Eric Mann

Eric is a seasoned web developer experienced with multiple languages and platforms. He’s been working with PHP for more than a decade and focuses his time on helping developers get started and learn new skills with their tech of choice. You can reach out to him directly via Twitter.

twitter: @EricMann

Articles

Secure Authentication

By Eric Mann

I’ve written at length in the past about the three dimensions of authentication and how they’re important. The first two are easy. Something you **are**, being your user ID or login, and something you **know**, your password. It’s the third dimension, something you **have**, that becomes a bit more complicated.

Published in PHP Is Listening, September 2024

Schrodinger’s Backup

By Eric Mann

“What!?” I shouted, half asleep into my phone. It was four in the morning, and I was *not* ready to get up. “The server is down. I know it is early … but can you come in and fix it?”

Published in HaPHPy Developers, August 2024

PHP Under Attack

By Eric Mann

There are many things that need to happen just right for PHP to be vulnerable to a buffer overflow bug. Yet that won’t stop the sensationalized stories about PHP supposedly being insecure. Ironically, this isn’t even a bug in PHP itself but in an upstream library that PHP (and other tools) use.

Published in Search For Good Code, July 2024

Security-minded Code Review

By Eric Mann

When reviewing documentation or code, I typically ask people to rate the level of pedantry they want me to provide in my commentary. This is mostly snarky, but it also covers a more legitimate set of questions based on the *goal* of the review. Is this merely a code quality edit? Are we trying to optimize the performance of some code? Do we need to assess the tone taken in documentation?

Published in AI Llamas, June 2024

Rolling Credentials and Keys

By Eric Mann

I’m rarely the only contractor working for a client at any given time. Most of my colleagues are top-notch professionals with whom I love to collaborate. Occasionally, though, I end up paired with someone who has no business *using* a computer, let alone charging a company money to use one on their behalf.

Published in PHP Reflections, May 2024

Security and Side Channels

By Eric Mann

Any modern film involving hacking will usually feature a scene of attackers breaking into a machine, system, or service in some glorious fashion. They race against a clock featuring animated characters to crack a password. CGI electrons race down a wire to illustrate malware compromising a system. An operative dives out of an overhead vent to insert a device into the mainframe.

Published in Deep Diving PHP Security, April 2024

23andMe, and You, and Everyone Else

By Eric Mann

Remember this article you’re about to read the next time you’re asked for your birthdate and mother’s maiden name to prove your identity in a doctor’s office …

Published in World Community, March 2024

Cheating is Encouraged

By Eric Mann

“Never memorize something you can look up.” – Albert Einstein.

Published in The PHP Gambit: Winning Strategies in Code, February 2024

When Bug Bounties Go Bad

By Eric Mann

Bug bounty programs are critical to any operational product running in the cloud. Know what they are, how they can go wrong, and what you can do to embrace and enhance the practice of responsible disclosure.

Published in Bad Bug Bounties, January 2024

Demystifying Cryptography

By Eric Mann

One of the more advanced topics handled by modern developers is cryptography. It’s the stuff of science fiction to many, but frankly, it doesn’t have to be a mystery to any of us.

Published in Generating Efficient PHP, December 2023

PHP, Meet Passkeys

By Eric Mann

Something you know, something you are, something you have. How does the new technology of passkeys fit into the proven authentication pyramid?

Published in Command Line Picasso, November 2023

The Meaning of “High Trust”

By Eric Mann

When many people think about security, they naturally think about entities attacking from the outside. This might be the outside of their application, network, or even organization. We often fail to realize that the most critical threat is often users already inside your system.

Published in Software Archeology, October 2023

The Apocalypse is Now

By Eric Mann

The world’s leading experts on artificial intelligence have warned us of a coming “AI Apocalypse”. How real is this threat, and when will we see it?

Published in The Spectrum of PHP, September 2023

Vulnerability Management 101

By Eric Mann

Every piece of published code will eventually suffer a vulnerability. Recognizing this truth is the first step to establishing a vulnerability management program.

