Secure Development Trainings

SCPHP – DevSec PHP Masterclass

Learn how to attack and defend PHP applications and become a PHP security champions



Picture of Davide Cioccia

Davide Cioccia

Founder and Principal Security Architect @DCODX

Hi there! I’m Davide Cioccia, founder of DCODX, an ethical hacking, and DevSecOps consulting and coaching firm. Besides helping companies implement their Sec in DevOps, I’m also a developer of security tools (check our GitHub), OWASP Mobile Security Testing Guide contributor and DevSecCon Chapter Lead for the Netherlands. You can find my talks at security conferences like BlackHat, OWASP AppSec, DevSecCon, DevDays Europe and more online, together with some CVE disclosed to Microsoft and other big vendors. Enjoy my course :)  

Course overview

Unlock the secrets of secure PHP development as we guide you through various scenarios, illuminating how attackers scrutinize code and applications. Whether you’re building a blog extension or a robust e-commerce platform, understanding vulnerable patterns is crucial for crafting impenetrable code. Drawing upon industry-leading standards like the OWASP Top 10 2021 and the OWASP ASVS v4, our training equips you with the knowledge and tools to fortify your applications across the entire software development lifecycle. Join us on this captivating journey where you will:
  • Gain deep insights into PHP vulnerabilities and their exploitation techniques.
  • Acquire the skills to perform meticulous PHP secure code reviews.
  • Master remediation strategies to safeguard your PHP applications.
  • Explore the OWASP Top 10 2021 and the OWASP ASVS v4, industry benchmarks for secure PHP development.
Don’t miss your chance to become a PHP security champion.  


  • Knowledge about PHP fundamentals
  • Basic knowledge of Laravel
  • Basic knowledge of SQL syntax
  • Interest in security

Target audience

  • Security Engineers
  • Security Champions
  • DevOps
  • Developers

Tools used

  • Any IDE
  • Docker (docker-compose)
  • Burp Suite Community edition
  • Semgrep
  • Coffee or Tea ☕️


Secure coding introduction
Secure coding principles
OWASP Top 10 2021
OWASP ASVS and security requirements
CVSS: how to rate vulnerabilities
Exploiting the client side
LAB: XSS (Cross Side Scripting): DOM, Stored and Reflected
LAB: CORS misconfigurations
LAB: Security Headers (Attacking CSP)
LAB: Client side open redirect
Authentication Mechanisms in PHP and Laravel
Protecting routes
Authorization and Access Control
LAB: Broken Access Control
LAB: Type Juggling attacks on hashing functions
LAB: Mass Assignment
LAB: Insecure Direct Object Reference
LAB: Path Traversal
LAB: CSRF (Cross Site Request Forgery)
Server Side Injections
LAB: SQL injections
LAB: Command injection
LAB: Code Injection
LAB: XML External Entities
LAB: Server-Side Request Forgery
LAB: Server Side Template Injections in Twig
Vulnerable and Outdated Components
The importance of SCA (Static Component Analysis)
LAB: Detecting known vulnerabilities using Snyk
Integrate SCA in the CI/CD pipeline
Detecting vulnerabilities in Laravel using SCA
Scanning your code using Semgrep
Semgrep basics
LAB: Semgrep for PHP: How to write rules
Semgrep automation in CI/CD