Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Composer Security

Avatar for Simon Simon
August 02, 2018
Technology
0
41

Composer Security

In this presentation I highlighted the increasing risk that comes from using more and more third-party code in your applications and some steps you can take to mitigate that risk.

I finish by introducing Ensemble, a tool to help automate that security and more.

Avatar for Simon

Simon

August 02, 2018
Tweet

Other Decks in Technology

See All in Technology
AIコードアシスタントとiOS開発
Avatar for jollyjoester jollyjoester
1
230
スプリントゴール未達症候群に送る処方箋
Avatar for KAKEHASHI kakehashi
PRO
1
200
AI エンジニアの立場からみた、AI コーディング時代の開発の品質向上の取り組みと妄想
Avatar for Soh Ohara soh9834
6
350
ML Pipelineの開発と運用を OpenTelemetryで繋ぐ @ OpenTelemetry Meetup 2025-07
Avatar for Yoshimura Naoya getty708
0
270
MCPと認可まわりの話 / mcp_and_authorization
Avatar for convto convto
1
150
From Live Coding to Vibe Coding with Firebase Studio
Avatar for Firebase Thailand firebasethailand
1
150
激動の時代、新卒エンジニアはAIツールにどう向き合うか。 [LayerX Bet AI Day Countdown LT Day1 ツールの選択]
Avatar for tak tak848
0
550
PHPからはじめるコンピュータアーキテクチャ / From Scripts to Silicon: A Journey Through the Layers of Computing
Avatar for HASEGAWA Tomoki tomzoh
2
390
AI Ready API ─ AI時代に求められるAPI設計とは?/ AI-Ready API - Designing MCP and APIs in the AI Era
Avatar for Yoichi Kawasaki yokawasa
21
5.8k
DATA+AI SummitとSnowflake Summit: ユーザから見た共通点と相違点 / DATA+AI Summit and Snowflake Summit
Avatar for NTT docomo Business nttcom
0
220
AWS Well-Architected から考えるオブザーバビリティの勘所 / Considering the Essentials of Observability from AWS Well-Architected
Avatar for SMS tech sms_tech
1
850
AI工学特論: MLOps・継続的評価
Avatar for Asei Sugiyama asei
10
1.6k

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.4k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.6k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.3k
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
1
490
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
138
34k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.8k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
2.9k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
31
8.7k

Transcript

  1. Composer Security Harsh truths about your favourite package manager

  2. Package managers are great But they’re making us lazy

  3. Composer isn’t safe!

  4. So… it’s all doom and gloom, then?

  5. Top safety tips • Make sure your vendor folder isn’t

    publicly accessible (especially vendor/bin!) • Use/require the SensioLabs Security Advisories Checker https://security.sensiolabs.org/check • Require the roave/security-advisories meta package • Consider using static analysis tools (e.g. RIPS Tech) and ethical hacking services

  6. Use Ensemble! • It automates (almost) all of the above

    • It works in production - no complex CI configuration • It never sees any of your code and doesn’t need access to your repository • It’s secure - even for non-HTTPS sites/apps • It does some other stuff too! • (It doesn’t perform package updates for you) • It’s FREE during the beta ens.emble.app/register

  7. You have been watching... Simon Hamp Senior dev @ Elvie

    [email protected] @simonhamp simonhamp.me Pug pics courtesy of: unsplash.com/@charlesdeluvio