Published in Packing Up PHP, August 2023

Security Corner: Prisoner’s Dilemma

By Eric Mann

Every application must be designed, and the ethical consideration of that tool’s use (or misuse) must be key to the technical design.

Published in Be Barrier Free, July 2023

Security Corner: Types of Tokens

By Eric Mann

Terminology in security can be a finicky thing. When talking about either security-related or adjacent topics, it’s best to be precise in what each term you choose actually means.

Published in Evolving PHP, June 2023

Security Corner: Tabletop: Planning for Disaster

By Eric Mann

Roughly twice a year, I take time to play a game with my team. To those who play Dungeons & Dragons, this might sound familiar. I spend time planning a particular campaign, then each team member picks a role and plays through it. Except we’re not fighting monsters or casting spells. Instead, I take the role of Dungeon Master for a simulated cybersecurity incident. To those in the industry, this is commonly referred to as a tabletop exercise.

Published in HTTP Burritos, May 2023

Security Corner: The Risks of Free Conference Internet

By Eric Mann

Now that the snow is melting, we’re beginning to see the first signs of Spring. With Spring comes the rain, wildflowers and honeybees, bouncing bunnies in the park, and conference season. Traveling for conferences and other events can be exciting for many. But what most don’t realize is just how risky it can be.

Published in Getting TEKnical, April 2023

Security Corner: InfoSec 102: Phishing

By Eric Mann

Continuing on last month’s trend, we want to spend some time defining and explaining some of the terms and jargon frequently used by practitioners in the security community. Fortunately, this month’s term is likely one you’ve already come across in business: phishing.

Published in Box of PHP, March 2023

Security Corner: Infosec 101: The Confused Deputy

By Eric Mann

When two InfoSec practitioners get together, they often resort to a sort of short-hand in conversation to make things easier. This leverages slang, jargon, or other insider references that are opaque or confusing to those outside our community. Rather than coming up with new terms, it’s often easiest to spend that time disambiguating the jargon already in use. This month we’ll dive deep into a concept that seems to come up frequently – particularly among less technical stakeholders. This is the “confused deputy”.

Published in Knowledge Crunching, February 2023

Security Corner: PCI-DSS: A Beginners Guide

By Eric Mann

Every developer should strive to not only build a quality application but also to ensure that security is baked in at every phase of development. Applications handling customer payment information are even more critical to secure. Firstly, it’s just the right thing to do to ensure that you handle customer payment data appropriately. But if you want to work with credit cards, you’re explicitly required to follow a set of standardized guidelines: PCI-DSS.

Published in PHP is Standing Tall, January 2023

Security Corner: Debt Management

By Eric Mann

Every successful development team has two things in common: They’ve shipped a product and accepted compromises to make that shipment possible.

Published in Owning The Web, December 2022

Security Corner: Direct Object References

By Eric Mann

Building APIs in PHP often exposes us to the potential of obscure bugs that can otherwise compromise the security of our application. Building too pure of an API – and relying on clients to provide too much information about the objects they’re referencing – is one such risk.

Published in The Value of the AST, November 2022

Security Corner: Cybersecurity Checkup

By Eric Mann

October is recognized as Cybersecurity Awareness Month in the United States. It’s a great opportunity to stop, take stock of your current security stance, and make incremental improvements where possible.

Published in The State of PHP, October 2022

Security Corner: Surviving Cybersecurity

By Eric Mann

Engineers don’t often last as long in a cybersecurity focus as they do in other disciplines. If this is your path, you should understand why and how to beat the odds.

Published in Making Code, September 2022

Security Corner: Broken Authentication

By Eric Mann

One of the most foundational elements of security is clear communication. If we fail to use the correct language to communicate, we risk being misunderstood and making critical software mistakes.

