Secure your application data using Symfony

Transcript

1. Secure your application data using Symfony — Evgeny Smirnov, CEO

   of 4xxi (https://4xxi.com), [email protected], FB: @smirik

2. Constant Vigilance!

3. Why should we care?

4. Who should care?

5. FinTech MedTech PII EdTech Social … … … … Passwords,

   SSN, transactions, portfolios, statements… Passwords, SSN, transactions, portfolios, statements…

6. The «Onion» Pattern

7. 3 levels of security

8. Physical Administrative Technical

9. The easiest way to hack you Source

10. Even here

11. 1. Lock your computer 2. Encrypt your computer 3. Check

    the workaround

12. The security policies should be established & should be clear

    for the team

13. The principle 
 of minimal privilege must be used

14. Security Basics

15. Store your passwords securely

16. Never transfer 
 a non-encrypted PII https://github.com/4xxi/caesarapp-server https://github.com/johnelm/PasteVault

17. Do not store the passwords in the code

18. Don’t use public snippet repositories From blogs: How a bug

    in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours

19. Don’t use public screenshot storages Configure your own AWS S3

    or Dropbox instance to store the media

20. Technology

21. Use data obfuscation, e.g. gem data-anomymization (ruby) or neuralyzer (PHP)

22. require 'data-anonymization' database 'DatabaseName' do strategy DataAnon::Strategy::Blacklist # whitelist (default)

    or blacklist ... # configuration # User -> table name (case sensitive) table 'User' do # id, DateOfBirth, Name, UserName, Password -> table column names primary_key 'id' # composite key is also supported anonymize 'DateOfBirth','Name' # default anon. anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}') anonymize('Password') { |field| "password" } end ... end data-anonymization:

23. require 'data-anonymization' database 'DatabaseName' do strategy DataAnon::Strategy::Blacklist # whitelist (default)

    or blacklist ... # configuration # User -> table name (case sensitive) table 'User' do # id, DateOfBirth, Name, UserName, Password -> table column names primary_key 'id' # composite key is also supported anonymize 'DateOfBirth','Name' # default anon. anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}') anonymize('Password') { |field| "password" } end ... end data-anonymization: EASY!

24. pro & cons The data are almost real, not test.

    Easy to reproduce 
 the production issues. The developers have 
 no access to PII. PII worldwide 
 compliance Some database changes require additional work. It is difficult to manage denormalised data. The realtime data are not available. Some issues might be PII-specific.

25. Use automatic tool 
 to exclude simple issues https://portswigger.net/burp https://www.owasp.org

26. An example

27. Where to store the credentials?

28. In the files or ENV vars?

29. HashiCorp Vault https://www.vaultproject.io

30. pros 1. Dynamic secrets 2. Audit logs 3. Integrations

31. Encrypt the data

32. What to encrypt? 1. The instance of DB 
 (use

    some built-in tools, e.g. in AWS nor TDE) 2. Encrypt PII: 
 (pgcrypto, DoctrineEncryptBundle, custom-built …) 3. ??

33. Constant Vigilance! Secure your application data using Symfony — Evgeny

    Smirnov, CEO of 4xxi (https://4xxi.com), [email protected], FB: @smirik