Er Galvão Abbott, profile picture
Uploaded byEr Galvão Abbott
ODP, PDF1,247 views

Implementing security routines with zf2

The document discusses implementing security routines in Zend Framework 2, covering topics like authentication, brute force protection, password recovery, cryptography, authorization, and data filtering/validation. It provides code examples and best practices for each topic, such as using services for authentication and cryptography, logging authentication attempts as events, and using the Zend\Permission\Acl component for authorization.

Embed presentation

Downloaded 19 times
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Implementing Security Routines with Zend Framework 2 by Er Galvão Abbott Authentication Filter & Validation Password Recovery Cryptography Authorization CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34 Brute-Force
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil. Works for 20 years developing web interfaced systems and applications, being 15 of those with PHP and 7 with Zend Framework. Have worked with several companies, both local and off-shore. Talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group that counts with more than 1.200 registered users. Site: http://www.galvao.eti.br/ Twitter: @galvao Slides and Documents: http://slideshare.net/ergalvao https://speakerdeck.com/galvao Github: http://github.com/galvao Who?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 2 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Goal Discuss in both conceptual and technical detail about how to implement Security Routines with Zend Framework 2. I'll present the following topics: → Authentication → Brute-force protection → Password recovery → Cryptography → Authorization → Data Filtering and Validation CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 3 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 4 / 34 * Not the framework (Hilarious!) Before we begin
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: Disclaimer (or the “Not my fault” part) !Perfect|Complete $this is... !Fool proof !The only|right way Found out an example why? Let me know! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 5 / 34 * Not the framework (Hilarious!) Before we begin
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 6 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication ZfcUser, right?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 7 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication ZfcUser, right?! YES! Well... CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 8 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Let's talk about wheels... Authentication If you don't [want to]know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 9 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Let's talk about wheels... Authentication If you don't [want to]know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser if you do... Authentication Crypt Filter Form CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 10 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Now that we've put that aside... Authentication Authentication → Service* Cryptography → (Can also be a) Service* Authentication attempts → Event * Yes, yes, it could be done as a Module, Plugin, etc... -.-” CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 11 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication Show me the code! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 12 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br code Authentication & Cryptography << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 13 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br code Cryptography << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 14 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br code Authentication << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 15 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br code Authentication << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 16 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Password Recovery CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 17 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Password Recovery CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 18 / 34 Checklist 1. User doesn't “need to change pwd” already; 2. User is “active”; 3. Randomize a temporary pwd; 4. Randomize a temporary, short-life, token; 5. Send a tokenized link for the user to change his pwd; 6. He must correctly enter the temp pwd; 7. If the new pwd and/or token expires, inactivate, make him contact support; 8. Else, change the pwd, mark the user as “OK”. 9. If any step fails, see step 7! For your randomization needs: https://github.com/galvao/PHPToolkit* * Shameless advertising detected!
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Password Recovery Key points Know what to do and what to avoid Lazyness and “user-comfortcentrism” are your enemies CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 19 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Brute Force CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 20 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Brute Force CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 21 / 34 It's all about TIME 1. Generate a timestamp; 2. Log the attempt; 3. Get previous attempt timestamp; 4. Interval = current - previous 5. If the interval is suspicious, lock the user out; 6. If x unsucessful attempts, lock the user out;
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Brute Force Show me the code! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 22 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br code Brute Force << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 23 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authorization CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 24 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authorization The relation between roles and resources. Roles can inherit from other roles. Resources may be available to multiple roles. It's all about CAN & CAN'T A few not-so-obvious-things to consider: 1. Everyone has a role; 2. Static storage > Dynamic storage; 3. Ideally, role of the current user should be fetched dynamically... 4. … and a user's role should be “immutable”. CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 25 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authorization ZendPermissionAcl CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 26 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 27 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation A few not-so-obvious-things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 28 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation A few not-so-obvious-things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. (Keep It Simple, Stupid...) CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 29 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation A few not-so-obvious-things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!) CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 30 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation Flexibility in ZF2 In the form Filter & Validation In the model Separated CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 31 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation Show me the code! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 32 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br code Filter & Validation << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 33 / 34
Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Muchas gracias! ? Questions? ↓ Criticism? ↑ Complements?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 34 / 34

More Related Content

ODP
TangoWithDjango - ch8
byAsika Kuo
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
PPTX
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PDF
Instant ACLs with Zend Framework 2
byStefano Valle
 
PDF
Php web app security (eng)
byAnatoliy Okhotnikov
 
PPS
Authentication with zend framework
byGeorge Mihailov
 
PDF
Web application security (eng)
byAnatoliy Okhotnikov
 
TangoWithDjango - ch8
byAsika Kuo
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
Instant ACLs with Zend Framework 2
byStefano Valle
 