Published in PHP Blueprint, August 2022

Security Corner: Demystifying Multifactor Authentication

By Eric Mann

Authentication by way of a username and password is well understood. Adding an extra authentication factor—like a smartphone—to the mix helps strengthen a login flow. But what exactly is an authentication factor, and what are the trade-offs between each one?

Published in Database Freedom, July 2022

Security Corner: Assessing Cybersecurity Risks

By Eric Mann

Every application will, one day, be exposed to a cybersecurity risk. Learning how to categorize and rate those risks is critical to keeping your team focused on the things that matter most.

Published in Another Bright Idea, June 2022

Security Corner: Classifying Ransomware

By Eric Mann

One of the terrifying new developments in technology is the high prevalence of ransomware—criminals using software to hold your data or information systems hostage.

Published in One Last Slice, May 2022

Security Corner: Operational Security

By Eric Mann

It is remarkably easy to grow complacent in the digital world, but a lapse in security best practices inevitably leads to a lapse in security itself.

Published in Testing The Core, April 2022

Security Corner: Understanding Supply Chain Security

By Eric Mann

In the physical world, it’s relatively easy to understand what a supply chain looks like—the security of physical goods in transit is a straightforward concept. This kind of security in the digital world can be harder to recognize but is just as critical.

Published in World Backup Day, March 2022

Security Corner: Getting Started with Cybersecurity

By Eric Mann

Every career track starts somewhere. Cybersecurity doesn’t always begin where you’d expect.

Published in Parallelize Your Code, February 2022

Security Corner: The Terrifying Scale of a Security Bug

By Eric Mann

A remote code execution vulnerability discovered in the widely used Log4J library exposed billions of machines to malicious actors in December. Unfortunately, fixing this bug was not straightforward and left much of the Internet exposed to bad actors for over a week.

Published in Domain-Driven Resolutions, January 2022

Security Corner: Vulnerable and Outdated Components

By Eric Mann

One of the updated risks enumerated by the OWASP Top Ten is using an older component with a known vulnerability. Engineers need to remember that this extends to ancillary systems, not just PHP.

Published in The Zen of Mindful Programming, December 2021

Security Corner: No Bug Too Small

By Eric Mann

Every bug report, even the innocuous-looking ones, could be evidence of a fatal flaw in your application. You owe it to yourself and your customers to vet and audit any report, even if it lacks a proof-of-concept or exploit code, or feels like an extremely hypothetical edge case.

Published in The Art of Data, November 2021

Security Corner: Updating the OWASP Top Ten

By Eric Mann

The Open Web Application Security Project (OWASP) is a non-profit that focuses on web security research, training, and documentation to help developers make the world a safer place. They regularly collate application security risks seen in the wild and publish a list of the most frequently encountered issues. This list, the OWASP Top Ten, is a common tool used by developers and security auditors alike to gauge the level of security maturity of a project or the team maintaining it.

Published in Decrypting Cryptography, October 2021 —Available for Free

Security Corner: The Pit of Success

By Eric Mann

Security is often difficult to get right, even for those who are experts in the field. Mistakes are easy to make and result in our users falling into a pit. All developers should practice a stance of “security by default.” Doing so means ensuring that any mistakes land users in a pit of success rather than despair.

Published in It’s Really an Upgrade, September 2021

Security Corner: Multifactor Authentication

By Eric Mann

A modern security best practice is to both implement and require a form of authentication beyond a simple password. This practice is known as “multifactor” authentication, as users will have a primary factor—their password—and a secondary factor to successfully authenticate to an application. Proper implementation of a multifactor authentication scheme keeps your application and its users safe and secure by making it more difficult for attackers to get past your authentication.

Published in Trimming One’s Sails, August 2021

Security Corner: Evaluating Password Strength

By Eric Mann

An application is only as strong as the authentication systems used to gate entry and protect the data it contains. So long as your users leverage passwords, the weakest link in your security stance is the strength of those passwords. This month we take a deeper look at the strength of passwords and guidance to keep your users’ data secure.

