Slide 1

Secure your application data using Symfony — Evgeny Smirnov, CEO of 4xxi (https://4xxi.com), [email protected], FB: @smirik

Slide 2

Constant Vigilance!

Slide 3

Why should we care?

Slide 4

Who should care?

Slide 5

FinTech, MedTech, EdTech, Social … PII: passwords, SSN, transactions, portfolios, statements…

Slide 6

The «Onion» Pattern

Slide 7

3 levels of security

Slide 8

1. Physical
2. Administrative
3. Technical

Slide 9

The easiest way to hack you

Slide 10

Even here

Slide 11

1. Lock your computer
2. Encrypt your computer
3. Check the workaround

Slide 12

The security policies should be established & should be clear for the team

Slide 13

The principle of minimal privilege must be used

Slide 14

Security Basics

Slide 15

Store your passwords securely

Slide 16

Never transfer non-encrypted PII
https://github.com/4xxi/caesarapp-server
https://github.com/johnelm/PasteVault

Slide 17

Do not store the passwords in the code

Slide 18

Don’t use public snippet repositories
From blogs: "How a bug in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours"

Slide 19

Don’t use public screenshot storages
Configure your own AWS S3 or Dropbox instance to store the media

Slide 20

Technology

Slide 21

Use data obfuscation, e.g. the gem data-anonymization (Ruby) or neuralyzer (PHP)

Slide 22

data-anonymization:

    require 'data-anonymization'

    database 'DatabaseName' do
      strategy DataAnon::Strategy::Blacklist # whitelist (default) or blacklist

      ... # configuration

      # User -> table name (case sensitive)
      table 'User' do
        # id, DateOfBirth, Name, UserName, Password -> table column names
        primary_key 'id' # composite key is also supported
        anonymize 'DateOfBirth', 'Name' # default anon.
        anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}')
        anonymize('Password') { |field| "password" }
      end

      ...
    end

Slide 23

data-anonymization: EASY!

Slide 24

Pros & cons

Pros:
1. The data are almost real, not test data.
2. Easy to reproduce the production issues.
3. The developers have no access to PII.
4. PII worldwide compliance.

Cons:
1. Some database changes require additional work.
2. It is difficult to manage denormalised data.
3. The realtime data are not available.
4. Some issues might be PII-specific.

Slide 25

Use automatic tools to exclude simple issues
https://portswigger.net/burp
https://www.owasp.org

Slide 26

An example

Slide 27

Where to store the credentials?

Slide 28

In the files or ENV vars?

Slide 29

HashiCorp Vault https://www.vaultproject.io

Slide 30

Pros:
1. Dynamic secrets
2. Audit logs
3. Integrations

Slide 31

Encrypt the data

Slide 32

What to encrypt?
1. The DB instance (use some built-in tools, e.g. in AWS, or TDE)
2. Encrypt PII (pgcrypto, DoctrineEncryptBundle, custom-built …)
3. ??
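The "custom-built" option from this slide, as an added example that is not from the talk or the 4xxi code base: a PII column is encrypted in the application with AES-256-GCM before it is written to the database, so a dump of the table does not expose the value. The key constant, the column names and the user record are constructed assumptions; in a real deployment the key comes from ENV or Vault, as the earlier slides discuss.

```ruby
require 'openssl'
require 'base64'

# Constructed 32-byte demo key so the example runs offline. In production
# this is loaded from ENV or HashiCorp Vault, never from the code.
PII_KEY = OpenSSL::Digest::SHA256.digest('constructed-demo-key-do-not-reuse')

# Encrypt one PII value with AES-256-GCM. A fresh random IV per value means two
# users with the same SSN get different ciphertexts, and the GCM tag makes any
# edit of the stored value detectable on decryption.
def encrypt_pii(plaintext, key = PII_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # 12-byte IV, generated and set in one call
  cipher.auth_data = ''            # no additional authenticated data here
  ciphertext = cipher.update(plaintext) + cipher.final
  # Store IV (12) + tag (16) + ciphertext together so the column is self-contained.
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Returns the plaintext, or nil when the key is wrong or the value was tampered
# with; partial plaintext is never returned.
def decrypt_pii(encoded, key = PII_KEY)
  blob = Base64.strict_decode64(encoded)
  iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = key
  decipher.iv = iv
  decipher.auth_tag = tag
  decipher.auth_data = ''
  decipher.update(ciphertext) + decipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed user record: only the PII column is encrypted, the rest of the
# row stays queryable as usual.
def store_user(user)
  user.merge('ssn' => encrypt_pii(user['ssn']))
end

# Flip one byte of a stored value; used to show that tampering is detected.
def corrupt_stored(encoded)
  blob = Base64.strict_decode64(encoded)
  blob.setbyte(blob.bytesize - 1, blob.getbyte(blob.bytesize - 1) ^ 1)
  Base64.strict_encode64(blob)
end
```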

Slide 33

Constant Vigilance!