Intro
Security Theatre (@thomas_shone)
Denial
Internet of Things
SAMSUNG
Most popular software: it's not what you think
OpenX: backdoored for almost a year
Versioning: projects with bad versioning also have some of the worst security issues
Automatic patching: if your software comes with automatic upgrading, people will use it
Plugins and templates: if an update needs manual changes for plugins or templates, no one updates
The hardest part of security is not writing secure code
without vulnerability: vulnerability research and security updates
I trust that the network is configured properly and secure: good system administrators
I trust you are who you say you are: TLS certificate peer verification or authentication
I trust your computer is not compromised: ????
I trust that the user won't be the weak link: training and procedures
Weakening: compromising encryption or hashing is about reducing time to crack
Implementation: a bad implementation helps reduce the time to crack
2 Factor Authentication: composer require pragmarx/google2fa
Avoid old tutorials on encryption: scott/e9319254c8ecbad4f227
One-way encoding: comparisons / integrity checks
Timing attacks: brute forcing cryptographic functions via the time taken to execute
is critical in encryption: used for key generation and nonces
Weak password reset processes: can you Google the answer? How do you handle customer support resets?
Patching strategy: if a dependency prevents updating, resolve it now
Don't become comfortable: comfort breeds contempt
Training strategy: have a process for dealing with account locks and resets
Compromise strategy: have a plan before you need it
Information
Decouple roles: databases, servers, domains, roles, ...
Get behind PSR-9 & 10
Taught by: PHP UK Conference