Segurança com PHP: Indo Além do Código (Security with PHP: Going Beyond the Code)
Diego Hernandes
November 23, 2016
Programming
Talk by @hernandev.com at bhack.com.br / PHPMG room
Transcript
Security with PHP: Going Beyond the Code

$ whoami
Diego Hernandes (@hernandev) – CTO @ Kino Contabilidade – Co-founder @ CODECASTS

Let's Deploy!

$ ./security_check_list.sh
• Exception Handling
• Input Handling
• Routing
• 3rd Party Audit
• DB Related Vulnerabilities
• Injections
• Forgeries
• ...
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

$ ./01_go_passwordless.sh
• SSH Key Auth
• Certificate Based VPN
• Access Gateways

$ ./02_provision_vpn.sh
• Expose Only What Needs to Be Exposed

$ ./03_add_little_obscurity.sh
• Expose Only What Needs to Be Exposed

$ ./04_lower_privileges.sh
• Not everyone needs to be root!
Disclaimer: Valid in all Layers

$ ./05_secure_transmission.sh
• Secure HTTPS (I mean TLS, not SSL)
• Drop FTP support at all cost

$ ./06_add_protection_layer.sh
• Cloudflare
• Incapsula

$ ./07_double_test_acl.sh
All the security in the world is not enough when your application has flaws. In other words: NEVER keep any backdoor.

$ ./08_shields_up.sh
On almost any server hosting, "Private Networking" only means INTERNAL networks. You're still not safe.

$ ./09_add_ci_and_code_review.sh
Drop team privileges by implementing CI/CD. No obscure code should go live without at least one other person's review! Trust No One.

$ ./10_keep_it_up_to_date.sh
OLD != STABLE
OLD != SECURE

$ ./00_update_security_policy.sh
Create, Keep, Improve, Review, Collaborate on a Security Policy
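As an added example in the spirit of the ./01_go_passwordless.sh and ./04_lower_privileges.sh items (not code from the talk or its author), a POSIX shell checker that reads an OpenSSH sshd_config and reports whether password logins and root logins are switched off. The function names and the two sample configs are my own constructions; the checker assumes plain OpenSSH syntax and, like sshd, treats the first occurrence of a directive as the effective one.

```shell
#!/bin/sh
# Added example, not from the talk: audit an OpenSSH sshd_config against the
# "go passwordless" and "lower privileges" checklist items. Assumption: plain
# OpenSSH syntax; directives inside Match blocks are out of scope here.

# Print the effective global value of a directive, lower-cased, or "unset".
sshd_effective() {  # $1 = config file, $2 = directive name (case-insensitive)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }              # comments and blank lines
    tolower($1) == "match"      { exit }              # global section ends here
    tolower($1) == key          { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Return 0 when the config meets the checklist, 1 otherwise, printing each finding.
check_sshd_config() {
  cfg="$1"; rc=0
  pw=$(sshd_effective "$cfg" PasswordAuthentication)
  root=$(sshd_effective "$cfg" PermitRootLogin)
  pub=$(sshd_effective "$cfg" PubkeyAuthentication)
  # "unset" means the OpenSSH default applies. PasswordAuthentication defaults
  # to yes and PermitRootLogin's default has changed across versions, so an
  # explicit "no" is required for both; PubkeyAuthentication defaults to yes.
  case "$pw"   in no)        ;; *) echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1 ;; esac
  case "$root" in no)        ;; *) echo "FAIL PermitRootLogin=$root (want no)";      rc=1 ;; esac
  case "$pub"  in yes|unset) ;; *) echo "FAIL PubkeyAuthentication=$pub (want yes)"; rc=1 ;; esac
  return "$rc"
}

# Constructed sample configs for a self-test (not taken from any real host).
write_sample_configs() {
  d=$(mktemp -d)
  cat > "$d/weak.conf" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
EOF
  cat > "$d/hardened.conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    AllowTcpForwarding no
EOF
  echo "$d"
}

d=$(write_sample_configs)
check_sshd_config "$d/hardened.conf" && echo "hardened.conf: OK"
check_sshd_config "$d/weak.conf" || echo "weak.conf: needs work"
```

Run it against /etc/ssh/sshd_config on a real host by calling check_sshd_config with that path; the weak sample shows that a commented-out "PasswordAuthentication no" leaves password logins enabled.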