Implementing Security Routines with Zend Framework 2 www.galvao.eti.br
Implementing Security Routines with Zend Framework 2
by Er Galvão Abbott
→ Authentication
→ Filter & Validation
→ Password Recovery
→ Cryptography
→ Authorization
→ Brute-Force
CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34
Who?!
Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil.
He has worked for 20 years developing web-interfaced systems and applications, 15 of those with PHP and 7 with Zend Framework, and has worked with several companies, both local and offshore.
He talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group with more than 1,200 registered users.
Site: http://www.galvao.eti.br/
Twitter: @galvao
Slides and Documents: http://slideshare.net/ergalvao
https://speakerdeck.com/galvao
Github: http://github.com/galvao
Goal
Discuss, in both conceptual and technical detail, how to implement Security Routines with Zend Framework 2.
I'll present the following topics:
→ Authentication
→ Brute-force protection
→ Password recovery
→ Cryptography
→ Authorization
→ Data Filtering and Validation
Before we begin
Security != a piece of cake*
Why? Because, for example, I'm required to tell you this:
Disclaimer (or the “Not my fault” part)
$this is...
!Perfect|Complete
!Fool proof
!The only|right way
Found an example of why? Let me know!
* Not the framework (Hilarious!)
Authentication
ZfcUser, right?!
YES! Well...
Let's talk about wheels...
If you don't [want to] know much about security...
http://modules.zendframework.com/ZF-Commons/ZfcUser
If you do...
→ Authentication
→ Crypt
→ Filter
→ Form
Now that we've put that aside...
Authentication → Service*
Cryptography → (can also be a) Service*
Authentication attempts → Event
* Yes, yes, it could be done as a Module, Plugin, etc... -.-”
Show me the code!
(Code slides: Authentication & Cryptography; Cryptography; Authentication; Authentication. The code on those slides was not captured in this transcript.)
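The Service / Service / Event split from the previous slide, written out as an added example (this is not the author's code from the deck): a Zend\Authentication adapter that verifies bcrypt hashes with Zend\Crypt\Password\Bcrypt, driven by AuthenticationService, with every attempt published as an event on Zend\EventManager. It assumes Zend Framework 2 installed via Composer; the $users array, the event name auth.attempt and the BcryptAdapter class are constructed for the demo.

```php
<?php
// Added example, not the talk's own code. Assumes ZF2 via Composer; the
// $users array stands in for a user table and 'auth.attempt' is an assumed
// event name.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;
use Zend\EventManager\EventInterface;
use Zend\EventManager\EventManager;

class BcryptAdapter implements AdapterInterface
{
    private $users;      // email => bcrypt hash (constructed "table")
    private $bcrypt;
    private $events;
    private $dummyHash;  // verified when the user does not exist, to keep timing even
    private $identity;
    private $credential;

    public function __construct(array $users, Bcrypt $bcrypt, EventManager $events)
    {
        $this->users     = $users;
        $this->bcrypt    = $bcrypt;
        $this->events    = $events;
        $this->dummyHash = $bcrypt->create('not-a-real-password');
    }

    public function setCredentials($identity, $credential)
    {
        $this->identity   = $identity;
        $this->credential = $credential;
        return $this;
    }

    public function authenticate()
    {
        if (!isset($this->users[$this->identity])) {
            // Unknown user: still pay for one bcrypt verification so the response
            // time does not reveal which usernames exist.
            $this->bcrypt->verify($this->credential, $this->dummyHash);
            return $this->finish(Result::FAILURE_IDENTITY_NOT_FOUND);
        }
        if (!$this->bcrypt->verify($this->credential, $this->users[$this->identity])) {
            return $this->finish(Result::FAILURE_CREDENTIAL_INVALID);
        }
        return $this->finish(Result::SUCCESS);
    }

    private function finish($code)
    {
        // The precise reason goes to the event (for logging and brute-force
        // counting); the caller only ever sees one generic message.
        $this->events->trigger('auth.attempt', $this, [
            'identity' => $this->identity,
            'code'     => $code,
            'time'     => time(),
        ]);
        $this->credential = null; // do not keep the clear-text password around
        return $code === Result::SUCCESS
            ? new Result(Result::SUCCESS, $this->identity)
            : new Result($code, null, ['Invalid credentials']);
    }
}

// --- wiring ---------------------------------------------------------------
$bcrypt = new Bcrypt();
$bcrypt->setCost(12); // raise as your hardware allows

$users = [
    'alice@example.com' => $bcrypt->create('correct horse battery staple'),
];

$events = new EventManager();
$events->attach('auth.attempt', function (EventInterface $e) {
    error_log(sprintf('[auth] identity=%s code=%d', $e->getParam('identity'), $e->getParam('code')));
});

$adapter = new BcryptAdapter($users, $bcrypt, $events);
$auth    = new AuthenticationService(new NonPersistent(), $adapter);

$auth->authenticate($adapter->setCredentials('alice@example.com', 'wrong password'));
$auth->authenticate($adapter->setCredentials('alice@example.com', 'correct horse battery staple'));
printf("identity in storage: %s\n", $auth->hasIdentity() ? $auth->getIdentity() : '(none)');
```

NonPersistent storage is used so the script runs from the command line; a web application would keep the default session storage. The event listener is where the brute-force counter from the later slides plugs in, without the adapter knowing about it.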
Password Recovery
Checklist
1. User doesn't “need to change pwd” already;
2. User is “active”;
3. Randomize a temporary pwd;
4. Randomize a temporary, short-lived token;
5. Send a tokenized link for the user to change his pwd;
6. He must correctly enter the temp pwd;
7. If the new pwd and/or token expires, inactivate the user and make him contact support;
8. Else, change the pwd and mark the user as “OK”;
9. If any step fails, see step 7!
For your randomization needs: https://github.com/galvao/PHPToolkit*
* Shameless advertising detected!
Key points
Know what to do and what to avoid.
Laziness and “user-comfort-centrism” are your enemies.
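The nine-step checklist as a small state machine, added here as an example (not the author's code, and not the PHPToolkit the slide points to): random values come from PHP 7's random_bytes(), the users and pending recoveries live in arrays standing in for database tables, and the token lifetime, temp password length and recovery URL are assumed values.

```php
<?php
// Added example, not the talk's own code. PHP 7+ (random_bytes). The user
// records, the 15-minute lifetime and the example.test URL are constructed.

class PasswordRecovery
{
    const TOKEN_TTL_SECONDS = 900; // short-lived token: 15 minutes (assumed)

    private $users;        // id => ['status' => 'active'|'inactive', 'must_change' => bool, 'hash' => string]
    private $pending = []; // id => ['token' => sha256 digest, 'temp' => bcrypt hash, 'expires' => int]

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /** Steps 1-5. Returns what to send, or false if the account was inactivated. */
    public function start($userId, $now)
    {
        $user = isset($this->users[$userId]) ? $this->users[$userId] : null;
        if ($user === null || $user['status'] !== 'active' || $user['must_change']) {
            return $this->inactivate($userId);                    // steps 1, 2 (and 9)
        }
        $tempPwd = bin2hex(random_bytes(8));                       // step 3
        $token   = bin2hex(random_bytes(32));                      // step 4
        $this->pending[$userId] = [
            'token'   => hash('sha256', $token),  // store digests only: a DB dump must not yield live tokens
            'temp'    => password_hash($tempPwd, PASSWORD_BCRYPT),
            'expires' => $now + self::TOKEN_TTL_SECONDS,
        ];
        $this->users[$userId]['must_change'] = true;
        // Step 5: the link carries the token; the temp pwd goes by a separate
        // channel (assumed: a second message), never in the same mail.
        $link = 'https://example.test/recover?uid=' . rawurlencode($userId) . '&token=' . $token;
        return ['link' => $link, 'temp_pwd' => $tempPwd];
    }

    /** Steps 6-9. Returns true on success; any failure inactivates the account. */
    public function complete($userId, $token, $tempPwd, $newPwd, $now)
    {
        if (!isset($this->pending[$userId])) {
            return $this->inactivate($userId);
        }
        $p = $this->pending[$userId];
        if ($now > $p['expires']                                          // step 7: expired
            || !hash_equals($p['token'], hash('sha256', (string) $token))  // constant-time compare
            || !password_verify((string) $tempPwd, $p['temp'])) {         // step 6
            return $this->inactivate($userId);                            // step 9
        }
        $this->users[$userId]['hash']        = password_hash($newPwd, PASSWORD_BCRYPT); // step 8
        $this->users[$userId]['must_change'] = false;
        unset($this->pending[$userId]);
        return true;
    }

    public function user($userId)
    {
        return $this->users[$userId];
    }

    private function inactivate($userId)
    {
        if (isset($this->users[$userId])) {
            $this->users[$userId]['status'] = 'inactive'; // step 7: user must contact support
        }
        unset($this->pending[$userId]);
        return false;
    }
}

// --- demo with constructed data ------------------------------------------
$now = time();

// Happy path: correct token and temp pwd, within the lifetime.
$recovery = new PasswordRecovery([
    'u42' => ['status' => 'active', 'must_change' => false, 'hash' => password_hash('old-secret', PASSWORD_BCRYPT)],
]);
$sent = $recovery->start('u42', $now);                    // the application mails $sent['link']
parse_str(parse_url($sent['link'], PHP_URL_QUERY), $q);
var_dump($recovery->complete('u42', $q['token'], $sent['temp_pwd'], 'new-secret', $now + 60));
var_dump($recovery->user('u42')['status']);

// Late arrival: the same link after the token expired inactivates the account.
$recovery2 = new PasswordRecovery([
    'u43' => ['status' => 'active', 'must_change' => false, 'hash' => ''],
]);
$sent2 = $recovery2->start('u43', $now);
parse_str(parse_url($sent2['link'], PHP_URL_QUERY), $q2);
var_dump($recovery2->complete('u43', $q2['token'], $sent2['temp_pwd'], 'irrelevant', $now + 901));
var_dump($recovery2->user('u43')['status']);
```

Every failure takes the same exit (inactivate), which is the checklist's step 9 taken literally; the cost is more support contacts, which is exactly the "user-comfort-centrism" trade-off the key points warn about.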
Brute Force
It's all about TIME
1. Generate a timestamp;
2. Log the attempt;
3. Get the previous attempt's timestamp;
4. Interval = current - previous;
5. If the interval is suspicious, lock the user out;
6. If x unsuccessful attempts, lock the user out.
Show me the code!
(Code slide: Brute Force. The code on that slide was not captured in this transcript.)
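The six steps above as an attempt tracker, added here as an example (not the code from the author's slide): attempts and locks are kept in arrays standing in for a database table, and the thresholds (2 seconds, 5 failures, 15-minute lock) are assumed values to tune per application.

```php
<?php
// Added example, not the talk's own code. Thresholds and the in-memory
// storage are assumed; the timestamps in the demo are constructed.

class LoginAttemptGuard
{
    const MIN_INTERVAL_SECONDS = 2;   // anything quicker is not a human retyping
    const MAX_FAILURES         = 5;   // consecutive failures before lockout
    const LOCK_SECONDS         = 900; // lockout length

    private $attempts = []; // identity => list of ['time' => int, 'ok' => bool]
    private $locks    = []; // identity => timestamp at which the lock expires

    public function isLocked($identity, $now)
    {
        return isset($this->locks[$identity]) && $this->locks[$identity] > $now;
    }

    /**
     * Call after every login attempt, successful or not.
     * Returns 'ok', or the lockout reason ('interval' / 'failures').
     */
    public function record($identity, $success, $now = null)
    {
        $now      = ($now === null) ? time() : $now;                       // 1. generate a timestamp
        $history  = isset($this->attempts[$identity]) ? $this->attempts[$identity] : [];
        $previous = end($history);                                         // 3. previous attempt
        $this->attempts[$identity][] = ['time' => $now, 'ok' => (bool) $success]; // 2. log it

        if ($previous !== false) {
            $interval = $now - $previous['time'];                          // 4. interval
            if ($interval < self::MIN_INTERVAL_SECONDS) {                  // 5. suspicious interval
                return $this->lock($identity, $now, 'interval');
            }
        }

        $failures = 0;                                                     // 6. consecutive failures
        foreach (array_reverse($this->attempts[$identity]) as $attempt) {
            if ($attempt['ok']) {
                break;
            }
            $failures++;
        }
        if ($failures >= self::MAX_FAILURES) {
            return $this->lock($identity, $now, 'failures');
        }
        return 'ok';
    }

    private function lock($identity, $now, $reason)
    {
        $this->locks[$identity] = $now + self::LOCK_SECONDS;
        // Lockouts are a detection signal as well as a control: always log them.
        error_log(sprintf('[brute-force] identity=%s locked reason=%s until=%d',
            $identity, $reason, $this->locks[$identity]));
        return $reason;
    }
}

// --- demo with constructed timestamps ------------------------------------
$guard = new LoginAttemptGuard();
$t = 1000000;

// A person mistyping twice, ten seconds apart: stays unlocked.
$guard->record('alice', false, $t);
$guard->record('alice', false, $t + 10);
var_dump($guard->isLocked('alice', $t + 11));

// Two attempts within the same second on one account: locked by the interval rule.
$guard->record('bob', false, $t);
var_dump($guard->record('bob', false, $t));
var_dump($guard->isLocked('bob', $t + 60));

// Slow but persistent failures, 30 seconds apart: locked by the failure count.
for ($i = 0; $i < 5; $i++) {
    $last = $guard->record('carol', false, $t + 30 * $i);
}
var_dump($last);
```

Check isLocked() before running the authentication adapter at all, so a locked account never reaches the password check. The interval rule applies to successful attempts too, as the checklist states; that is deliberate, since a correct password arriving a few hundred milliseconds after a wrong one is the signature of a script, not a user.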
Authorization
The relation between roles and resources.
Roles can inherit from other roles.
Resources may be available to multiple roles.
It's all about CAN & CAN'T
A few not-so-obvious things to consider:
1. Everyone has a role;
2. Static storage > Dynamic storage;
3. Ideally, the role of the current user should be fetched dynamically...
4. ... and a user's role should be “immutable”.
Zend\Permissions\Acl
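The four points applied with Zend\Permissions\Acl, as an added example (not code from the deck): the rules are static, defined in code (point 2); the current user's role is read from the persisted user record on each request (points 3 and 4); and an unknown role or resource fails closed. It assumes ZF2 via Composer; the roles, resources, privileges and the $currentUser record are constructed.

```php
<?php
// Added example, not the talk's own code. Assumes ZF2 via Composer; every
// role, resource and user record below is constructed for the demo.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Exception\ExceptionInterface as AclException;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
use Zend\Permissions\Acl\Role\GenericRole as Role;

function buildAcl()
{
    $acl = new Acl();

    // Point 1: everyone has a role, including anonymous visitors.
    $acl->addRole(new Role('guest'));
    $acl->addRole(new Role('member'), 'guest'); // inherits everything guest may do
    $acl->addRole(new Role('editor'), 'member');
    $acl->addRole(new Role('admin'));           // no inheritance: explicit rules only

    $acl->addResource(new Resource('article'));
    $acl->addResource(new Resource('comment'));
    $acl->addResource(new Resource('user-admin'));

    // Default is deny; only grants are listed (a whitelist, as in the next section).
    $acl->allow('guest',  'article', 'read');
    $acl->allow('member', 'comment', ['create', 'read']);
    $acl->allow('editor', 'article', ['create', 'update']);
    $acl->allow('admin');                       // every privilege on every resource
    $acl->deny('editor',  'article', 'delete'); // explicit, even though it is denied by default

    return $acl;
}

/** Points 3 and 4: the role comes from the stored user record, not from the session or a cookie. */
function roleFor(array $userRecord)
{
    return isset($userRecord['role']) ? $userRecord['role'] : 'guest';
}

/** Fail closed: a role or resource the ACL does not know about is a bug, not a grant. */
function can(Acl $acl, $role, $resource, $privilege)
{
    try {
        return $acl->isAllowed($role, $resource, $privilege);
    } catch (AclException $e) {
        error_log(sprintf('[acl] unknown role/resource %s/%s: %s', $role, $resource, $e->getMessage()));
        return false;
    }
}

$acl = buildAcl();
$currentUser = ['id' => 7, 'role' => 'editor']; // constructed: would be loaded by id on each request

var_dump(can($acl, roleFor($currentUser), 'article', 'update'));
var_dump(can($acl, roleFor($currentUser), 'article', 'delete'));
var_dump(can($acl, roleFor($currentUser), 'comment', 'create')); // inherited from member
var_dump(can($acl, roleFor([]), 'article', 'read'));             // anonymous visitor => guest
var_dump(can($acl, 'superuser', 'article', 'read'));             // unknown role => false, and logged
```

Keeping the rule set in code rather than in a table means a review of who can do what is a code review, and a compromised database cannot quietly grant itself admin.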
Filter / Validation
A few not-so-obvious things to consider:
1. Filter first, then Validate;
2. Filtering changes data, so back up the raw data;
3. White List whenever possible (Ideally? ALWAYS);
4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!)
Flexibility in ZF2: Filter & Validation can live
→ in the form
→ in the model
→ separated
Show me the code!
(Code slide: Filter & Validation. The code on that slide was not captured in this transcript.)
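The four points as a Zend\InputFilter definition kept "separated" from both form and model, added here as an example (not the code from the author's slide): each Input runs its filter chain before its validator chain, the raw submission is kept alongside the filtered values, and the role field is a strict whitelist. It assumes ZF2 via Composer; the field names and the submitted data are constructed.

```php
<?php
// Added example, not the talk's own code. Assumes ZF2 via Composer; the
// profile fields and the two submissions at the bottom are constructed.
require 'vendor/autoload.php';

use Zend\Filter\StringToLower;
use Zend\Filter\StringTrim;
use Zend\Filter\StripTags;
use Zend\InputFilter\Input;
use Zend\InputFilter\InputFilter;
use Zend\Validator\EmailAddress;
use Zend\Validator\InArray;
use Zend\Validator\StringLength;

function buildProfileInputFilter()
{
    $inputFilter = new InputFilter();

    // Point 1: each Input runs its filter chain first, then its validator chain.
    $email = new Input('email');
    $email->getFilterChain()->attach(new StringTrim())->attach(new StringToLower());
    $email->getValidatorChain()->attach(new EmailAddress());
    $inputFilter->add($email);

    $name = new Input('display_name');
    $name->getFilterChain()->attach(new StripTags())->attach(new StringTrim());
    $name->getValidatorChain()->attach(new StringLength(['min' => 2, 'max' => 60]));
    $inputFilter->add($name);

    // Point 3: the role is a whitelist, never a free-form string looked up
    // later; strict comparison so "0" or true cannot match an entry.
    $role = new Input('role');
    $role->getValidatorChain()->attach(new InArray([
        'haystack' => ['member', 'editor'],
        'strict'   => InArray::COMPARE_STRICT,
    ]));
    $inputFilter->add($role);

    return $inputFilter;
}

/** Returns validity, filtered values, the untouched raw values and any messages. */
function processProfile(array $submitted)
{
    $inputFilter = buildProfileInputFilter();
    $inputFilter->setData($submitted);
    $valid = $inputFilter->isValid();
    return [
        'valid'    => $valid,
        'values'   => $valid ? $inputFilter->getValues() : null,
        'raw'      => $inputFilter->getRawValues(), // point 2: filtering changed the data; keep the original for the audit trail
        'messages' => $inputFilter->getMessages(),
    ];
}

// Constructed submissions: one that passes after filtering, one that fails on every field.
print_r(processProfile([
    'email'        => '  Alice@Example.COM ',
    'display_name' => '<b>Alice</b>',
    'role'         => 'member',
]));
print_r(processProfile([
    'email'        => 'not-an-address',
    'display_name' => 'A',
    'role'         => 'admin', // not on the whitelist
]));
```

The same InputFilter object can be handed to a Zend\Form via setInputFilter() or called from the model, which is the flexibility the previous slide lists; the validation rules are written once either way.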
Muchas gracias!
? Questions?
↓ Criticism?
↑ Compliments?!

Contenu connexe

Tendances

Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Testing untestable code - oscon 2012
Testing untestable code - oscon 2012Testing untestable code - oscon 2012
Testing untestable code - oscon 2012
Stephan Hochdörfer
 
Real World Dependency Injection - IPC11 Spring Edition
Real World Dependency Injection - IPC11 Spring EditionReal World Dependency Injection - IPC11 Spring Edition
Real World Dependency Injection - IPC11 Spring Edition
Stephan Hochdörfer
 
Real World Dependency Injection - PFCongres 2010
Real World Dependency Injection - PFCongres 2010Real World Dependency Injection - PFCongres 2010
Real World Dependency Injection - PFCongres 2010
Stephan Hochdörfer
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 

Tendances (20)

JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Testing untestable code - oscon 2012
Testing untestable code - oscon 2012Testing untestable code - oscon 2012
Testing untestable code - oscon 2012
 
Real World Dependency Injection - IPC11 Spring Edition
Real World Dependency Injection - IPC11 Spring EditionReal World Dependency Injection - IPC11 Spring Edition
Real World Dependency Injection - IPC11 Spring Edition
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Real World Dependency Injection - PFCongres 2010
Real World Dependency Injection - PFCongres 2010Real World Dependency Injection - PFCongres 2010
Real World Dependency Injection - PFCongres 2010
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 Plugin
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
How to Implement Token Authentication Using the Django REST Framework
How to Implement Token Authentication Using the Django REST FrameworkHow to Implement Token Authentication Using the Django REST Framework
How to Implement Token Authentication Using the Django REST Framework
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 

Similaire à Implementing security routines with zf2

Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
Nuno Godinho
 

Similaire à Implementing security routines with zf2 (20)

Numbers in the Hidden: A Pragmatic View of 'Nirvana'
Numbers in the Hidden: A Pragmatic View of 'Nirvana'Numbers in the Hidden: A Pragmatic View of 'Nirvana'
Numbers in the Hidden: A Pragmatic View of 'Nirvana'
 
20160221 va interconnect_pub
20160221 va interconnect_pub20160221 va interconnect_pub
20160221 va interconnect_pub
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud Service
 
Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 
Backtrack Manual Part5
Backtrack Manual Part5Backtrack Manual Part5
Backtrack Manual Part5
 
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in Rails
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07OpenChain Monthly Meeting North America - Europe - 2023-02-07
OpenChain Monthly Meeting North America - Europe - 2023-02-07
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Brst – Border Router Security Tool
Brst – Border Router Security ToolBrst – Border Router Security Tool
Brst – Border Router Security Tool
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 

Plus de Er Galvão Abbott

Plus de Er Galvão Abbott (20)

Segurança PHP em 2016
Segurança PHP em 2016Segurança PHP em 2016
Segurança PHP em 2016
 
Tudo o que você precisa saber sobre o php7
Tudo o que você precisa saber sobre o php7Tudo o que você precisa saber sobre o php7
Tudo o que você precisa saber sobre o php7
 
DRYing the Skeleton: Reducing code repetition in ZF2
DRYing the Skeleton: Reducing code repetition in ZF2DRYing the Skeleton: Reducing code repetition in ZF2
DRYing the Skeleton: Reducing code repetition in ZF2
 
Php7 esta chgando! O que você precisa saber
Php7 esta chgando! O que você precisa saberPhp7 esta chgando! O que você precisa saber
Php7 esta chgando! O que você precisa saber
 
PHP e Open Source
PHP e Open SourcePHP e Open Source
PHP e Open Source
 
ABRAPHP: Conquistas e Realizações - 2012-2014
ABRAPHP: Conquistas e Realizações - 2012-2014ABRAPHP: Conquistas e Realizações - 2012-2014
ABRAPHP: Conquistas e Realizações - 2012-2014
 
Desenvolvendo aplicações com ZF2
Desenvolvendo aplicações com ZF2Desenvolvendo aplicações com ZF2
Desenvolvendo aplicações com ZF2
 
Apresentacao frameworks
Apresentacao frameworksApresentacao frameworks
Apresentacao frameworks
 
Web: funcionamento, evolução e mercado
Web: funcionamento, evolução e mercadoWeb: funcionamento, evolução e mercado
Web: funcionamento, evolução e mercado
 
Otimizando a execução de código-fonte PHP
Otimizando a execução de código-fonte PHPOtimizando a execução de código-fonte PHP
Otimizando a execução de código-fonte PHP
 
Unbreakeable php
Unbreakeable phpUnbreakeable php
Unbreakeable php
 
PHP: Evolução
PHP: EvoluçãoPHP: Evolução
PHP: Evolução
 
ZF2 Menor, melhor e mais poderoso
ZF2 Menor, melhor e mais poderosoZF2 Menor, melhor e mais poderoso
ZF2 Menor, melhor e mais poderoso
 
Implementando rotinas de geolocalização
Implementando rotinas de geolocalizaçãoImplementando rotinas de geolocalização
Implementando rotinas de geolocalização
 
OSS, Comunidade, Eventos e como sua empresa ganha com isso
OSS, Comunidade, Eventos e como sua empresa ganha com issoOSS, Comunidade, Eventos e como sua empresa ganha com isso
OSS, Comunidade, Eventos e como sua empresa ganha com isso
 
OWASP: O que, Por que e Como
OWASP: O que, Por que e ComoOWASP: O que, Por que e Como
OWASP: O que, Por que e Como
 
Além da autenticação: Permissões de acesso com Zend Framework
Além da autenticação: Permissões de acesso com Zend FrameworkAlém da autenticação: Permissões de acesso com Zend Framework
Além da autenticação: Permissões de acesso com Zend Framework
 
Proposta de Boas Práticas e Padrões de Desenvolvimento Web
Proposta de Boas Práticas e Padrões de Desenvolvimento WebProposta de Boas Práticas e Padrões de Desenvolvimento Web
Proposta de Boas Práticas e Padrões de Desenvolvimento Web
 
PHPBR TestFest
PHPBR TestFestPHPBR TestFest
PHPBR TestFest
 
Preto, Branco e as Sombras de Cinza
Preto, Branco e as Sombras de CinzaPreto, Branco e as Sombras de Cinza
Preto, Branco e as Sombras de Cinza
 

Dernier

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Dernier (20)

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 

Implementing security routines with zf2

  • 1. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Implementing Security Routines with Zend Framework 2 by Er Galvão Abbott Authentication Filter & Validation Password Recovery Cryptography Authorization CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34 Brute-Force
  • 2. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil. Works for 20 years developing web interfaced systems and applications, being 15 of those with PHP and 7 with Zend Framework. Have worked with several companies, both local and off-shore. Talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group that counts with more than 1.200 registered users. Site: http://www.galvao.eti.br/ Twitter: @galvao Slides and Documents: http://slideshare.net/ergalvao https://speakerdeck.com/galvao Github: http://github.com/galvao Who?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 2 / 34
  • 3. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Goal Discuss in both conceptual and technical detail about how to implement Security Routines with Zend Framework 2. I'll present the following topics: → Authentication → Brute-force protection → Password recovery → Cryptography → Authorization → Data Filtering and Validation CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 3 / 34
  • 4. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 4 / 34 * Not the framework (Hilarious!) Before we begin
  • 5. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: Disclaimer (or the “Not my fault” part) !Perfect|Complete $this is... !Fool proof !The only|right way Found out an example why? Let me know! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 5 / 34 * Not the framework (Hilarious!) Before we begin
6. Authentication
7. Authentication: ZfcUser, right?!
8. Authentication: ZfcUser, right?! YES! Well...
9. Authentication: Let's talk about wheels...
If you don't [want to] know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser
10. Authentication: Let's talk about wheels...
If you don't [want to] know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser
If you do... Authentication, Crypt, Filter, Form (the ZF2 components)
11. Authentication: Now that we've put that aside...
Authentication → Service*
Cryptography → (Can also be a) Service*
Authentication attempts → Event
* Yes, yes, it could be done as a Module, Plugin, etc... -.-”
12. Authentication: Show me the code!
13. Code: Authentication & Cryptography
14. Code: Cryptography
15. Code: Authentication
16. Code: Authentication
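The code slides above are screenshots that did not survive extraction. As an added example (not the slides' own code) of the three points on slide 11, authentication as a service, cryptography as a service and each attempt published as an event: the adapter below verifies a Bcrypt hash from a constructed in-memory user store and triggers an `auth.attempt` event; the event name, the class name and the user data are assumptions.

```php
<?php
use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;
use Zend\EventManager\EventManager;

// Added example: Zend\Authentication adapter backed by Zend\Crypt\Password\Bcrypt.
// $users is a constructed stand-in for the users table (username => bcrypt hash).
class BcryptArrayAdapter implements AdapterInterface
{
    private $users, $bcrypt, $events, $username, $password;

    public function __construct(array $users, Bcrypt $bcrypt, EventManager $events)
    {
        $this->users = $users; $this->bcrypt = $bcrypt; $this->events = $events;
    }

    public function setCredentials($username, $password)
    {
        $this->username = $username; $this->password = $password;
    }

    public function authenticate()
    {
        $hash = isset($this->users[$this->username]) ? $this->users[$this->username] : null;
        // Unknown user: still run a bcrypt verify so the response time does not reveal it.
        $target = $hash !== null ? $hash : $this->bcrypt->create('dummy');
        $ok = $this->bcrypt->verify($this->password, $target) && $hash !== null;
        // Every attempt, good or bad, is an event (the brute-force guard listens here).
        $this->events->trigger('auth.attempt', $this,
            ['user' => $this->username, 'success' => $ok, 'time' => time()]);
        return $ok
            ? new Result(Result::SUCCESS, $this->username)
            : new Result(Result::FAILURE_CREDENTIAL_INVALID, null, ['Invalid credentials']);
    }
}

$bcrypt = new Bcrypt();                                      // the "cryptography service"
$users  = ['alice' => $bcrypt->create('correct horse')];     // constructed user store
$events = new EventManager();
$events->attach('auth.attempt', function ($e) {
    error_log(sprintf('auth attempt user=%s success=%d', $e->getParam('user'), $e->getParam('success')));
});
$adapter = new BcryptArrayAdapter($users, $bcrypt, $events);
$adapter->setCredentials('alice', 'correct horse');
$auth = new AuthenticationService(new NonPersistent());     // session storage in a real app
$result = $auth->authenticate($adapter);
var_dump($result->isValid(), $auth->hasIdentity());          // true, true
```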
17. Password Recovery
18. Password Recovery: Checklist
  1. User doesn't “need to change pwd” already;
  2. User is “active”;
  3. Randomize a temporary pwd;
  4. Randomize a temporary, short-life token;
  5. Send a tokenized link for the user to change his pwd;
  6. He must correctly enter the temp pwd;
  7. If the new pwd and/or token expires, inactivate, make him contact support;
  8. Else, change the pwd, mark the user as “OK”;
  9. If any step fails, see step 7!
For your randomization needs: https://github.com/galvao/PHPToolkit* (* Shameless advertising detected!)
19. Password Recovery: Key points
Know what to do and what to avoid.
Laziness and “user-comfort-centrism” are your enemies.
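The checklist on slide 18, carried through as an added example that is not the slides' own code. It uses Zend\Math\Rand in place of the author's PHPToolkit for randomization and Zend\Crypt\Password\Bcrypt for hashing; the user record is a constructed array, and the field names, the 15-minute token lifetime and the link format are assumptions.

```php
<?php
use Zend\Crypt\Password\Bcrypt;
use Zend\Math\Rand;

// Added example: the recovery checklist as a small service over an array "user row".
class PasswordRecovery
{
    const TOKEN_TTL = 900;                 // assumption: token and temp pwd live 15 minutes
    const CHARS     = 'abcdefghijklmnopqrstuvwxyz0123456789';
    private $bcrypt;

    public function __construct() { $this->bcrypt = new Bcrypt(); }

    // Steps 1-5: precondition checks, temp pwd, short-life token, tokenized link.
    public function start(array &$user, $now)
    {
        if ($user['must_change_pwd'] || !$user['active']) {     // 1. and 2.
            return null;
        }
        $tempPwd = Rand::getString(12, self::CHARS, true);       // 3. (CSPRNG)
        $token   = Rand::getString(32, self::CHARS, true);       // 4.
        $user['temp_pwd_hash']   = $this->bcrypt->create($tempPwd);   // never store either in clear
        $user['token_hash']      = hash('sha256', $token);
        $user['token_expires']   = $now + self::TOKEN_TTL;
        $user['must_change_pwd'] = true;
        // 5. the link is e-mailed; the temp pwd goes through a separate channel
        return ['link' => 'https://example.test/recover?token=' . $token, 'temp_pwd' => $tempPwd];
    }

    // Steps 6-9: token and temp pwd must both check out before the expiry;
    // anything else inactivates the account (step 7) and needs support.
    public function complete(array &$user, $now, $token, $tempPwd, $newPwd)
    {
        $ok = $user['active']
            && $user['must_change_pwd']
            && $now <= $user['token_expires']
            && hash_equals($user['token_hash'], hash('sha256', $token))
            && $this->bcrypt->verify($tempPwd, $user['temp_pwd_hash']);   // 6.
        if (!$ok) {
            $user['active'] = false;                                 // 7. and 9.
            return false;
        }
        $user['pwd_hash']        = $this->bcrypt->create($newPwd);   // 8.
        $user['must_change_pwd'] = false;
        $user['token_hash']      = $user['temp_pwd_hash'] = null;
        $user['token_expires']   = 0;
        return true;
    }
}
```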
20. Brute Force
21. Brute Force: It's all about TIME
  1. Generate a timestamp;
  2. Log the attempt;
  3. Get the previous attempt's timestamp;
  4. Interval = current - previous;
  5. If the interval is suspicious, lock the user out;
  6. If x unsuccessful attempts, lock the user out.
22. Brute Force: Show me the code!
23. Code: Brute Force
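The brute-force code slide is a screenshot that was not extracted. As an added example (not the slides' own code), the six steps of slide 21 as a guard attached to the authentication-attempt event from slide 11: the attempt log is an in-memory array standing in for a table, and the event name and the 2-second / 5-failure thresholds are assumptions.

```php
<?php
use Zend\EventManager\EventInterface;
use Zend\EventManager\EventManager;

// Added example: lock-out decision from attempt timing and failure count.
class LoginAttemptGuard
{
    private $attempts = [];      // user => list of [timestamp, success]; a table in real life
    private $minInterval;        // seconds; anything faster is "suspicious"
    private $maxFailures;        // consecutive failures allowed

    public function __construct($minInterval = 2, $maxFailures = 5)
    {
        $this->minInterval = $minInterval;
        $this->maxFailures = $maxFailures;
    }

    // Returns true when the user must be locked out.
    public function record($user, $success, $now = null)
    {
        $now = $now === null ? time() : $now;                                      // 1. timestamp
        $previous = isset($this->attempts[$user]) ? end($this->attempts[$user]) : null; // 3. previous
        $this->attempts[$user][] = [$now, (bool) $success];                        // 2. log it

        if ($previous !== null && ($now - $previous[0]) < $this->minInterval) {    // 4./5. interval
            return true;
        }
        $failures = 0;                                                             // 6. x failures
        foreach (array_reverse($this->attempts[$user]) as $attempt) {
            if ($attempt[1]) { break; }   // count only the failures since the last success
            $failures++;
        }
        return $failures >= $this->maxFailures;
    }
}

$guard  = new LoginAttemptGuard(2, 5);
$events = new EventManager();
$events->attach('auth.attempt', function (EventInterface $e) use ($guard) {
    if ($guard->record($e->getParam('user'), $e->getParam('success'), $e->getParam('time'))) {
        $e->stopPropagation(true);   // signal "lock this user out" to whoever triggered the event
    }
});
// Constructed attempts: the second arrives 1s after the first, under the 2s minimum.
$events->trigger('auth.attempt', null, ['user' => 'alice', 'success' => false, 'time' => 1000]);
$r = $events->trigger('auth.attempt', null, ['user' => 'alice', 'success' => false, 'time' => 1001]);
var_dump($r->stopped());   // true: lock alice out (persist the lock, not just this flag)
```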
24. Authorization
25. Authorization: It's all about CAN & CAN'T
The relation between roles and resources. Roles can inherit from other roles. Resources may be available to multiple roles.
A few not-so-obvious things to consider:
  1. Everyone has a role;
  2. Static storage > Dynamic storage;
  3. Ideally, the role of the current user should be fetched dynamically...
  4. ... and a user's role should be “immutable”.
26. Authorization: Zend\Permissions\Acl
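An added example (not the slides' own code) of the four points on slide 25 with Zend\Permissions\Acl: role inheritance, resources shared by several roles, a default role for everyone, rules kept static in code while the current user's role is looked up per request. Role names, resources and privileges are assumptions.

```php
<?php
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
use Zend\Permissions\Acl\Role\GenericRole as Role;

// Added example: the rule set lives in code ("static storage"), built once per request.
function buildAcl()
{
    $acl = new Acl();
    // 1. Everyone has a role: "guest" is what an anonymous request gets.
    $acl->addRole(new Role('guest'));
    $acl->addRole(new Role('member'), 'guest');   // member inherits everything guest CAN do
    $acl->addRole(new Role('admin'), 'member');   // admin inherits from member (and so guest)

    // Resources available to multiple roles through inheritance.
    $acl->addResource(new Resource('article'));
    $acl->addResource(new Resource('account'));

    // Acl denies by default, so only CAN rules are written: a whitelist.
    $acl->allow('guest',  'article', 'view');
    $acl->allow('member', 'article', 'comment');
    $acl->allow('member', 'account', ['view', 'edit']);
    $acl->allow('admin',  'article', ['create', 'edit', 'delete']);
    $acl->allow('admin',  'account', 'delete');
    return $acl;
}

// 3./4. The current role is fetched dynamically from server-side session state
// and is never taken from request input, which keeps it "immutable" to the user.
function currentRole($sessionUser = null)
{
    return $sessionUser === null ? 'guest' : $sessionUser['role'];
}

$acl = buildAcl();
var_dump($acl->isAllowed(currentRole(null), 'article', 'view'));                  // true
var_dump($acl->isAllowed(currentRole(['role' => 'member']), 'article', 'edit'));  // false
var_dump($acl->isAllowed(currentRole(['role' => 'admin']), 'article', 'view'));   // true, inherited
```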
27. Filter / Validation
28. Filter / Validation: A few not-so-obvious things to consider:
  1. Filter first, then Validate;
  2. Filtering changes data, back up the raw data;
  3. White List whenever possible (Ideally? ALWAYS);
  4. K.I.S.S.
29. Filter / Validation: the same list, with item 4 expanded: K.I.S.S. (Keep It Simple, Stupid...)
30. Filter / Validation: the same list, with item 4 expanded again: K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!)
31. Filter / Validation: Flexibility in ZF2
Filter & Validation can live in the form, in the model, or separated.
32. Filter / Validation: Show me the code!
33. Code: Filter & Validation
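The filter/validation code slide is a screenshot that was not extracted. As an added example (not the slides' own code) of the four points on slide 28 in the "separated" style from slide 31, a stand-alone Zend\InputFilter for a constructed sign-up payload; the field names, the allowed username characters and the country whitelist are assumptions.

```php
<?php
use Zend\Filter\StringToLower;
use Zend\Filter\StringTrim;
use Zend\Filter\StripTags;
use Zend\InputFilter\Input;
use Zend\InputFilter\InputFilter;
use Zend\Validator\EmailAddress;
use Zend\Validator\InArray;
use Zend\Validator\Regex;

// Added example: an InputFilter kept outside both the form and the model.
function buildSignupFilter()
{
    $username = new Input('username');
    // 1. Filters run first, in the order attached; validators only ever see the filtered value.
    $username->getFilterChain()->attach(new StripTags())->attach(new StringTrim())->attach(new StringToLower());
    // 3. Whitelist: exactly the characters and length we accept, nothing else.
    $username->getValidatorChain()->attach(new Regex('/^[a-z0-9_]{3,20}$/'));

    $email = new Input('email');
    $email->getFilterChain()->attach(new StringTrim());
    $email->getValidatorChain()->attach(new EmailAddress());

    $country = new Input('country');
    $country->getFilterChain()->attach(new StringTrim());
    // Whitelist against a closed set; strict comparison so "1" and 1 are not confused.
    $country->getValidatorChain()->attach(new InArray([
        'haystack' => ['BR', 'PT', 'AR'],
        'strict'   => InArray::COMPARE_STRICT,
    ]));

    $filter = new InputFilter();
    $filter->add($username)->add($email)->add($country);   // 4. K.I.S.S.: three inputs, one rule each
    return $filter;
}

// Constructed request data, as anything on the other end of the socket might send it.
$raw = ['username' => '  Galvao<script>x</script> ', 'email' => 'er@example.com ', 'country' => 'BR'];
$filter = buildSignupFilter();
$filter->setData($raw);

if ($filter->isValid()) {
    $clean = $filter->getValues();      // 'galvaox', 'er@example.com', 'BR'
} else {
    var_dump($filter->getMessages());   // per-field validator messages
}
// 2. Filtering changed the data; the untouched copy is still there for logging/auditing.
$backup = $filter->getRawValues();     // ['username' => '  Galvao<script>x</script> ', ...]
```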
34. Muchas gracias!
? Questions?
↓ Criticism?
↑ Compliments?!