2. Faces of the regulatory coin
Security
"Security as a condition is the degree of resistance to, or protection from, harm."
http://en.wikipedia.org/wiki/Security
How does Zend Server help me maintain a secure development and production environment?
Compliance
"compliance means conforming to a rule, such as a specification, policy, standard or law."
http://en.wikipedia.org/wiki/Regulatory_compliance
What tools does Zend Server provide me with in order to comply with software standards?
3. GUI User Authentication
• Authentication accepts user credentials for validation
o This process can be customised
• Does not provide any tools for password recovery through the UI
o Overriding the password is possible from the server's command line
• Passwords are hashed and checked on the server side
• HTTPS access is possible
4. WebAPI authentication
• WebAPI requests are signed per request
o The signature covers request headers, so it is bound to that specific request
o Signed requests are valid for a limited time only
o The signature is a cryptographic-strength keyed hash
• HTTPS access is possible
o Without HTTPS, the request payload and headers are not encrypted in either direction: the signature proves origin and integrity of what it covers, not confidentiality
• Keys are pre-shared between client and server
• Individual keys are assigned to users and inherit the user's associated role
5. Demo: WebAPI auth
• WebAPI responses
o WebAPI test script that sets user/key
o Headers and their structure
o Valid response
o Show an invalid response
• Signature generation code
o Show SignatureGenerator class
o Show generator usage in a script
• Key management
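The per-request signing scheme of slides 4 and 5 (pre-shared key per user, signature over request headers, limited validity) as a worked example with both the client and the server side. This is an added example, not Zend Server's own SignatureGenerator class or WebAPI code: the canonical string layout, the X-Zend-Signature header format, the 5-minute validity window and the key store are assumptions chosen to illustrate the slides.

```python
"""Per-request HMAC signing for a WebAPI-style interface (added example).

Assumptions, not taken from the slides: the canonical string layout, the
"user; signature" header format, the 5-minute window and the fake key store.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed key store: each pre-shared key belongs to one user and carries
# that user's role, so the key alone decides what the ACL will later allow.
API_KEYS = {
    "admin": ("administrator", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    "dev": ("developer", "0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}

MAX_SKEW = timedelta(minutes=5)  # assumption: how long a signed request stays valid


def canonical_string(user_agent: str, host: str, path: str, date_header: str) -> str:
    """The headers the signature binds: UA, Host, request path and Date.
    Anything outside this string (e.g. the body) is not protected by it."""
    return f"{user_agent}:{host}:{path}:{date_header}"


def compute_signature(key: str, canonical: str) -> str:
    # Keyed hash: without the pre-shared key the signature cannot be produced.
    return hmac.new(key.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_request(user: str, key: str, user_agent: str, host: str, path: str,
                 when: datetime) -> dict:
    """Client side: build the headers for one request. `when` must be an aware UTC datetime."""
    date_header = format_datetime(when, usegmt=True)
    sig = compute_signature(key, canonical_string(user_agent, host, path, date_header))
    return {
        "Date": date_header,
        "User-Agent": user_agent,
        "Host": host,
        "X-Zend-Signature": f"{user}; {sig}",
    }


def verify_request(headers: dict, path: str, now: datetime):
    """Server side: return (user, role) if the request is authentic and fresh, else None.
    Every failure returns the same None so a caller learns nothing about which check failed."""
    try:
        user, sig = [p.strip() for p in headers["X-Zend-Signature"].split(";", 1)]
    except (KeyError, ValueError):
        return None
    entry = API_KEYS.get(user)
    if entry is None:
        return None
    role, key = entry
    try:
        sent = parsedate_to_datetime(headers["Date"])
    except (KeyError, TypeError, ValueError):
        return None
    if sent.tzinfo is None or abs(now - sent) > MAX_SKEW:
        return None  # expired: a captured request cannot be replayed later
    expected = compute_signature(
        key, canonical_string(headers.get("User-Agent", ""), headers.get("Host", ""),
                              path, headers["Date"]))
    if not hmac.compare_digest(expected, sig):
        return None  # constant-time compare: no timing side channel on the signature
    return user, role


def demo() -> dict:
    """Exercise the scheme: valid request, tampered path, stale request, wrong user."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    path = "/ZendServer/Api/getSystemInfo"
    hdrs = sign_request("admin", API_KEYS["admin"][1], "zs-client/1.0",
                        "zend.example:10081", path, t0)
    forged = dict(hdrs)  # same signature presented under another user's name
    forged["X-Zend-Signature"] = "dev; " + hdrs["X-Zend-Signature"].split("; ")[1]
    return {
        "valid": verify_request(hdrs, path, t0 + timedelta(seconds=30)),
        "other_path": verify_request(hdrs, "/ZendServer/Api/restartPhp", t0),
        "stale": verify_request(hdrs, path, t0 + timedelta(minutes=10)),
        "wrong_user": verify_request(forged, path, t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature binds only the headers that go into the canonical string and the Date header bounds the replay window; neither hides the request, which is why slide 4 still lists HTTPS separately.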
6. Customized Authentication
The authentication system may be customised:
• Add users to simple authentication
o Added users' passwords are managed through the UI
• Extended authentication has more options
o Connect to LDAP for enterprise sign-on
o Limit the information a user can view by group membership
• Custom authentication adapters
o Custom-tailored authentication for your needs
o Implement your own groups and no-groups adapters
7. Demo: custom auth
• Demo LDAP extended authentication usage
o Use the wizard to change authentication to LDAP
o Log out and log in using my own user
o Set a group for a single application
• Demo custom authentication adapter
o Extend the custom authentication adapter
o Return a group for a single application
o Change configuration to use the adapter
o Log in and check application-specific
8. Access Control
• All actions (UI & WebAPI) are filtered by an ACL
• ACL queries are composed of both the user's role and the license edition
Golden rule: system changes are only available to Administrators
9. UI, WebAPI design
Things we kept in mind
• Actions to be performed in the WebAPI
o Actions that modify the system are HTTP POST actions
• Minimal request parameters, with default values
• Extensive input filtering and output filtering
• Actions are offloaded to asynchronous execution
• The UI is a separate application and may be deployed outside the actual production environment
11. Session clustering security
In a nutshell: distributed high-availability session management platform
• Assumes a secure network environment
o Does not encrypt communications
o On-board session data is not encrypted
o CHAP-based handshake between cluster members
• Allows communications based on an "allowed hosts" filter list
• Managed automatically by Zend Server
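The two controls on slide 11, the "allowed hosts" filter and the CHAP-based handshake, as an added worked example of the exchange between an admitting member and a joining peer. This is not Zend Server's session clustering code: the hash function (SHA-256 here; RFC 1994 CHAP uses MD5 and the slide names no algorithm), the message layout, the addresses and the cluster secret are assumptions made for the demo.

```python
"""CHAP-style join handshake with an allowed-hosts filter (added example)."""
import hashlib
import hmac
import secrets

# Constructed cluster configuration: one shared secret and the allowed-hosts list.
CLUSTER_SECRET = b"constructed-cluster-secret"
ALLOWED_HOSTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: hash(identifier || secret || challenge).
    The secret never crosses the wire; only the challenge and this digest do.
    Assumption: SHA-256 stands in for whatever hash the real handshake uses."""
    return hashlib.sha256(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The member that admits a peer. Keeps one outstanding challenge per peer,
    so each response can be used exactly once."""

    def __init__(self, secret: bytes, allowed_hosts: set):
        self.secret = secret
        self.allowed_hosts = allowed_hosts
        self.pending = {}   # peer_ip -> (ident, challenge)
        self.ident = 0

    def challenge(self, peer_ip: str):
        """Message 1: refuse peers outside the allowed-hosts list before any crypto runs."""
        if peer_ip not in self.allowed_hosts:
            return None
        self.ident = (self.ident + 1) % 256
        chal = secrets.token_bytes(16)          # fresh random challenge per attempt
        self.pending[peer_ip] = (self.ident, chal)
        return self.ident, chal

    def verify(self, peer_ip: str, ident: int, response: bytes) -> bool:
        """Message 3: check the response against the challenge issued to that peer."""
        issued = self.pending.pop(peer_ip, None)  # one-shot: consumed on first use
        if issued is None or issued[0] != ident:
            return False
        expected = chap_response(ident, self.secret, issued[1])
        return hmac.compare_digest(expected, response)


class Peer:
    """The joining member. Message 2: answer the challenge with the shared secret."""

    def __init__(self, ip: str, secret: bytes):
        self.ip = ip
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.secret, challenge)


def join(auth: Authenticator, peer: Peer) -> bool:
    """Run the three-message exchange; return whether the peer was admitted."""
    issued = auth.challenge(peer.ip)
    if issued is None:
        return False
    ident, chal = issued
    return auth.verify(peer.ip, ident, peer.respond(ident, chal))


def demo() -> dict:
    auth = Authenticator(CLUSTER_SECRET, ALLOWED_HOSTS)
    good = Peer("10.0.0.12", CLUSTER_SECRET)
    wrong_secret = Peer("10.0.0.13", b"guess")
    outsider = Peer("192.0.2.99", CLUSTER_SECRET)   # right secret, not an allowed host
    # Replay: a passive observer captures a good response (the link is not
    # encrypted) and presents it again after a fresh challenge.
    ident, chal = auth.challenge(good.ip)
    captured = good.respond(ident, chal)
    first = auth.verify(good.ip, ident, captured)
    ident2, _ = auth.challenge(good.ip)
    replayed = auth.verify(good.ip, ident2, captured)
    return {
        "allowed_peer": join(auth, good),
        "wrong_secret": join(auth, wrong_secret),
        "outsider": join(auth, outsider),
        "first_use": first,
        "replay": replayed,
    }


if __name__ == "__main__":
    print(demo())
```

The handshake proves knowledge of the secret without sending it and a fresh challenge defeats replay, but everything after it (the session data itself) travels in the clear, which is the reason the slide lists a secure network as an assumption rather than a feature.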
12. Debugger security
In a nutshell: real-time debug and profile extension for use with Zend Studio
• Allows encryption of communications between server and debugging client
• Supports both directions of debug session initialization
o Server init: can specify a client and target IP address
o Client init: supports allow/deny lists of IP addresses that are allowed to start debug operations
13. Demo: debugger config
• Debugger specifies an explicit browser IP
• Debugger allow/deny hosts list
14. Debug Mode for debugger
In a nutshell: initiate a debugger session for any request that matches a pattern
• Relies on the debugger allow/deny lists
• Supports encrypted communications
• Can be restricted to specific pages or paths
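The allow/deny host lists of slides 12 and 13 and the path restriction of slide 14, as an added example of how such a policy is evaluated before a debug session may start. This is not the Zend Debugger's own code: the list syntax (comma-separated IPs or CIDR ranges), the rule that a deny match wins over an allow match, default refusal when neither list matches, and glob-style path patterns for Debug Mode are all assumptions of this example.

```python
"""Evaluate debugger allow/deny host lists and Debug Mode path patterns (added example)."""
import fnmatch
import ipaddress

# Constructed configuration, in an assumed comma-separated IP/CIDR syntax.
ALLOW = "10.0.0.0/24, 127.0.0.1, ::1/128"
DENY = "10.0.0.200"
DEBUG_PATHS = ["/checkout/*", "/admin/orders.php"]


def parse_host_list(spec: str):
    """Turn '10.0.0.0/24, 192.0.2.7' into networks; a bare address becomes a /32 or /128."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def may_start_debug(client_ip: str, allow: str, deny: str) -> bool:
    """A client may start a debug session only if it matches the allow list and
    no deny entry. Malformed addresses and addresses of the other IP version
    fall through to refusal."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False   # refuse rather than guess
    if any(addr in n for n in parse_host_list(deny)):
        return False   # assumption: deny wins over allow
    return any(addr in n for n in parse_host_list(allow))


def debug_mode_triggers(client_ip: str, path: str, patterns, allow: str, deny: str) -> bool:
    """Debug Mode: the host lists still apply, and on top of them the request
    path must match one of the configured patterns (assumed glob syntax)."""
    if not may_start_debug(client_ip, allow, deny):
        return False
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def demo() -> dict:
    return {
        "allowed_range": may_start_debug("10.0.0.5", ALLOW, DENY),
        "denied_inside_range": may_start_debug("10.0.0.200", ALLOW, DENY),
        "loopback": may_start_debug("127.0.0.1", ALLOW, DENY),
        "ipv6_loopback": may_start_debug("::1", ALLOW, DENY),
        "unlisted": may_start_debug("203.0.113.9", ALLOW, DENY),
        "malformed": may_start_debug("not-an-ip", ALLOW, DENY),
        "mode_hit": debug_mode_triggers("10.0.0.5", "/checkout/pay.php", DEBUG_PATHS, ALLOW, DENY),
        "mode_other_path": debug_mode_triggers("10.0.0.5", "/index.php", DEBUG_PATHS, ALLOW, DENY),
        "mode_denied_host": debug_mode_triggers("10.0.0.200", "/checkout/pay.php", DEBUG_PATHS, ALLOW, DENY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Checking the host lists first means a denied host never learns which paths have Debug Mode enabled, and a deny entry inside an allowed range lets you carve one machine out of a developer subnet without rewriting the allow list.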
15. Audit trail
Audit journal of user activities in the system
• User login, password change
• Configuration changes, restart requests
• Application deployment
• Changes to monitor rules and events
and more...
16. Demo: Audit trail
• Demo log-in with simple authentication
o Log in to the UI
o Show the audit entry
o Fail a login, then log in correctly
o Show the audit entries
17. Logs and more logs
Zend Server and PHP logs are accessible through the UI
• Allows viewing and searching by text pattern
• Logs may be exported from the server
• Access to individual logs may be disabled
• Custom logs may be added as needed to give easy access to user-generated logs