Eric Mann

Eric is a seasoned web developer experienced with multiple languages and platforms. He’s been working with PHP for more than a decade and focuses his time on helping developers get started and learn new skills with their tech of choice. You can reach out to him directly via Twitter.

twitter: @EricMann

Articles

Security Corner: Defending Against Insider Threats

By Eric Mann

When many people think about security, they naturally think about attacks from external threats and entities. They may originate outside of the application, network, or even organization. What we often fail to realize is that the most critical threat frequently comes from users already inside your system.

Published in Find the Way With Elasticsearch, July 2019

Security Corner: Credentials and Secrets Management

By Eric Mann

Managing passwords in userland is complicated. Luckily, consumer tools like 1Password and LastPass make it easier than ever to protect user credentials. Unfortunately, this doesn’t help with the credentials used by our servers or code. The ways developers manage application credentials are legion; some are right, others fatally flawed.

Published in How to Tame Your Data, June 2019

Security Corner: Access Control and Authorization

By Eric Mann

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.

Published in Serverless, ReactPHP, and Expanding Frontiers, May 2019

Security Corner: The Risk of Lists

By Eric Mann

The OWASP Top Ten is required reading for anyone in software development, regardless of whether or not your role focuses on security. It’s a useful guide to get you started thinking from a strong security mindset. Be careful, however, to avoid thinking the list is exhaustive or provides comprehensive security for your application or system.

Published in The New Frontend Fundamentals, April 2019

Security Corner: Intrusion Detection

By Eric Mann

Home security systems are an early warning to potential theft or abuse of our personal property. They’re useful because they alert us (and the police) to a problem before the theft happens. Logging and monitoring of our applications and digital systems can similarly help protect our customers and their data. By leveraging an automated intrusion detection system, our application can catch threats before they have a chance to impact our business.

Published in Building Bridges, March 2019

Security Corner: Egress Lockdown

By Eric Mann

Engineers working on the web are usually well-versed in firewalls. It’s a good practice to limit the potential sources of incoming web traffic; not many engineers focus on limiting approved destinations for outgoing traffic. Locking down a list of approved egress destinations is a strong security stance which limits the potential impact of a breach.

Published in Out on a Limb – February 2019, February 2019

Security Corner: Strong Security Stance in the New Year

By Eric Mann

January is a month all about setting resolutions for the new year. A new diet. A new budget. A new FOSS contribution goal. In 2019, let’s intentionally focus on keeping our projects safe and taking a strong stance on security.

Published in DevOps Depths – January 2019, January 2019

Security Corner: Adventures in Hashing

By Eric Mann

Last month, the PHP community had the opportunity to come together for the excellent php[world] conference in Washington, D.C. As part of the event, we held a hackathon to work through some of the challenges posed by Cryptopals. Some of the cryptographic primitives we discussed were hashes, and it’s useful to take a more in-depth look at what they are and how to use them in PHP.

Published in Better Practice – December 2018, December 2018

Security Corner: Five Risks to Look for In a Code Review

By Eric Mann

Development teams use code review as a way to keep track of one another’s progress on issues and tasks in the work queue. Code reviews are also a stellar way to proactively detect and address security concerns before they become critical to the success of the project.

Published in Generics and Project Success – November 2018, November 2018

Security Corner: Subdomain Takeover

By Eric Mann

In a previous issue, we discussed technical debt—the small compromises made by a development team to ship a product. Over time, every team should try to “pay down” this debt by investing time in refactoring, shoring up unit/integration tests, and conducting deeper code audits. Not every form of technical debt is code-related, though. Infrastructure-related debt can accrue as well and be an enticing target for would-be attackers. This month, we take a look at one such exploit: subdomain takeovers.

Published in Internal Journeys – October 2018, October 2018

Security Corner: Professional Paranoia: Thinking Like an Attacker

By Eric Mann

One thing security professionals in every field have is a cultivated sense of “professional paranoia.” They invest time in understanding and thinking like a potential attacker. As a result, there are fewer ways an attack can surprise—or successfully breach—an application.

