals will give you more insight to security than just being certified in PHP security.
When it comes right down to the point, writing secure code should be a part of any programmer's skill set.
http://www.zend.com/services/certification/
I highly recommend Chris Shiflett's book. I think it should be required reading for all web developers, not just PHP dev's, as the principles, attacks and defenses outlined are applicable to all web languages. It's also a quick read but would give you a firm grounding in web app security IMHO, negating the need for a course. The chapter on security in the Zend Certified Engineer study guide is also good but covers the same ground as Shiflett's book.
There was the OWASP Certification Project, but from what I can tell it's not active anymore (although some of the content linked still appears to be active).
While not PHP specific, there's also the GIAC Certification. It's targeted towards general security as opposed to language specific techniques (from what I can gather anyway)...
There's also the Software Security Institute... I have no background with them, so I can't really vouch, but it appears to have what you're looking at.
Edit: After some reflection:
Honestly, I don't see the point in certificates. If you want to attend training, great! But all that a certificate does is prove you were able to pass a test. It doesn't say anything about what you know or your capabilities... Get real world experience, that's worth more than any certificate any day of the week. Get involved with open source projects (especially from the security front, a lot need help there in my experience). Get involved with OWASP. Gain some real world experience, attend conferences and user groups to continue learning. It'll be worth 10 times as much as the certificate...
Get a CVE number for a PHP project. If you can't find vulnerabilities in PHP code is what matters, having a certification doesn't mean a damn thing.
In order to understand how code can be insecure I suggest Installing Damn Vulnerable WebApp. You should also look at real world vulnerabilities such as the ones found on The Whitebox. The blog and shop where PHP/MySQL projects that where abandoned because they are so insecure. The challenges are difficult security systems found in the wild, however they too are very insecure. For some offensive PHP security reading I suggest A Study In Scarlet.