Published in Deep Dive Into Search, July 2021

Security Corner: Responsible Disclosure

By Eric Mann

Despite our best efforts, security bugs will creep into deployed production code. When this happens, members of the community might reach out to report these bugs to you. Your team needs to be prepared to both receive and encourage these forms of responsible disclosure.

Published in Debug, Rinse, Repeat, June 2021

Security Corner: Radical Transparency

By Eric Mann

Last month, news broke of a breach of the PHP community’s development Git server. This breach included the addition of two malicious commits to the language’s source code. The malicious code was immediately identified and removed; the team is taking further steps to ensure this kind of situation never occurs again.

Published in Testing Assumptions, May 2021

Security Corner: Basics of Password Hashing

By Eric Mann

Every web application that allows users to authenticate needs to ensure their users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement.

Published in Busy Worker Bees, April 2021 —Available for Free

Security Corner: Cooking with Credentials

By Eric Mann

There are many ways to store user credentials for verification on the application side. Only a few of those ways—namely hashing—are considered secure. While an “older” topic, let’s look at how you should store passwords and why it’s vital for every developer to know how to handle sensitive data securely.

Published in Lambda PHP, March 2021

Security Corner: Supply Chain Security

By Eric Mann

The recent security breach of SolarWinds was one of the worst the community has seen in recent years. This isn’t due to the severity of the hack used, but to its impact on almost all of SolarWinds’ downstream customers. Let’s look at whether something like this could happen in the PHP ecosystem and what we could do to guard against it.

Published in Dealing with Data, February 2021

Security Corner: Enforcing Subresource Integrity

By Eric Mann

Any scripts or styles you include into your web application are called “subresources.” As these files can impact your application’s overall operation, it is critical for writing secure software that you ensure the integrity of any subresource loaded into the page. Otherwise, an untrusted party might inject malware, cryptocurrency miners, or another malicious payload into users’ browsers.

Published in Newfangled Views, January 2021

Security Corner: Circuit Breakers

By Eric Mann

If your application’s stability depends on the availability of a third-party system, the reliability of that external system becomes critical to the smooth operation of your own. The circuit breaker pattern is a proven way to protect against an unstable system causing problems with yours. Use it, and you won’t be surprised by an unplanned outage at a service you rely on, provoking an outage for your service as well.

Published in PHP 8 Bits and Git, December 2020

Security Corner: Self-obfuscating Value Objects—A Design Pattern for PII

By Eric Mann

Leveraging commonly used and well-defined design patterns is paramount in ensuring your application is stable and maintainable over time. Extending those design patterns to focus on security-first is an effective way of ensuring your application and its data are reliably secure. One such pattern is a Value Object, which can be customized to automatically and transparently obfuscate the value it contains. We can use such an object to protect PII, keeping it available for use within your business logic while preventing accidental leaks or disclosure of the sensitive data with which you work.

Published in SOLID Foundations, November 2020

Security Corner: Configurable Security

By Eric Mann

Having a tool like Mozilla’s Observatory scan the health of your site is useless if you lack the tools to properly secure it and pass the inspections in the first place. You can set most of the required settings directly in the source of your application.

Published in Running Parallel, October 2020

Security Corner: Observable Security

By Eric Mann

Among the easiest ways to ensure your website or web application is behaving securely is to subject it to objective, third-party security scans. The Mozilla Observatory is one such tool that helps ensure strong security for any system operating on the public Internet. The Observatory automatically scans your website to make sure you correctly configure common security settings to best protect you and your users.

Published in Under the Scope, September 2020

Security Corner: Usable Security

By Eric Mann

An oft-overlooked aspect of any security practice or policy is its usability. Do the checks and controls added for the sake of security make the system harder for end-users to do their jobs? An unusable system will never be fully implemented and will fail to secure even the simplest of platforms.

Published in Data Discipline, August 2020

Security Corner: Information Tokenization

By Eric Mann

Any system dealing with human users collects some information about those users. That information is private and needs to be kept secure. The most effective way to do so is to avoid its storage in the first place, i.e., by tokenizing the data.

