Eric Mann
Eric is a seasoned web developer experienced with multiple languages and platforms. He’s been working with PHP for more than a decade and focuses his time on helping developers get started and learn new skills with their tech of choice. You can reach out to him directly via Twitter.
twitter: @EricMann
Articles
Watching The Clock
By Eric Mann
Published in Time For PHP, December 2024
Cybersecurity Awareness
By Eric Mann
Every October, the President of the United States and Congress declare Cybersecurity Awareness Month, which was just last month. The goal of this declaration is to remind professionals to set aside time to focus and brush up on their cybersecurity skills and knowledge.
Published in Lounging Around with PHP, November 2024
Secure Remote Access
By Eric Mann
Every morning, my various server instances run security checks and automatically notify me of urgent pending updates. My mail server recently alerted me to an urgent update to patch a zero-day exploit in a spam filtering package. I was, (un)fortunately, on vacation out of state and did not have direct access to my usual machines to apply the patch.
Published in The Symfony of PHP, October 2024
Secure Authentication
By Eric Mann
I’ve written at length in the past about the three dimensions of authentication and how they’re important. The first two are easy: something you **are**, being your user ID or login, and something you **know**, your password. It’s the third dimension—something you **have**—that becomes a bit more complicated.
Published in PHP Is Listening, September 2024
Schrodinger’s Backup
By Eric Mann
“What!?” I shouted, half asleep into my phone. It was four in the morning, and I was *not* ready to get up. “The server is down. I know it is early … but can you come in and fix it?”
Published in HaPHPy Developers, August 2024
PHP Under Attack
By Eric Mann
There are many things that need to happen just right for PHP to be vulnerable to a buffer overflow bug. Yet that won’t stop the sensationalized stories about PHP supposedly being insecure. Ironically, this isn’t even a bug in PHP itself but in an upstream library that PHP (and other tools) use.
Published in Search For Good Code, July 2024
Security-minded Code Review
By Eric Mann
When reviewing documentation or code, I typically ask people to rate the level of pedantry they want me to provide in my commentary. This is mostly snarky, but it also covers a more legitimate set of questions based on the *goal* of the review. Is this merely a code quality edit? Are we trying to optimize the performance of some code? Do we need to assess the tone taken in documentation?
Published in AI Llamas, June 2024
Rolling Credentials and Keys
By Eric Mann
I’m rarely the only contractor working for a client at any given time. Most of my colleagues are top-notch professionals with whom I love to collaborate. Occasionally, though, I end up paired with someone who has no business *using* a computer, let alone charging a company money to use one on their behalf.
Published in PHP Reflections, May 2024
Security and Side Channels
By Eric Mann
Any modern film involving hacking will usually feature a scene of attackers breaking into a machine, system, or service in some glorious fashion. They race against a clock featuring animated characters to crack a password. CGI electrons race down a wire to illustrate malware compromising a system. An operative dives out of an overhead vent to insert a device into the mainframe.
Published in Deep Diving PHP Security, April 2024
23andMe, and You, and Everyone Else
By Eric Mann
Remember this article you’re about to read the next time you’re asked for your birthdate and mother’s maiden name to prove your identity in a doctor’s office …
Published in World Community, March 2024
Cheating is Encouraged
By Eric Mann
“Never memorize something you can look up.” – Albert Einstein.
Published in The PHP Gambit: Winning Strategies in Code, February 2024
When Bug Bounties Go Bad
By Eric Mann
Bug bounty programs are critical to any operational product running in the cloud. Know what they are, how they can go wrong, and what you can do to embrace and enhance the practice of responsible disclosure.
Published in Bad Bug Bounties, January 2024
Demystifying Cryptography
By Eric Mann
One of the more advanced topics handled by modern developers is cryptography. It’s the stuff of science fiction to many, but frankly, it doesn’t have to be a mystery to any of us.
Published in Generating Efficient PHP, December 2023
PHP, Meet Passkeys
By Eric Mann
Something you know, something you are, something you have. How does the new technology of passkeys fit into the proven authentication pyramid?
