Security with PHP: Going Beyond the Code
Diego Hernandes
November 23, 2016
Programming
Talk by @hernandev.com at bhack.com.br / PHPMG room
Transcript
Security with PHP: Going Beyond the Code

$ whoami
Diego Hernandes (@hernandev) – CTO @ Kino Contabilidade – Co-Founder @ CODECASTS

Let's Deploy!

$ ./security_check_list.sh
• Exception Handling
• Input Handling
• Routing
• 3rd Party Audit
• DB Related Vulnerabilities
• Injections
• Forgeries
• ...
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

$ ./01_go_passwordless.sh
• SSH Key Auth
• Certificate Based VPN
• Access Gateways

$ ./02_provision_vpn.sh
• Expose Only What Needs to Be Exposed

$ ./03_add_little_obscurity.sh
• Expose Only What Needs to Be Exposed

$ ./04_lower_privileges.sh
• Not everyone needs to be root!
Disclaimer: Valid in all Layers

$ ./05_secure_transmission.sh
• Secure HTTPS (I mean TLS, not SSL)
• Drop FTP support at all cost

$ ./06_add_protection_layer.sh
• Cloudflare
• Incapsula

$ ./07_double_test_acl.sh
All security is not enough when your application has flaws. In other words: NEVER keep any backdoor.

$ ./08_shields_up.sh
On almost any server hosting, "Private Networking" only means INTERNAL networks. You're still not safe.

$ ./09_add_ci_and_code_review.sh
Drop team privileges by implementing a CI/CD. No obscure code should go live without at least one other person's review! Trust No One.

$ ./10_keep_it_up_to_date.sh
OLD != STABLE
OLD != SECURE

$ ./00_update_security_policy.sh
Create, Keep, Improve, Review, Collaborate on a Security Policy
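As an added example (not from the deck), a small POSIX shell audit that checks copies of an sshd_config and an nginx TLS config against three of the checklist items: key-only SSH auth (01), no root login (04), and TLS-only HTTPS with no SSLv3/TLS 1.0 (05). The file paths and the sample configs it feeds itself are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit config text against three checklist items from the deck.
# Works on copies of the files, so it can run offline; paths are assumptions.

# Effective value of an sshd_config keyword. sshd uses the first occurrence,
# so we stop at the first match; Match blocks are ignored (caveat for real use).
sshd_opt() {  # $1 = keyword, $2 = config file
    awk -v k="$1" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$2"
}

# 01 + 04: password auth must be off and direct root login forbidden
# (log in as an unprivileged user and escalate, instead of being root).
check_sshd() {  # $1 = sshd_config path; returns 0 only if both pass
    pa=$(sshd_opt PasswordAuthentication "$1")
    prl=$(sshd_opt PermitRootLogin "$1")
    rc=0
    [ "$pa" = "no" ] || { echo "FAIL: PasswordAuthentication=${pa:-unset (defaults to yes)}"; rc=1; }
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin=${prl:-unset}"; rc=1; }
    return $rc
}

# 05: ssl_protocols must list only TLS 1.2/1.3; anything older is a finding.
check_tls() {  # $1 = nginx conf path; returns 0 only if all protocols are modern
    protos=$(awk '$1=="ssl_protocols" {sub(/;$/,"",$NF); $1=""; print}' "$1")
    [ -n "$protos" ] || { echo "FAIL: no ssl_protocols directive"; return 1; }
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: weak protocol $p enabled"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs showing two typical findings.
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$tmp/sshd_config"
printf 'server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$tmp/nginx.conf"
if check_sshd "$tmp/sshd_config"; then echo "sshd: OK"; else echo "sshd: review needed"; fi
if check_tls "$tmp/nginx.conf"; then echo "tls: OK"; else echo "tls: review needed"; fi
rm -rf "$tmp"
```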