Implementing Security Routines with Zend Framework 2 www.galvao.eti.br 
Implementing Security Routines with Zend Framework 2
by Er Galvão Abbott
Topics: Authentication, Filter & Validation, Password Recovery, Cryptography, Authorization, Brute-Force
CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34
Who?!
Er Galvão Abbott is the President of ABRAPHP (Brazilian Association of PHP Professionals) and Director of PHP Conference Brasil.
He has been developing web-interfaced systems and applications for 20 years, 15 of those with PHP and 7 with Zend Framework, and has worked with several companies, both local and off-shore.
He talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group with more than 1,200 registered users.
Site: http://www.galvao.eti.br/
Twitter: @galvao
Slides and Documents: http://slideshare.net/ergalvao and https://speakerdeck.com/galvao
Github: http://github.com/galvao
Goal
Discuss, in both conceptual and technical detail, how to implement Security Routines with Zend Framework 2.
I'll present the following topics:
→ Authentication
→ Brute-force protection
→ Password recovery
→ Cryptography
→ Authorization
→ Data Filtering and Validation
Before we begin
Security != a piece of cake*
Why? Because, for example, I'm required to tell you this:
Disclaimer (or the “Not my fault” part)
$this is... !Perfect|Complete, !Fool proof, !The only|right way
Found an example of why? Let me know!
* Not the framework (Hilarious!)
Authentication
ZfcUser, right?!
YES! Well...
Let's talk about wheels...
If you don't [want to] know much about security...
http://modules.zendframework.com/ZF-Commons/ZfcUser
If you do... build on the ZF2 components: Authentication, Crypt, Filter, Form
Now that we've put that aside...
Authentication → Service*
Cryptography → (Can also be a) Service*
Authentication attempts → Event
* Yes, yes, it could be done as a Module, Plugin, etc... -.-”
Show me the code!
(code slide: Authentication & Cryptography; the code was shown as an image and is not in the transcript)
(code slide: Cryptography; image, not in the transcript)
(code slide: Authentication; image, not in the transcript)
(code slide: Authentication, continued; image, not in the transcript)
Password Recovery
Checklist
1. User doesn't “need to change pwd” already;
2. User is “active”;
3. Randomize a temporary pwd;
4. Randomize a temporary, short-life, token;
5. Send a tokenized link for the user to change his pwd;
6. He must correctly enter the temp pwd;
7. If the new pwd and/or token expires, inactivate, make him contact support;
8. Else, change the pwd, mark the user as “OK”.
9. If any step fails, see step 7!
For your randomization needs: https://github.com/galvao/PHPToolkit*
* Shameless advertising detected!
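The nine steps of the checklist as one service, as an added example that is not the slides' own code (nor PHPToolkit). The token lifetime, the recovery URL, the in-memory user array and the mailer callback are assumptions.

```php
<?php
// Added example, not the slides' own code: the recovery checklist as one service.
// The user store, mailer callback, URL and 15-minute token life are hypothetical.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;
use Zend\Crypt\Utils;
use Zend\Math\Rand;

class PasswordRecoveryService
{
    const TOKEN_TTL = 900;  // seconds: short-life token (step 4)
    const ALPHABET  = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

    private $users;     // username => array(email, hash, active, must_change, status, ...)
    private $bcrypt;
    private $sendMail;  // callable(string $to, string $link, string $tempPwd)

    public function __construct(array &$users, $sendMail)
    {
        $this->users    = &$users;
        $this->bcrypt   = new Bcrypt(array('cost' => 10));
        $this->sendMail = $sendMail;
    }

    // Steps 1-5. Returns true only when a mail was sent; the caller shows the same
    // neutral message either way so the response does not reveal account state.
    public function requestReset($username, $now = null)
    {
        $now = $now ?: time();
        if (!isset($this->users[$username])) {
            return false;
        }
        $u = &$this->users[$username];
        if ($u['must_change'] || !$u['active']) {                        // 1, 2
            return false;
        }
        $tempPwd = Rand::getString(12, self::ALPHABET, true);           // 3 (strong RNG)
        $token   = Rand::getString(40, self::ALPHABET, true);           // 4
        $u['temp_hash']   = $this->bcrypt->create($tempPwd);
        $u['token_hash']  = hash('sha256', $token);                      // store a digest, not the token
        $u['expires']     = $now + self::TOKEN_TTL;
        $u['must_change'] = true;
        $link = 'https://example.invalid/recover?u=' . rawurlencode($username) . '&t=' . $token;
        call_user_func($this->sendMail, $u['email'], $link, $tempPwd);  // 5
        return true;
    }

    // Steps 6-9. Any failure (expired, wrong token, wrong temp pwd) inactivates the account.
    public function completeReset($username, $token, $tempPwd, $newPwd, $now = null)
    {
        $now = $now ?: time();
        if (!isset($this->users[$username]) || !$this->users[$username]['must_change']) {
            return false;
        }
        $u = &$this->users[$username];
        $expired = !isset($u['expires']) || $now > $u['expires'];
        $tokenOk = isset($u['token_hash']) && Utils::compareStrings($u['token_hash'], hash('sha256', $token));
        $pwdOk   = isset($u['temp_hash']) && $this->bcrypt->verify($tempPwd, $u['temp_hash']);   // 6
        unset($u['temp_hash'], $u['token_hash'], $u['expires']);         // single use, whatever happens
        if ($expired || !$tokenOk || !$pwdOk) {                          // 7, 9
            $u['active'] = false;
            $u['status'] = 'contact support';
            return false;
        }
        $u['hash']        = $this->bcrypt->create($newPwd);              // 8
        $u['must_change'] = false;
        $u['status']      = 'OK';
        return true;
    }
}

// Constructed user store and a mailer that just captures what would be sent.
$bcrypt = new Bcrypt(array('cost' => 10));
$users  = array('alice' => array(
    'email' => 'alice@example.invalid', 'hash' => $bcrypt->create('old password'),
    'active' => true, 'must_change' => false, 'status' => 'OK',
));
$outbox = array();
$svc = new PasswordRecoveryService($users, function ($to, $link, $tempPwd) use (&$outbox) {
    $outbox[] = array('to' => $to, 'link' => $link, 'temp' => $tempPwd);
});

$svc->requestReset('alice');
parse_str(parse_url($outbox[0]['link'], PHP_URL_QUERY), $query);             // the user follows the link...
$svc->completeReset('alice', $query['t'], 'not the temp pwd', 'new password'); // ...but types the wrong temp pwd
echo 'alice: ', $users['alice']['status'], ', active=', var_export($users['alice']['active'], true), PHP_EOL;
```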
Key points
Know what to do and what to avoid
Laziness and “user-comfort-centrism” are your enemies
Brute Force
It's all about TIME
1. Generate a timestamp;
2. Log the attempt;
3. Get previous attempt timestamp;
4. Interval = current - previous;
5. If the interval is suspicious, lock the user out;
6. If x unsuccessful attempts, lock the user out.
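The three arrows from the Authentication section (authentication as a service, cryptography as a service, attempts as an event) and the timing checklist above, wired together in one added example that is not the slides' own code. The Bcrypt cost, the 2-second interval, the 5-failure limit and the in-memory user store are assumptions.

```php
<?php
// Added example, not the slides' own code: authentication as a service, hashing as
// a separate service, and every attempt raised as an event consumed by a brute-force
// listener. Assumes ZF2 via Composer; thresholds and the user store are hypothetical.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;
use Zend\EventManager\EventInterface;
use Zend\EventManager\EventManager;

// Cryptography service: the only class that knows how passwords are hashed.
class PasswordService
{
    private $bcrypt;
    public function __construct($cost = 12) { $this->bcrypt = new Bcrypt(array('cost' => $cost)); }
    public function hash($plain)            { return $this->bcrypt->create($plain); }
    public function verify($plain, $hash)   { return $this->bcrypt->verify($plain, $hash); }
}

// Brute-force listener: "it's all about TIME". Comments follow the checklist's step numbers.
class BruteForceListener
{
    const MIN_INTERVAL = 2;  // seconds; a retry faster than a human can type is suspicious
    const MAX_FAILURES = 5;  // x consecutive failures lock the account
    private $attempts = array();  // identity => list of array('ts' => int, 'ok' => bool)
    private $locked   = array();

    public function onAttempt(EventInterface $e)
    {
        $identity = $e->getParam('identity');
        $now      = $e->getParam('timestamp');                                   // 1. timestamp
        $log      = isset($this->attempts[$identity]) ? $this->attempts[$identity] : array();
        $previous = empty($log) ? null : end($log);                              // 3. previous attempt
        $log[]    = array('ts' => $now, 'ok' => (bool) $e->getParam('success')); // 2. log the attempt
        $this->attempts[$identity] = $log;

        if ($previous !== null && ($now - $previous['ts']) < self::MIN_INTERVAL) { // 4. interval, 5. suspicious
            $this->locked[$identity] = true;
            return;
        }
        $failures = 0;                                                           // 6. x unsuccessful attempts
        foreach ($log as $entry) {
            $failures = $entry['ok'] ? 0 : $failures + 1;
        }
        if ($failures >= self::MAX_FAILURES) {
            $this->locked[$identity] = true;
        }
    }

    public function isLocked($identity) { return !empty($this->locked[$identity]); }
}

// Authentication adapter: compares a credential, delegates hashing, announces the attempt.
class UserAdapter implements AdapterInterface
{
    private $users, $passwords, $events, $guard, $identity, $credential;

    public function __construct(array $users, PasswordService $p, EventManager $ev, BruteForceListener $g)
    {
        $this->users = $users; $this->passwords = $p; $this->events = $ev; $this->guard = $g;
    }

    public function setCredentials($identity, $credential)
    {
        $this->identity = $identity; $this->credential = $credential;
        return $this;
    }

    public function authenticate()
    {
        $ok = isset($this->users[$this->identity])
            && $this->passwords->verify($this->credential, $this->users[$this->identity]['hash']);

        // Attempt -> event. Listeners (lockout, audit log, alerting) decide what to do with it.
        $this->events->trigger('auth.attempt', $this, array(
            'identity' => $this->identity, 'success' => $ok, 'timestamp' => time(),
        ));
        // Checked after the event so a lock raised by this very attempt still refuses it.
        if ($this->guard->isLocked($this->identity)) {
            return new Result(Result::FAILURE_UNCATEGORIZED, null, array('Account locked'));
        }
        return $ok ? new Result(Result::SUCCESS, $this->identity)
                   : new Result(Result::FAILURE_CREDENTIAL_INVALID, null, array('Invalid credentials'));
    }
}

// Wiring (in a real module this is service-manager configuration).
$passwords = new PasswordService(10);
$users     = array('alice' => array('hash' => $passwords->hash('correct horse battery staple'))); // constructed
$events    = new EventManager();
$guard     = new BruteForceListener();
$events->attach('auth.attempt', array($guard, 'onAttempt'));

$adapter = new UserAdapter($users, $passwords, $events, $guard);
$auth    = new AuthenticationService(new NonPersistent(), $adapter);

// Two attempts within MIN_INTERVAL: the second is refused even though the password is right.
$adapter->setCredentials('alice', 'wrong guess');
echo implode(' ', $auth->authenticate()->getMessages()), PHP_EOL;
$adapter->setCredentials('alice', 'correct horse battery staple');
echo implode(' ', $auth->authenticate()->getMessages()), PHP_EOL;
echo $auth->hasIdentity() ? 'identity stored' : 'no identity stored', PHP_EOL;
```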
Show me the code!
(code slide: Brute Force; the code was shown as an image and is not in the transcript)
Authorization
The relation between roles and resources.
Roles can inherit from other roles.
Resources may be available to multiple roles.
It's all about CAN & CAN'T
A few not-so-obvious things to consider:
1. Everyone has a role;
2. Static storage > Dynamic storage;
3. Ideally, the role of the current user should be fetched dynamically...
4. ... and a user's role should be “immutable”.
Zend\Permissions\Acl
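The four points above with Zend\Permissions\Acl, as an added example that is not the slides' code; the role names, resources, privileges and the identity array are assumptions.

```php
<?php
// Added example, not the slides' own code: a static Zend\Permissions\Acl definition
// plus a guard that derives the role from the authenticated identity, never from the request.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
use Zend\Permissions\Acl\Role\GenericRole as Role;

// 2. Static storage: the role/resource graph lives in code (or read-only config),
//    not in a table that an application bug or a compromised account can rewrite.
function buildAcl()
{
    $acl = new Acl();

    $acl->addRole(new Role('guest'));
    $acl->addRole(new Role('member'), 'guest');   // member inherits every guest rule
    $acl->addRole(new Role('editor'), 'member');  // editor inherits member (and so guest)
    $acl->addRole(new Role('admin'));             // no parent: admin rules are spelled out

    $acl->addResource(new Resource('article'));
    $acl->addResource(new Resource('comment'));
    $acl->addResource(new Resource('user-admin'));

    // Acl denies everything not explicitly allowed: CAN'T is the default.
    $acl->allow('guest', 'article', 'view');                 // one resource, many roles via inheritance
    $acl->allow('member', 'comment', array('view', 'add'));
    $acl->allow('editor', 'article', array('add', 'edit'));
    $acl->deny('editor', 'article', 'delete');               // a role's own rule wins over inherited ones
    $acl->allow('admin');                                    // all resources, all privileges

    return $acl;
}

// 1. Everyone has a role: an anonymous visitor is 'guest', never "no role".
// 3./4. The role is read from the authenticated identity on every request; it is not
//       accepted from the request itself (query string, cookie, hidden field).
function roleOf($identity)
{
    return ($identity === null) ? 'guest' : $identity['role'];
}

function can(Acl $acl, $identity, $resource, $privilege)
{
    return $acl->isAllowed(roleOf($identity), $resource, $privilege);
}

// Constructed identities: null stands for "not logged in".
$acl    = buildAcl();
$checks = array(
    array(null,                      'article',    'view'),    // guest reads articles
    array(array('role' => 'member'), 'article',    'view'),    // rule inherited from guest
    array(array('role' => 'member'), 'article',    'edit'),    // no rule: default deny
    array(array('role' => 'editor'), 'article',    'delete'),  // explicit deny
    array(array('role' => 'admin'),  'user-admin', 'delete'),  // admin: everything
);
foreach ($checks as $c) {
    printf("%-6s %-10s %-6s -> %s\n", roleOf($c[0]), $c[1], $c[2],
        can($acl, $c[0], $c[1], $c[2]) ? 'CAN' : "CAN'T");
}
```

Note that isAllowed() throws for a role that was never registered, so an identity carrying an unknown role fails closed rather than silently falling back to guest.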
Filter / Validation
A few not-so-obvious things to consider:
1. Filter first, then Validate;
2. Filtering changes data, so back up the raw data;
3. White List whenever possible (Ideally? ALWAYS);
4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!)
Flexibility in ZF2
Filter & Validation can live in the form, in the model, or separated.
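The four rules and the "separated" placement, as an added example (not the slides' code) built on Zend\InputFilter; the field names, patterns, allowed roles and the posted data are constructed.

```php
<?php
// Added example, not the slides' own code: a stand-alone InputFilter (the "separated"
// placement) showing filter-then-validate, white lists and raw-data backup.
require 'vendor/autoload.php';

use Zend\InputFilter\InputFilter;
use Zend\Validator\InArray;

// Separated: a dedicated class, reusable from a Zend\Form (setInputFilter()) or from a
// model implementing InputFilterAwareInterface, so the rules exist exactly once.
class RegistrationInputFilter extends InputFilter
{
    public function __construct()
    {
        // 1. Filters run before validators: the normalised value is what gets validated.
        $this->add(array(
            'name'       => 'email',
            'required'   => true,
            'filters'    => array(
                array('name' => 'StringTrim'),
                array('name' => 'StringToLower'),
            ),
            'validators' => array(
                array('name' => 'EmailAddress'),
            ),
        ));
        // 3. White list: the Regex spells out the allowed characters; nothing else passes.
        $this->add(array(
            'name'       => 'username',
            'required'   => true,
            'filters'    => array(
                array('name' => 'StringTrim'),
                array('name' => 'StripTags'),
            ),
            'validators' => array(
                array('name' => 'StringLength', 'options' => array('min' => 3, 'max' => 32)),
                array('name' => 'Regex', 'options' => array('pattern' => '/^[a-z0-9_]+$/')),
            ),
        ));
        // 3. White list again: the role comes from a fixed haystack with strict comparison,
        //    so a self-registration can never claim 'admin'.
        $this->add(array(
            'name'       => 'role',
            'required'   => true,
            'validators' => array(
                array('name' => 'InArray', 'options' => array(
                    'haystack' => array('member', 'editor'),
                    'strict'   => InArray::COMPARE_STRICT,
                )),
            ),
        ));
    }
}

// Constructed request data: padded mixed-case e-mail, a tag in the username, a forged role.
$posted = array(
    'email'    => '  Alice@Example.COM ',
    'username' => 'alice<script>',
    'role'     => 'admin',
);

$filter = new RegistrationInputFilter();
$filter->setData($posted);

// 2. Filtering changes data: keep what was actually sent for logging and forensics.
$rawForAudit = $filter->getRawValues();

if ($filter->isValid()) {
    print_r($filter->getValues());      // filtered + validated values only
} else {
    print_r($filter->getMessages());    // field => validator messages
}
// StripTags silently turns 'alice<script>' into 'alice', which then validates. That is
// exactly why the raw copy matters: the clean value hides what the client attempted.
print_r($rawForAudit);
```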
Show me the code!
(code slide: Filter & Validation; the code was shown as an image and is not in the transcript)
Muchas gracias!
? Questions?
↓ Criticism?
↑ Compliments?!

What is Master Data Management by PiLog Group
aymanquadri279
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
Quickdice ERP
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 

Recently uploaded (20)

Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 

Implementing security routines with zf2

  • 1. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Implementing Security Routines with Zend Framework 2 by Er Galvão Abbott. Topics: Authentication, Brute-Force, Password Recovery, Cryptography, Authorization, Filter & Validation. CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34
  • 2. Who?! Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil. He has worked for 20 years developing web-interfaced systems and applications, 15 of those with PHP and 7 with Zend Framework, for several companies, both local and off-shore. He speaks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national user group with more than 1,200 registered users. Site: http://www.galvao.eti.br/ Twitter: @galvao Slides and Documents: http://slideshare.net/ergalvao https://speakerdeck.com/galvao Github: http://github.com/galvao
  • 3. Goal: discuss, in both conceptual and technical detail, how to implement security routines with Zend Framework 2. Topics: → Authentication → Brute-force protection → Password recovery → Cryptography → Authorization → Data Filtering and Validation
  • 4. Before we begin: Security != a piece of cake* (* Not the framework. Hilarious!) Why? Because, for example, I'm required to tell you this:
  • 5. Before we begin: Disclaimer (or the “Not my fault” part). $this is: !Perfect|Complete, !Fool proof, !The only|right way. Found an example of why? Let me know!
  • 6. Authentication
  • 7. Authentication: ZfcUser, right?!
  • 8. Authentication: ZfcUser, right?! YES! Well...
  • 9. Authentication: let's talk about wheels... If you don't [want to] know much about security: http://modules.zendframework.com/ZF-Commons/ZfcUser
  • 10. Authentication: let's talk about wheels... If you don't [want to] know much about security: http://modules.zendframework.com/ZF-Commons/ZfcUser. If you do: the Authentication, Crypt, Filter and Form components.
  • 11. Authentication: now that we've put that aside... Authentication → Service*; Cryptography → (can also be a) Service*; Authentication attempts → Event. * Yes, yes, it could be done as a Module, Plugin, etc... -.-”
  • 12. Authentication: Show me the code!
  • 13. [code slide: Authentication & Cryptography]
  • 14. [code slide: Cryptography]
  • 15. [code slide: Authentication]
  • 16. [code slide: Authentication]
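The code on slides 13 to 16 survives only as screenshots, so here is an added example (not the author's code) of the three arrows on slide 11 in ZF2: Zend\Authentication\AuthenticationService as the authentication service, Zend\Crypt\Password\Bcrypt behind a CallbackCheckAdapter as the cryptography service, and every attempt published through Zend\EventManager so logging or brute-force protection can listen. It assumes ZF2 installed via Composer, the pdo_sqlite extension, and a hypothetical users(username, password_hash, active) table, created in memory so the script runs offline:

```php
<?php
// Added example, not from the slides: authentication as a service, Bcrypt as the
// credential check, and each attempt published as an event.
// Assumes ZF2 via Composer (vendor/autoload.php) and the pdo_sqlite extension.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\DbTable\CallbackCheckAdapter;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;
use Zend\Db\Adapter\Adapter as DbAdapter;
use Zend\EventManager\EventManager;

// Constructed in-memory user table (hypothetical schema) so the example runs offline.
$db = new DbAdapter(array('driver' => 'Pdo_Sqlite', 'database' => ':memory:'));
$db->query(
    'CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL, active INTEGER NOT NULL)',
    DbAdapter::QUERY_MODE_EXECUTE
);

$bcrypt = new Bcrypt();
$bcrypt->setCost(12); // ZF2 defaults to 14; tune to your hardware, never go low to "speed up login"

$db->query('INSERT INTO users VALUES (?, ?, 1)', array('alice', $bcrypt->create('correct horse battery staple')));
$db->query('INSERT INTO users VALUES (?, ?, 0)', array('bob', $bcrypt->create('disabled-user')));

// Cryptography as a service: the adapter only knows "a callback decides", so the
// hashing scheme can be replaced without touching the authentication code.
$adapter = new CallbackCheckAdapter(
    $db, 'users', 'username', 'password_hash',
    function ($storedHash, $submittedPassword) use ($bcrypt) {
        return $bcrypt->verify($submittedPassword, $storedHash);
    }
);
$adapter->getDbSelect()->where('active = 1'); // inactive accounts never reach the hash check

// Authentication as a service. NonPersistent storage keeps the example free of
// sessions; a real application keeps the default Session storage.
$auth   = new AuthenticationService(new NonPersistent());
$events = new EventManager('Auth');

// Authentication attempts as events: this listener only audits; a brute-force
// guard would attach to the same event.
$events->attach('attempt', function ($e) {
    printf("[audit] identity=%s valid=%s code=%d\n",
        $e->getParam('identity'), $e->getParam('valid') ? 'yes' : 'no', $e->getParam('code'));
});

function attemptLogin(AuthenticationService $auth, CallbackCheckAdapter $adapter,
                      EventManager $events, $identity, $credential)
{
    $adapter->setIdentity($identity)->setCredential($credential);
    $result = $auth->authenticate($adapter);
    $events->trigger('attempt', $auth, array(
        'identity' => $identity,
        'valid'    => $result->isValid(),
        'code'     => $result->getCode(), // tells "no such user" from "bad password" for the log only
    ));
    // The user always sees one generic message: the result codes must not leak.
    return $result->isValid() ? 'Welcome' : 'Invalid username or password';
}

echo attemptLogin($auth, $adapter, $events, 'alice', 'correct horse battery staple'), "\n"; // valid credentials
echo attemptLogin($auth, $adapter, $events, 'alice', 'wrong'), "\n";                        // wrong password
echo attemptLogin($auth, $adapter, $events, 'bob', 'disabled-user'), "\n";                  // inactive account
echo attemptLogin($auth, $adapter, $events, 'mallory', 'x'), "\n";                          // unknown user
```

Two points worth noting: the adapter's select is restricted to active accounts, so a disabled user fails before any hash comparison is made; and Result::getCode() distinguishes "identity not found" from "credential invalid", which is useful in the audit log but must never reach the response, otherwise the login form becomes a username oracle.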
  • 17. Password Recovery
  • 18. Password Recovery: Checklist
    1. User doesn't “need to change pwd” already;
    2. User is “active”;
    3. Randomize a temporary pwd;
    4. Randomize a temporary, short-life token;
    5. Send a tokenized link for the user to change his pwd;
    6. He must correctly enter the temp pwd;
    7. If the new pwd and/or token expires, inactivate, make him contact support;
    8. Else, change the pwd, mark the user as “OK”;
    9. If any step fails, see step 7!
    For your randomization needs: https://github.com/galvao/PHPToolkit* (* Shameless advertising detected!)
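The checklist as code, added here and not part of the slides. It uses Zend\Math\Rand instead of the PHPToolkit the slide points to, Bcrypt for the temporary password, a SHA-256 hash of the token at rest, and Zend\Crypt\Utils::compareStrings (ZF 2.2+) for a constant-time token check; the $users array and the delivery comment are constructed stand-ins for a user table and a mailer:

```php
<?php
// Added example, not from the slides: the recovery checklist as a class.
// Assumes ZF2 via Composer. $users is a constructed stand-in for the user table.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;
use Zend\Crypt\Utils;
use Zend\Math\Rand;

class PasswordRecovery
{
    const TOKEN_TTL = 900; // seconds; short-lived on purpose (item 4)

    private $users;
    private $bcrypt;

    public function __construct(array &$users)
    {
        $this->users  = &$users;
        $this->bcrypt = new Bcrypt();
    }

    // Items 1-5: issue a temporary password and a tokenized link.
    public function request($username, $now)
    {
        if (!isset($this->users[$username])) {
            return false;
        }
        $u = &$this->users[$username];
        if (!$u['active'] || $u['must_change']) {   // items 1 and 2
            return false;
        }
        // Item 3: unambiguous alphabet (no 0/O, 1/l/I) since a human will type this.
        $tempPassword = Rand::getString(12, '23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ', true);
        $token        = bin2hex(Rand::getBytes(32, true));           // item 4: 256 bits of entropy

        $u['temp_hash']   = $this->bcrypt->create($tempPassword);    // never store the temp password itself
        $u['token_hash']  = hash('sha256', $token);                  // a leaked table must not yield usable links
        $u['token_exp']   = $now + self::TOKEN_TTL;
        $u['must_change'] = true;

        // Item 5 (hypothetical delivery): link by e-mail, temp password over a second channel.
        // $mailer->send($u['email'], 'https://example.com/recover?token=' . $token);
        return array('token' => $token, 'temp_password' => $tempPassword);
    }

    // Items 6-9: token AND temporary password, before the deadline, or the account is inactivated.
    public function complete($username, $token, $tempPassword, $newPassword, $now)
    {
        if (!isset($this->users[$username])) {
            return false;
        }
        $u = &$this->users[$username];
        if (!$u['active'] || !$u['must_change']) {
            return false;
        }
        if ($now > $u['token_exp']) {                                             // item 7: expired
            return $this->fail($u);
        }
        if (!Utils::compareStrings($u['token_hash'], hash('sha256', $token))) {    // item 9: any failure...
            return $this->fail($u);
        }
        if (!$this->bcrypt->verify($tempPassword, $u['temp_hash'])) {            // item 6
            return $this->fail($u);
        }
        $u['password_hash'] = $this->bcrypt->create($newPassword);               // item 8
        $u['must_change']   = false;
        unset($u['temp_hash'], $u['token_hash'], $u['token_exp']);
        return true;
    }

    // Item 7: inactivate and drop the recovery material; only support can reactivate.
    private function fail(array &$u)
    {
        $u['active'] = false;
        unset($u['temp_hash'], $u['token_hash'], $u['token_exp']);
        return false;
    }
}

// Constructed sample data and a run-through: one wrong temporary password.
$users    = array('alice' => array('active' => true, 'must_change' => false, 'password_hash' => null));
$recovery = new PasswordRecovery($users);

$issued = $recovery->request('alice', time());
var_dump($recovery->complete('alice', $issued['token'], 'not the temp password', 'NewS3cret!', time()));
var_dump($users['alice']['active']);
var_dump($recovery->request('alice', time()));   // a second request for the inactivated account
```

request() returns false for unknown, inactive and already-recovering users alike; the controller should answer all of those identically ("if the account exists, a message is on its way") so the recovery form does not confirm which usernames exist. Lock-out on any failure is deliberately harsh, exactly as the slide demands: an attacker who guesses at tokens burns the account instead of getting unlimited tries.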
  • 19. Password Recovery: Key points. Know what to do and what to avoid. Laziness and “user-comfort-centrism” are your enemies.
  • 20. Brute Force
  • 21. Brute Force: It's all about TIME
    1. Generate a timestamp;
    2. Log the attempt;
    3. Get the previous attempt's timestamp;
    4. Interval = current - previous;
    5. If the interval is suspicious, lock the user out;
    6. If x unsuccessful attempts, lock the user out.
  • 22. Brute Force: Show me the code!
  • 23. [code slide: Brute Force]
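The six steps above as a guard class, added as an example (the code on slide 23 is a screenshot, so this is not the author's code). It is written so it can be attached as a listener to an authentication attempt event; the attempts log is an in-memory array standing in for a table, and the thresholds are illustrative:

```php
<?php
// Added example, not from the slides: timestamp-based brute-force lock-out.
// Plain PHP; $log and $locked stand in for database tables.
class BruteForceGuard
{
    const MIN_INTERVAL = 2.0;  // seconds between attempts; faster than a human types a password
    const MAX_FAILURES = 5;    // consecutive failures before lock-out
    const LOCK_SECONDS = 900;  // locks expire; an indefinite lock is a denial-of-service lever

    private $log    = array(); // identity => list of array('ts' => float, 'ok' => bool)
    private $locked = array(); // identity => unlock timestamp

    public function isLocked($identity, $now)
    {
        if (!isset($this->locked[$identity])) {
            return false;
        }
        if ($now >= $this->locked[$identity]) {
            unset($this->locked[$identity]);    // lock has expired
            return false;
        }
        return true;
    }

    // Call this for every attempt. Returns true if the account is still usable, false if locked.
    public function record($identity, $success, $now = null)
    {
        $now = ($now === null) ? microtime(true) : $now;                               // 1. timestamp
        if ($this->isLocked($identity, $now)) {
            return false;
        }
        $previous = empty($this->log[$identity]) ? null : end($this->log[$identity]);  // 3. previous attempt
        $this->log[$identity][] = array('ts' => $now, 'ok' => $success);               // 2. log the attempt

        if ($previous !== null && ($now - $previous['ts']) < self::MIN_INTERVAL) {     // 4. + 5. interval
            return $this->lock($identity, $now, 'interval');
        }
        if ($this->consecutiveFailures($identity) >= self::MAX_FAILURES) {             // 6. failure count
            return $this->lock($identity, $now, 'failures');
        }
        return true;
    }

    // Failures since the last success; a success resets the count.
    private function consecutiveFailures($identity)
    {
        $n = 0;
        foreach (array_reverse($this->log[$identity]) as $attempt) {
            if ($attempt['ok']) {
                break;
            }
            $n++;
        }
        return $n;
    }

    private function lock($identity, $now, $reason)
    {
        $this->locked[$identity] = $now + self::LOCK_SECONDS;
        error_log("lock-out identity=$identity reason=$reason"); // feed this to monitoring
        return false;
    }
}

// Constructed run 1: a script hammering one account, second attempt 0.1 s after the first.
$guard = new BruteForceGuard();
$t = 1000.0;
$guard->record('alice', false, $t);
var_dump($guard->record('alice', false, $t + 0.1));

// Constructed run 2: a patient attacker pacing wrong passwords 3 s apart.
$guard2 = new BruteForceGuard();
$usable = true;
for ($i = 0; $i < 5; $i++) {
    $usable = $guard2->record('bob', false, $t + 3 * $i);
}
var_dump($usable);
var_dump($guard2->isLocked('bob', $t + 15));
var_dump($guard2->isLocked('bob', $t + 15 + BruteForceGuard::LOCK_SECONDS));
```

Two caveats a practitioner will want: a per-identity lock is also a denial-of-service lever against the victim, so pair it with source-based throttling and let locks expire (LOCK_SECONDS) rather than wait for support; and the interval test catches scripted bursts while the failure counter catches an attacker who paces attempts, so keep both rules.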
  • 24. Authorization
  • 25. Authorization: It's all about CAN & CAN'T. The relation between roles and resources: roles can inherit from other roles; resources may be available to multiple roles. A few not-so-obvious things to consider:
    1. Everyone has a role;
    2. Static storage > Dynamic storage;
    3. Ideally, the role of the current user should be fetched dynamically...
    4. ... and a user's role should be “immutable”.
  • 26. Authorization: Zend\Permissions\Acl
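The four considerations on slide 25 in Zend\Permissions\Acl, as an added example (not the slides' own code). Roles inherit, the rules are declared statically in code, anonymous visitors get the guest role, and the role is resolved from the identity record (here a constructed array) rather than from anything the client sends:

```php
<?php
// Added example, not from the slides: Zend\Permissions\Acl with inheritance,
// static rules, a default role and fail-closed checks. Assumes ZF2 via Composer.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
use Zend\Permissions\Acl\Role\GenericRole as Role;

function buildAcl()
{
    $acl = new Acl(); // default is deny everything

    // Roles: member inherits guest's permissions, admin inherits member's.
    $acl->addRole(new Role('guest'))
        ->addRole(new Role('member'), 'guest')
        ->addRole(new Role('admin'), 'member');

    $acl->addResource(new Resource('article'))
        ->addResource(new Resource('account'));

    // Consideration 2: rules live in code (reviewable, versioned), not in a table anyone can edit.
    $acl->allow('guest',  'article', 'view');
    $acl->allow('member', 'article', 'comment');
    $acl->allow('member', 'account', array('view', 'edit'));
    $acl->allow('admin');  // every privilege on every resource

    return $acl;
}

// Considerations 1, 3 and 4: resolved from the identity record on each request, never from
// a cookie or form field the user controls; no identity means guest, not "no role".
function roleFor($identity)
{
    if ($identity === null || empty($identity['role'])) {
        return 'guest';
    }
    return $identity['role'];
}

function can(Acl $acl, $identity, $resource, $privilege)
{
    try {
        return $acl->isAllowed(roleFor($identity), $resource, $privilege);
    } catch (\Zend\Permissions\Acl\Exception\InvalidArgumentException $e) {
        return false; // unknown role or resource: fail closed
    }
}

$acl = buildAcl();

// Constructed identity records.
$anonymous = null;
$alice     = array('username' => 'alice', 'role' => 'member');
$root      = array('username' => 'root',  'role' => 'admin');
$tampered  = array('username' => 'eve',   'role' => 'superuser'); // a role the ACL never defined

$checks = array(
    array($anonymous, 'article', 'view'),
    array($anonymous, 'article', 'comment'),
    array($alice,     'article', 'view'),      // inherited from guest
    array($alice,     'account', 'edit'),
    array($alice,     'account', 'delete'),
    array($root,      'account', 'delete'),
    array($tampered,  'account', 'delete'),
);
foreach ($checks as $check) {
    list($who, $resource, $privilege) = $check;
    printf("%-9s %-8s %-8s %s\n", roleFor($who), $resource, $privilege,
        can($acl, $who, $resource, $privilege) ? 'allow' : 'deny');
}
```

Acl::isAllowed throws for a role that was never registered; the wrapper turns that into a deny so a tampered or stale role value fails closed instead of failing open or ending in a stack trace.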
  • 27. Filter / Validation
  • 28. Filter / Validation: A few not-so-obvious things to consider:
    1. Filter first, then Validate;
    2. Filtering changes data, back up the raw data;
    3. White list whenever possible (Ideally? ALWAYS);
    4. K.I.S.S.
  • 29. (same slide) 4. K.I.S.S. (Keep It Simple, Stupid...)
  • 30. (same slide) 4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!)
  • 31. Filter / Validation: Flexibility in ZF2. Filter & Validation can live in the form, in the model, or separated.
  • 32. Filter / Validation: Show me the code!
  • 33. [code slide: Filter & Validation]
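A Zend\InputFilter specification that follows the four points on slide 28, added as an example rather than the code from slide 33. ZF2's Input applies the filter chain before the validator chain (point 1), getRawValues() keeps the submission untouched (point 2), the role field is restricted to a white list with strict comparison (point 3), and each input carries only the rules it needs (point 4). The form fields and the submission are constructed:

```php
<?php
// Added example, not from the slides: a registration form's InputFilter.
// Assumes ZF2 via Composer.
require 'vendor/autoload.php';

use Zend\InputFilter\InputFilter;
use Zend\Validator\InArray;

$inputFilter = new InputFilter();

$inputFilter->add(array(
    'name'       => 'username',
    'required'   => true,
    'filters'    => array(
        array('name' => 'StringTrim'),
        array('name' => 'StringToLower'),
    ),
    'validators' => array(
        // White list of allowed characters and length, not a black list of "bad" ones.
        array('name' => 'Regex', 'options' => array('pattern' => '/^[a-z0-9_]{3,32}$/')),
    ),
));

$inputFilter->add(array(
    'name'       => 'email',
    'required'   => true,
    'filters'    => array(array('name' => 'StringTrim')),
    'validators' => array(array('name' => 'EmailAddress')),
));

$inputFilter->add(array(
    'name'       => 'role',
    'required'   => true,
    'validators' => array(
        // Strict comparison so "0"/"1" strings cannot match integer haystack entries.
        array('name' => 'InArray', 'options' => array(
            'haystack' => array('member', 'editor'),
            'strict'   => InArray::COMPARE_STRICT,
        )),
    ),
));

// Constructed submission: stray blanks, mixed case, and a role that is not on the
// list (someone edited the hidden field to "admin").
$inputFilter->setData(array(
    'username' => '  Alice_01 ',
    'email'    => 'alice@example.com ',
    'role'     => 'admin',
));

$valid = $inputFilter->isValid();

print_r($inputFilter->getRawValues()); // point 2: what the client sent, kept for audit
print_r($inputFilter->getValues());    // filtered values the validators actually saw
print_r($inputFilter->getMessages());  // per-field failures, here for 'role'

// Nothing is persisted unless the whole set validated.
if ($valid) {
    $clean = $inputFilter->getValues();
    // ... persist $clean ...
}
```

The same InputFilter object can be attached to a Zend\Form with setInputFilter(), kept in the model, or used on its own, which is the flexibility slide 31 refers to; what does not change is that filtered values are written only after the whole set validated, and the raw values are what you log when a submission is rejected.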
  • 34. Muchas gracias! ? Questions? ↓ Criticism? ↑ Compliments?!