Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

Implementing Security Routines with Zend Framework 2
by Er Galvão Abbott

Topics: Authentication | Brute-Force | Password Recovery | Cryptography | Authorization | Filter & Validation

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34
Who?!

Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil.

Has been developing web-interfaced systems and applications for 20 years, 15 of those with PHP and 7 with Zend Framework. Has worked with several companies, both local and off-shore.

Talks at events, teaches both on-site and on-line courses, and is the founder and leader of the PHPBR UG, a national User Group with more than 1,200 registered users.

Site: http://www.galvao.eti.br/
Twitter: @galvao
Slides and Documents: http://slideshare.net/ergalvao
https://speakerdeck.com/galvao
Github: http://github.com/galvao
Goal

Discuss, in both conceptual and technical detail, how to implement Security Routines with Zend Framework 2.
I'll present the following topics:
→ Authentication
→ Brute-force protection
→ Password recovery
→ Cryptography
→ Authorization
→ Data Filtering and Validation
Before we begin

Security != a piece of cake*
* Not the framework (Hilarious!)

Why? Because, for example, I'm required to tell you this:

Disclaimer (or the "Not my fault" part)
$this is...
    !Perfect|Complete
    !Fool proof
    !The only|right way

Found an example of why? Let me know!
Authentication

ZfcUser, right?!
YES! Well...

Let's talk about wheels...
If you don't [want to] know much about security...
http://modules.zendframework.com/ZF-Commons/ZfcUser
If you do... build on the framework's own components:
Zend\Authentication
Zend\Crypt
Zend\Filter
Zend\Form
Now that we've put that aside...
Authentication → Service*
Cryptography → (can also be a) Service*
Authentication attempts → Event
* Yes, yes, it could be done as a Module, Plugin, etc... -.-"
Show me the code!
[Code slides (images): Authentication & Cryptography; Cryptography; Authentication; Authentication]
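The code on those slides was shown as images. What follows is an added example, not the author's code from the deck, of the design on the previous slide: authentication as a service, cryptography as a service, and one event per attempt, built on ZF2's Zend\Crypt\Password\Bcrypt, Zend\Authentication and Zend\EventManager. The class names, the in-memory user table, the event name 'auth.attempt' and its parameter names are assumptions.

```php
<?php
// Added example, not the slides' code: authentication and cryptography as two
// services, plus an event per attempt, using Zend\Crypt, Zend\Authentication and
// Zend\EventManager from ZF2. Assumptions: composer autoloading, an in-memory
// user table, and the event name 'auth.attempt' with its parameter names.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;
use Zend\EventManager\EventManager;

/** Cryptography service: the one place that knows how passwords are hashed. */
class PasswordService
{
    private $bcrypt;

    public function __construct($cost = 12)
    {
        // bcrypt is salted and deliberately slow; cost is the work factor
        $this->bcrypt = new Bcrypt(array('cost' => $cost));
    }

    public function hash($plain)          { return $this->bcrypt->create($plain); }
    public function verify($plain, $hash) { return $this->bcrypt->verify($plain, $hash); }
}

/** Adapter: checks one identity/credential pair against the user store. */
class UserAdapter implements AdapterInterface
{
    private $users, $passwords, $identity, $credential;

    public function __construct(array $users, PasswordService $passwords)
    {
        $this->users = $users;          // identity => array('hash' => ..., 'active' => bool)
        $this->passwords = $passwords;
    }

    public function setCredentials($identity, $credential)
    {
        $this->identity = $identity;
        $this->credential = $credential;
    }

    public function authenticate()
    {
        // Same message for unknown user and wrong password: no user enumeration
        $generic = array('Invalid identity or credential');
        if (!isset($this->users[$this->identity])) {
            return new Result(Result::FAILURE_IDENTITY_NOT_FOUND, null, $generic);
        }
        $user = $this->users[$this->identity];
        if (!$this->passwords->verify($this->credential, $user['hash'])) {
            return new Result(Result::FAILURE_CREDENTIAL_INVALID, null, $generic);
        }
        if (empty($user['active'])) {
            return new Result(Result::FAILURE_UNCATEGORIZED, null, array('Account is inactive'));
        }
        // The stored identity carries no hash
        return new Result(Result::SUCCESS, array('id' => $this->identity));
    }
}

/** Authentication service: runs the adapter and emits one event per attempt. */
class AuthService
{
    private $auth, $adapter, $events;

    public function __construct(UserAdapter $adapter, EventManager $events)
    {
        // NonPersistent storage keeps the example independent of PHP sessions;
        // a real application uses the default Session storage
        $this->auth = new AuthenticationService(new NonPersistent(), $adapter);
        $this->adapter = $adapter;
        $this->events = $events;
    }

    public function login($identity, $credential)
    {
        $this->adapter->setCredentials($identity, $credential);
        $result = $this->auth->authenticate();
        // Listeners (brute-force guard, audit log) hook in here without touching this class
        $this->events->trigger('auth.attempt', $this, array(
            'identity' => $identity,
            'success'  => $result->isValid(),
            'code'     => $result->getCode(),
        ));
        return $result;
    }
}

$passwords = new PasswordService();
$users = array('alice' => array('hash' => $passwords->hash('correct horse battery staple'), 'active' => true));
$events = new EventManager();
$events->attach('auth.attempt', function ($e) {
    printf("attempt identity=%s success=%s\n", $e->getParam('identity'), $e->getParam('success') ? 'yes' : 'no');
});
$auth = new AuthService(new UserAdapter($users, $passwords), $events);
$auth->login('alice', 'wrong');                         // attempt identity=alice success=no
$auth->login('mallory', 'wrong');                       // same generic message, different result code
$auth->login('alice', 'correct horse battery staple');  // attempt identity=alice success=yes
```

Two design points worth keeping when you adapt this: the adapter returns the same user-facing message for "unknown identity" and "wrong credential" and keeps the distinction only in the Result code, which goes to listeners and logs, not to the response; and the bcrypt cost is a parameter, so it can be raised as hardware gets faster without touching the adapter.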
Password Recovery

Checklist
1. The user isn't already flagged "must change password";
2. The user is "active";
3. Randomize a temporary password;
4. Randomize a temporary, short-lived token;
5. Send a tokenized link for the user to change their password;
6. They must enter the temporary password correctly;
7. If the temporary password and/or the token expires, deactivate the account and make the user contact support;
8. Else, change the password and mark the user as "OK";
9. If any step fails, see step 7!
For your randomization needs: https://github.com/galvao/PHPToolkit*
* Shameless advertising detected!
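The nine steps above as one service, as an added example that is neither the author's code nor PHPToolkit: random secrets come from ZF2's Zend\Math\Rand (CSPRNG), and the temporary password is stored as a bcrypt hash via Zend\Crypt\Password\Bcrypt. The user-record array shape, the notifier callback, the 15-minute lifetime and the recovery URL are assumptions.

```php
<?php
// Added example, not the slides' code and not PHPToolkit: the nine-step checklist
// as one service. Uses ZF2's Zend\Math\Rand (CSPRNG) and Zend\Crypt\Password\Bcrypt.
// Assumptions: composer autoloading, the user-record array shape, a notifier
// callback, a 15-minute lifetime and the recovery URL.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;
use Zend\Math\Rand;

class PasswordRecovery
{
    const TOKEN_TTL     = 900;   // seconds; short-lived by design (step 4)
    const TEMP_ALPHABET = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

    private $bcrypt;
    private $notify;             // callable($user, $link, $tempPassword)

    public function __construct($notify)
    {
        $this->bcrypt = new Bcrypt(array('cost' => 10));
        $this->notify = $notify;
    }

    /** Steps 1-5. $now is injected so expiry is testable. */
    public function begin(array &$user, $now)
    {
        // Steps 1 and 2: not already in a recovery, and active
        if (!empty($user['must_change_pwd']) || empty($user['active'])) {
            return false;
        }
        // Steps 3 and 4: both secrets come from the CSPRNG ($strong = true)
        $tempPassword = Rand::getString(12, self::TEMP_ALPHABET, true);
        $token        = bin2hex(Rand::getBytes(32, true));
        // Only hashes are stored: a database dump yields no usable secrets
        $user['recovery'] = array(
            'temp_hash'  => $this->bcrypt->create($tempPassword),
            'token_hash' => hash('sha256', $token),
            'expires'    => $now + self::TOKEN_TTL,
        );
        $user['must_change_pwd'] = true;
        // Step 5: the tokenized link; delivering the temp password is the
        // notifier's job, ideally over a different channel than the link
        $link = 'https://example.com/recover?token=' . $token;
        call_user_func($this->notify, $user, $link, $tempPassword);
        return true;
    }

    /** Steps 6-9: token and temp password must both check out inside the window. */
    public function complete(array &$user, $token, $tempPassword, $newPassword, $now)
    {
        if (empty($user['recovery']) || empty($user['active'])) {
            return false;
        }
        $rec = $user['recovery'];
        // Step 7: expired => deactivate; the user has to contact support
        if ($now > $rec['expires']) {
            return $this->fail($user);
        }
        // Step 6: constant-time token comparison (hash_equals needs PHP >= 5.6),
        // bcrypt check for the temp password; step 9: any failure => step 7
        if (!hash_equals($rec['token_hash'], hash('sha256', (string) $token))
            || !$this->bcrypt->verify($tempPassword, $rec['temp_hash'])) {
            return $this->fail($user);
        }
        // Step 8: new password in, recovery state out, user back to "OK"
        $user['hash'] = $this->bcrypt->create($newPassword);
        $user['must_change_pwd'] = false;
        unset($user['recovery']);
        return true;
    }

    private function fail(array &$user)
    {
        $user['active'] = false;
        unset($user['recovery']);
        return false;
    }
}

// Constructed user records; the notifier just captures what would be sent
$sent = array();
$recovery = new PasswordRecovery(function ($user, $link, $temp) use (&$sent) {
    $sent = array('link' => $link, 'temp' => $temp);
});
$now   = time();
$alice = array('email' => 'alice@example.com', 'active' => true, 'must_change_pwd' => false, 'hash' => '');
$recovery->begin($alice, $now);
parse_str(parse_url($sent['link'], PHP_URL_QUERY), $q);
var_dump($recovery->complete($alice, $q['token'], $sent['temp'], 'N3w-pa55phrase!', $now + 60)); // bool(true)

$bob = array('email' => 'bob@example.com', 'active' => true, 'must_change_pwd' => false, 'hash' => '');
$recovery->begin($bob, $now);
parse_str(parse_url($sent['link'], PHP_URL_QUERY), $q);
var_dump($recovery->complete($bob, $q['token'], $sent['temp'], 'x', $now + 1000)); // bool(false): expired
var_dump($bob['active']);                                                            // bool(false): deactivated
```

The token is hashed before storage and compared with hash_equals so that neither a database read nor response timing leaks it; the temporary password is a second secret, so send it and the link through different channels where you can, otherwise one intercepted mail defeats both.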
Password Recovery: key points
Know what to do and what to avoid.
Laziness and "user-comfort-centrism" are your enemies.
Brute Force

It's all about TIME
1. Generate a timestamp;
2. Log the attempt;
3. Get the previous attempt's timestamp;
4. Interval = current - previous;
5. If the interval is suspicious (too short for a human), lock the user out;
6. If x unsuccessful attempts, lock the user out.
Show me the code!
[Code slide (image): Brute Force]
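The brute-force code slide was an image. Below is an added example, not the deck's code, of the six steps as a listener attached to an authentication-attempt event through ZF2's Zend\EventManager, which is how the "attempts → Event" design earlier in the deck pays off. The event name 'auth.attempt', its parameter names, the thresholds and the in-memory attempt log (standing in for a table) are assumptions.

```php
<?php
// Added example, not the slides' code: the "all about TIME" checklist as a
// listener on an authentication-attempt event (ZF2 Zend\EventManager).
// Assumptions: composer autoloading, an event 'auth.attempt' with 'identity',
// 'success' and an optional 'now' param, and an in-memory log instead of a table.
require 'vendor/autoload.php';

use Zend\EventManager\EventInterface;
use Zend\EventManager\EventManager;

class BruteForceGuard
{
    const MIN_INTERVAL = 2.0;  // seconds: a human does not retry faster than this
    const MAX_FAILURES = 5;    // consecutive failures before lockout
    const LOCK_SECONDS = 900;  // lockout duration

    private $log = array();    // identity => array('last' => float|null, 'failures' => int, 'locked_until' => float)

    public function isLocked($identity, $now)
    {
        return isset($this->log[$identity]) && $this->log[$identity]['locked_until'] > $now;
    }

    /** Steps 1-6 of the checklist, run for every attempt event. */
    public function onAttempt(EventInterface $e)
    {
        $identity = $e->getParam('identity');
        $success  = (bool) $e->getParam('success');
        // Step 1: timestamp; injectable so the logic is testable
        $now = $e->getParam('now', microtime(true));

        $entry = isset($this->log[$identity]) ? $this->log[$identity]
               : array('last' => null, 'failures' => 0, 'locked_until' => 0);

        // Steps 3 and 4: interval since the previous attempt
        $interval = ($entry['last'] === null) ? null : $now - $entry['last'];

        // Step 5: scripted speed => lock, whatever the outcome of this attempt
        if ($interval !== null && $interval < self::MIN_INTERVAL) {
            $entry['locked_until'] = $now + self::LOCK_SECONDS;
        }
        // Step 6: too many consecutive failures => lock
        $entry['failures'] = $success ? 0 : $entry['failures'] + 1;
        if ($entry['failures'] >= self::MAX_FAILURES) {
            $entry['locked_until'] = $now + self::LOCK_SECONDS;
        }
        // Step 2: log the attempt
        $entry['last'] = $now;
        $this->log[$identity] = $entry;
    }
}

$guard  = new BruteForceGuard();
$events = new EventManager();
$events->attach('auth.attempt', array($guard, 'onAttempt'));

$t = 1000.0;
// Five failures 10 s apart: human pace, but too many of them => locked (step 6)
for ($i = 0; $i < 5; $i++) {
    $events->trigger('auth.attempt', null, array('identity' => 'alice', 'success' => false, 'now' => $t + 10 * $i));
}
var_dump($guard->isLocked('alice', $t + 41)); // bool(true)

// Two attempts 0.2 s apart: a script; locked after the second (step 5) even though it succeeded
$events->trigger('auth.attempt', null, array('identity' => 'bob', 'success' => false, 'now' => $t));
$events->trigger('auth.attempt', null, array('identity' => 'bob', 'success' => true,  'now' => $t + 0.2));
var_dump($guard->isLocked('bob', $t + 1)); // bool(true)

// Normal user: one failure, then success 30 s later => not locked
$events->trigger('auth.attempt', null, array('identity' => 'carol', 'success' => false, 'now' => $t));
$events->trigger('auth.attempt', null, array('identity' => 'carol', 'success' => true,  'now' => $t + 30));
var_dump($guard->isLocked('carol', $t + 31)); // bool(false)
```

Call isLocked() before running the authentication adapter, so a locked identity is refused without the password ever being checked. One caveat the checklist does not mention: locking by identity alone lets an attacker lock legitimate users out on purpose, so pair it with a per-source limit, keep the lockout window short, and answer a locked account with the same generic failure as a wrong password.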
Authorization

The relation between roles and resources.
Roles can inherit from other roles.
Resources may be available to multiple roles.
It's all about CAN & CAN'T.

A few not-so-obvious things to consider:
1. Everyone has a role (the anonymous visitor included);
2. Static storage > Dynamic storage (keep the rule set in code or configuration, not in data users can change);
3. Ideally, the current user's role should be fetched dynamically...
4. ... and a user's role should be "immutable" (never taken from request data).

Zend\Permissions\Acl
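An added example, not the deck's code, of Zend\Permissions\Acl applied to the four points above: a guest role for everyone, a static rule set in code, and the role read from the authenticated identity rather than from the request. The roles, resources, privileges and the shape of the identity array are assumptions.

```php
<?php
// Added example, not the slides' code: Zend\Permissions\Acl applied to the four
// points above. Assumptions: composer autoloading; the roles, resources,
// privileges and the shape of the authenticated identity array.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;

function buildAcl()
{
    $acl = new Acl();
    // Point 1: everyone has a role, the anonymous visitor included
    $acl->addRole('guest');
    $acl->addRole('member', 'guest');      // inherits whatever guest may do
    $acl->addRole('editor', 'member');
    $acl->addRole('suspended', 'member');  // still a member, but muted below
    $acl->addRole('admin');                // no parent: its rules are explicit

    $acl->addResource('article');
    $acl->addResource('user-admin');

    // Point 2: the rule set is static, written here (or in config), not in data
    // a user can edit. The Acl denies by default, so only grants are listed...
    $acl->allow('guest',  'article', 'read');
    $acl->allow('member', 'article', 'comment');
    $acl->allow('editor', 'article', array('create', 'update'));
    $acl->allow('admin');                  // every privilege on every resource
    // ...except where an inherited grant has to be revoked
    $acl->deny('suspended', 'article', 'comment');
    return $acl;
}

/** Points 3 and 4: the role comes from the authenticated identity, never from the request. */
function currentRole(array $identity = null)
{
    return $identity === null ? 'guest' : $identity['role'];
}

function can(Acl $acl, $resource, $privilege, array $identity = null)
{
    try {
        return $acl->isAllowed(currentRole($identity), $resource, $privilege);
    } catch (\Exception $e) {
        // isAllowed() throws on unknown roles or resources: that is a "no"
        return false;
    }
}

$acl = buildAcl();
$member    = array('id' => 7, 'role' => 'member');
$editor    = array('id' => 8, 'role' => 'editor');
$suspended = array('id' => 9, 'role' => 'suspended');
$admin     = array('id' => 1, 'role' => 'admin');

var_dump(can($acl, 'article', 'read'));                  // bool(true)  guest
var_dump(can($acl, 'article', 'comment'));               // bool(false) guest
var_dump(can($acl, 'article', 'read',    $member));      // bool(true)  inherited from guest
var_dump(can($acl, 'article', 'update',  $editor));      // bool(true)
var_dump(can($acl, 'article', 'delete',  $editor));      // bool(false) never granted
var_dump(can($acl, 'article', 'comment', $suspended));   // bool(false) inherited grant revoked
var_dump(can($acl, 'user-admin', 'delete', $admin));     // bool(true)
// A role name that exists only in request data is unknown to the Acl: denied
var_dump(can($acl, 'article', 'read', array('id' => 2, 'role' => 'superuser'))); // bool(false)
```

The identity array here is what the authentication service stored on login; the role in it is looked up server-side from the user record, which is what "fetched dynamically" and "immutable" mean together: the application reads it fresh, the user never writes it.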
Filter / Validation

A few not-so-obvious things to consider:
1. Filter first, then validate;
2. Filtering changes data, so keep a copy of the raw data;
3. Whitelist whenever possible (ideally? ALWAYS);
4. K.I.S.S. (Keep It Simple, Stupid... ly beautiful people!)

Filter & Validation flexibility in ZF2: the same filters and validators can be declared in the form, in the model, or separated from both.
Show me the code!
[Code slide (image): Filter & Validation]
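The filter/validation code slide was an image. What follows is an added example, not the deck's code, of the "separated" variant: a standalone Zend\InputFilter that applies the four points above (filters run before validators, raw values are kept, values and characters are whitelisted). The field names, the role whitelist and the constructed sample input are assumptions.

```php
<?php
// Added example, not the slides' code: Zend\InputFilter used standalone
// ("separated" from form and model), following the four points above.
// Assumptions: composer autoloading, the field names, the role whitelist
// and the constructed sample input.
require 'vendor/autoload.php';

use Zend\InputFilter\InputFilter;
use Zend\Validator\InArray;

function buildRegistrationFilter()
{
    $f = new InputFilter();
    // Point 1: filters run first; validators see the filtered value
    $f->add(array(
        'name'       => 'email',
        'required'   => true,
        'filters'    => array(
            array('name' => 'StringTrim'),
            array('name' => 'StringToLower'),
        ),
        'validators' => array(
            array('name' => 'EmailAddress'),
            array('name' => 'StringLength', 'options' => array('max' => 254)),
        ),
    ));
    $f->add(array(
        'name'       => 'display_name',
        'required'   => true,
        'filters'    => array(
            array('name' => 'StripTags'),
            array('name' => 'StringTrim'),
        ),
        'validators' => array(
            array('name' => 'StringLength', 'options' => array('min' => 2, 'max' => 40)),
            // Point 3: whitelist of characters (letters, digits, space, dot, hyphen);
            // stripping tags alone is not enough, the whitelist is what rejects leftovers
            array('name' => 'Regex', 'options' => array('pattern' => '/^[\p{L}\p{N} .\-]+$/u')),
        ),
    ));
    $f->add(array(
        'name'       => 'role',
        'required'   => true,
        'validators' => array(
            // Point 3: whitelist of values, strict so "0"/"1" cannot be coerced into a match
            array('name' => 'InArray', 'options' => array(
                'haystack' => array('member', 'editor'),
                'strict'   => InArray::COMPARE_STRICT,
            )),
        ),
    ));
    return $f;
}

/** Returns array('valid' => bool, 'clean' => array, 'raw' => array, 'messages' => array). */
function processRegistration(array $post)
{
    $f = buildRegistrationFilter();
    $f->setData($post);
    $valid = $f->isValid();
    return array(
        'valid'    => $valid,
        'clean'    => $valid ? $f->getValues() : array(),
        'raw'      => $f->getRawValues(),   // point 2: the untouched input, for logging/audit
        'messages' => $f->getMessages(),
    );
}

// Constructed input: padding and mixed case, a <script> in the name, a role that is not whitelisted
$bad = processRegistration(array(
    'email'        => ' Alice@Example.COM ',
    'display_name' => 'Alice <script>alert(1)</script>',
    'role'         => 'admin',
));
var_dump($bad['valid']);                    // bool(false)
print_r(array_keys($bad['messages']));      // display_name ("alert(1)" fails the whitelist), role
print_r($bad['raw']['email']);              // " Alice@Example.COM " (raw value kept)

$ok = processRegistration(array('email' => ' Alice@Example.COM ', 'display_name' => ' Alice ', 'role' => 'member'));
var_dump($ok['valid']);                     // bool(true)
print_r($ok['clean']);                      // email => alice@example.com, display_name => Alice, role => member
```

Because the InputFilter is a plain object, the same instance can be handed to a Zend\Form (setInputFilter) or called from the model, which is the flexibility the previous slide refers to; the rules live once, wherever the team decides to keep them.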
Muchas gracias!
? Questions?
↓ Criticism?
↑ Compliments?!

Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 

Último (20)

Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 

Implementing security routines with zf2

  • 1. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Implementing Security Routines with Zend Framework 2 by Er Galvão Abbott. Topics: Authentication, Brute-Force, Password Recovery, Cryptography, Authorization, Filter & Validation. CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34
  • 2. Who?! Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil. Has worked for 20 years developing web-interfaced systems and applications, 15 of those with PHP and 7 with Zend Framework, for several companies, both local and off-shore. Talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group with more than 1.200 registered users. Site: http://www.galvao.eti.br/ Twitter: @galvao Slides and Documents: http://slideshare.net/ergalvao https://speakerdeck.com/galvao Github: http://github.com/galvao
  • 3. Goal: Discuss in both conceptual and technical detail how to implement Security Routines with Zend Framework 2. I'll present the following topics: → Authentication → Brute-force protection → Password recovery → Cryptography → Authorization → Data Filtering and Validation
  • 4. Before we begin: Security != a piece of cake* (* Not the framework. Hilarious!) Why? Because, for an example, I'm required to tell you this:
  • 5. Disclaimer (or the “Not my fault” part): $this is... !Perfect|Complete, !Fool proof, !The only|right way. Found out an example why? Let me know!
  • 6. Authentication
  • 7. Authentication: ZfcUser, right?!
  • 8. Authentication: ZfcUser, right?! YES! Well...
  • 9. Authentication: Let's talk about wheels... If you don't [want to] know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser
  • 10. Authentication: Let's talk about wheels... If you don't [want to] know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser. If you do... Authentication, Crypt, Filter, Form.
  • 11. Authentication: Now that we've put that aside... Authentication → Service*. Cryptography → (Can also be a) Service*. Authentication attempts → Event. (* Yes, yes, it could be done as a Module, Plugin, etc... -.-”)
  • 12. Authentication: Show me the code!
  • 13. code Authentication & Cryptography <<
  • 14. code Cryptography <<
  • 15. code Authentication <<
  • 16. code Authentication <<
  • 17. Password Recovery
  • 18. Password Recovery: Checklist. 1. User doesn't “need to change pwd” already; 2. User is “active”; 3. Randomize a temporary pwd; 4. Randomize a temporary, short-life token; 5. Send a tokenized link for the user to change his pwd; 6. He must correctly enter the temp pwd; 7. If the new pwd and/or token expires, inactivate, make him contact support; 8. Else, change the pwd, mark the user as “OK”; 9. If any step fails, see step 7! For your randomization needs: https://github.com/galvao/PHPToolkit* (* Shameless advertising detected!)
  • 19. Password Recovery: Key points. Know what to do and what to avoid. Laziness and “user-comfort-centrism” are your enemies.
  • 20. Brute Force
  • 21. Brute Force: It's all about TIME. 1. Generate a timestamp; 2. Log the attempt; 3. Get previous attempt timestamp; 4. Interval = current - previous; 5. If the interval is suspicious, lock the user out; 6. If x unsuccessful attempts, lock the user out.
  • 22. Brute Force: Show me the code!
  • 23. code Brute Force <<
  • 24. Authorization
  • 25. Authorization: The relation between roles and resources. Roles can inherit from other roles. Resources may be available to multiple roles. It's all about CAN & CAN'T. A few not-so-obvious things to consider: 1. Everyone has a role; 2. Static storage > Dynamic storage; 3. Ideally, the role of the current user should be fetched dynamically... 4. … and a user's role should be “immutable”.
  • 26. Authorization: Zend\Permissions\Acl
  • 27. Filter / Validation
  • 28. Filter / Validation: A few not-so-obvious things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS); 4. K.I.S.S.
  • 29. Filter / Validation: A few not-so-obvious things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS); 4. K.I.S.S. (Keep It Simple, Stupid...)
  • 30. Filter / Validation: A few not-so-obvious things to consider: 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS); 4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!)
  • 31. Filter / Validation: Flexibility in ZF2. Filter & Validation can live in the form, in the model, or separated.
  • 32. Filter / Validation: Show me the code!
  • 33. code Filter & Validation <<
  • 34. Muchas gracias! ? Questions? ↓ Criticism? ↑ Complements?!
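The code slides (13-16 and 23) did not survive extraction, so the following is an added example, not the author's code: it wires slide 11's three ideas together in ZF2 terms (authentication as a service, cryptography as a service, attempts as events) and hangs the two slide-21 brute-force rules off those events. The in-memory user array, the event names `auth.attempt`/`auth.failure` and the 2-second/5-failure thresholds are assumptions of this example.

```php
<?php
// Added example, not code from the deck: Zend\Authentication with a bcrypt adapter, and the
// slide-21 brute-force rules attached as listeners to login events (slide 11: attempts -> Event).
// Assumptions: the user table is an in-memory array; event names and thresholds are our own.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;
use Zend\EventManager\EventInterface;
use Zend\EventManager\EventManager;

class BcryptAdapter implements AdapterInterface
{
    private $users;                       // username => ['hash' => string, 'active' => bool]
    private $bcrypt, $dummyHash, $username, $password;

    public function __construct(array $users, Bcrypt $bcrypt)
    {
        $this->users     = $users;
        $this->bcrypt    = $bcrypt;
        $this->dummyHash = $bcrypt->create('dummy');
    }

    public function setCredentials($username, $password)
    {
        $this->username = $username;
        $this->password = $password;
        return $this;
    }

    public function authenticate()
    {
        $known = isset($this->users[$this->username]) && $this->users[$this->username]['active'];
        $hash  = $known ? $this->users[$this->username]['hash'] : $this->dummyHash;
        // Always run one bcrypt verify so the response time does not reveal whether the user exists.
        if (!$this->bcrypt->verify($this->password, $hash) || !$known) {
            return new Result(Result::FAILURE, null, array('Invalid credentials'));
        }
        return new Result(Result::SUCCESS, $this->username);
    }
}

class AttemptGuard
{
    const MIN_INTERVAL = 2.0;   // seconds; faster than a human can retype is suspicious
    const MAX_FAILURES = 5;
    private $log = array();     // username => ['last' => float|null, 'failures' => int, 'locked' => bool]

    public function isLocked($username)
    {
        return isset($this->log[$username]) && $this->log[$username]['locked'];
    }

    public function onAttempt(EventInterface $e)
    {
        $user = $e->getParam('username');
        $now  = $e->getParam('time');                             // step 1: timestamp
        if (!isset($this->log[$user])) {
            $this->log[$user] = array('last' => null, 'failures' => 0, 'locked' => false);
        }
        $prev = $this->log[$user]['last'];                        // step 3: previous attempt
        if ($prev !== null && ($now - $prev) < self::MIN_INTERVAL) {
            $this->log[$user]['locked'] = true;                   // step 5: interval is suspicious
        }
        $this->log[$user]['last'] = $now;                         // step 2: log the attempt
    }

    public function onFailure(EventInterface $e)
    {
        $user = $e->getParam('username');
        if (isset($this->log[$user]) && ++$this->log[$user]['failures'] >= self::MAX_FAILURES) {
            $this->log[$user]['locked'] = true;                   // step 6: x unsuccessful attempts
        }
    }
}

$bcrypt  = new Bcrypt(array('cost' => 10));
$users   = array('alice' => array('hash' => $bcrypt->create('correct horse'), 'active' => true)); // constructed
$adapter = new BcryptAdapter($users, $bcrypt);
$auth    = new AuthenticationService(new NonPersistent(), $adapter);
$guard   = new AttemptGuard();
$events  = new EventManager();
$events->attach('auth.attempt', array($guard, 'onAttempt'));
$events->attach('auth.failure', array($guard, 'onFailure'));
$login = function ($user, $pass) use ($auth, $adapter, $events, $guard) {
    $events->trigger('auth.attempt', null, array('username' => $user, 'time' => microtime(true)));
    if ($guard->isLocked($user)) {
        return 'locked';
    }
    $result = $auth->authenticate($adapter->setCredentials($user, $pass));
    if (!$result->isValid()) {
        $events->trigger('auth.failure', null, array('username' => $user));
        return 'denied';
    }
    return 'ok: ' . $auth->getIdentity();
};

echo $login('alice', 'wrong'), PHP_EOL;
echo $login('alice', 'correct horse'), PHP_EOL;
```

Run from the CLI, the second call is refused even with the right password, because it arrives within `MIN_INTERVAL` of the first: that is the interval rule from slide 21 doing its job, independently of the failure counter. In a real application the guard's `$log` would be a table keyed by account (and usually also by source address), the lock would expire after a cooling-off period rather than being permanent, and the user-facing message for "locked" and "denied" should be the same so the login form does not tell an outsider which accounts exist. `NonPersistent` storage is used only so the script runs without a session; a web app keeps the default session storage.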
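Slide 18's checklist as runnable code, added here as an example and not taken from the deck or from the author's PHPToolkit. It assumes an in-memory user array in place of a database table, a callable standing in for the e-mail/SMS sender, a 15-minute token lifetime and a placeholder link domain; randomness comes from `Zend\Math\Rand` and the temporary password and token are stored only as hashes.

```php
<?php
// Added example, not code from the deck: the slide-18 password recovery checklist as a service.
// Assumptions: users live in an in-memory array instead of a DB table; "sending" the link is a
// callable so the flow runs offline; the 15-minute token lifetime and the link URL are our own.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;
use Zend\Crypt\Utils;
use Zend\Math\Rand;

class PasswordRecovery
{
    const TOKEN_TTL = 900;  // seconds a tokenized link stays valid (step 4: short-life)
    private $users;         // username => ['hash', 'active', 'must_change', 'recovery']
    private $bcrypt, $mailer;

    public function __construct(array $users, Bcrypt $bcrypt, $mailer)
    {
        $this->users  = $users;
        $this->bcrypt = $bcrypt;
        $this->mailer = $mailer;
    }

    /** Steps 1-5: eligibility, temporary password, short-lived token, tokenized link. */
    public function request($username, $now)
    {
        if (!isset($this->users[$username])) {
            return false;                                   // reveal nothing about unknown users
        }
        $u = &$this->users[$username];
        if (!$u['active'] || $u['must_change']) {
            return false;                                   // steps 1 and 2
        }
        $tempPwd = Rand::getString(12, '23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ');
        $token   = bin2hex(Rand::getBytes(16));
        $u['must_change'] = true;
        $u['recovery'] = array(
            'temp_hash'  => $this->bcrypt->create($tempPwd), // the temp pwd is never stored in clear
            'token_hash' => hash('sha256', $token),          // a leaked table must not yield usable links
            'expires'    => $now + self::TOKEN_TTL,
        );
        // Temp password and link should travel by separate channels; one callable stands in for both.
        call_user_func($this->mailer, $username, 'https://example.invalid/recover?token=' . $token, $tempPwd);
        return true;
    }

    /** Steps 6-9: token and temp pwd must both match; expiry or any failure inactivates the user. */
    public function complete($username, $token, $tempPwd, $newPwd, $now)
    {
        if (!isset($this->users[$username]) || empty($this->users[$username]['recovery'])) {
            return 'rejected';
        }
        $u = &$this->users[$username];
        $r = $u['recovery'];
        $u['recovery'] = null;                              // a link is good for exactly one try
        if ($now > $r['expires']) {
            $u['active'] = false;                           // step 7: inactivate, contact support
            return 'expired';
        }
        if (!Utils::compareStrings($r['token_hash'], hash('sha256', $token))
            || !$this->bcrypt->verify($tempPwd, $r['temp_hash'])) {
            $u['active'] = false;                           // step 9: any failure -> step 7
            return 'rejected';
        }
        $u['hash'] = $this->bcrypt->create($newPwd);        // step 8: change the pwd, mark the user OK
        $u['must_change'] = false;
        return 'changed';
    }

    public function user($username)
    {
        return $this->users[$username];
    }
}

$bcrypt = new Bcrypt(array('cost' => 10));
$users  = array('bob' => array('hash' => $bcrypt->create('old pwd'), 'active' => true,
                               'must_change' => false, 'recovery' => null));  // constructed
$sent   = array();
$svc    = new PasswordRecovery($users, $bcrypt, function ($user, $link, $tempPwd) use (&$sent) {
    $sent = array('user' => $user, 'link' => $link, 'temp' => $tempPwd);   // stand-in for e-mail/SMS
});
$t0 = time();
var_dump($svc->request('bob', $t0));
parse_str(parse_url($sent['link'], PHP_URL_QUERY), $query);
echo $svc->complete('bob', $query['token'], $sent['temp'], 'new pwd', $t0 + 60), PHP_EOL;
print_r($svc->user('bob'));
```

Two design points follow directly from the checklist. Step 9 is taken literally: one wrong token or temporary password inactivates the account, which is the "user-comfort-centrism is your enemy" trade-off of slide 19; a softer policy would allow a small number of tries before doing so. The token is compared with `Zend\Crypt\Utils::compareStrings` rather than `==` so the comparison takes the same time whether or not the prefixes match, and only its SHA-256 is kept, so a dump of the recovery table cannot be turned into working links.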
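An added example (not the author's code) of slide 26's `Zend\Permissions\Acl` arranged according to the four points on slide 25: every caller has a role (default `guest`), the role/resource definitions are static in code, the role is read from the identity at check time, and callers cannot supply a role themselves. The role and resource names, and the identity array shape, are assumptions of this example.

```php
<?php
// Added example, not code from the deck: Zend\Permissions\Acl set up the way slide 25 recommends.
// Assumptions: roles and resources are static (defined in code); the current user's role is read
// from the authenticated identity at check time; anyone without a valid role is a 'guest'.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Resource\GenericResource;
use Zend\Permissions\Acl\Role\GenericRole;

class Authorizer
{
    const DEFAULT_ROLE = 'guest';   // point 1: everyone has a role
    private $acl;

    public function __construct()
    {
        $acl = new Acl();
        // Roles inherit: member gets everything guest has, admin everything member has.
        $acl->addRole(new GenericRole('guest'));
        $acl->addRole(new GenericRole('member'), 'guest');
        $acl->addRole(new GenericRole('admin'), 'member');
        // Resources may be shared by several roles.
        $acl->addResource(new GenericResource('article'));
        $acl->addResource(new GenericResource('user'));
        // Nothing is allowed until said so; grant each role the minimum it needs.
        $acl->allow('guest', 'article', 'read');
        $acl->allow('member', 'article', array('create', 'update'));
        $acl->allow('admin', 'article');                 // all privileges on article
        $acl->allow('admin', 'user');
        $acl->deny('admin', 'user', 'delete');            // a specific deny wins over the broad allow
        $this->acl = $acl;
    }

    /** Point 3: the role is fetched from the identity; point 4: callers never pass a role in. */
    public function roleOf(array $identity = null)
    {
        if ($identity === null || empty($identity['role']) || !$this->acl->hasRole($identity['role'])) {
            return self::DEFAULT_ROLE;                    // missing or unknown role collapses to guest
        }
        return $identity['role'];
    }

    public function can($resource, $privilege, array $identity = null)
    {
        if (!$this->acl->hasResource($resource)) {
            return false;                                 // unknown resource: fail closed, do not throw
        }
        return $this->acl->isAllowed($this->roleOf($identity), $resource, $privilege);
    }
}

$authz  = new Authorizer();
$admin  = array('username' => 'alice', 'role' => 'admin');        // constructed identities
$other  = array('username' => 'mallory', 'role' => 'superuser');  // role that does not exist in the ACL
var_dump($authz->can('article', 'read'));                         // anonymous visitor
var_dump($authz->can('article', 'update', $admin));               // inherited from member
var_dump($authz->can('user', 'delete', $admin));
var_dump($authz->can('user', 'list', $other));
var_dump($authz->can('settings', 'read', $admin));                // resource never registered
```

`isAllowed()` throws for a resource that was never registered; `can()` checks `hasResource()` first and returns `false`, so a typo in a controller name denies rather than crashes. The identity's role is validated against the ACL each time, which is what keeps the role "immutable" from the caller's point of view: the only way to change what a user may do is to change the static definitions, not the identity record.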
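Slides 28-31 with `Zend\InputFilter`, as an added example rather than the deck's own code slide: filters are attached before validators and run first, the raw payload stays available through `getRawValues()`, and the `role` field is validated against a closed whitelist. The field names, the allowed roles and the length limits are assumptions of this example.

```php
<?php
// Added example, not code from the deck: Zend\InputFilter applied to a constructed registration
// payload, following slide 28: filter first, then validate; keep the raw data; whitelist values.
// Assumptions: field names, the allowed roles and the length limits are our own choices.
require 'vendor/autoload.php';

use Zend\Filter\StringToLower;
use Zend\Filter\StringTrim;
use Zend\Filter\StripTags;
use Zend\InputFilter\Input;
use Zend\InputFilter\InputFilter;
use Zend\Validator\EmailAddress;
use Zend\Validator\InArray;
use Zend\Validator\Regex;
use Zend\Validator\StringLength;

function buildRegistrationFilter()
{
    $filter = new InputFilter();

    $username = new Input('username');
    $username->setRequired(true);
    // Filters run before validators, so the validators see trimmed, lower-cased data.
    $username->getFilterChain()->attach(new StringTrim())->attach(new StringToLower());
    // Whitelist the alphabet instead of blacklisting "dangerous" characters.
    $username->getValidatorChain()
        ->attach(new Regex('/^[a-z][a-z0-9_]*$/'))
        ->attach(new StringLength(array('min' => 3, 'max' => 32)));

    $email = new Input('email');
    $email->setRequired(true);
    $email->getFilterChain()->attach(new StringTrim());
    $email->getValidatorChain()->attach(new EmailAddress());

    $role = new Input('role');
    $role->setRequired(true);
    $role->getFilterChain()->attach(new StringTrim());
    // Closed set of values (ideally ALWAYS): the simplest validator is also the strongest.
    $role->getValidatorChain()->attach(new InArray(array('haystack' => array('member', 'editor'), 'strict' => true)));

    $bio = new Input('bio');
    $bio->setRequired(false);
    $bio->getFilterChain()->attach(new StripTags())->attach(new StringTrim());
    $bio->getValidatorChain()->attach(new StringLength(array('max' => 200)));

    foreach (array($username, $email, $role, $bio) as $input) {
        $filter->add($input);
    }
    return $filter;
}

$payload = array(                 // constructed request data (e.g. $request->getPost()->toArray())
    'username' => '  Alice_01 ',
    'email'    => ' alice@example.com ',
    'role'     => 'owner',        // not in the whitelist
    'bio'      => '<b>Hi</b> there <a href="#">link</a>',
);
$filter = buildRegistrationFilter();
$filter->setData($payload);
if (!$filter->isValid()) {
    print_r($filter->getMessages());
}
print_r($filter->getRawValues());  // untouched input: keep it for audit and debugging
print_r($filter->getValues());     // filtered values: trimmed, lower-cased, tags stripped
```

`getRawValues()` is slide 28's "backup raw data" point in API form: once `StringTrim`, `StringToLower` and `StripTags` have run, the original bytes are gone from `getValues()`, and an audit log or an abuse investigation usually wants what the client actually sent. Note also that `StripTags` removes tags but keeps their text content; it is a normalisation step, not a substitute for escaping on output. The same `InputFilter` can be attached to a `Zend\Form`, used in a model, or kept separate, which is the flexibility slide 31 refers to.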