Security
Developer's perspective
Why to write secure code?
To protect the data and people
- Business Critical Data
- Personal Identifiable Data
- User Identities
So, do we have to focus on data protection and that's it?
Yes!*
*if you can agree with every hacker in the world to do not ever try to hack your projects
Security is never ending exercise
- New code
- New tools
- New vulnerabilities
- New exploits
There are always
Is it the right time to get into Panic Mode?
How to handle security then?
- Write secure code
- Mitigate Vulnerability Consequences
- Limit vector of potential attack
- Secure access to databases on all levels
Writing secure code
- Follow best practises
- Think critical
Writing secure code
Writing secure code
Who knows what it stands for?
Open Web Application Security Project
OWASP
Mitigate Consequences
Think like you're hacked and the data has leaked
Mitigate Consequences
Oh, probably we should not have stored credit card details in the database....
Actually, we should not have captured passport details on the app to order pizza...
Think like you're hacked and the data has leaked
GET RID OF THE DATA YOU DON'T NEED
Limit vector of attack
- Secure browser headers (i.e. https://securityheaders.com)
- Make sure file system is not writable by PHP user*
- Run Penetration Testing tools (i.e. https://detectify.com)
- And so on
Secure Access to Database
- Server(s)
- Backups (!!)
- Production site
- Web-accessible dev envs
- Local dev envs
How hard is to get to
?
Secure Access to Databases
for the Production site
Every user with access to some private data is potential source of data leak
Secure Access to Databases
for the Production site
- Two Factor Auth
- Login Alerts
- Password policies
- Accounts expiration for staff