Speaking 2026-05-21

Don't Get Pwned: OWASP Top 10 for the Lazy PHP Developer

A 50-minute walk through the ten most critical web app risks of 2025 — and the laziest possible PHP fix for each. Delivered at php[tek] 2026.


A 50-minute conference talk delivered at php[tek] 2026.

The lazy developer’s security manifesto is simple:

  1. Don’t Invent. If a library exists, use it.
  2. Don’t Think. If a tool can check it, automate it.
  3. Don’t Trust. Assume everyone is trying to break your code, even you.

This talk walks through the OWASP Top 10:2025 list one item at a time and shows the absolute laziest, most boring, most maintenance-free way to fix each one in modern PHP — Policies and Voters for access control, Argon2id and password_hash() for cryptographic failures, parameter binding for injection, and a half-dozen other one-liners that take care of the eight-figure problems.

No hoodies. No green text on black. Just the minimum effective dose.
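Two of the pure-PHP fixes the abstract names, the Argon2id password_hash() one-liner and parameter binding, written out as an added example that is not from the talk or its slides; it assumes an in-memory SQLite database as a constructed stand-in for a real user table.

```php
<?php
declare(strict_types=1);

// Added example, not from the talk or slides. Shows the two pure-PHP fixes
// the abstract names: Argon2id password hashing (A02/A07) and parameter
// binding (A03). Uses an in-memory SQLite database as a constructed stand-in.
// PASSWORD_ARGON2ID requires a PHP build with Argon2 support.

// A02/A07: never store plaintext or a fast hash; let PHP choose the parameters.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_ARGON2ID);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// A03: the user-supplied value travels as a bound parameter, never as SQL text.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email, pw FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw TEXT)');

$insert = $db->prepare('INSERT INTO users (email, pw) VALUES (:email, :pw)');
$insert->execute([':email' => 'alice@example.test', ':pw' => hashPassword('correct horse')]);

// Legitimate lookup: the stored value is an Argon2id hash, so only verify() can check it.
$user = findUserByEmail($db, 'alice@example.test');
var_dump($user !== null && checkPassword('correct horse', $user['pw']));
var_dump($user !== null && checkPassword('wrong', $user['pw']));

// A quoted tautology is just an email string to the bound query; it matches no row.
var_dump(findUserByEmail($db, "' OR '1'='1") === null);

// On successful login, transparently upgrade hashes made with older cost parameters.
if ($user !== null && password_needs_rehash($user['pw'], PASSWORD_ARGON2ID)) {
    $db->prepare('UPDATE users SET pw = :pw WHERE id = :id')
       ->execute([':pw' => hashPassword('correct horse'), ':id' => $user['id']]);
}
```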


Slides


Download slides (PDF, 2.2 MB) ↓


Talk details

  • Conference: php[tek] 2026
  • Duration: 50 minutes
  • Audience: PHP developers who want to be secure but have deadlines
  • Topics covered: A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A06 Vulnerable Components · A07 Identification & Auth Failures · A08 Software & Data Integrity · A09 Logging & Monitoring · A10 SSRF