Published in Warp Driven Development, July 2020

Security Corner: Cross Site Request Forgery

By Eric Mann

Cross-site request forgery (CSRF) is a security risk where an attacker tricks a visitor into making a malicious request to your site from another, entirely unrelated site in their control. This particular vulnerability seemingly disappeared from most teams’ radars a few years ago but is beginning to reappear in the wild.

Published in Advanced Design & Development, June 2020

Security Corner: Request Replay Protection

By Eric Mann

One of the most overused terms of security is “token.” It’s used in many different, often unrelated contexts to mean very different things. This month we’re going to discuss one form of tokens—replay prevention nonces—and how to use them.

Published in Unsupervised Learning, May 2020

Security Corner: Buzzword Bingo

By Eric Mann

Buzzwords permeate security. It’s vital for everyone working in application development to have a solid understanding of what the most common buzzwords are—partly so they can protect against misusing them.

Published in Machine Learning and OpenAPI, April 2020

Security Corner: Mutual TLS

By Eric Mann

Certificates issued to protect transport layer security (TLS) help identify servers and protect data in transit through encryption. They can also be used to identify clients making the connection. Let’s look at ways to handle TLS configuration and usage correctly in a PHP application.

Published in How Magento is Evolving, March 2020

Security Corner: A Reintroduction to TLS

By Eric Mann

In mid-January, the US National Security Agency warned of a critical security flaw in how the Windows operating system validates cryptographic certificates. As these certificates underpin how TLS (transport layer security) protects the internet at large, it’s essential to understand both what happened and how your development team can avoid similar mistakes.

Published in Cultivating the Developer Experience, February 2020

Security Corner: Seven Deadly Sins of Security

By Eric Mann

While no list regarding security, risks, or best practices can ever be exhaustive, they often serve as decent starting points. Understanding some of the most common classes of security mistakes is a great way to begin a conversation about total application security. The following seven security risks are critical to any application development team; they’re easy mistakes to make but are equally easy to avoid if you keep your eyes open.

Published in New Habits, January 2020

Security Corner: Crypto Streams

By Eric Mann

The goal of any encryption operation is to scramble the patterns in the plaintext source data and otherwise protect its contents by rendering a specific message indistinguishable from random noise. A cryptographically-secure algorithm or implementation is one that can be mathematically proven to render data in such a state—there is no mathematical way to analyze or extract information from a securely encrypted payload. The most important feature of an encryption system, though, is we can revert such a scrambled message to a readable format via a known operation and a specific piece of private information—the decryption key.

Published in Expedition PHP, December 2019

Security Corner: Responsible Encryption

By Eric Mann

As early as 2018, many governments began calling for the tech community to create so-called “responsible encryption.” Their goal is for tech companies to provide blessed “back doors” for law enforcement to decrypt and otherwise inspect messages and data created by citizens within their borders. These calls and the arguments made to support them, however, are horribly misguided and do incredible harm to our overall security and privacy.

Published in Object Orientation, November 2019

Security Corner: Crossing the Streams

By Eric Mann

While not commonly seen in the wild, PHP exposes powerful interfaces empowering applications to manipulate large streams of data directly. Both stream wrappers and filters allow developers to interact with objects too large to fit in memory or which might be ephemeral in nature. Combining these stream interfaces opens up even more possibilities for the savvy developer.

Published in Coding Without Fear, October 2019

Security Corner: Twist and Shout

By Eric Mann

Most self-taught developers in our industry learn to leverage an API long before they spend time learning lower-level coding patterns. This experience isn’t necessarily a bad thing. All the same, it’s important to take some time to dig deeper and better understand the tools and technologies at the core of our trade. Computers are deterministic by nature, so we need to leverage purpose-built random number generators to introduce unpredictability into the system.

