When it comes to building your own apps, setting development priorities, spending budgets, and generally getting stuff done, security is usually considered to be boring and unnecessary. This is especially true when you’re working with a modern PHP framework like Laravel or CodeIgniter. Security is included out of the box so you don’t need to think about it, right?
This is the mentality that results in vulnerabilities being introduced because the developer overlooked something. I’ve seen it many times when doing security audits: authentication missed on an admin route, or signed URLs not actually checking for a valid signature. When it comes to working with modern “secure” frameworks, it’s the little things that get missed because no one takes the time to think about security.
As a friend of mine once put it: “I find unless a company has had a security scare they don’t consider it a high level risk or priority.” The development time is put into features and shiny things, with no time dedicated to security because “we use a secure framework”.
I’ve been a PHP developer for 20 years, and in that time I’ve seen trends come and go. One that always sticks with me is testing. Testing used to suck. No one wanted to do it. We’d write rubbish tests to make the pretty Jenkins dashboard flash Green and move on. Code Coverage was about some magic percentage, not actually testing the use cases. Add in the fact that everything was supposed to be fully mocked and tested in isolation, and testing was slow, painful, and everyone hated it.
However, at some point that changed…
Testing stopped being the boring thing everyone avoided doing and felt bad for not focusing on, and has become somewhat interesting and innovative, and maybe even fun? There are modern testing tools that make testing easier, frameworks now include testing helpers, and we’re talking about integration tests on entire routes with full databases and sandbox APIs, rather than painfully breaking everything up. The change is significant and dramatic and if you’d told me about it when I first struggled with testing, I probably wouldn’t have believed you!
So my question to you is: How do we make Security fun?
Testing was made fun with shiny tools, framework features, and simpler methodologies, but can we do the same for Security? I don’t think we can simply automate the process like we did for testing. We now have a number of code quality and static analysis tools available in the PHP world, which are doing their part in raising the security topic, but they aren’t good enough. Plus I suspect they actually give a false sense of security. Static analysis tools look at code conventions like type hints and unused variables, but it’s hard to detect a vulnerability in code where authentication is completely missing on one specific route!
The big shift for testing came not just because of the shiny tools, but because developers talked about how to make testing easier and more enjoyable. Courses were developed and articles written. This is what I believe we need to do with security in the PHP community. That’s why I started my mailing list, Laravel Security in Depth, in September last year, and why I’ve started working on a course, Practical Laravel Security.
My goal is to teach developers about security within the PHP ecosystem, in a way that is fun and engaging. I want to give them practical steps and talk about common issues I find when doing my security audits and penetration tests. Ultimately, I want to teach PHP developers why I find security interesting. To make it something developers talk about, something they prioritise, something that sits alongside testing in the realms of non-feature priorities that developers care about when writing their apps. I want developers to write secure apps and not overlook the simple things.
And most importantly, I want security to stop being boring.