Posts marked with “security”
Security Corner: System Enumeration
The first step to protecting your system is to understand the actions, behaviors, and motivations of those who would potentially breach and damage that system. Learning to think like an attacker is excellent. Mastering the tools attackers are likely to use on your platform is even better. The question isn’t whether they’ll get in, it’s what exactly they’ll do once they’ve breached your system.
Elasticsearch, Defensive Coding, and Maura Teal
Working with Elasticsearch, defensive coding practices, Maura Teal on her WordPress talks, preventing burnout, and more in Episode 22.
Find the Way With Elasticsearch
How are you going to find that? As your content grows, or once you need to integrate with real-world places and addresses, you don’t want to implement a search engine on your own. Instead, leverage the rich feature set of an established solution like Elasticsearch. This month we look at how to integrate it with your PHP application and use it to provide location-based search results.
Security Corner: Defending Against Insider Threats
When many people think about security, they naturally think about attacks from external threats and entities. They may originate outside of the application, network, or even organization. What we often fail to realize is the most critical threat is often users already inside your system.
Defensive Coding Crash Course
Ensuring software reliability, resiliency, and recoverability is best achieved by practicing effective defensive coding. Take a crash course in defensive coding with PHP as we cover attack surfaces, input validation, canonicalization, secure type checking, external library vetting, cryptographic agility, exception management, automatic code analysis, peer code reviews, and automated testing. Learn some helpful tips and […]
Security Corner: Credentials and Secrets Management
Managing passwords in userland is complicated. Luckily, consumer tools like 1Password and LastPass make it easier than ever to protect user credentials. Unfortunately, this doesn’t help with the credentials used by our servers or code. The ways developers manage application credentials are legion; some are right, others fatally flawed.
Security Corner: Access Control and Authorization
Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.
Meet the php[tek] Security Chairs
We’ve re-imagined the format of php[tek] this year in response to feedback from past attendees. We kept hearing a desire for a more cohesive, curated conference schedule which allows speakers to dig deeper into a topic than a general 50-minute talk permits. So we’re organizing the talks into eight focused tracks, where one talk builds […]
Security Corner: The Risk of Lists
The OWASP Top Ten is required reading for anyone in software development, regardless of whether or not your role focuses on security. It’s a useful guide to get you started thinking from a strong security mindset. Be careful, however, to avoid thinking the list is exhaustive or provides comprehensive security for your application or system.