Published in Master of Puppets, September 2019 —Available for Free

Security Corner: System Enumeration

By Eric Mann

The first step to protecting your system is to understand the actions, behaviors, and motivations of those who would potentially breach and damage that system. Learning to think like an attacker is excellent. Mastering the tools attackers are likely to use on your platform is even better. The question isn’t whether they’ll get in, it’s what exactly they’ll do once they’ve breached your system.

Published in Renovating Applications with Symfony, August 2019

Security Corner: Defending Against Insider Threats

By Eric Mann

When many people think about security, they naturally think about attacks from external threats and entities. They may originate outside of the application, network, or even organization. What we often fail to realize is the most critical threat is often users already inside your system.

Published in Find the Way With Elasticsearch, July 2019

Security Corner: Credentials and Secrets Management

By Eric Mann

Managing passwords in userland is complicated. Luckily, consumer tools like 1Password and LastPass make it easier than ever to protect user credentials. Unfortunately, this doesn’t help with the credentials used by our servers or code. The ways developers manage application credentials are legion; some are right, others fatally flawed.

Published in How to Tame Your Data, June 2019

Security Corner: Access Control and Authorization

By Eric Mann

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.

Published in Serverless, ReactPHP, and Expanding Frontiers, May 2019

Security Corner: The Risk of Lists

By Eric Mann

The OWASP Top Ten is required reading for anyone in software development, regardless of whether or not your role focuses on security. It’s a useful guide to get you started thinking from a strong security mindset. Be careful, however, to avoid thinking the list is exhaustive or provides comprehensive security for your application or system.

Published in The New Frontend Fundamentals, April 2019

Security Corner: Intrusion Detection

By Eric Mann

Home security systems are an early warning to potential theft or abuse of our personal property. They’re useful because they alert us (and the police) to a problem before the theft happens. Logging and monitoring of our applications and digital systems can similarly help protect our customers and their data. By leveraging an automated intrusion detection system, our application can catch threats before they have a chance to impact our business.

Published in Building Bridges, March 2019

Security Corner: Egress Lockdown

By Eric Mann

Engineers working on the web are usually well-versed in firewalls. It’s a good practice to limit the potential sources of incoming web traffic; not many engineers focus on limiting approved destinations for outgoing traffic. Locking down a list of approved egress destinations is a strong security stance which limits the potential impact of a breach.

Published in Out on a Limb – February 2019, February 2019

Security Corner: Strong Security Stance in the New Year

By Eric Mann

January is a month all about setting resolutions for the new year. A new diet. A new budget. A new FOSS contribution goal. In 2019, let’s intentionally focus on keeping our projects safe and taking a strong stance on security.

Published in DevOps Depths – January 2019, January 2019

Security Corner: Adventures in Hashing

By Eric Mann

Last month, the PHP community had the opportunity to come together for the excellent php[world] conference in Washington, D.C. As part of the event, we held a hackathon to work through some of the challenges posed by Cryptopals. Some of the cryptographic primitives we discussed were hashes, and it’s useful to take a more in-depth look at what they are and how to use them in PHP.

Published in Better Practice – December 2018, December 2018

Security Corner: Five Risks to Look for In a Code Review

By Eric Mann

Development teams use code review as a way to keep track of one another’s progress on issues and tasks in the work queue. Code reviews are also a stellar way to proactively detect and address security concerns before they become critical to the success of the project.

Published in Generics and Project Success – November 2018, November 2018

Security Corner: Subdomain Takeover

By Eric Mann

In a previous issue, we discussed technical debt—the small compromises made by a development team to ship a product. Over time, every team should try to “pay down” this debt by investing time in refactoring, shoring up unit/integration tests, and conducting deeper code audits. Not every form of technical debt is code-related, though. Infrastructure-related debt can accrue as well and be an enticing target for would-be attackers. This month, we take a look at one such exploit: subdomain takeovers.