Published in Command Line Picasso, November 2023
The Meaning of “High Trust”
By Eric Mann
When many people think about security, they naturally think about entities attacking from the outside. This might be the outside of their application, network, or even organization. We often fail to realize that the most critical threat is often users already inside your system.
Published in Software Archeology, October 2023
The Apocalypse is Now
By Eric Mann
The world’s leading experts on artificial intelligence have warned us of a coming “AI Apocalypse”. How real is this threat, and when will we see it?
Published in The Spectrum of PHP, September 2023
Vulnerability Management 101
By Eric Mann
Every piece of published code will eventually suffer a vulnerability. Recognizing this truth is the first step to establishing a vulnerability management program.
Published in Packing Up PHP, August 2023
Security Corner: Prisoner’s Dilemma
By Eric Mann
Every application must be designed, and the ethical consideration of that tool’s use (or misuse) must be key to the technical design.
Published in Be Barrier Free, July 2023
Security Corner: Types of Tokens
By Eric Mann
Terminology in security can be a finicky thing. When talking about either security-related or adjacent topics, it’s best to be precise in what each term you choose actually means.
Published in Evolving PHP, June 2023
Security Corner: Tabletop: Planning for Disaster
By Eric Mann
Roughly twice a year, I take time to play a game with my team. To those who play Dungeons & Dragons, this might sound familiar. I spend time planning a particular campaign, then each team member picks a role and plays through it. Except we’re not fighting monsters or casting spells. Instead, I take the role of Dungeon Master for a simulated cybersecurity incident. To those in the industry, this is commonly referred to as a tabletop exercise.
Published in HTTP Burritos, May 2023
Security Corner: The Risks of Free Conference Internet
By Eric Mann
Now that the snow is melting, we’re beginning to see the first signs of Spring. With Spring comes the rain, wildflowers and honeybees, bouncing bunnies in the park, and conference season. Traveling for conferences and other events can be exciting for many. But what most don’t realize is just how risky it can be.
Published in Getting TEKnical, April 2023
Security Corner: InfoSec 102: Phishing
By Eric Mann
Continuing on last month’s trend, we want to spend some time defining and explaining some of the terms and jargon frequently used by practitioners in the security community. Fortunately, this month’s term is likely one you’ve already come across in business: phishing.
Published in Box of PHP, March 2023
Security Corner: Infosec 101: The Confused Deputy
By Eric Mann
When two InfoSec practitioners get together, they often resort to a sort of short-hand in conversation to make things easier. This leverages slang, jargon, or other insider references that are opaque or confusing to those outside our community. Rather than coming up with new terms, it’s often easiest to spend that time disambiguating the jargon already in use. This month we’ll dive deep into a concept that seems to come up frequently – particularly among less technical stakeholders. This is the “confused deputy”.
Published in Knowledge Crunching, February 2023
Security Corner: PCI-DSS: A Beginners Guide
By Eric Mann
Every developer should strive to not only build a quality application but also to ensure that security is baked in at every phase of development. Applications handling customer payment information are even more critical to secure. Firstly, it’s just the right thing to do to ensure that you handle customer payment data appropriately. But if you want to work with credit cards, you’re explicitly required to follow a set of standardized guidelines: PCI-DSS.
Published in PHP is Standing Tall, January 2023
Security Corner: Debt Management
By Eric Mann
Every successful development team has two things in common: They’ve shipped a product and accepted compromises to make that shipment possible.
Published in Owning The Web, December 2022
Security Corner: Direct Object References
By Eric Mann
Building APIs in PHP often exposes us to the potential of obscure bugs that can otherwise compromise the security of our application. Building too pure of an API – and relying on clients to provide too much information about the objects they’re referencing – is one such risk.
Published in The Value of the AST, November 2022
Security Corner: Cybersecurity Checkup
By Eric Mann
October is recognized as Cybersecurity Awareness Month in the United States. It’s a great opportunity to stop, take stock of your current security stance, and make incremental improvements where possible.