Php web app security (eng)
byAnatoliy Okhotnikov
 
Authentication with zend framework
byGeorge Mihailov
 
Web application security (eng)
byAnatoliy Okhotnikov
 

What's hot

PPS
Hacking Client Side Insecurities
byamiable_indian
 
PDF
How to Implement Token Authentication Using the Django REST Framework
byKaty Slemon
 
PDF
Hacking the Grails Spring Security 2.0 Plugin
byBurt Beckwith
 
PDF
Stateless authentication for microservices
byAlvaro Sanchez-Mariscal
 
PPTX
JWT Authentication with AngularJS
byrobertjd
 
PDF
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
PDF
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
byAndrey Devyatkin
 
PDF
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
byNaoki Nagazumi
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PDF
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
byMatt Raible
 
PDF
Super simple application security with Apache Shiro
byMarakana Inc.
 
PDF
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
byJava User Group Latvia
 
PDF
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
byAntonio Sanso
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PDF
Testing untestable code - oscon 2012
byStephan Hochdörfer
 
PDF
Real World Dependency Injection - IPC11 Spring Edition
byStephan Hochdörfer
 
PDF
2016 pycontw web api authentication
byMicron Technology
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
PDF
Real World Dependency Injection - PFCongres 2010
byStephan Hochdörfer
 
PDF
From 0 to Spring Security 4.0
byrobwinch
 
Hacking Client Side Insecurities
byamiable_indian
 
How to Implement Token Authentication Using the Django REST Framework
byKaty Slemon
 
Hacking the Grails Spring Security 2.0 Plugin
byBurt Beckwith
 
Stateless authentication for microservices
byAlvaro Sanchez-Mariscal
 
JWT Authentication with AngularJS
byrobertjd
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
byAndrey Devyatkin
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
byNaoki Nagazumi
 
Single-Page-Application & REST security
byIgor Bossenko
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
byMatt Raible
 
Super simple application security with Apache Shiro
byMarakana Inc.
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
byJava User Group Latvia
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
byAntonio Sanso
 
W3 conf hill-html5-security-realities
byBrad Hill
 
Testing untestable code - oscon 2012
byStephan Hochdörfer
 
Real World Dependency Injection - IPC11 Spring Edition
byStephan Hochdörfer
 
2016 pycontw web api authentication
byMicron Technology
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
Real World Dependency Injection - PFCongres 2010
byStephan Hochdörfer
 
