$30 off During Our Annual Pro Sale. View Details »

Secure your application data using Symfony

Evgeny Smirnov
September 22, 2017
Technology
0
3.2k

Secure your application data using Symfony

The work on the application that deals with FinTech, MedTech or other kinds of sensitive PII (personal identifying information) requires high attention to security. There are different kinds of threats: risk of internal data leakage, a risk of infrastructure hacking, a risk of vulnerabilities inside the app e.t.c. This becomes even more complicated if the development or QA are outsourced.

In this talk I will cover the following topics:
— Protecting PII using data obfuscation during development and QA.
— Secure alternatives for storing the credentials in the config files or environment variables.
— Various techniques of encrypting data inside your app.

Evgeny Smirnov

September 22, 2017
Tweet

More Decks by Evgeny Smirnov

See All by Evgeny Smirnov
API platform and how to use it
smirik
0
78
An overview of the self-determination theory in psychology
smirik
0
13
A machine learning approach in the dynamics of asteroids
smirik
0
11
Mean motion resonances in the main belt
smirik
0
8

Other Decks in Technology

See All in Technology
Go Getでのchecksum不一致に遭遇した話とその対応
replu
0
280
AWS re:Invent 2023 わざわざ現地まで行く意味あるの?→ありました
minorun365
PRO
5
960
Parsing case study in Go / Go Conference mini 2023 Winter IN KYOTO
k1low
2
340
ココナラでエンジニアマネージャーをやってみた!
coconala_engineer
1
130
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
860
AWS re:Invent 2023に参加してきた ~Amazon Inspectorのアップデートを添えて~ / AWS re:Invent 2023 Participation Bulletin with Amazon Inspector Updates
yuj1osm
0
250
AWS re:Invent 2023の期間中に出たコンテナアップデート集
yoshiitaka
3
320
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
210
技術広報経験0のEMがエンジニアブランディングをはじめてみた
coconala_engineer
1
130
10分でわかる株式会社ログラス − エンジニア向け会社説明資料 / Loglass in 10 min for Engineers
loglass2019
2
850
LLMを活用した爆速アウトプットのすゝめ / bakusoku-outputs-with-llm
yuya4
8
4.2k
ライブラリとの上手な付き合い方
sekido
PRO
0
160

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
For a Future-Friendly Web
brad_frost
168
8.5k
What the flash - Photography Introduction
edds
64
11k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
113
17k
The Invisible Customer
myddelton
113
12k
Building Adaptive Systems
keathley
29
1.6k
Making Projects Easy
brettharned
105
5.2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
Faster Mobile Websites
deanohume
296
29k
Unsuck your backbone
ammeep
660
56k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
4.1k

Transcript

  1. Secure your application data using Symfony
    — Evgeny Smirnov, CEO of 4xxi (https://4xxi.com),
    [email protected], FB: @smirik

    View Slide

  2. Constant Vigilance!

    View Slide

  3. Why should we care?

    View Slide

  4. Who should care?

    View Slide

  5. FinTech
    MedTech
    PII
    EdTech
    Social …



    Passwords,
    SSN,
    transactions,
    portfolios,
    statements…
    Passwords,
    SSN,
    transactions,
    portfolios,
    statements…

    View Slide

  6. The «Onion» Pattern

    View Slide

  7. 3 levels of security

    View Slide

  8. Physical
    Administrative
    Technical

    View Slide

  9. The easiest way
    to hack you
    Source

    View Slide

  10. Even here

    View Slide

  11. 1. Lock your computer
    2. Encrypt your computer
    3. Check the workaround

    View Slide

  12. The security policies
    should be established
    & should be clear for
    the team

    View Slide

  13. The principle 

    of minimal privilege
    must be used

    View Slide

  14. Security Basics

    View Slide

  15. Store your passwords
    securely

    View Slide

  16. Never transfer 

    a non-encrypted PII
    https://github.com/4xxi/caesarapp-server
    https://github.com/johnelm/PasteVault

    View Slide

  17. Do not store the passwords
    in the code

    View Slide

  18. Don’t use public snippet repositories
    From blogs: How a bug in Visual Studio 2015 exposed my
    source code on GitHub and cost me $6,500 in a few hours

    View Slide

  19. Don’t use public screenshot storages
    Configure your own AWS S3 or
    Dropbox instance to store the media

    View Slide

  20. Technology

    View Slide

  21. Use data obfuscation,
    e.g. gem data-anomymization (ruby)
    or neuralyzer (PHP)

    View Slide

  22. require 'data-anonymization'
    database 'DatabaseName' do
    strategy DataAnon::Strategy::Blacklist # whitelist (default) or blacklist
    ... # configuration
    # User -> table name (case sensitive)
    table 'User' do
    # id, DateOfBirth, Name, UserName, Password -> table column names
    primary_key 'id' # composite key is also supported
    anonymize 'DateOfBirth','Name' # default anon.
    anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}')
    anonymize('Password') { |field| "password" }
    end
    ...
    end
    data-anonymization:

    View Slide

  23. require 'data-anonymization'
    database 'DatabaseName' do
    strategy DataAnon::Strategy::Blacklist # whitelist (default) or blacklist
    ... # configuration
    # User -> table name (case sensitive)
    table 'User' do
    # id, DateOfBirth, Name, UserName, Password -> table column names
    primary_key 'id' # composite key is also supported
    anonymize 'DateOfBirth','Name' # default anon.
    anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}')
    anonymize('Password') { |field| "password" }
    end
    ...
    end
    data-anonymization:
    EASY!

    View Slide

  24. pro & cons
    The data are almost real,
    not test.

    Easy to reproduce 

    the production issues.

    The developers have 

    no access to PII.

    PII worldwide 

    compliance
    Some database changes
    require additional work.

    It is difficult to manage
    denormalised data.

    The realtime data are not
    available.

    Some issues might be
    PII-specific.

    View Slide

  25. Use automatic tool 

    to exclude simple issues
    https://portswigger.net/burp
    https://www.owasp.org

    View Slide

  26. An example

    View Slide

  27. Where to store the credentials?

    View Slide

  28. In the files or ENV vars?

    View Slide

  29. HashiCorp Vault
    https://www.vaultproject.io

    View Slide

  30. pros
    1. Dynamic secrets
    2. Audit logs
    3. Integrations

    View Slide

  31. Encrypt the data

    View Slide

  32. What to encrypt?
    1. The instance of DB 

    (use some built-in tools, e.g. in AWS nor TDE)
    2. Encrypt PII: 

    (pgcrypto, DoctrineEncryptBundle, custom-built …)
    3. ??

    View Slide

  33. Constant Vigilance!
    Secure your application data using Symfony
    — Evgeny Smirnov, CEO of 4xxi (https://4xxi.com),
    [email protected], FB: @smirik

    View Slide