Published in Internal Journeys – October 2018, October 2018

Security Corner: Professional Paranoia: Thinking Like an Attacker

By Eric Mann

One thing security professionals in every field have is a cultivated sense of “professional paranoia.” They invest time in understanding and thinking like a potential attacker. As a result, there are fewer ways an attack can surprise—or successfully breach—an application.

Published in Magniphpicent 7.3 – September 2018, September 2018

Security Corner: Secure Tokens

By Eric Mann

Any application aimed at presenting users with a premium, seamless UX must take account of the times when user authentication fails. What happens when a user forgets their password? What can we do to confirm sensitive operations using email or other out-of-band communication? How can we make an application easy to use while also keeping it secure? One mechanism, which protects both password reset links and other secure actions taken by way of an out-of-band confirmation is that of secure tokens.

Published in Masterful Code Management – August 2018, August 2018

Security Corner: Secure Remote Password Authentication

By Eric Mann

A solid practice in protecting user credentials is to never store passwords in plaintext on the server. Modern content management systems and PHP frameworks leverage strong one-way functions to store only hashes of passwords. This technique protects your users should your database ever be breached by an attacker. An even stronger mechanism, however, would never send a plaintext password to the server in the first place.

Published in Navigating State – July 2018, July 2018

Security Corner: Composing Application Security

By Eric Mann

Package managers like Composer make it quick and easy to add third-party libraries to an application. Unfortunately, they can also make it easy to import code that’s not meant to run in production—and might intentionally expose certain vulnerabilities—if your development team isn’t careful.

Published in Command and Control – June 2018, June 2018

Security Corner: Paying Off Technical Debt

By Eric Mann

Every successful development team has two things in common: they’ve shipped a product, and they accepted compromises to make that shipment possible. Every team and every project has technical debt. It comes with the territory when you start building software. Usually, the term “technical debt” is seen as a negative, but that’s not always true.

Published in Treasure, Old & New – May 2018, May 2018

Security Corner: PHP Isolation in Production

By Eric Mann

Developers the world over were in shock this past May as thousands of computers in the UK’s National Health System were rendered inoperable due to a malware attack. Thanks to a previously leaked vulnerability in Windows’ operating system, and the notoriously slow rate at which large enterprises apply system patches, hackers were able to infiltrate and infect these systems with specific viruses.

Published in Testing in Practice – April 2018, April 2018

Signed Commits With Git

By Eric Mann

Many developers confuse platforms like GitHub with tools like Git. On the one hand, this is a bit confusing for those trying to learn the terminology we use on a daily basis. On the other hand, the visibility of GitHub—and its fantastic community features—make it easier for developers to get a handle on critical elements of the underlying utility. In recent years, one of the most visible features developers have discovered is commit signing.

Published in Long Running PHP, March 2018

Security Corner: Application-level Data Security

By Eric Mann

Developers often conflate two different modes of data encryption when protecting the systems on which their applications run. One is encryption at rest—actually encrypting the files the database engine uses to persist state to the hard drive. The other is application-level encryption—where the application itself knows the encryption key and protects data directly. These approaches are similar, but they are not the same. It behooves the savvy developer to understand the difference between them and how to leverage both to secure application data fully.

Published in Know Your Tools, February 2018

Security Corner: Updates to the OWASP Top Ten—Logging

By Eric Mann

Last November, the Open Web Application Security Project (OWASP) published a new list of their “top ten” application security risks (ASRs). These are the most commonly encountered coding and security issues on the web according to an industry survey and the opinion of leading developers in the field. One of the newer ASRs to make the list is Insufficient Logging and Monitoring, something every PHP application can easily avoid.

Published in Setting Up to Succeed, January 2018

Security Corner: PHP, meet Libsodium

By Eric Mann

By the time you read this, the PHP community should have introduced the world to the newest version of our favorite language. This latest version adds better support for type annotations, allows trailing commas in lists (just like JavaScript and other dynamic languages) and introduced several security improvements. The most notable security addition, however, is the introduction of the Sodium cryptographic library as a core extension.

Published in Talking Code, December 2017 —Available for Free