Auditing Symfony apps Lenard Palko

PHP Community Manager @ PITECH+PLUS Symfony Certified Developer Husband and full time dad Who is this guy ? lenard.palko@gmail.com @lenardpalko

No content

Software quality What is an audit ? How to ? Benefits

Lorem ipsum tempus STRUCTURAL FUNCTIONAL PROCESS Software quality

Functional quality Lorem ipsum tempus STRUCTURAL FUNCTIONAL PROCESS Meeting requirements Ease of use Few defects

Process quality Meeting deadlines Meeting budgets Repeatable process Lorem ipsum tempus STRUCTURAL FUNCTIONAL PROCESS

Structural quality Testability Maintainability Efficiency Security Lorem ipsum tempus STRUCTURAL FUNCTIONAL PROCESS

Increasing quality in one aspect can lower the quality on other aspects =TECHNICAL DEBT Software quality

What is an audit ?

“A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions.” www.wikipedia.org

A useful step along the path to a better application

Why do you need an audit ?

No content

Taking over an application

Performance / Security issues

High cost of change

Types of audits

Performance audit Layer based Load testing

Process audit Requirements User stories Methodologies Planning

Penetration testing Security audit

Architecture Code analysis Code audit

The process

Preparing the audit Functional context System overview Project Analysis Report The process 1 2 3 4 5

Set clear expectations purpose access Preparing the audit 1 2 3 4 5

Preparing the audit Gather prerequisites functional/technical specs code git history wiki/confluence pages 1 2 3 4 5

Functional Context Understand the application Application flows 1 2 3 4 5

System overview Technical Stack High Level Architecture 1 2 3 4 5

System overview - sample 1 2 3 4 5

Project Analysis Hands on code analysis Static code analysis 1 2 3 4 5

Hands on code analysis What to look for ● project structure, version control ● OOP, design patterns ● mixture of layers ● logging, exception handling 1 2 3 4 5

“When I wrote this, only God and I understood what I was doing. Now, God only knows.” Comments comments to look for : “fix, xxx, wtf, todo, temporary” 1 2 3 4 5

phploc Static code analysis 1 2 3 4 5

Static code analysis phpqa 1 2 3 4 5

Static code analysis phpqa - phpdepend 1 2 3 4 5

Static code analysis phpqa - dependencies 1 2 3 4 5

Static code analysis SensioLabs Insights 1 2 3 4 5

Tests Test Coverage Test Quality 1 2 3 4 5

Security Dependency security Automated Security Scan 1 2 3 4 5

Automated Security Scan ZAP, Nikto2 1 2 3 4 5

Performance Database slow queries Blackfire Page speed JMeter 1 2 3 4 5

Deployment Continuous integration Release versioning Deployment tools Hardware infrastructure 1 2 3 4 5

The report

The report Analysis summary Recommendations Conclusions Annexes 1 2 3 4 5

The report Structure

The report 1 2 3 4 5

Reduce risks Identify low velocity factors Reduce cost of change Performance/security Benefits

Key points Impact on users Make a bridge to nontechnical people Audit -> Plan -> Implement -> Follow up Learn

Summary Prepare Understand Analyse Report Recommend

Questions

Thank you https://joind.in/talk/0b163

https://github.com/EdgedesignCZ/phpqa https://insight.sensiolabs.com https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project https://cirt.net/Nikto2 https://matthiasnoback.nl/2013/01/dependency-injection-smells/ Images : http://wiep.net/talk/wp-content/uploads/2010/05/why.jpg http://cdn.list25.com/wp-content/uploads/2013/10/711-610x360.jpg https://i1.wp.com/4kwallpapers.site/wp-content/uploads/2011/01/Red-And-Green-Apples.jpg https://www.shutterstock.com/image-photo/conceptual-image-businessman-looking-on-working-301775756 https://ak2.picdn.net/shutterstock/videos/31494802/thumb/1.jpg References