From 0 to Spring Security 4.0
byrobwinch
 

Similar to Implementing security routines with zf2

PDF
The Security Code Review Guide
byNicola Pietroluongo
 
PPTX
Ebu class edgescan-2017
byEoin Keary
 
ODP
User Credential handling in Web Applications done right
bytladesignz
 
PPTX
My first zf presentation part two
byisaaczfoster
 
PPT
3 secure design principles
bydrewz lin
 
PDF
Cryptography in PHP: Some Use Cases
byZend by Rogue Wave Software
 
PDF
Cryptography with Zend Framework
byEnrico Zimuel
 
PDF
Security 202 - Are you sure your site is secure?
byConFoo
 
PPTX
Php security common 2011
by10n Software, LLC
 
PDF
Dip Your Toes in the Sea of Security (PHP UK 2016)
byJames Titcumb
 
PDF
Zend
byMohamed Ramadan
 
PDF
Zend Framework 2 Patterns
byZend by Rogue Wave Software
 
PPS
Implementing access control with zend framework
byGeorge Mihailov
 
PDF
Dip Your Toes in the Sea of Security
byJames Titcumb
 
PDF
Dip Your Toes in the Sea of Security (CoderCruise 2017)
byJames Titcumb
 
PDF
Dip Your Toes In The Sea Of Security (PHPNW16)
byJames Titcumb
 
PDF
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
byJames Titcumb
 
PPT
Smolen Alex Securing The Mvc Architecture Part One
byalsmola
 
PDF
Dip Your Toes in the Sea of Security (IPC Fall 2017)
byJames Titcumb
 
PDF
Dip Your Toes in the Sea of Security (ConFoo YVR 2017)
byJames Titcumb
 
The Security Code Review Guide
byNicola Pietroluongo
 
Ebu class edgescan-2017
byEoin Keary
 
User Credential handling in Web Applications done right
bytladesignz
 
My first zf presentation part two
byisaaczfoster
 
3 secure design principles
bydrewz lin
 
Cryptography in PHP: Some Use Cases
byZend by Rogue Wave Software
 
Cryptography with Zend Framework
byEnrico Zimuel
 
Security 202 - Are you sure your site is secure?
byConFoo
 
Php security common 2011
by10n Software, LLC
 
Dip Your Toes in the Sea of Security (PHP UK 2016)
byJames Titcumb
 
Zend
byMohamed Ramadan
 
Zend Framework 2 Patterns
byZend by Rogue Wave Software
 
Implementing access control with zend framework
byGeorge Mihailov
 
Dip Your Toes in the Sea of Security
byJames Titcumb
 
Dip Your Toes in the Sea of Security (CoderCruise 2017)
byJames Titcumb
 
Dip Your Toes In The Sea Of Security (PHPNW16)
byJames Titcumb
 
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
byJames Titcumb
 
Smolen Alex Securing The Mvc Architecture Part One
byalsmola
 
Dip Your Toes in the Sea of Security (IPC Fall 2017)
byJames Titcumb
 
Dip Your Toes in the Sea of Security (ConFoo YVR 2017)
byJames Titcumb
 

More from Er Galvão Abbott

PDF
Proposta de Boas Práticas e Padrões de Desenvolvimento Web
byEr Galvão Abbott
 
PDF
Desenvolvendo aplicações com ZF2
byEr Galvão Abbott
 
PDF
DRYing the Skeleton: Reducing code repetition in ZF2
byEr Galvão Abbott
 
PDF
Unbreakeable php
byEr Galvão Abbott
 
PDF
Apresentacao frameworks
byEr Galvão Abbott
 
ODP
OSS, Comunidade, Eventos e como sua empresa ganha com isso
byEr Galvão Abbott
 
ODP
Php7 esta chgando! O que você precisa saber
byEr Galvão Abbott
 
ODP
Otimizando a execução de código-fonte PHP
byEr Galvão Abbott
 
ODP
Web: funcionamento, evolução e mercado
byEr Galvão Abbott
 
PDF
Tudo o que você precisa saber sobre o php7
byEr Galvão Abbott
 
PDF
ZF2 Menor, melhor e mais poderoso
byEr Galvão Abbott
 
PDF
PHP: Evolução
byEr Galvão Abbott
 
ODP
Implementando rotinas de geolocalização
byEr Galvão Abbott
 
ODP
PHP e Open Source
byEr Galvão Abbott
 
PDF
Segurança PHP em 2016
byEr Galvão Abbott
 
PDF
Preto, Branco e as Sombras de Cinza
byEr Galvão Abbott
 
PDF
PHPBR TestFest
byEr Galvão Abbott
 
ODP
OWASP: O que, Por que e Como
byEr Galvão Abbott
 
PDF
Além da autenticação: Permissões de acesso com Zend Framework
byEr Galvão Abbott
 
PDF
ABRAPHP: Conquistas e Realizações - 2012-2014
byEr Galvão Abbott
 
Proposta de Boas Práticas e Padrões de Desenvolvimento Web
byEr Galvão Abbott
 
Desenvolvendo aplicações com ZF2
byEr Galvão Abbott
 
DRYing the Skeleton: Reducing code repetition in ZF2
byEr Galvão Abbott
 
Unbreakeable php
byEr Galvão Abbott
 
Apresentacao frameworks
byEr Galvão Abbott
 
OSS, Comunidade, Eventos e como sua empresa ganha com isso
byEr Galvão Abbott
 
Php7 esta chgando! O que você precisa saber
byEr Galvão Abbott
 
Otimizando a execução de código-fonte PHP
byEr Galvão Abbott
 
Web: funcionamento, evolução e mercado
byEr Galvão Abbott
 
Tudo o que você precisa saber sobre o php7
byEr Galvão Abbott
 
ZF2 Menor, melhor e mais poderoso
byEr Galvão Abbott
 
PHP: Evolução
byEr Galvão Abbott
 
Implementando rotinas de geolocalização
byEr Galvão Abbott
 
PHP e Open Source
byEr Galvão Abbott
 
Segurança PHP em 2016
byEr Galvão Abbott
 
Preto, Branco e as Sombras de Cinza
byEr Galvão Abbott
 
PHPBR TestFest
byEr Galvão Abbott
 
OWASP: O que, Por que e Como
byEr Galvão Abbott
 
Além da autenticação: Permissões de acesso com Zend Framework
byEr Galvão Abbott
 
ABRAPHP: Conquistas e Realizações - 2012-2014
byEr Galvão Abbott
 

Recently uploaded

PDF
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
PDF
Princeton RSE: What's new in Python π (3.14)
byHenry Schreiner
 
PDF
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
PPTX
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
PDF
Shaping Your 2026 Testing Strategy | Applitools Product Pulse - January 2026
byApplitools
 
PDF
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
PDF
Princeton RSE: Python Histograms as objects
byHenry Schreiner
 
PPTX
Orion Context Broker introduction 20260114
byFermin Galan
 
PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PDF
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
PDF
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
PDF
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
PDF
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
PDF
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
PPTX
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
PDF
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
PPTX
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
PDF
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
PDF
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
PDF
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
Princeton RSE: What's new in Python π (3.14)
byHenry Schreiner
 
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
Shaping Your 2026 Testing Strategy | Applitools Product Pulse - January 2026
byApplitools
 