Published in Magniphpicent 7.3 – September 2018, September 2018

Security Corner: Secure Tokens

By Eric Mann

Any application aimed at presenting users with a premium, seamless UX must take account of the times when user authentication fails. What happens when a user forgets their password? What can we do to confirm sensitive operations using email or other out-of-band communication? How can we make an application easy to use while also keeping it secure? One mechanism that protects both password reset links and other secure actions taken by way of out-of-band confirmation is that of secure tokens.

Published in Masterful Code Management – August 2018, August 2018

Security Corner: Secure Remote Password Authentication

By Eric Mann

A solid practice in protecting user credentials is to never store passwords in plaintext on the server. Modern content management systems and PHP frameworks leverage strong one-way functions to store only hashes of passwords. This technique protects your users should your database ever be breached by an attacker. An even stronger mechanism, however, would never send a plaintext password to the server in the first place.

Published in Navigating State – July 2018, July 2018

Security Corner: Composing Application Security

By Eric Mann

Package managers like Composer make it quick and easy to add third-party libraries to an application. Unfortunately, they can also make it easy to import code that’s not meant to run in production—and might intentionally expose certain vulnerabilities—if your development team isn’t careful.

Published in Command and Control – June 2018, June 2018

Security Corner: Paying Off Technical Debt

By Eric Mann

Every successful development team has two things in common: they’ve shipped a product, and they accepted compromises to make that shipment possible. Every team and every project has technical debt. It comes with the territory when you start building software. Usually, the term “technical debt” is seen as a negative, but that’s not always true.

Published in Treasure, Old & New – May 2018, May 2018

Security Corner: PHP Isolation in Production

By Eric Mann

Developers the world over were in shock this past May as thousands of computers in the UK’s National Health System were rendered inoperable due to a malware attack. Thanks to a previously leaked vulnerability in the Windows operating system, and the notoriously slow rate at which large enterprises apply system patches, hackers were able to infiltrate and infect these systems with specific viruses.

Published in Testing in Practice – April 2018, April 2018

Signed Commits With Git

By Eric Mann

Many developers confuse platforms like GitHub with tools like Git. On the one hand, this is a bit confusing for those trying to learn the terminology we use on a daily basis. On the other hand, the visibility of GitHub—and its fantastic community features—make it easier for developers to get a handle on critical elements of the underlying utility. In recent years, one of the most visible features developers have discovered is commit signing.

Published in Long Running PHP, March 2018

Security Corner: Application-level Data Security

By Eric Mann

Developers often conflate two different modes of data encryption when protecting the systems on which their applications run. One is encryption at rest—actually encrypting the files the database engine uses to persist state to the hard drive. The other is application-level encryption—where the application itself knows the encryption key and protects data directly. These approaches are similar, but they are not the same. It behooves the savvy developer to understand the difference between them and how to leverage both to secure application data fully.

Published in Know Your Tools, February 2018

Security Corner: Updates to the OWASP Top Ten—Logging

By Eric Mann

Last November, the Open Web Application Security Project (OWASP) published a new list of their “top ten” application security risks (ASRs). These are the most commonly encountered coding and security issues on the web according to an industry survey and the opinion of leading developers in the field. One of the newer ASRs to make the list is Insufficient Logging and Monitoring, something every PHP application can easily avoid.

Published in Setting Up to Succeed, January 2018

Security Corner: PHP, meet Libsodium

By Eric Mann

By the time you read this, the PHP community should have introduced the world to the newest version of our favorite language. This latest version adds better support for type annotations, allows trailing commas in lists (just like JavaScript and other dynamic languages), and introduces several security improvements. The most notable security addition, however, is the introduction of the Sodium cryptographic library as a core extension.

Published in Talking Code, December 2017 — Available for Free