Published in The State of PHP, October 2022
Security Corner: Surviving Cybersecurity
By Eric Mann
Engineers don’t often last as long in a cybersecurity focus as they do in other disciplines. If this is your path, you should understand why and how to beat the odds.
Published in Making Code, September 2022
Security Corner: Broken Authentication
By Eric Mann
One of the most foundational elements of security is clear communication. If we fail to use the correct language to communicate, we risk being misunderstood and making critical software mistakes.
Published in PHP Blueprint, August 2022
Security Corner: Demystifying Multifactor Authentication
By Eric Mann
Authentication by way of a username and password is well understood. Adding an extra authentication factor—like a smartphone—to the mix helps strengthen a login flow. But what exactly is an authentication factor, and what are the trade-offs between each one?
Published in Database Freedom, July 2022
Security Corner: Assessing Cybersecurity Risks
By Eric Mann
Every application will, one day, be exposed to a cybersecurity risk. Learning how to categorize and rate those risks is critical to keeping your team focused on the things that matter most.
Published in Another Bright Idea, June 2022
Security Corner: Classifying Ransomware
By Eric Mann
One of the terrifying new developments in technology is the high prevalence of ransomware—criminals using software to hold your data or information systems hostage.
Published in One Last Slice, May 2022
Security Corner: Operational Security
By Eric Mann
It is remarkably easy to grow complacent in the digital world, but a lapse in security best practices inevitably leads to a lapse in security itself.
Published in Testing The Core, April 2022
Security Corner: Understanding Supply Chain Security
By Eric Mann
In the physical world, it’s relatively easy to understand what a supply chain looks like—the security of physical goods in transit is a straightforward concept. This kind of security in the digital world can be harder to recognize but is just as critical.
Published in World Backup Day, March 2022
Security Corner: Getting Started with Cybersecurity
By Eric Mann
Every career track starts somewhere. Cybersecurity doesn’t always begin where you’d expect.
Published in Parallelize Your Code, February 2022
Security Corner: The Terrifying Scale of a Security Bug
By Eric Mann
A remote code execution vulnerability discovered in the widely used Log4J library exposed billions of machines to malicious actors in December. Unfortunately, fixing this bug was not straightforward and left much of the Internet exposed to bad actors for over a week.
Published in Domain-Driven Resolutions, January 2022
Security Corner: Vulnerable and Outdated Components
By Eric Mann
One of the updated risks enumerated by the OWASP Top Ten is using an older component with a known vulnerability. Engineers need to remember that this extends to ancillary systems, not just PHP.
Published in The Zen of Mindful Programming, December 2021
Security Corner: No Bug Too Small
By Eric Mann
Every bug report, even the innocuous-looking ones, could be evidence of a fatal flaw in your application. You owe it to yourself and your customers to vet and audit any report, even if it lacks a proof-of-concept or exploit code, or feels like an extremely hypothetical edge case.
Published in The Art of Data, November 2021
Security Corner: Updating the OWASP Top Ten
By Eric Mann
The Open Web Application Security Project (OWASP) is a non-profit that focuses on web security research, training, and documentation to help developers make the world a safer place. They regularly collate application security risks seen in the wild and publish a list of the most frequently encountered issues. This list, the OWASP Top Ten, is a common tool used by developers and security auditors alike to gauge the level of security maturity of a project or the team maintaining it.
Published in Decrypting Cryptography, October 2021 — Available for Free
Security Corner: The Pit of Success
By Eric Mann
Security is often difficult to get right, even for those who are experts in the field. Mistakes are easy to make and result in our users falling into a pit. All developers should practice a stance of “security by default.” Doing so means ensuring that any mistakes land users in a pit of success rather than despair.
Published in It’s Really an Upgrade, September 2021
Security Corner: Multifactor Authentication
By Eric Mann
A modern security best practice is to both implement and require a form of authentication beyond a simple password. This practice is known as “multifactor” authentication, as users will have a primary factor—their password—and a secondary factor to successfully authenticate to an application. Proper implementation of a multifactor authentication scheme keeps your application and its users safe and secure by making it more difficult for attackers to get past your authentication.