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
Princeton RSE: Python Histograms as objects
byHenry Schreiner
 
Orion Context Broker introduction 20260114
byFermin Galan
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 

Implementing security routines with zf2

  • 1.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Implementing Security Routines with Zend Framework 2 by Er Galvão Abbott Authentication Filter & Validation Password Recovery Cryptography Authorization CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34 Brute-Force
  • 2.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil. Works for 20 years developing web interfaced systems and applications, being 15 of those with PHP and 7 with Zend Framework. Have worked with several companies, both local and off-shore. Talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group that counts with more than 1.200 registered users. Site: http://www.galvao.eti.br/ Twitter: @galvao Slides and Documents: http://slideshare.net/ergalvao https://speakerdeck.com/galvao Github: http://github.com/galvao Who?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 2 / 34
  • 3.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Goal Discuss in both conceptual and technical detail about how to implement Security Routines with Zend Framework 2. I'll present the following topics: → Authentication → Brute-force protection → Password recovery → Cryptography → Authorization → Data Filtering and Validation CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 3 / 34
  • 4.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 4 / 34 * Not the framework (Hilarious!) Before we begin
  • 5.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: Disclaimer (or the “Not my fault” part) !Perfect|Complete $this is... !Fool proof !The only|right way Found out an example why? Let me know! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 5 / 34 * Not the framework (Hilarious!) Before we begin
  • 6.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authentication CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 6 / 34
  • 7.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authentication ZfcUser, right?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 7 / 34
  • 8.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authentication ZfcUser, right?! YES! Well... CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 8 / 34
  • 9.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Let's talk about wheels... Authentication If you don't [want to]know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 9 / 34
  • 10.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Let's talk about wheels... Authentication If you don't [want to]know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser if you do... Authentication Crypt Filter Form CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 10 / 34
  • 11.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Now that we've put that aside... Authentication Authentication → Service* Cryptography → (Can also be a) Service* Authentication attempts → Event * Yes, yes, it could be done as a Module, Plugin, etc... -.-” CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 11 / 34
  • 12.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authentication Show me the code! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 12 / 34
  • 13.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br code Authentication & Cryptography << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 13 / 34
  • 14.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br code Cryptography << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 14 / 34
  • 15.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br code Authentication << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 15 / 34
  • 16.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br code Authentication << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 16 / 34
  • 17.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Password Recovery CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 17 / 34
  • 18.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Password Recovery CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 18 / 34 Checklist 1. User doesn't “need to change pwd” already; 2. User is “active”; 3. Randomize a temporary pwd; 4. Randomize a temporary, short-life, token; 5. Send a tokenized link for the user to change his pwd; 6. He must correctly enter the temp pwd; 7. If the new pwd and/or token expires, inactivate, make him contact support; 8. Else, change the pwd, mark the user as “OK”. 9. If any step fails, see step 7! For your randomization needs: https://github.com/galvao/PHPToolkit* * Shameless advertising detected!
  • 19.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Password Recovery Key points Know what to do and what to avoid Lazyness and “user-comfortcentrism” are your enemies CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 19 / 34
  • 20.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Brute Force CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 20 / 34
  • 21.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Brute Force CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 21 / 34 It's all about TIME 1. Generate a timestamp; 2. Log the attempt; 3. Get previous attempt timestamp; 4. Interval = current - previous 5. If the interval is suspicious, lock the user out; 6. If x unsucessful attempts, lock the user out;
  • 22.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Brute Force Show me the code! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 22 / 34
  • 23.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br code Brute Force << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 23 / 34
  • 24.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authorization CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 24 / 34
  • 25.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authorization The relation between roles and resources. Roles can inherit from other roles. Resources may be available to multiple roles. It's all about CAN & CAN'T A few not-so-obvious-things to consider: 1. Everyone has a role; 2. Static storage > Dynamic storage; 3. Ideally, role of the current user should be fetched dynamically... 4. … and a user's role should be “immutable”. CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 25 / 34
  • 26.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Authorization ZendPermissionAcl CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 26 / 34
  • 27.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Filter / Validation CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 27 / 34
  • 28.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Filter / Validation A few not-so-obvious-things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 28 / 34
  • 29.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Filter / Validation A few not-so-obvious-things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. (Keep It Simple, Stupid...) CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 29 / 34
  • 30.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Filter / Validation A few not-so-obvious-things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!) CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 30 / 34
  • 31.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Filter / Validation Flexibility in ZF2 In the form Filter & Validation In the model Separated CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 31 / 34
  • 32.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Filter / Validation Show me the code! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 32 / 34
  • 33.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br code Filter & Validation << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 33 / 34
  • 34.
    Implementing Security Routineswith Zend Framework 2 www.galvao.eti.br Muchas gracias! ? Questions? ↓ Criticism? ↑ Complements?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 34 / 34