Eric Mann
https://speakerdeck.com/ericmann
Feed date: 2019-05-09 00:45:51 -0400

Evolution of PHP Security
Date: Sat, 26 Oct 2024 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/evolution-of-php-security-25aef7bb-a2f7-427f-971e-8461f5c42a36
Regardless of reports to the contrary, PHP is a modern, scalable, secure programming language suitable for any number of applications. As with any other language or tool, PHP can only be used securely if the developers using it wield their tools safely. This training class will walk through best practices in:
* Password management (including hashing)
* Credentials management (API keys)
* Data encryption (both local and remote)
* Data integrity (i.e., signing and authentication)
* Server hardening
Attendees will leave with a better understanding of PHP and how to use it in secure applications. Attendees should have an operable PHP environment before arriving. They will be given a code repo to use during the training class which demonstrates the principles being discussed and allows them to practice from-scratch implementations in code.

PHP, Meet AI
Date: Mon, 14 Oct 2024 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/php-meet-ai
With new advances in machine learning, advanced integrations with AI platforms are now available to everyone! You can easily build AI into your application without a Ph.D. or advanced knowledge of linear algebra or the algorithms that make machine learning work. In this talk, we’ll cover some simple integrations with commonly available tools to make your application truly “smart.” No prior experience in machine learning is required; just come prepared to learn, ask questions, and get your hands dirty with state-of-the-art tools.

Asynchronous Awesome
Date: Wed, 17 May 2023 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/asynchronous-awesome-2833c70f-2b6d-44be-8789-0b6192cff72b
Sometimes, our use of PHP grows beyond the typical request/response cycle of dynamic page generation. Unfortunately, the threaded nature of PHP, and the stateless nature of the server, betrays any efforts to expand our utilization of the server. Image processing, video rendering, APNS (Apple Push Notification Service) integration: any of these can easily take longer than is reasonable for a simple page request. Enter tools like message and job queues that empower daemonized PHP workers to handle data processing in the background. Yet further tools enable long-running event loops and asynchronous Promise-driven operations. PHP isn’t multi-threaded, but that doesn’t mean you’re limited to a single-thread paradigm. I will demonstrate various use cases necessitating asynchronous operations, then delve into the code and the tools that make these systems work. Every attendee will leave armed with new ways to think about the management of large data jobs in PHP and an understanding of the tools they can use to make it happen.

WordPress, Meet AI
Date: Fri, 23 Apr 2021 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/wordpress-meet-ai
With new advances in machine learning, advanced integrations with AI platforms are now available to everyone! You can easily build AI into your WordPress site without a Ph.D. or advanced knowledge of linear algebra or the algorithms that make machine learning work. In this talk, we’ll cover some simple integrations with commonly available tools to make your WordPress installation truly “smart.” No prior experience in machine learning is required; just come prepared to learn, ask questions, and get your hands dirty with tools like AWS Recognition.

Cooking with Credentials
Date: Thu, 14 Jan 2021 00:00:00 -0500
URL: https://speakerdeck.com/ericmann/cooking-with-credentials
There are many different ways to authenticate users to your application in PHP land. This talk will take a deep look at at least three different patterns for user authentication to keep your system secure. Everything we’ll be doing is password-focused, moving from the simplest methods to the most complex. We will only discuss actually-secure PHP authentication, but presenting multiple approaches will give you and your team superb flexibility when you move from theory to implementation.

OWASP Top Ten in Review
Date: Fri, 28 Aug 2020 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/owasp-top-ten-in-review

Monkeys in the Machine
Date: Tue, 17 Mar 2020 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/monkeys-in-the-machine
Can a million monkeys given a million typewriters produce the collected works of Shakespeare? Considering the ethical concerns of forcing monkeys to write, paired with the sheer mess of that many mammals in one location, we might never know. Or will we? Thanks to the wonders of modern computing, it's possible to _simulate_ monkeys emulating the Bard. Leveraging techniques like genetic algorithms, we can build a system that approximates a monkey armed with a typewriter. Digitally. It's a fun exercise to prove a thought experiment, but also a powerful technical approach to leverage machine learning and rudimentary AI in various places. Together, we'll breed digital monkeys and show both how they can be used to answer the aforementioned Shakespearean question as well as produce generative results to more _practical_ problems.

Asynchronous Awesome
Date: Fri, 07 Feb 2020 00:00:00 -0500
URL: https://speakerdeck.com/ericmann/asynchronous-awesome-1b7a5c08-f10c-4c80-b60c-554a7c3481e8
Sometimes, our use of PHP grows beyond the typical request/response cycle of dynamic page generation. Unfortunately, the threaded nature of PHP, and the stateless nature of the server, betrays any efforts to expand our utilization of the server. Image processing, video rendering, APNS (Apple Push Notification Service) integration: any of these can easily take longer than is reasonable for a simple page request. Enter tools like message and job queues that empower daemonized PHP workers to handle data processing in the background. Yet further tools enable long-running event loops and asynchronous Promise-driven operations. PHP isn't multi-threaded, but that doesn't mean you're limited to a single-thread paradigm. I will demonstrate various use cases necessitating asynchronous operations, then delve into the code and the tools that make these systems work. Every attendee will leave armed with new ways to think about the management of large data jobs in PHP and an understanding of the tools they can use to make it happen.

