Training courses (or certification) for PHP securi

2020-06-17 06:09发布

I've started reading a book on PHP security (but it's really all theoretical not so much practical) and have it in my plan to read Chris Shiflett's and Schenider's blogs, but does anyone know of a formal course that I can attend or even get a certificate that proves I know how to write secure PHP code?


Edit: I got a lot of answers, some of which don't answer my question. So I'm quoting ircmaxell's comment because it really hits the point.

While I agree with the cert not mattering (and that finding vulnerabilities is the best way to learn), I'm not sure that answers the question. How should one go from not knowing anything about security to the point where they can do audits to be able to find vulnerabilities

What I want to add though is that while I agree that experience is more important that certification, certification is not unimportant. It's a quick proof that I know more than the high school hobbyist programmer from India who's charging $30 for a full project.

标签: php security
6条回答
我只想做你的唯一
3楼-- · 2020-06-17 06:34

Get a CVE number for a PHP project. If you can't find vulnerabilities in PHP code is what matters, having a certification doesn't mean a damn thing.

In order to understand how code can be insecure I suggest Installing Damn Vulnerable WebApp. You should also look at real world vulnerabilities such as the ones found on The Whitebox. The blog and shop where PHP/MySQL projects that where abandoned because they are so insecure. The challenges are difficult security systems found in the wild, however they too are very insecure. For some offensive PHP security reading I suggest A Study In Scarlet.

查看更多
别忘想泡老子
4楼-- · 2020-06-17 06:36

There was the OWASP Certification Project, but from what I can tell it's not active anymore (although some of the content linked still appears to be active).

While not PHP specific, there's also the GIAC Certification. It's targeted towards general security as opposed to language specific techniques (from what I can gather anyway)...

There's also the Software Security Institute... I have no background with them, so I can't really vouch, but it appears to have what you're looking at.

Edit: After some reflection:

Honestly, I don't see the point in certificates. If you want to attend training, great! But all that a certificate does is prove you were able to pass a test. It doesn't say anything about what you know or your capabilities... Get real world experience, that's worth more than any certificate any day of the week. Get involved with open source projects (especially from the security front, a lot need help there in my experience). Get involved with OWASP. Gain some real world experience, attend conferences and user groups to continue learning. It'll be worth 10 times as much as the certificate...

查看更多
放荡不羁爱自由
6楼-- · 2020-06-17 06:50

Writing secure code spans more than just PHP: good code, proper code is language agnostic. While there are nuances in each language, there are a base set of principals to learn that are transferable no matter what you write in. It's best to learn those core values and then learn about the specifics of the language. Basic knowledge of cryptography, good database design, proper memory management, and operating system principals will give you more insight to security than just being certified in PHP security.

When it comes right down to the point, writing secure code should be a part of any programmer's skill set.

查看更多
可以哭但决不认输i
7楼-- · 2020-06-17 06:52

I highly recommend Chris Shiflett's book. I think it should be required reading for all web developers, not just PHP dev's, as the principles, attacks and defenses outlined are applicable to all web languages. It's also a quick read but would give you a firm grounding in web app security IMHO, negating the need for a course. The chapter on security in the Zend Certified Engineer study guide is also good but covers the same ground as Shiflett's book.

查看更多
登录 后发表回答