Eric Mann

Eric is a seasoned web developer experienced with multiple languages and platforms. He’s been working with PHP for more than a decade and focuses his time on helping developers get started and learn new skills with their tech of choice. You can reach out to him directly via Twitter.

twitter: @EricMann


Security Corner: Observable Security

By Eric Mann

Among the easiest ways to ensure your website or web application is behaving securely is to subject it to objective, third-party security scans. The Mozilla Observatory is one such tool that helps ensure strong security for any system operating on the public Internet. The Observatory automatically scans your website to make sure you have correctly configured common security settings, such as HTTP security headers and cookie flags, to best protect you and your users.

Published in Under the Scope, September 2020

Security Corner: Usable Security

By Eric Mann

An oft-overlooked aspect of any security practice or policy is its usability. Do the checks and controls added for the sake of security make the system harder for end-users to do their jobs? An unusable system will never be fully implemented and will fail to secure even the simplest of platforms.

Published in Data Discipline, August 2020

Security Corner: Information Tokenization

By Eric Mann

Any system dealing with human users collects some information about those users. That information is private and needs to be kept secure. The most effective way to do so is to avoid its storage in the first place, i.e., by tokenizing the data.

Published in Warp Driven Development, July 2020

Security Corner: Cross Site Request Forgery

By Eric Mann

Cross-site request forgery (CSRF) is a security risk where an attacker tricks a visitor’s browser into sending a request to your site, complete with the visitor’s session cookies, from another, entirely unrelated site under the attacker’s control. This particular vulnerability seemingly disappeared from most teams’ radars a few years ago but is beginning to reappear in the wild.

Published in Advanced Design & Development, June 2020

Security Corner: Request Replay Protection

By Eric Mann

One of the most overused terms in security is “token.” It’s used in many different, often unrelated contexts to mean very different things. This month we’re going to discuss one form of token, the replay-prevention nonce, and how to use it.
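The two mechanisms described in the CSRF and request-replay columns above are easy to conflate, so here is an added example (not code from either column) that implements both side by side: a session-bound CSRF token compared in constant time, and single-use replay nonces that are bound to an action, expire, and are destroyed on first acceptance. An in-memory array stands in for $_SESSION so the script runs from the CLI; the five-minute nonce lifetime and the key names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the column): a session-bound CSRF token alongside
// single-use replay nonces, with an in-memory array standing in for $_SESSION
// so the script runs from the CLI. The TTL and key names are assumptions.
final class RequestGuard
{
    private const NONCE_TTL = 300; // seconds a nonce stays redeemable (assumption)
    private array $session = [];   // stand-in for $_SESSION

    // One CSRF token per session, straight from the CSPRNG. Never derive it from
    // predictable data such as a user ID or a timestamp.
    public function csrfToken(): string
    {
        if (!isset($this->session['csrf'])) {
            $this->session['csrf'] = bin2hex(random_bytes(32));
        }
        return $this->session['csrf'];
    }

    // The submitted token must come from the request body or a custom header,
    // never from a cookie: cookies are exactly what the attacker's page can
    // make the browser send along.
    public function checkCsrf(?string $submitted): bool
    {
        if ($submitted === null || !isset($this->session['csrf'])) {
            return false;
        }
        return hash_equals($this->session['csrf'], $submitted); // constant time
    }

    // A replay nonce is different: minted per action, expiring, and destroyed
    // the first time it is accepted, so a captured request cannot be resent.
    public function issueNonce(string $action): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->session['nonces'][$nonce] = [
            'action'  => $action,
            'expires' => time() + self::NONCE_TTL,
        ];
        return $nonce;
    }

    public function consumeNonce(?string $nonce, string $action): bool
    {
        if ($nonce === null || !isset($this->session['nonces'][$nonce])) {
            return false; // unknown, or already spent
        }
        $record = $this->session['nonces'][$nonce];
        unset($this->session['nonces'][$nonce]); // burn it before any other check
        return $record['action'] === $action && $record['expires'] >= time();
    }
}

function expect(bool $condition, string $what): void
{
    echo ($condition ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

$guard = new RequestGuard();
$csrf  = $guard->csrfToken();
$nonce = $guard->issueNonce('delete-account');

expect($guard->checkCsrf($csrf), 'genuine form submission carries the session token');
expect(!$guard->checkCsrf(null), 'cross-site form has no token to submit');
expect(!$guard->checkCsrf(str_repeat('0', 64)), 'guessed token is rejected');
expect($guard->consumeNonce($nonce, 'delete-account'), 'first use of the nonce is accepted');
expect(!$guard->consumeNonce($nonce, 'delete-account'), 'replaying the same request is refused');
expect(!$guard->consumeNonce($guard->issueNonce('change-email'), 'delete-account'), 'nonce bound to another action is refused');
```

The CSRF token only proves the request was built from a page your site served to this session; it does nothing against a legitimate request being captured and resent, which is why the nonce is a separate, one-shot value. In a real application the nonce table belongs in server-side session storage or a cache with the same TTL, and the session itself must be regenerated on login so the CSRF token is not fixed by an attacker beforehand.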

Published in Unsupervised Learning, May 2020

Security Corner: Buzzword Bingo

By Eric Mann

Buzzwords permeate security. It’s vital for everyone working in application development to have a solid understanding of what the most common buzzwords are—partly so they can protect against misusing them.

Published in Machine Learning and OpenAPI, April 2020

Security Corner: Mutual TLS

By Eric Mann

Certificates issued to protect transport layer security (TLS) help identify servers and protect data in transit through encryption. They can also be used to identify clients making the connection. Let’s look at ways to handle TLS configuration and usage correctly in a PHP application.

Published in How Magento is Evolving, March 2020

Security Corner: A Reintroduction to TLS

By Eric Mann

In mid-January, the US National Security Agency warned of a critical security flaw in how the Windows operating system validates cryptographic certificates. As these certificates underpin how TLS (transport layer security) protects the internet at large, it’s essential to understand both what happened and how your development team can avoid similar mistakes.
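The Mutual TLS and TLS reintroduction columns above both come down to the same two questions in a PHP application: does the client validate the server properly, and does the server know who the client is? The following added example (not code from either column) shows the cURL and stream-context settings for a client that verifies the peer and presents its own certificate, next to the setting that silently disables validation, and a server-side check of what Apache mod_ssl exports into $_SERVER. File paths, the URL, the example DN, and the nginx fastcgi_param names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the column). Paths, URL and DN are placeholders.

function expect(bool $condition, string $what): void
{
    echo ($condition ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Client side: verify the server properly AND present our own certificate.
// Returns a configured cURL handle; the caller runs curl_exec() on it.
function mtlsClient(string $url, string $caBundle, string $clientCert, string $clientKey)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        // Both checks are required: the chain must end at a CA we trust, and
        // the certificate's name must match the host in the URL.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,    // for internal services, your own CA, not the system bundle
        CURLOPT_SSLCERT        => $clientCert,  // PEM client certificate
        CURLOPT_SSLKEY         => $clientKey,   // PEM private key
        CURLOPT_RETURNTRANSFER => true,
        // The "fix" that hides certificate errors in development and then ships:
        // CURLOPT_SSL_VERIFYPEER => false,  // accepts ANY certificate
        // CURLOPT_SSL_VERIFYHOST => 0,      // accepts a valid cert for the WRONG host
    ]);
    return $ch;
}

// The same settings for the stream wrappers behind fopen()/file_get_contents().
function mtlsStreamContext(string $caBundle, string $clientCert, string $clientKey)
{
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $caBundle,
        'local_cert'        => $clientCert,
        'local_pk'          => $clientKey,
    ]]);
}

// Server side: the web server performs the handshake and hands PHP the result.
//   Apache: SSLVerifyClient require, SSLOptions +StdEnvVars
//   nginx:  ssl_verify_client on; plus (names are our choice, an assumption)
//           fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
//           fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
// Only an explicit SUCCESS counts; NONE and FAILED:<reason> are both rejections,
// and a missing variable means the vhost never asked for a client certificate.
function clientIdentity(array $server): ?string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $dn = $server['SSL_CLIENT_S_DN'] ?? '';
    return $dn === '' ? null : $dn;
}

// Constructed $_SERVER snapshots, not captured traffic.
expect(clientIdentity(['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN' => 'CN=billing-worker,O=Example']) === 'CN=billing-worker,O=Example',
    'verified client certificate yields its subject DN');
expect(clientIdentity(['SSL_CLIENT_VERIFY' => 'NONE']) === null,
    'no certificate presented is rejected');
expect(clientIdentity(['SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired', 'SSL_CLIENT_S_DN' => 'CN=old']) === null,
    'a DN is worthless when verification failed');
expect(clientIdentity([]) === null,
    'plain HTTP or a vhost without SSLVerifyClient exports nothing');
```

The DN returned by clientIdentity() is an authenticated identity, not an authorization decision: map it to a known service account before granting anything. The cURL and stream-context functions need real certificate files to exercise, which is why only the server-side check is run here.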

Published in Cultivating the Developer Experience, February 2020

Security Corner: Seven Deadly Sins of Security

By Eric Mann

While no list regarding security, risks, or best practices can ever be exhaustive, they often serve as decent starting points. Understanding some of the most common classes of security mistakes is a great way to begin a conversation about total application security. The following seven security risks are critical to any application development team; they’re easy mistakes to make but are equally easy to avoid if you keep your eyes open.

Published in New Habits, January 2020

Security Corner: Crypto Streams

By Eric Mann

The goal of any encryption operation is to scramble the patterns in the plaintext source data and otherwise protect its contents by rendering a specific message indistinguishable from random noise. A cryptographically secure algorithm or implementation is one for which no known feasible attack can distinguish the ciphertext from random data or recover any information about the plaintext without the key. Outside of the one-time pad, that confidence rests on security proofs relative to well-studied hardness assumptions and on decades of public cryptanalysis, not on an absolute mathematical guarantee. The most important feature of an encryption system, though, is that we can revert such a scrambled message to a readable format via a known operation and a specific piece of private information: the decryption key.

Published in Expedition PHP, December 2019

Security Corner: Responsible Encryption

By Eric Mann

As early as 2018, many governments began calling for the tech community to create so-called “responsible encryption.” Their goal is for tech companies to provide blessed “back doors” for law enforcement to decrypt and otherwise inspect messages and data created by citizens within their borders. These calls and the arguments made to support them, however, are horribly misguided and do incredible harm to our overall security and privacy.

Published in Object Orientation, November 2019

Security Corner: Crossing the Streams

By Eric Mann

While not commonly seen in the wild, PHP exposes powerful interfaces empowering applications to manipulate large streams of data directly. Both stream wrappers and filters allow developers to interact with objects too large to fit in memory or which might be ephemeral in nature. Combining these stream interfaces opens up even more possibilities for the savvy developer.

Published in Coding Without Fear, October 2019

Security Corner: Twist and Shout

By Eric Mann

Most self-taught developers in our industry learn to leverage an API long before they spend time learning lower-level coding patterns. This experience isn’t necessarily a bad thing. All the same, it’s important to take some time to dig deeper and better understand the tools and technologies at the core of our trade. Computers are deterministic by nature, so we need to leverage purpose-built random number generators to introduce unpredictability into the system.

Published in Master of Puppets, September 2019 —Available for Free

Security Corner: System Enumeration

By Eric Mann

The first step to protecting your system is to understand the actions, behaviors, and motivations of those who would potentially breach and damage that system. Learning to think like an attacker is excellent. Mastering the tools attackers are likely to use on your platform is even better. The question isn’t whether they’ll get in; it’s what exactly they’ll do once they’ve breached your system.

Published in Renovating Applications with Symfony, August 2019

Security Corner: Defending Against Insider Threats

By Eric Mann

When many people think about security, they naturally think about attacks from external threats and entities. They may originate outside of the application, network, or even organization. What we often fail to realize is the most critical threat is often users already inside your system.

Published in Find the Way With Elasticsearch, July 2019

Security Corner: Credentials and Secrets Management

By Eric Mann

Managing passwords in userland is complicated. Luckily, consumer tools like 1Password and LastPass make it easier than ever to protect user credentials. Unfortunately, this doesn’t help with the credentials used by our servers or code. The ways developers manage application credentials are legion; some are right, others fatally flawed.

Published in How to Tame Your Data, June 2019

Security Corner: Access Control and Authorization

By Eric Mann

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.

Published in Serverless, ReactPHP, and Expanding Frontiers, May 2019

Security Corner: The Risk of Lists

By Eric Mann

The OWASP Top Ten is required reading for anyone in software development, regardless of whether or not your role focuses on security. It’s a useful guide to get you started thinking from a strong security mindset. Be careful, however, to avoid thinking the list is exhaustive or provides comprehensive security for your application or system.

Published in The New Frontend Fundamentals, April 2019

Security Corner: Intrusion Detection

By Eric Mann

Home security systems are an early warning to potential theft or abuse of our personal property. They’re useful because they alert us (and the police) to a problem before the theft happens. Logging and monitoring of our applications and digital systems can similarly help protect our customers and their data. By leveraging an automated intrusion detection system, our application can catch threats before they have a chance to impact our business.

Published in Building Bridges, March 2019

Security Corner: Egress Lockdown

By Eric Mann

Engineers working on the web are usually well-versed in firewalls, and it’s good practice to limit the potential sources of incoming web traffic. Far fewer engineers focus on limiting the approved destinations for outgoing traffic. Locking down a list of approved egress destinations is a strong security stance that limits the potential impact of a breach: an attacker who gains code execution still has to get data out, or a second-stage payload in, past that list.

Published in Out on a Limb – February 2019, February 2019

Security Corner: Strong Security Stance in the New Year

By Eric Mann

January is a month all about setting resolutions for the new year. A new diet. A new budget. A new FOSS contribution goal. In 2019, let’s intentionally focus on keeping our projects safe and taking a strong stance on security.

Published in DevOps Depths – January 2019, January 2019

Security Corner: Adventures in Hashing

By Eric Mann

Last month, the PHP community had the opportunity to come together for the excellent php[world] conference in Washington, D.C. As part of the event, we held a hackathon to work through some of the challenges posed by Cryptopals. Some of the cryptographic primitives we discussed were hashes, and it’s useful to take a more in-depth look at what they are and how to use them in PHP.
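The stream filters from the Crossing the Streams column and the hashes discussed here combine naturally: a user filter can feed every byte that passes through a stream into an incremental hash, so a file far larger than memory is HMAC'd as it is written and the bytes themselves pass through untouched. The following is an added example, not code from either column; the filter name, the shape of the params object used to hand the digest back, and the sample key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the column): a user stream filter that hashes every
// byte flowing through a stream with hash_init()/hash_update(), so a large file
// can be HMAC'd while it is written. Filter name and params shape are assumptions.
final class HashingFilter extends php_user_filter
{
    private HashContext $ctx;

    // $this->params is whatever was passed to stream_filter_append(); we use an
    // object so the filter can hand the final digest back to the caller.
    public function onCreate(): bool
    {
        if (!is_object($this->params)) {
            return false; // refuse to attach without somewhere to put the result
        }
        $key = $this->params->key ?? '';
        // A bare sha256 only catches accidental corruption; with a key it becomes
        // an HMAC that an attacker cannot recompute after tampering with the data.
        $this->ctx = $key === ''
            ? hash_init('sha256')
            : hash_init('sha256', HASH_HMAC, $key);
        return true;
    }

    public function filter($in, $out, &$consumed, bool $closing): int
    {
        while ($bucket = stream_bucket_make_writeable($in)) {
            hash_update($this->ctx, $bucket->data);
            $consumed += $bucket->datalen;
            stream_bucket_append($out, $bucket); // pass the bytes on unchanged
        }
        if ($closing) {
            $this->params->digest = hash_final($this->ctx);
        }
        return PSFS_PASS_ON;
    }
}

stream_filter_register('hash.sha256', HashingFilter::class);

$result = new stdClass();
$result->key = 'server-side hmac key (assumption)';
$result->digest = null;

// php://temp stands in for a real destination file so the script runs anywhere.
$fp = fopen('php://temp', 'w+');
$filter = stream_filter_append($fp, 'hash.sha256', STREAM_FILTER_WRITE, $result);

// Constructed payload, written in several pieces as an upload would arrive.
foreach (['first block of data', "\n", str_repeat('x', 10000), "\nlast block"] as $piece) {
    fwrite($fp, $piece);
}
stream_filter_remove($filter); // flushes the filter with $closing = true
rewind($fp);
$written = stream_get_contents($fp);
fclose($fp);

$expected = hash_hmac('sha256', $written, $result->key);
echo 'streamed digest : ', $result->digest, PHP_EOL;
echo 'one-shot digest : ', $expected, PHP_EOL;
echo hash_equals($expected, $result->digest) ? 'match' : 'MISMATCH', PHP_EOL;
```

Attach the same filter with STREAM_FILTER_READ to verify a download as it is consumed, and compare the recorded digest with hash_equals() rather than ==, as the last line does, so the comparison does not leak how many leading bytes matched.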

Published in Better Practice – December 2018, December 2018

Security Corner: Five Risks to Look for In a Code Review

By Eric Mann

Development teams use code review as a way to keep track of one another’s progress on issues and tasks in the work queue. Code reviews are also a stellar way to proactively detect and address security concerns before they become critical to the success of the project.

Published in Generics and Project Success – November 2018, November 2018

Security Corner: Subdomain Takeover

By Eric Mann

In a previous issue, we discussed technical debt—the small compromises made by a development team to ship a product. Over time, every team should try to “pay down” this debt by investing time in refactoring, shoring up unit/integration tests, and conducting deeper code audits. Not every form of technical debt is code-related, though. Infrastructure-related debt can accrue as well and be an enticing target for would-be attackers. This month, we take a look at one such exploit: subdomain takeovers.

Published in Internal Journeys – October 2018, October 2018

Security Corner: Professional Paranoia: Thinking Like an Attacker

By Eric Mann

One thing security professionals in every field have is a cultivated sense of “professional paranoia.” They invest time in understanding and thinking like a potential attacker. As a result, there are fewer ways an attack can surprise—or successfully breach—an application.

Published in Magniphpicent 7.3 – September 2018, September 2018

Security Corner: Secure Tokens

By Eric Mann

Any application aimed at presenting users with a premium, seamless UX must take account of the times when user authentication fails. What happens when a user forgets their password? What can we do to confirm sensitive operations using email or other out-of-band communication? How can we make an application easy to use while also keeping it secure? One mechanism, which protects both password reset links and other secure actions taken by way of an out-of-band confirmation is that of secure tokens.
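The properties a reset or confirmation token needs are easy to list and easy to get subtly wrong: unguessable, time-limited, single-use, and useless to anyone who steals the database. The added example below (not code from the column) implements them with a public selector for lookup and a secret verifier of which only a hash is stored; the 15-minute lifetime and the in-memory table standing in for a database are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the column): out-of-band tokens that are unguessable,
// expire, are single-use, and are stored only as a hash, so a leaked table does
// not hand out working reset links. TTL and the in-memory table are assumptions.
final class ResetTokens
{
    private const TTL = 900; // 15 minutes
    private array $rows = []; // selector => ['user_id', 'hash', 'expires']

    // Returns the string to embed in the e-mailed link.
    public function issue(int $userId): string
    {
        $selector = bin2hex(random_bytes(8)); // public lookup key; safe to log
        $verifier = random_bytes(32);         // the secret half
        $this->rows[$selector] = [
            'user_id' => $userId,
            'hash'    => hash('sha256', $verifier), // never the verifier itself
            'expires' => time() + self::TTL,
        ];
        return $selector . '.' . bin2hex($verifier);
    }

    // Returns the user ID the token was issued for, or null.
    public function redeem(string $token): ?int
    {
        // Parse strictly; anything that is not selector.verifier hex is refused
        // before touching storage.
        if (!preg_match('/^([0-9a-f]{16})\.([0-9a-f]{64})$/', $token, $m)) {
            return null;
        }
        [, $selector, $verifierHex] = $m;
        $row = $this->rows[$selector] ?? null;
        if ($row === null) {
            return null;
        }
        if ($row['expires'] < time()) {
            unset($this->rows[$selector]);
            return null;
        }
        // Looking up by selector and comparing hashes in constant time keeps
        // both the database query and the comparison from leaking the verifier.
        if (!hash_equals($row['hash'], hash('sha256', hex2bin($verifierHex)))) {
            return null; // wrong verifier; rate-limit this path in production
        }
        unset($this->rows[$selector]); // single use
        return $row['user_id'];
    }
}

function expect(bool $condition, string $what): void
{
    echo ($condition ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

$tokens = new ResetTokens();
$link   = $tokens->issue(42);

expect($tokens->redeem($link) === 42, 'fresh token resolves to the user it was issued for');
expect($tokens->redeem($link) === null, 'the same link cannot be used twice');

$link2 = $tokens->issue(42);
[$selector] = explode('.', $link2);
expect($tokens->redeem($selector . '.' . str_repeat('0', 64)) === null, 'right selector, wrong verifier is refused');
expect($tokens->redeem($link2) === 42, 'the genuine link still works after a failed guess');
expect($tokens->redeem('not a token') === null, 'malformed input is refused before any lookup');
```

On redemption the application should still re-authenticate the user for the sensitive action (set the new password, confirm the e-mail change) and invalidate any other outstanding tokens for that account, so that a token issued before a compromise cannot be used after the user has recovered.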

Published in Masterful Code Management – August 2018, August 2018

Security Corner: Secure Remote Password Authentication

By Eric Mann

A solid practice in protecting user credentials is to never store passwords in plaintext on the server. Modern content management systems and PHP frameworks leverage strong one-way functions to store only hashes of passwords. This technique protects your users should your database ever be breached by an attacker. An even stronger mechanism, however, would never send a plaintext password to the server in the first place.

Published in Navigating State – July 2018, July 2018

Security Corner: Composing Application Security

By Eric Mann

Package managers like Composer make it quick and easy to add third-party libraries to an application. Unfortunately, they can also make it easy to import code that’s not meant to run in production—and might intentionally expose certain vulnerabilities—if your development team isn’t careful.

Published in Command and Control – June 2018, June 2018

Security Corner: Paying Off Technical Debt

By Eric Mann

Every successful development team has two things in common: they’ve shipped a product, and they accepted compromises to make that shipment possible. Every team and every project has technical debt. It comes with the territory when you start building software. Usually, the term “technical debt” is seen as a negative, but that’s not always true.

Published in Treasure, Old & New – May 2018, May 2018

Security Corner: PHP Isolation in Production

By Eric Mann

Developers the world over were shocked in May 2017 when thousands of computers in the UK’s National Health Service were rendered inoperable by a malware attack. Thanks to a leaked exploit for a vulnerability in the Windows operating system, and the notoriously slow rate at which large enterprises apply system patches, attackers were able to infiltrate and infect these systems.

Published in Testing in Practice – April 2018, April 2018

Signed Commits With Git

By Eric Mann

Many developers confuse platforms like GitHub with tools like Git. On the one hand, this is a bit confusing for those trying to learn the terminology we use on a daily basis. On the other hand, the visibility of GitHub—and its fantastic community features—make it easier for developers to get a handle on critical elements of the underlying utility. In recent years, one of the most visible features developers have discovered is commit signing.

Published in Long Running PHP, March 2018

Security Corner: Application-level Data Security

By Eric Mann

Developers often conflate two different modes of data encryption when protecting the systems on which their applications run. One is encryption at rest—actually encrypting the files the database engine uses to persist state to the hard drive. The other is application-level encryption—where the application itself knows the encryption key and protects data directly. These approaches are similar, but they are not the same. It behooves the savvy developer to understand the difference between them and how to leverage both to secure application data fully.

Published in Know Your Tools, February 2018

Security Corner: Updates to the OWASP Top Ten—Logging

By Eric Mann

Last November, the Open Web Application Security Project (OWASP) published a new list of their “top ten” application security risks (ASRs). These are the most commonly encountered coding and security issues on the web according to an industry survey and the opinion of leading developers in the field. One of the newer ASRs to make the list is Insufficient Logging and Monitoring, something every PHP application can easily avoid.

Published in Setting Up to Succeed, January 2018

Security Corner: PHP, meet Libsodium

By Eric Mann

By the time you read this, the PHP community should have introduced the world to the newest version of our favorite language. This latest version adds better support for type annotations, allows trailing commas in lists (just like JavaScript and other dynamic languages) and introduces several security improvements. The most notable security addition, however, is the introduction of the Sodium cryptographic library as a core extension.
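The Crypto Streams and Application-level Data Security columns above, and the Sodium extension introduced here, meet in one construction: libsodium's secretstream, which encrypts a stream chunk by chunk with an authentication tag on every chunk and a FINAL tag that exposes truncation. The following is an added example, not code from any of the columns; the 4 KiB chunk size and the constructed log payload are assumptions, and the key is generated in place only for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the column): chunked authenticated encryption of a
// stream with sodium's secretstream. Every chunk is authenticated, chunks cannot
// be reordered or dropped, and the FINAL tag detects truncation. CHUNK and the
// sample payload are assumptions.
const CHUNK = 4096; // plaintext bytes per chunk

// fread() may return fewer bytes than requested on non-file streams; decryption
// needs exact chunk boundaries, so read until we have $n bytes or hit EOF.
function readExact($stream, int $n): string
{
    $buf = '';
    while (strlen($buf) < $n && !feof($stream)) {
        $part = fread($stream, $n - strlen($buf));
        if ($part === false || $part === '') {
            break;
        }
        $buf .= $part;
    }
    return $buf;
}

function encryptStream($in, $out, string $key): void
{
    [$state, $header] = sodium_crypto_secretstream_xchacha20poly1305_init_push($key);
    fwrite($out, $header); // carries the stream nonce; not secret, but required
    $chunk = readExact($in, CHUNK);
    do {
        $next  = readExact($in, CHUNK); // look ahead so the last chunk gets FINAL
        $final = ($next === '');
        $tag   = $final
            ? SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL
            : SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_MESSAGE;
        fwrite($out, sodium_crypto_secretstream_xchacha20poly1305_push($state, $chunk, '', $tag));
        $chunk = $next;
    } while (!$final);
}

function decryptStream($in, $out, string $key): void
{
    $header = readExact($in, SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES);
    if (strlen($header) !== SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES) {
        throw new RuntimeException('missing stream header');
    }
    $state = sodium_crypto_secretstream_xchacha20poly1305_init_pull($header, $key);
    $ctLen = CHUNK + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES;
    while (($ct = readExact($in, $ctLen)) !== '') {
        $res = sodium_crypto_secretstream_xchacha20poly1305_pull($state, $ct);
        if ($res === false) {
            throw new RuntimeException('chunk failed authentication: wrong key, modified, or reordered');
        }
        [$plain, $tag] = $res;
        fwrite($out, $plain); // only authenticated plaintext ever reaches $out
        if ($tag === SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL) {
            return; // clean end of stream
        }
    }
    throw new RuntimeException('stream truncated: ended before the FINAL chunk');
}

function memStream(string $contents = '')
{
    $s = fopen('php://memory', 'w+');
    fwrite($s, $contents);
    rewind($s);
    return $s;
}

$key   = sodium_crypto_secretstream_xchacha20poly1305_keygen(); // in production: from a KMS or environment, never the repo
$plain = str_repeat("2020-01-01T00:00:00Z user=alice action=login\n", 400); // constructed; spans several chunks

$ct = memStream();
encryptStream(memStream($plain), $ct, $key);
rewind($ct);
$ciphertext = stream_get_contents($ct);

$out = memStream();
decryptStream(memStream($ciphertext), $out, $key);
rewind($out);
echo hash_equals($plain, stream_get_contents($out)) ? "round trip: ok\n" : "round trip: MISMATCH\n";

// Flip one bit in the middle: that chunk's tag no longer verifies.
$tampered = $ciphertext;
$i = strlen($tampered) >> 1;
$tampered[$i] = chr(ord($tampered[$i]) ^ 0x01);
try {
    decryptStream(memStream($tampered), memStream(), $key);
} catch (RuntimeException $e) {
    echo "tampered stream rejected: {$e->getMessage()}\n";
}

// Drop the whole last chunk: earlier chunks still verify, but FINAL never arrives.
$lastChunkLen = (strlen($plain) % CHUNK) + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES;
try {
    decryptStream(memStream(substr($ciphertext, 0, -$lastChunkLen)), memStream(), $key);
} catch (RuntimeException $e) {
    echo "truncated stream rejected: {$e->getMessage()}\n";
}
```

Swap the php://memory handles for file or network streams and the same two functions encrypt a backup on the way to object storage or decrypt it on the way back, without ever holding the whole object in memory. The one thing the caller must get right is the key: generate it once, keep it out of the application's source and database (the point of the application-level encryption column), and rotate it by re-encrypting under a new key rather than by reusing headers.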

Published in Talking Code, December 2017 —Available for Free