
Secure your application data using Symfony

Evgeny Smirnov
September 22, 2017


Work on applications that deal with FinTech, MedTech or other kinds of sensitive PII (personally identifiable information) requires close attention to security. The threats come in several kinds: internal data leakage, compromise of the infrastructure, vulnerabilities inside the app itself, etc. This becomes even more complicated when development or QA is outsourced.

In this talk I will cover the following topics:
— Protecting PII using data obfuscation during development and QA.
— Secure alternatives to storing credentials in config files or environment variables.
— Various techniques of encrypting data inside your app.


Transcript

  1. Secure your application data using Symfony
    — Evgeny Smirnov, CEO of 4xxi (https://4xxi.com),
    [email protected], FB: @smirik


  2. Constant Vigilance!


  3. Why should we care?


  4. Who should care?


  5. FinTech, MedTech, PII, EdTech, Social …
    Passwords, SSN, transactions, portfolios, statements…

  6. The «Onion» Pattern


  7. 3 levels of security


  8. Physical
    Administrative
    Technical


  9. The easiest way to hack you

  10. Even here


  11. 1. Lock your computer
    2. Encrypt your computer
    3. Check the workaround


  12. Security policies should be established
    and made clear to the whole team

  13. The principle of least privilege
    must be applied

  14. Security Basics


  15. Store your passwords
    securely


  16. Never transfer unencrypted PII
    https://github.com/4xxi/caesarapp-server
    https://github.com/johnelm/PasteVault

  17. Do not store the passwords
    in the code


  18. Don’t use public snippet repositories
    From blogs: How a bug in Visual Studio 2015 exposed my
    source code on GitHub and cost me $6,500 in a few hours


  19. Don’t use public screenshot hosting services
    Configure your own AWS S3 bucket or
    Dropbox account to store the media instead

  20. Technology


  21. Use data obfuscation,
    e.g. the data-anonymization gem (Ruby)
    or neuralyzer (PHP)

  22. data-anonymization:
    require 'data-anonymization'
    database 'DatabaseName' do
      strategy DataAnon::Strategy::Blacklist # whitelist (default) or blacklist
      ... # configuration
      # User -> table name (case sensitive)
      table 'User' do
        # id, DateOfBirth, Name, UserName, Password -> table column names
        primary_key 'id' # composite key is also supported
        anonymize 'DateOfBirth', 'Name' # default anonymisation for these columns
        anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}')
        anonymize('Password') { |field| "password" }
      end
      ...
    end

  23. EASY!

  24. Pros & cons
    Pros:
    1. The data are almost real, not synthetic test data.
    2. Production issues are easy to reproduce.
    3. The developers have no access to PII.
    4. Helps with PII compliance worldwide.
    Cons:
    1. Some database changes require additional work on the anonymisation rules.
    2. Denormalised data are difficult to manage (the same PII has to be masked consistently in every copy).
    3. Real-time production data are not available.
    4. Some issues might be PII-specific and will not reproduce on masked data.
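The slide's DSL needs a real database to run. The following is an added example, not the data-anonymization gem or anything from the talk: a small in-memory anonymiser that reproduces the two strategies the slide names (whitelist, the gem's default, where every column is anonymised unless it is explicitly allowed through; blacklist, where only the listed columns are touched) and applies the slide's rules to constructed sample rows. The `MiniAnon` module, the `SAMPLE_USERS` rows and the `anonymize_users` helper are all constructed for this illustration.

```ruby
require 'digest'
require 'date'

# Added example, not the data-anonymization gem: an in-memory anonymiser with
# the same two strategies (whitelist: every column is anonymised unless it is
# explicitly allowed through; blacklist: only the listed columns are touched).
module MiniAnon
  # Default rule: dates keep only the year, integers are zeroed, everything
  # else becomes a salted, non-reversible token that is stable within one run
  # (same input -> same token), so joins on the anonymised value still work.
  def self.default_for(value, salt)
    case value
    when Date    then Date.new(value.year, 1, 1)
    when Integer then 0
    else 'anon_' + Digest::SHA256.hexdigest("#{salt}:#{value}")[0, 12]
    end
  end

  class Table
    def initialize(strategy, primary_key, salt)
      @strategy    = strategy      # :whitelist or :blacklist
      @primary_key = primary_key   # copied through unchanged
      @salt        = salt          # per-run secret, thrown away afterwards
      @rules       = {}            # column => proc(value, row_number)
      @allowed     = []            # whitelist-strategy pass-through columns
    end

    def whitelist(*cols)
      @allowed.concat(cols)
    end

    # anonymize('a', 'b')           -> default rule
    # anonymize('a') { |v, n| ... } -> custom rule, n is the 1-based row number
    def anonymize(*cols, &rule)
      rule ||= ->(v, _n) { MiniAnon.default_for(v, @salt) }
      cols.each { |c| @rules[c] = rule }
    end

    def process(rows)
      rows.each_with_index.map do |row, idx|
        row.each_with_object({}) do |(col, val), out|
          out[col] =
            if col == @primary_key        then val
            elsif @rules.key?(col)        then @rules[col].call(val, idx + 1)
            elsif @strategy == :blacklist then val   # untouched: leak risk
            elsif @allowed.include?(col)  then val
            else MiniAnon.default_for(val, @salt)
            end
        end
      end
    end
  end
end

# Constructed sample rows standing in for a production dump.
SAMPLE_USERS = [
  { 'id' => 1, 'Name' => 'Alice Example', 'DateOfBirth' => Date.new(1984, 5, 17),
    'UserName' => 'alice84', 'Password' => '<bcrypt hash>',
    'Email' => 'alice@example.com', 'Plan' => 'pro' },
  { 'id' => 2, 'Name' => 'Bob Example', 'DateOfBirth' => Date.new(1991, 11, 2),
    'UserName' => 'bobby', 'Password' => '<bcrypt hash>',
    'Email' => 'bob@example.com', 'Plan' => 'free' }
].freeze

# The slide's rules, applied under either strategy.
def anonymize_users(strategy)
  t = MiniAnon::Table.new(strategy, 'id', 'run-salt-do-not-log')
  t.whitelist('Plan')                              # not PII, safe to keep
  t.anonymize('DateOfBirth', 'Name')               # default rule
  t.anonymize('UserName') { |_v, n| "user#{n}" }
  t.anonymize('Password') { |_v, _n| 'password' }
  t.process(SAMPLE_USERS)
end
```

Two things worth checking on a real dump: under the blacklist strategy the `Email` column, which the slide's rules never mention, goes through untouched, which is why whitelist is the safer default for a table that carries PII; and the `Password` rule on the slide writes the literal string `password`, while a Symfony user table stores a password hash, so the replacement should be the hash of a known test password produced with the application's encoder, otherwise nobody can log in to the anonymised copy.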

  25. Use automated tools to weed out the simple issues first
    https://portswigger.net/burp
    https://www.owasp.org

  26. An example


  27. Where to store the credentials?


  28. In the files or ENV vars?


  29. HashiCorp Vault
    https://www.vaultproject.io


  30. pros
    1. Dynamic secrets
    2. Audit logs
    3. Integrations


  31. Encrypt the data


  32. What to encrypt?
    1. The database instance (use the built-in tooling, e.g. AWS storage encryption or TDE)
    2. The PII columns themselves (pgcrypto, DoctrineEncryptBundle, custom-built …)
    3. ??
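Option 2 on the slide, encrypting the PII columns themselves, is where most of the design decisions sit: which cipher mode, where the key lives, and how to rotate it. The block below is an added example written for this page; it is not DoctrineEncryptBundle, pgcrypto or code from the talk. It encrypts one column value with AES-256-GCM under a fresh random nonce, binds the ciphertext to its table, column and row id through the GCM additional authenticated data (so a blob copied into another row fails to decrypt), and stores a key id next to the blob so keys can be rotated. The `FieldCrypto` module, the `v<key_id>:base64(...)` storage format and the `DEMO_KEYRING` are assumptions made for the illustration; in the setup the talk describes the keyring would be filled from Vault at boot rather than generated in process.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example of column-level PII encryption (not DoctrineEncryptBundle or
# pgcrypto). AES-256-GCM, random 96-bit nonce per value, ciphertext bound to
# table/column/row via the GCM additional authenticated data, key id stored
# with the blob so that rotation does not need a big-bang re-encryption.
module FieldCrypto
  IV_LEN  = 12
  TAG_LEN = 16

  def self.aad(table, column, id)
    "#{table}.#{column}##{id}"
  end

  # keyring: { Integer key_id => 32-byte key }; current: key id for new writes
  def self.encrypt(keyring, current, plaintext, table:, column:, id:)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = keyring.fetch(current)
    iv = SecureRandom.random_bytes(IV_LEN)
    cipher.iv = iv
    cipher.auth_data = aad(table, column, id)
    ct  = cipher.update(plaintext) + cipher.final
    tag = cipher.auth_tag(TAG_LEN)
    # storage format (own convention): "v<key_id>:" + base64(iv || ct || tag)
    "v#{current}:" + Base64.strict_encode64(iv + ct + tag)
  end

  def self.decrypt(keyring, blob, table:, column:, id:)
    m = blob.match(%r{\Av(\d+):([A-Za-z0-9+/=]+)\z}) or raise ArgumentError, 'malformed blob'
    key = keyring.fetch(m[1].to_i) { raise KeyError, "no key with id #{m[1]}" }
    raw = Base64.strict_decode64(m[2])
    raise ArgumentError, 'blob too short' if raw.bytesize < IV_LEN + TAG_LEN
    iv, tag, ct = raw[0, IV_LEN], raw[-TAG_LEN..], raw[IV_LEN...-TAG_LEN]
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = key
    d.iv = iv
    d.auth_tag  = tag
    d.auth_data = aad(table, column, id)
    pt = (ct.empty? ? '' : d.update(ct)) + d.final   # CipherError if tampered
    pt.force_encoding(Encoding::UTF_8)               # PII columns are text
  end

  # Re-encrypt a stored value under a newer key; plaintext never leaves here.
  def self.rotate(keyring, blob, new_id, table:, column:, id:)
    pt = decrypt(keyring, blob, table: table, column: column, id: id)
    encrypt(keyring, new_id, pt, table: table, column: column, id: id)
  end

  # True when the blob is rejected for the given location or key (tamper /
  # row-swap / wrong-key check), false when it decrypts cleanly.
  def self.rejected?(keyring, blob, table:, column:, id:)
    decrypt(keyring, blob, table: table, column: column, id: id)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
end

# Demo keyring only: real keys come from Vault/KMS at boot, never from code
# or a committed config file.
DEMO_KEYRING = {
  1 => SecureRandom.random_bytes(32),
  2 => SecureRandom.random_bytes(32)
}.freeze
```

Because the nonce is random, the same SSN encrypts to a different blob every time, so the column cannot be searched or joined on; if an equality lookup is needed, store a separate keyed hash (HMAC) of the value alongside the ciphertext rather than switching to a deterministic mode.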

  33. Constant Vigilance!
    Secure your application data using Symfony
    — Evgeny Smirnov, CEO of 4xxi (https://4xxi.com),
    [email protected], FB: @smirik