Published in Trimming One’s Sails, August 2021
Security Corner: Evaluating Password Strength
By Eric Mann
An application is only as strong as the authentication systems used to gate entry and protect the data it contains. So long as your users leverage passwords, the weakest link in your security stance is the strength of those passwords. This month we take a deeper look at the strength of passwords and guidance to keep your users’ data secure.
Published in Deep Dive Into Search, July 2021
Security Corner: Responsible Disclosure
By Eric Mann
Despite our best efforts, security bugs will creep into deployed production code. When this happens, members of the community might reach out to report these bugs to you. Your team needs to be prepared to both receive and encourage these forms of responsible disclosure.
Published in Debug, Rinse, Repeat, June 2021
Security Corner: Radical Transparency
By Eric Mann
Last month, news broke of a breach of the PHP community’s development Git server. This breach included the addition of two malicious commits to the language’s source code. The malicious code was immediately identified and removed; the team is taking further steps to ensure this kind of situation never occurs again.
Published in Testing Assumptions, May 2021
Security Corner: Basics of Password Hashing
By Eric Mann
Every web application that allows users to authenticate needs to ensure their users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement.
Published in Busy Worker Bees, April 2021 — Available for Free
Security Corner: Cooking with Credentials
By Eric Mann
There are many ways to store user credentials for verification on the application side. Only a few of those ways—namely hashing—are considered secure. While an “older” topic, let’s look at how you should store passwords and why it’s vital for every developer to know how to handle sensitive data securely.
Published in Lambda PHP, March 2021
Security Corner: Supply Chain Security
By Eric Mann
The recent security breach of SolarWinds was one of the worst the community has seen in recent years. That isn’t because of the severity of the hack used, but because of its impact on almost all of SolarWinds’ downstream customers. Let’s look at whether something like this could happen in the PHP ecosystem and what we could do to guard against it.
Published in Dealing with Data, February 2021
Security Corner: Enforcing Subresource Integrity
By Eric Mann
Any scripts or styles you include in your web application are called “subresources.” As these files can impact your application’s overall operation, it is critical for writing secure software that you ensure the integrity of any subresource loaded into the page. Otherwise, an untrusted party might inject malware, cryptocurrency miners, or another malicious payload into your users’ browsers.
Published in Newfangled Views, January 2021
Security Corner: Circuit Breakers
By Eric Mann
If your application’s stability depends on the availability of a third-party system, the reliability of that external system becomes critical to the smooth operation of your own. The circuit breaker pattern is a proven way to protect against an unstable system causing problems with yours. Use it, and you won’t be surprised by an unplanned outage at a service you rely on, provoking an outage for your service as well.
Published in PHP 8 Bits and Git, December 2020
Security Corner: Self-obfuscating Value Objects—A Design Pattern for PII
By Eric Mann
Leveraging commonly used and well-defined design patterns is paramount in ensuring your application is stable and maintainable over time. Extending those design patterns to focus on security-first is an effective way of ensuring your application and its data are reliably secure. One such pattern is a Value Object, which can be customized to automatically and transparently obfuscate the value it contains. We can use such an object to protect PII, availing it still for use within your business logic while preventing accidental leaks or disclosing the sensitive data with which you work.
Published in SOLID Foundations, November 2020
Security Corner: Configurable Security
By Eric Mann
Having a tool like Mozilla’s Observatory scan the health of your site is useless if you lack the tools to properly secure it and pass the inspections in the first place. You can set most of the required settings directly in the source of your application.
Published in Running Parallel, October 2020
Security Corner: Observable Security
By Eric Mann
Among the easiest ways to ensure your website or web application is behaving securely is to subject it to objective, third-party security scans. The Mozilla Observatory is one such tool that helps ensure strong security for any system operating on the public Internet. The Observatory automatically scans your website to make sure you correctly configure common security settings to best protect you and your users.
Published in Under the Scope, September 2020
Security Corner: Usable Security
By Eric Mann
An oft-overlooked aspect of any security practice or policy is its usability. Do the checks and controls added for the sake of security make the system harder for end-users to do their jobs? An unusable system will never be fully implemented and will fail to secure even the simplest of platforms.
