SymfonyCon2017 - Auditing Symfony Apps

Transcript

1. Auditing Symfony apps Lenard Palko

2. PHP Community Manager @ PITECH+PLUS Symfony Certified Developer Husband and

   full time dad Who is this guy ? [email protected] @lenardpalko
3. None

4. Software quality What is an audit ? How to ?

   Benefits

5. Lorem ipsum tempus STRUCTURAL FUNCTIONAL PROCESS Software quality

6. Functional quality Lorem ipsum tempus STRUCTURAL FUNCTIONAL PROCESS Meeting requirements

   Ease of use Few defects

7. Process quality Meeting deadlines Meeting budgets Repeatable process Lorem ipsum

   tempus STRUCTURAL FUNCTIONAL PROCESS

8. Structural quality Testability Maintainability Efficiency Security Lorem ipsum tempus STRUCTURAL

   FUNCTIONAL PROCESS

9. Increasing quality in one aspect can lower the quality on

   other aspects =TECHNICAL DEBT Software quality

10. What is an audit ?

11. “A software code audit is a comprehensive analysis of source

    code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions.” www.wikipedia.org

12. A useful step along the path to a better application

13. Why do you need an audit ?

14. None

15. Taking over an application

16. Performance / Security issues

17. High cost of change

18. Types of audits

19. Performance audit Layer based Load testing

20. Process audit Requirements User stories Methodologies Planning

21. Penetration testing Security audit

22. Architecture Code analysis Code audit

23. The process

24. Preparing the audit Functional context System overview Project Analysis Report

    The process 1 2 3 4 5

25. Set clear expectations purpose access Preparing the audit 1 2

    3 4 5

26. Preparing the audit Gather prerequisites functional/technical specs code git history

    wiki/confluence pages 1 2 3 4 5

27. Functional Context Understand the application Application flows 1 2 3

    4 5

28. System overview Technical Stack High Level Architecture 1 2 3

    4 5

29. System overview - sample 1 2 3 4 5

30. Project Analysis Hands on code analysis Static code analysis 1

    2 3 4 5

31. Hands on code analysis What to look for • project

    structure, version control • OOP, design patterns • mixture of layers • logging, exception handling 1 2 3 4 5

32. “When I wrote this, only God and I understood what

    I was doing. Now, God only knows.” Comments comments to look for : “fix, xxx, wtf, todo, temporary” 1 2 3 4 5

33. phploc Static code analysis 1 2 3 4 5

34. Static code analysis phpqa 1 2 3 4 5

35. Static code analysis phpqa - phpdepend 1 2 3 4

    5

36. Static code analysis phpqa - dependencies 1 2 3 4

    5

37. Static code analysis SensioLabs Insights 1 2 3 4 5

38. Tests Test Coverage Test Quality 1 2 3 4 5

39. Security Dependency security Automated Security Scan 1 2 3 4

    5

40. Automated Security Scan ZAP, Nikto2 1 2 3 4 5

41. Performance Database slow queries Blackfire Page speed JMeter 1 2

    3 4 5

42. Deployment Continuous integration Release versioning Deployment tools Hardware infrastructure 1

    2 3 4 5

43. The report

44. The report Analysis summary Recommendations Conclusions Annexes 1 2 3

    4 5

45. The report Structure

46. The report 1 2 3 4 5

47. Reduce risks Identify low velocity factors Reduce cost of change

    Performance/security Benefits

48. Key points Impact on users Make a bridge to nontechnical

    people Audit -> Plan -> Implement -> Follow up Learn

49. Summary Prepare Understand Analyse Report Recommend

50. Questions

51. Thank you https://joind.in/talk/0b163

52. https://github.com/EdgedesignCZ/phpqa https://insight.sensiolabs.com https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project https://cirt.net/Nikto2 https://matthiasnoback.nl/2013/01/dependency-injection-smells/ Images : http://wiep.net/talk/wp-content/uploads/2010/05/why.jpg http://cdn.list25.com/wp-content/uploads/2013/10/711-610x360.jpg https://i1.wp.com/4kwallpapers.site/wp-content/uploads/2011/01/Red-And-Green-Apples.jpg

    https://www.shutterstock.com/image-photo/conceptual-image-businessman-looking-on-working-301775756 https://ak2.picdn.net/shutterstock/videos/31494802/thumb/1.jpg References