Web Summer Camp
From to , I will be in Opatija at the Web Summer Camp. There I will give the presentations "Accelerating development without losing control" and "Test-Driven Security".
What if every security vulnerability in your PHP application could be traced back to a missing test? This presentation challenges the traditional separation between security and testing, demonstrating that comprehensive test coverage is your most effective first line of defence against common security weaknesses.
Using the Common Weakness Enumeration (CWE) list as a framework, we will explore the most critical weaknesses affecting PHP applications, from command injection (CWE-78) and cross-site scripting (CWE-79) to SQL injection (CWE-89) and improper authorization (CWE-285), among others. You will learn how to identify attack vectors and, more importantly, how to use tests to prevent vulnerabilities from ever reaching production.
Walk away with a practical, test-driven approach to security that fits into the workflow you already have.
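The abstract above describes writing tests that encode a weakness class as an expectation before the code is considered done. The following is an added illustration of that idea, not material from the talk or from the PHPUnit project: a single file that holds two hypothetical helpers (`escapeHtml()` for CWE-79 and `UserRepository::findByName()` for CWE-89) next to the PHPUnit tests that would be written first. It assumes PHP 8.1 or later, PHPUnit installed via Composer, and the `pdo_sqlite` extension; the payload strings and the two user rows are constructed fixtures.

```php
<?php
declare(strict_types=1);

use PHPUnit\Framework\TestCase;

// --- Code under test (hypothetical helpers, not from the talk) ------------

/**
 * Escapes untrusted text for an HTML body or attribute (CWE-79).
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of silently returning an empty string.
 */
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Looks up users by name with a prepared statement (CWE-89): the input is
 * bound as a parameter and never concatenated into the SQL text.
 */
final class UserRepository
{
    public function __construct(private readonly PDO $pdo) {}

    /** @return list<array{id:int,name:string}> */
    public function findByName(string $name): array
    {
        $statement = $this->pdo->prepare('SELECT id, name FROM users WHERE name = :name');
        $statement->execute(['name' => $name]);

        return $statement->fetchAll(PDO::FETCH_ASSOC);
    }
}

// --- Tests written first: each one turns a CWE into an expectation --------

final class TestDrivenSecurityTest extends TestCase
{
    private PDO $pdo;

    protected function setUp(): void
    {
        // Constructed in-memory fixture; no real data involved.
        $this->pdo = new PDO('sqlite::memory:');
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
        $this->pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    }

    public function testScriptTagIsNeutralisedBeforeOutput(): void
    {
        // Constructed CWE-79 sample: passes only if no raw tag survives.
        $output = escapeHtml('<script>alert(1)</script>');

        $this->assertStringNotContainsString('<', $output);
        $this->assertStringNotContainsString('>', $output);
        $this->assertSame('&lt;script&gt;alert(1)&lt;/script&gt;', $output);
    }

    public function testQuotesCannotBreakOutOfAnAttribute(): void
    {
        // Both quote styles must be encoded, or attribute context is unsafe.
        $this->assertSame('&quot; onerror=&quot;x', escapeHtml('" onerror="x'));
        $this->assertSame('&apos;', escapeHtml("'"));
    }

    public function testTautologyInNameDoesNotReturnEveryUser(): void
    {
        $repository = new UserRepository($this->pdo);

        // Constructed CWE-89 sample: would match every row if concatenated.
        $this->assertSame([], $repository->findByName("' OR '1'='1"));

        // A legitimate lookup still works, so the fix did not break the feature.
        $this->assertCount(1, $repository->findByName('alice'));
    }

    public function testStackedStatementInNameLeavesTableIntact(): void
    {
        $repository = new UserRepository($this->pdo);

        // Constructed CWE-89 sample: a bound parameter is data, not a statement.
        $this->assertSame([], $repository->findByName("x'; DROP TABLE users; --"));

        $count = (int) $this->pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
        $this->assertSame(2, $count);
    }
}
```

Run it with `vendor/bin/phpunit TestDrivenSecurityTest.php`. The point of the layout is that the tests would fail against a naive `"... WHERE name = '$name'"` or an unescaped `echo`, so the weakness is caught by the same `phpunit` invocation the build already runs, with no separate security tool in the loop.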
I most recently presented "Test-Driven Security" at the International PHP Conference on in Berlin.
I am the creator and maintainer of PHPUnit, the de facto standard testing framework within the PHP ecosystem. Used by millions of developers, it is embedded in the build pipelines of start-ups, Fortune 500 companies, and public sector organisations alike. I serve on the board of the PHP Foundation and am a co-founder of thePHP.cc, where I advise organisations on testing strategy, software architecture, and secure development practices.
I have over 25 years of experience working with Open Source software, having contributed to the PHP language itself as well as the tools on which that ecosystem depends. Across that time I have seen the same pattern again and again: the vulnerabilities that reach production are rarely exotic — they are command injection, cross-site scripting, SQL injection, and broken authorization, the very weaknesses the CWE list has catalogued for years. What they share is not a missing security tool but a missing test. That conviction — that security is a property you can specify, exercise, and defend with the testing workflow you already have — informs my writing and speaking on software quality and secure development.
You can follow @phpunit@phpc.social to stay up to date with PHPUnit's development.
You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.