Published in Data Discipline, August 2020
Security Corner: Information Tokenization
By Eric Mann
Any system dealing with human users collects some information about those users. That information is private and needs to be kept secure. The most effective way to do so is to avoid its storage in the first place, i.e., by tokenizing the data.
Published in Warp Driven Development, July 2020
Security Corner: Cross Site Request Forgery
By Eric Mann
Cross-site request forgery (CSRF) is a security risk where an attacker tricks a visitor into making a malicious request to your site from another, entirely unrelated site in their control. This particular vulnerability seemingly disappeared from most teams’ radars a few years ago but is beginning to reappear in the wild.
Published in Advanced Design & Development, June 2020
Security Corner: Request Replay Protection
By Eric Mann
One of the most overused terms of security is “token.” It’s used in many different, often unrelated contexts to mean very different things. This month we’re going to discuss one form of tokens—replay prevention nonces—and how to use them.
Published in Unsupervised Learning, May 2020
Security Corner: Buzzword Bingo
By Eric Mann
Buzzwords permeate security. It’s vital for everyone working in application development to have a solid understanding of what the most common buzzwords are—partly so they can protect against misusing them.
Published in Machine Learning and OpenAPI, April 2020
Security Corner: Mutual TLS
By Eric Mann
Certificates issued to protect transport layer security (TLS) help identify servers and protect data in transit through encryption. They can also be used to identify clients making the connection. Let’s look at ways to handle TLS configuration and usage correctly in a PHP application.
Published in How Magento is Evolving, March 2020
Security Corner: A Reintroduction to TLS
By Eric Mann
A mid-January warning from the US National Security Agency described a critical security flaw in how the Windows operating system validates cryptographic certificates. As these certificates underpin how TLS (transport layer security) protects the internet at large, it’s essential to understand both what happened and how your development team can avoid similar mistakes.
Published in Cultivating the Developer Experience, February 2020
Security Corner: Seven Deadly Sins of Security
By Eric Mann
While no list regarding security, risks, or best practices can ever be exhaustive, they often serve as decent starting points. Understanding some of the most common classes of security mistakes is a great way to begin a conversation about total application security. The following seven security risks are critical to any application development team; they’re easy mistakes to make but are equally easy to avoid if you keep your eyes open.
Published in New Habits, January 2020
Security Corner: Crypto Streams
By Eric Mann
The goal of any encryption operation is to scramble the patterns in the plaintext source data and otherwise protect its contents by rendering a specific message indistinguishable from random noise. A cryptographically-secure algorithm or implementation is one that can be mathematically proven to render data in such a state—there is no mathematical way to analyze or extract information from a securely encrypted payload. The most important feature of an encryption system, though, is we can revert such a scrambled message to a readable format via a known operation and a specific piece of private information—the decryption key.
Published in Expedition PHP, December 2019
Security Corner: Responsible Encryption
By Eric Mann
As early as 2018, many governments began calling for the tech community to create so-called “responsible encryption.” Their goal is for tech companies to provide blessed “back doors” for law enforcement to decrypt and otherwise inspect messages and data created by citizens within their borders. These calls and the arguments made to support them, however, are horribly misguided and do incredible harm to our overall security and privacy.
Published in Object Orientation, November 2019
Security Corner: Crossing the Streams
By Eric Mann
While not commonly seen in the wild, PHP exposes powerful interfaces empowering applications to manipulate large streams of data directly. Both stream wrappers and filters allow developers to interact with objects too large to fit in memory or which might be ephemeral in nature. Combining these stream interfaces opens up even more possibilities for the savvy developer.
Published in Coding Without Fear, October 2019
Security Corner: Twist and Shout
By Eric Mann
Most self-taught developers in our industry learn to leverage an API long before they spend time learning lower-level coding patterns. This experience isn’t necessarily a bad thing. All the same, it’s important to take some time to dig deeper and better understand the tools and technologies at the core of our trade. Computers are deterministic by nature, so we need to leverage purpose-built random number generators to introduce unpredictability into the system.
