Slide 1

Security with PHP: Going Beyond the Code

Slide 2

$ whoami
Diego Hernandes (@hernandev) – CTO @ Kino Contabilidade – Co-Founder @ CODECASTS

Slide 3

Let's Deploy!

Slide 4

$ ./security_check_list.sh
• Exception Handling
• Input Handling
• Routing
• 3rd Party Audit
• DB Related Vulnerabilities
• Injections
• Forgeries
• ...
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

Slide 5

$ ./01_go_passwordless.sh
• SSH Key Auth
• Certificate Based VPN
• Access Gateways

Slide 6

$ ./02_provision_vpn.sh
• Expose only what needs to be exposed

Slide 7

$ ./03_add_little_obscurity.sh
• Expose only what needs to be exposed

Slide 8

$ ./04_lower_privileges.sh
• Not everyone needs to be root!
Disclaimer: valid in all layers
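As an added example that is not part of the talk, a POSIX shell audit of an `sshd_config` for the two settings slides 5 and 8 call for: key-only authentication and no direct root login. The function names, the sample configuration and the temp-file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the talk): audit an sshd_config for the two settings
# slides 5 and 8 call for, key-only authentication and no direct root login.
# sshd honours the FIRST occurrence of a keyword, so a later "fix" is ignored.

# effective_sshd_value <file> <keyword>: value of the first non-comment occurrence
# of <keyword> outside any Match block (case-insensitive), or DEFAULT if unset.
effective_sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    tolower($1) == "match" { inmatch = 1 }          # conditional blocks start here
    inmatch { next }                                # ...and run to end of file
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print "DEFAULT" }
  ' "$1"
}

# audit_sshd_config <file>: report both settings; return 0 only when both are
# hardened. Stock defaults are PasswordAuthentication yes, PermitRootLogin prohibit-password.
audit_sshd_config() {
  pw=$(effective_sshd_value "$1" PasswordAuthentication)
  root=$(effective_sshd_value "$1" PermitRootLogin)
  status=0
  case "$pw" in
    no) echo "OK   PasswordAuthentication no" ;;
    *)  echo "FAIL PasswordAuthentication is '$pw' (want no: SSH key auth only)"; status=1 ;;
  esac
  case "$root" in
    no) echo "OK   PermitRootLogin no" ;;
    *)  echo "FAIL PermitRootLogin is '$root' (want no: not everyone needs root)"; status=1 ;;
  esac
  return $status
}

# Constructed sample, not a real server's file: the second PasswordAuthentication
# line looks like a fix but is ignored by sshd, so the audit must still FAIL.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sshd_config sample
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
if audit_sshd_config "$SAMPLE"; then echo "sshd hardening: PASS"; else echo "sshd hardening: FAIL"; fi
rm -f "$SAMPLE"
```

Run the same two functions against `/etc/ssh/sshd_config` on a real host to get a non-zero exit status from CI whenever a deploy would leave password or root logins enabled.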

Slide 9

$ ./05_secure_transmission.sh
• Secure HTTPS (I mean TLS, not SSL)
• Drop FTP support at all costs

Slide 10

$ ./06_add_protection_layer.sh
• Cloudflare
• Incapsula

Slide 11

$ ./07_double_test_acl.sh
No amount of infrastructure security is enough when the application itself has flaws.
In other words: NEVER keep any backdoor.

Slide 12

$ ./08_shields_up.sh
On almost any hosting provider, “Private Networking” only means an INTERNAL network. You’re still not safe.

Slide 13

$ ./09_add_ci_and_code_review.sh
Drop team privileges by implementing CI/CD.
No obscure code should go live without review by at least one other person!
Trust no one.

Slide 14

$ ./10_keep_it_up_to_date.sh
OLD != STABLE
OLD != SECURE

Slide 15

$ ./00_update_security_policy.sh
Create, keep, improve, review and collaborate on a Security Policy.