Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure your application data using Symfony

Evgeny Smirnov
September 22, 2017

Secure your application data using Symfony

The work on the application that deals with FinTech, MedTech or other kinds of sensitive PII (personal identifying information) requires high attention to security. There are different kinds of threats: risk of internal data leakage, a risk of infrastructure hacking, a risk of vulnerabilities inside the app e.t.c. This becomes even more complicated if the development or QA are outsourced.

In this talk I will cover the following topics:
— Protecting PII using data obfuscation during development and QA.
— Secure alternatives for storing the credentials in the config files or environment variables.
— Various techniques of encrypting data inside your app.

Evgeny Smirnov

September 22, 2017
Tweet

More Decks by Evgeny Smirnov

Other Decks in Technology

Transcript

  1. FinTech MedTech PII EdTech Social … … … … Passwords,

    SSN, transactions, portfolios, statements… Passwords, SSN, transactions, portfolios, statements…
  2. Don’t use public snippet repositories From blogs: How a bug

    in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours
  3. require 'data-anonymization' database 'DatabaseName' do strategy DataAnon::Strategy::Blacklist # whitelist (default)

    or blacklist ... # configuration # User -> table name (case sensitive) table 'User' do # id, DateOfBirth, Name, UserName, Password -> table column names primary_key 'id' # composite key is also supported anonymize 'DateOfBirth','Name' # default anon. anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}') anonymize('Password') { |field| "password" } end ... end data-anonymization:
  4. require 'data-anonymization' database 'DatabaseName' do strategy DataAnon::Strategy::Blacklist # whitelist (default)

    or blacklist ... # configuration # User -> table name (case sensitive) table 'User' do # id, DateOfBirth, Name, UserName, Password -> table column names primary_key 'id' # composite key is also supported anonymize 'DateOfBirth','Name' # default anon. anonymize('UserName').using FieldStrategy::StringTemplate.new('user#{row_number}') anonymize('Password') { |field| "password" } end ... end data-anonymization: EASY!
  5. pro & cons The data are almost real, not test.

    Easy to reproduce 
 the production issues. The developers have 
 no access to PII. PII worldwide 
 compliance Some database changes require additional work. It is difficult to manage denormalised data. The realtime data are not available. Some issues might be PII-specific.
  6. What to encrypt? 1. The instance of DB 
 (use

    some built-in tools, e.g. in AWS nor TDE) 2. Encrypt PII: 
 (pgcrypto, DoctrineEncryptBundle, custom-built …) 3. ??