Segurança com PHP: Indo Além do Código

Transcript

1. Segurança com PHP Indo além do Código

2. $ whoami Diego Hernandes (@hernandev) – CTO @ Kino Contabilidade

   – CO-Founder @ CODECASTS

3. Lets Deploy!

4. $ ./security_check_list.sh • Exception Handling • Input Handling • Routing

   • 3rd Party Audit • DB Related Vulnerabilities • Injections • Forgeries • ... https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

5. $ ./01_go_passwordless.sh • SSH Key Auth • Certificate Based VPN

   • Access Gateways

6. $ ./02_provision_vpn.sh • Expose Only What needs to be exposed

7. $ ./03_add_little_obscurity.sh • Expose Only What needs to be exposed

8. $ ./04_lower_privileges.sh • Not everyone needs to be root! Disclaimer:

   Valid in all Layers

9. $ ./05_secure_transmission.sh • Secure HTTPS (I mean TLS, not SSL)

   • Drop FTP support at all cost

10. $ ./06_add_protection_layer.sh • Cloudflare • Incapsula

11. $ ./07_double_test_acl.sh All security is not enough when your application

    has flaws In other words: NEVER Keep any Backdoor

12. $ ./08_shields_up.sh On almost any Server Hosting, “Private Networking” only

    Means INTERNAL Networks. You’re still not safe.

13. $ ./09_add_ci_and_code_review.sh Drop Team privileges by implementing a CI/CD No

    obscure code should go live without at least 1 other person review! Trust No One

14. $ ./10_keep_it_up_to_date.sh OLD != STABLE OLD != SECURE

15. $ ./00_update_security_policy.sh Create, Keep, Improve, Review, Colaborate, on a Security

    Policy