Published in Master of Puppets, September 2019 — Available for Free
Security Corner: System Enumeration
By Eric Mann
The first step to protecting your system is to understand the actions, behaviors, and motivations of those who would potentially breach and damage that system. Learning to think like an attacker is excellent. Mastering the tools attackers are likely to use on your platform is even better. The question isn’t whether they’ll get in; it’s what exactly they’ll do once they’ve breached your system.
Published in Renovating Applications with Symfony, August 2019
Security Corner: Defending Against Insider Threats
By Eric Mann
When many people think about security, they naturally think about attacks from external threats and entities. They may originate outside of the application, network, or even organization. What we often fail to realize is the most critical threat is often users already inside your system.
Published in Find the Way With Elasticsearch, July 2019
Security Corner: Credentials and Secrets Management
By Eric Mann
Managing passwords in userland is complicated. Luckily, consumer tools like 1Password and LastPass make it easier than ever to protect user credentials. Unfortunately, this doesn’t help with the credentials used by our servers or code. The ways developers manage application credentials are legion; some are right, others fatally flawed.
Published in How to Tame Your Data, June 2019
Security Corner: Access Control and Authorization
By Eric Mann
Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.
Published in Serverless, ReactPHP, and Expanding Frontiers, May 2019
Security Corner: The Risk of Lists
By Eric Mann
The OWASP Top Ten is required reading for anyone in software development, regardless of whether or not your role focuses on security. It’s a useful guide to get you started thinking from a strong security mindset. Be careful, however, to avoid thinking the list is exhaustive or provides comprehensive security for your application or system.
Published in The New Frontend Fundamentals, April 2019
Security Corner: Intrusion Detection
By Eric Mann
Home security systems are an early warning to potential theft or abuse of our personal property. They’re useful because they alert us (and the police) to a problem before the theft happens. Logging and monitoring of our applications and digital systems can similarly help protect our customers and their data. By leveraging an automated intrusion detection system, our application can catch threats before they have a chance to impact our business.
Published in Building Bridges, March 2019
Security Corner: Egress Lockdown
By Eric Mann
Engineers working on the web are usually well-versed in firewalls. It’s a good practice to limit the potential sources of incoming web traffic; not many engineers focus on limiting approved destinations for outgoing traffic. Locking down a list of approved egress destinations is a strong security stance which limits the potential impact of a breach.
Published in Out on a Limb – February 2019, February 2019
Security Corner: Strong Security Stance in the New Year
By Eric Mann
January is a month all about setting resolutions for the new year. A new diet. A new budget. A new FOSS contribution goal. In 2019, let’s intentionally focus on keeping our projects safe and taking a strong stance on security.
Published in DevOps Depths – January 2019, January 2019
Security Corner: Adventures in Hashing
By Eric Mann
Last month, the PHP community had the opportunity to come together for the excellent php[world] conference in Washington, D.C. As part of the event, we held a hackathon to work through some of the challenges posed by Cryptopals. Some of the cryptographic primitives we discussed were hashes, and it’s useful to take a more in-depth look at what they are and how to use them in PHP.
Published in Better Practice – December 2018, December 2018
Security Corner: Five Risks to Look for In a Code Review
By Eric Mann
Development teams use code review as a way to keep track of one another’s progress on issues and tasks in the work queue. Code reviews are also a stellar way to proactively detect and address security concerns before they become critical to the success of the project.
Published in Generics and Project Success – November 2018, November 2018
Security Corner: Subdomain Takeover
By Eric Mann
In a previous issue, we discussed technical debt—the small compromises made by a development team to ship a product. Over time, every team should try to “pay down” this debt by investing time in refactoring, shoring up unit/integration tests, and conducting deeper code audits. Not every form of technical debt is code-related, though. Infrastructure-related debt can accrue as well and be an enticing target for would-be attackers. This month, we take a look at one such exploit: subdomain takeovers.
