blog.phpdev

Latest articles

Introspection, Growth and Passion

Having a moment of introspection this morning, thinking back over the years of how my work has changed – sometimes in pretty dramatic ways. It seems like forever ago that I was fresh out of school and working my first real programming job at a domain host. I worked hard until I was ultimately let go from the role due to some interpersonal issues. Fortunately,...

Preparing for Pentesting (@ Longhorn PHP 2018)

At this year’s Longhorn PHP conference I’ll be presenting two talks: an updated version of my “Securing Legacy Applications” session and something new and a bit different for a conference primarily aimed at development topics. I’ll be giving a tutorial on the first day (April 19th) about penetration testing. For those not familiar with the topic, penetration...

Saying Thanks – Open Source Appreciation

Wow, it has been a really long time since I’ve posted here. Most of my writing has ended up in articles of php[architect] or over on Websec.io. I wanted to jump back into the blog though and talk about something inspired by a post over on the Symfony blog about giving thanks. Normally the Thanksgiving holiday is more associated with sharing what you’re...

Protecting your application with PropAuth (Property-based Policy evaluation)

Library: PropAuth (Property-based policy evaluation) I’ve been working on a library for a while now that kind of distills down some of the ideas of property-based authorization (like XACML) and makes it a bit more accessible to the average developer. Property-based evaluation can be a little tricky to get your head around if you’re used to the usual...

Custom Callbacks with Invoke

In putting the Invoke library to use I noticed something. While I could tell it to check for groups and permissions on the current user and limit HTTP methods on the request, there were more complex things I needed to check that weren’t part of these defaults. Now, I could just extend invoke to include match types for everything I needed (injecting...

Laravel Route Protection with Invoke

I started on a tool a while back to “scratch an itch” in a personal project to make it easier to protect endpoints based on the requested URL. The Invoke library makes it possible to detect the route requested and ensure a set of criteria are met to be sure a user can access a resource. This isn’t anything new or revolutionary, but it is something I...

Why Drupal’s Bug Bounty is Important

The Drupal project has just announced a bug bounty program where they’re offering sums between $50-1000 USD for anyone who finds and reports a security issue with Drupal 8: Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That’s where...

Gatekeeper & Policies

I’ve been working on a system for a while now, inspired by the work that was done on the Sentry project, to provide a role-based access control system that was not only more well-maintained but also built on the foundation they provided to add in some new features. My “little project” Gatekeeper has really grown over time and (I think) really evolved...

PHP, Security & PSR-9/PSR-10

Late yesterday afternoon the PSR-9 and PSR-10 drafts were moved into master on the php-fig/standards repository, moving them along to the next step and to get the wider perspective of the main PHP-FIG group’s opinions on it. What are PSR-9 and PSR-10, you ask? Here’s a brief summary so far: At the end of last year (2014) Lukas Smith made a proposal...

Speaking at AppSec USA 2015

It’s always good to step outside of your usual bubble and try something new every once and a while. I recently took this step and submitted for the AppSec USA 2015 conference happening in San Francisco on September. My topic? PHP security, naturally but it’s to a much more diverse audience. At PHP conferences its easy to take a lot of things for granted....

Discover, share and read the best on the web

Subscribe to RSS Feeds, Blogs, Podcasts, Twitter searches, Facebook pages, even Email Newsletters! Get unfiltered news feeds or filter them to your liking.

Get Inoreader
Inoreader - Subscribe to RSS Feeds, Blogs, Podcasts, Twitter searches, Facebook pages, even Email Newsletters!