SymfonyCon2017 - Auditing Symfony Apps

lenardpalko
November 17, 2017


Often clients already have a working product that they want to improve. In these cases starting to work on the project right away may turn into a development nightmare. Therefore assessing the technical status of the product is very important. Depending on the needs of the client this can be done from several points of view: technical standards, maintainability, performance, security, etc.

This talk covers how you can prepare an audit of a Symfony application, what you should look out for and how the result of the audit can impact further development on the project. I will also talk about what I found to be the best tools for the job and how you can get clients to see the benefits of it.


Transcript

  1. Auditing Symfony apps. Lenard Palko
  2. Who is this guy? PHP Community Manager @ PITECH+PLUS, Symfony Certified Developer, husband and full-time dad. lenard.palko@gmail.com, @lenardpalko
  4. Software quality. What is an audit? How to? Benefits
  5. Software quality: STRUCTURAL, FUNCTIONAL, PROCESS
  6. Functional quality: meeting requirements, ease of use, few defects
  7. Process quality: meeting deadlines, meeting budgets, repeatable process
  8. Structural quality: testability, maintainability, efficiency, security
  9. Software quality: increasing quality in one aspect can lower the quality on other aspects = TECHNICAL DEBT
  10. What is an audit?
  11. "A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions." www.wikipedia.org
  12. A useful step along the path to a better application
  13. Why do you need an audit?
  15. Taking over an application
  16. Performance / security issues
  17. High cost of change
  18. Types of audits
  19. Performance audit: layer based, load testing
  20. Process audit: requirements, user stories, methodologies, planning
  21. Security audit: penetration testing
  22. Code audit: architecture, code analysis
  23. The process
  24. The process: 1 Preparing the audit, 2 Functional context, 3 System overview, 4 Project analysis, 5 Report
  25. Preparing the audit: set clear expectations (purpose, access)
  26. Preparing the audit: gather prerequisites (functional/technical specs, code, git history, wiki/confluence pages)
  27. Functional context: understand the application, application flows
  28. System overview: technical stack, high level architecture
  29. System overview - sample
  30. Project analysis: hands-on code analysis, static code analysis
  31. Hands-on code analysis, what to look for: • project structure, version control • OOP, design patterns • mixture of layers • logging, exception handling
  32. "When I wrote this, only God and I understood what I was doing. Now, God only knows." Comments: comments to look for: "fix, xxx, wtf, todo, temporary"
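Slide 32's marker list turned into a first-pass scan, as an added example that is not part of the talk: it keeps only lines that look like PHP comments, counts whole-word hits per marker so that a variable named `$todo` is not counted, and runs against a constructed sample tree. Nothing is assumed beyond a POSIX shell and a grep with `-r`, `-w` and `--include`.

```shell
#!/bin/sh
# Added example, not the talk's own material: a grep-based first pass over a
# PHP/Symfony source tree for the comment markers slide 32 says to look for.
# Assumes POSIX sh and a grep that supports -r, -w and --include (GNU or BSD).

# The marker list from the talk: fix, xxx, wtf, todo, temporary
MARKERS='fix|xxx|wtf|todo|temporary'

# comment_lines DIR: lines that look like PHP comments (//, #, /* ... */ or * block lines)
comment_lines() {
    grep -rhiE --include='*.php' '(//|#|/\*|^[[:space:]]*\*)' "$1" 2>/dev/null || true
}

# count_marker DIR MARKER: comment lines mentioning MARKER as a whole word, case-insensitive
count_marker() {
    comment_lines "$1" | grep -ciwE "$2" || true
}

# report DIR: per-marker totals, highest first, so the noisiest areas get read first
report() {
    for m in $(printf '%s' "$MARKERS" | tr '|' ' '); do
        printf '%s %s\n' "$(count_marker "$1" "$m")" "$m"
    done | sort -rn
}

# Constructed sample tree so the script runs offline; removed again at the end
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/src/Service"
cat > "$SAMPLE/src/Service/Invoice.php" <<'EOF'
<?php
// TODO: move the tax rate into configuration
// temporary hack until the upstream API is fixed (FIX before release)
$total = $amount * 1.2; // wtf is this rate?
# xxx
EOF
cat > "$SAMPLE/src/Kernel.php" <<'EOF'
<?php
/* nothing to see here */
$todo = 'a variable name, not a comment, so it is not counted';
// TODO: remove debug output
EOF

report "$SAMPLE/src"   # prints "2 todo" first, then one line each for fix, temporary, wtf, xxx
rm -rf "$SAMPLE"
```

Point `report` at the real `src/` of the audited project; the totals only tell you where to start reading, they are not findings by themselves.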
  33. Static code analysis: phploc
  34. Static code analysis: phpqa
  35. Static code analysis: phpqa - phpdepend
  36. Static code analysis: phpqa - dependencies
  37. Static code analysis: SensioLabs Insights
  38. Tests: test coverage, test quality
  39. Security: dependency security, automated security scan
  40. Automated security scan: ZAP, Nikto2
  41. Performance: database slow queries, Blackfire, page speed, JMeter
  42. Deployment: continuous integration, release versioning, deployment tools, hardware infrastructure
  43. The report
  44. The report: analysis summary, recommendations, conclusions, annexes
  45. The report: structure
  46. The report
  47. Benefits: reduce risks, identify low velocity factors, reduce cost of change, performance/security
  48. Key points: impact on users, make a bridge to non-technical people, Audit -> Plan -> Implement -> Follow up, learn
  49. Summary: prepare, understand, analyse, report, recommend
  50. Questions
  51. Thank you. https://joind.in/talk/0b163
  52. References: https://github.com/EdgedesignCZ/phpqa, https://insight.sensiolabs.com, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, https://cirt.net/Nikto2, https://matthiasnoback.nl/2013/01/dependency-injection-smells/. Images: http://wiep.net/talk/wp-content/uploads/2010/05/why.jpg, http://cdn.list25.com/wp-content/uploads/2013/10/711-610x360.jpg, https://i1.wp.com/4kwallpapers.site/wp-content/uploads/2011/01/Red-And-Green-Apples.jpg, https://www.shutterstock.com/image-photo/conceptual-image-businessman-looking-on-working-301775756, https://ak2.picdn.net/shutterstock/videos/31494802/thumb/1.jpg