Published in Internal Journeys – October 2018, October 2018
Security Corner: Professional Paranoia: Thinking Like an Attacker
By Eric Mann
One thing security professionals in every field have is a cultivated sense of “professional paranoia.” They invest time in understanding and thinking like a potential attacker. As a result, there are fewer ways an attack can surprise—or successfully breach—an application.
Published in Magniphpicent 7.3 – September 2018, September 2018
Security Corner: Secure Tokens
By Eric Mann
Any application aimed at presenting users with a premium, seamless UX must take account of the times when user authentication fails. What happens when a user forgets their password? What can we do to confirm sensitive operations using email or other out-of-band communication? How can we make an application easy to use while also keeping it secure? One mechanism, which protects both password reset links and other secure actions taken by way of an out-of-band confirmation is that of secure tokens.
Published in Masterful Code Management – August 2018, August 2018
Security Corner: Secure Remote Password Authentication
By Eric Mann
A solid practice in protecting user credentials is to never store passwords in plaintext on the server. Modern content management systems and PHP frameworks leverage strong one-way functions to store only hashes of passwords. This technique protects your users should your database ever be breached by an attacker. An even stronger mechanism, however, would never send a plaintext password to the server in the first place.
Published in Navigating State – July 2018, July 2018
Security Corner: Composing Application Security
By Eric Mann
Package managers like Composer make it quick and easy to add third-party libraries to an application. Unfortunately, they can also make it easy to import code that’s not meant to run in production—and might intentionally expose certain vulnerabilities—if your development team isn’t careful.
Published in Command and Control – June 2018, June 2018
Security Corner: Paying Off Technical Debt
By Eric Mann
Every successful development team has two things in common: they’ve shipped a product, and they accepted compromises to make that shipment possible. Every team and every project has technical debt. It comes with the territory when you start building software. Usually, the term “technical debt” is seen as a negative, but that’s not always true.
Published in Treasure, Old & New – May 2018, May 2018
Security Corner: PHP Isolation in Production
By Eric Mann
Developers the world over were in shock this past May as thousands of computers in the UK’s National Health System were rendered inoperable due to a malware attack. Thanks to a previously leaked vulnerability in the Windows operating system, and the notoriously slow rate at which large enterprises apply system patches, hackers were able to infiltrate and infect these systems with specific viruses.
Published in Testing in Practice – April 2018, April 2018
Signed Commits With Git
By Eric Mann
Many developers confuse platforms like GitHub with tools like Git. On the one hand, this is a bit confusing for those trying to learn the terminology we use on a daily basis. On the other hand, the visibility of GitHub—and its fantastic community features—make it easier for developers to get a handle on critical elements of the underlying utility. In recent years, one of the most visible features developers have discovered is commit signing.
Published in Long Running PHP, March 2018
Security Corner: Application-level Data Security
By Eric Mann
Developers often conflate two different modes of data encryption when protecting the systems on which their applications run. One is encryption at rest—actually encrypting the files the database engine uses to persist state to the hard drive. The other is application-level encryption—where the application itself knows the encryption key and protects data directly. These approaches are similar, but they are not the same. It behooves the savvy developer to understand the difference between them and how to leverage both to secure application data fully.
Published in Know Your Tools, February 2018
Security Corner: Updates to the OWASP Top Ten—Logging
By Eric Mann
Last November, the Open Web Application Security Project (OWASP) published a new list of their “top ten” application security risks (ASRs). These are the most commonly encountered coding and security issues on the web according to an industry survey and the opinion of leading developers in the field. One of the newer ASRs to make the list is Insufficient Logging and Monitoring, something every PHP application can easily avoid.
Published in Setting Up to Succeed, January 2018
Security Corner: PHP, meet Libsodium
By Eric Mann
By the time you read this, the PHP community should have introduced the world to the newest version of our favorite language. This latest version adds better support for type annotations, allows trailing commas in lists (just like JavaScript and other dynamic languages) and introduced several security improvements. The most notable security addition, however, is the introduction of the Sodium cryptographic library as a core extension.
Published in Talking Code, December 2017 — Available for Free