Evolution of PHP Security
Date: Thu, 06 Feb 2020 00:00:00 -0500
URL: https://speakerdeck.com/ericmann/evolution-of-php-security-4eb56c08-9eff-4aec-b4a4-3d803f151437
Regardless of reports to the contrary, PHP is a modern, scalable, secure programming language suitable for any number of applications. As with any other language or tool, PHP can only be used securely if the developers using it wield their tools safely. This training class will walk through best practices in:
* Password management (including hashing)
* Credentials management (API keys)
* Data encryption (both local and remote)
* Data integrity (i.e., signing and authentication)
* Server hardening
Attendees will leave with a better understanding of PHP and how to use it in secure applications. Attendees should have an operable PHP environment before arriving. They will be given a code repo to use during the training class which demonstrates the principles being discussed and allows them to practice from-scratch implementations in code.

Web Application Security Update: Top Vulnerabilities
Date: Thu, 24 Oct 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/web-application-security-update-top-vulnerabilities
The Open Web Application Security Project (OWASP) curates a list of the top ten security risks for web applications and how to mitigate them. The ever-changing world of web development created a challenge for the 2017 list, which needs to combine both existing approaches and modern trends in web development. This talk will look at each item in the list from a PHP perspective, demonstrate what can go wrong, and make sure that this won’t happen in our web sites.
The Open Web Application Security Project (OWASP) curates a list of the top ten application security risks for web applications. It is a great place to start when developing a strong security stance for your application and team. Security is an ever-changing world and it's important to keep up to date with modern trends in mitigating vulnerabilities. With the attendees, we will look at each item in the list, and show:
- How to detect the risk in your own code
- How to patch or prevent the risk
- Practical resources for taking further actions to protect your stack

Asynchronous Awesome
Date: Wed, 23 Oct 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/asynchronous-awesome
Sometimes, our use of PHP grows beyond the typical request/response cycle of dynamic page generation. Unfortunately, the threaded nature of PHP, and the stateless nature of the server, betrays any efforts to expand our utilization of the server. Image processing, video rendering, APNS (Apple Push Notification Service) integration: any of these can easily take longer than is reasonable for a simple page request. Enter tools like message and job queues that empower daemonized PHP workers to handle data processing in the background. Yet further tools enable long-running event loops and asynchronous Promise-driven operations. PHP isn’t multi-threaded, but that doesn’t mean you’re limited to a single-thread paradigm. I will demonstrate various use cases necessitating asynchronous operations, then delve into the code and the tools that make these systems work. Every attendee will leave armed with new ways to think about the management of large data jobs in PHP and an understanding of the tools they can use to make it happen.

The Future of the Web is Low Tech
Date: Thu, 22 Aug 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/the-future-of-the-web-is-low-tech
This session will cover use cases, user groups, and a few proposed techniques for making both content and publishing tools available to those without high-speed Internet, 3G/4G connectivity, or traditional desktop publishing tools. It will also delve into some of the emerging technologies that make content more accessible to those with limited access (and the controversy surrounding them). Attendees will achieve a deeper understanding of potential, unreached user demographics and the tools/techniques they can use to reach these groups.

OWASP 301: Infrastructure-based Security
Date: Wed, 22 May 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/owasp-301-infrastructure-based-security
Some of the trickier application security risks (ASRs) covered by the OWASP Top Ten are focused on infrastructure and application configuration. As these risks are deeper within the production stack, they can be harder to find and address. Together, we’ll walk through each of these risks, examine how to identify them in an application or production environment, and cover actionable steps you can take today to address them in your application.

OWASP 201: Request-based Security
Date: Wed, 22 May 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/owasp-201-request-based-security
Half of the application security risks (ASRs) covered by the OWASP Top Ten list address requests made by visitors or third parties against your web application. Learn what each ASR is, how to identify it in your application, and how to protect against potential abuse.

Fortifying Your Defenses with Threat Modeling
Date: Tue, 21 May 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/fortifying-your-defenses-with-threat-modeling
Properly securing your applications and data requires an understanding of the threats facing them. Threat modeling is the methodology for identifying and quantifying the threats your application can and will face. There are a number of resources available for performing a threat model, but this session will get you started building a strategy from nothing.

Servers: Configure, Harden, and Manage
Date: Tue, 21 May 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/servers-configure-harden-and-manage
Full-stack development requires a full understanding of all elements of your stack: not just backend and frontend software, but the server and lower-level tools upon which your application is built. The most secure coding in the world won’t protect against a misconfigured or vulnerable server. Together we’ll walk through all elements of the stack, from the application itself through the utilities it interacts with to the server upon which everything runs, all from the perspective of security and keeping your customers and their data secure.

Access Control & Authorization
Date: Tue, 21 May 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/access-control-and-authorization
Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past. Don’t fall victim to simple oversights; instead, keep your application, and your users, safe.

You Shall (Maybe) Pass!
Date: Tue, 21 May 2019 00:00:00 -0400
URL: https://speakerdeck.com/ericmann/you-shall-maybe-pass
The first point of contact most users have with your application is the login screen. It’s a ubiquitous interface, and approaches for handling authentication are legion. A plethora of options for authentication doesn’t mean it’s an easy practice, though. Together, we’ll review authentication from first principles, starting with password-based systems and diving deeper into defensive hashing techniques and the edge cases developers need to consider when protecting user data. We’ll also go deep into the secure remote password flow, leveraging the technique both from native PHP and a JavaScript client-side implementation.