Chris Holland

Director, Engineering, TriNet

Chris Holland leads a small Software Engineering Team at an HR company. Throughout a career spanning more than 20 years, Chris has held Sr. Engineering and Leadership roles at small and large successful publicly traded companies such as EarthLink and Internet Brands, serving business models across Content, Commerce, Travel & Finance on a wide variety of technology stacks including PHP/LAMP, Java/J2EE and C#/.Net, catering to audiences of over 100 million monthly visitors.

DDoS Attacks: Threat Landscape & Defensive Countermeasures

October 2016's attack on Dyn's DNS infrastructure was a gloomy wake-up call to the online community at large, depriving us of access to some of the online destinations and applications we use every day, and thereby confronting us with the stark reality of an old and ever-growing threat with which the InfoSec community has been grappling: DDoS attacks.

As we look at the role that 'Internet of Things' devices played in the attack against Dyn, as well as the attack against Krebs prior to it, we will dive into the DDoS threat landscape: Symptoms, Motivations, Business Impact & Attack Vectors. Having thereby gained a better understanding of our exposure to these threats, we'll then explore Defensive Countermeasures with a strong emphasis on preparedness ahead of these attacks, including:

* Reducing Attack Surface
* Monitoring: Availability, Performance & Search Engine Visibility
* DNS Redundancy Planning
* Web Application Scaling Strategies
* Mitigation Vendor Fit Assessment
* Attack Mitigation

Attendees should walk out of this presentation with:

* A better understanding of what DDoS attacks are and how they work.
* A better understanding of their exposure to such attacks.
* A set of concrete steps to better prepare ahead of an attack for more effective mitigation.

A Case for Generics in PHP

PHP 7 has brought us improved support for Types, making us less reliant upon annotations. Yet we still can't signal that a method should return an array of User objects: function foo() : User[]

What makes an Array of Users so special? What if we'd like to return a HashMap of a given key & value?

We'll explore use-cases for defining composite objects and leveraging Generics to avoid repeating ourselves.

In 2016, Ben Scholzen and Rasmus Schultz drafted an RFC for "Generics in PHP" https://wiki.php.net/rfc/generics

Having worked with these constructs in Java and C# in past lives, I can offer several examples of practical use-cases for them, and help bolster a case for their adoption in PHP.

In the end, we should arrive at how they would nicely complement the most recent enhancements to PHP7's Type System.

Keynote: Taming Change

Change is Software's greatest threat, and its defining characteristic. Disagree? How's that Agile Transformation going for you?

We will explore this cognitively dissonant statement as we investigate the challenges that we've faced, how we continue to fail to address them, and what we can do to tame this raucous beast.

To do this, we will study the most ambitious, most expensive computing system built by the United States military in the post cold-war era of the 1950s, looking at the challenges they faced, and the choices they made to overcome them.

We will then explore how many of those choices were carried over into modern-day software engineering throughout the 1990s, until we, as an industry, decided to free ourselves from the shackles of certain self-imposed limitations.

In doing so, we got ourselves into different sorts of troubles. We will explore what they are and how some of us have chosen to overcome them.

Reviews:
* https://joind.in/event/phpers-day-2019/keynote-taming-change

Video:
* https://www.twitch.tv/videos/389038132?t=01h51m30s

Practical Security for Web Applications

Explore effective methods to identify & avoid the most common and devastating security pitfalls in Web Applications.

When it comes to an enterprise's exposure to security vulnerabilities, one could easily argue that its web presence is by far its greatest threat. There are many ways to build vulnerable applications and a few effective ways to "build them right". We'll instrument you to stay on the right side of this equation.

Agenda:

Basic Resources and Tooling
===========================

* We'll look at the OWASP Top 10
* Open-Source Code Analysis for your CI/CD
* Open-Source Security Scanning

Low-level Threat Avoidance
==========================

* Avoiding SQL Injections -- Dangers of not properly using an ORM
* Avoiding CSRF
* Avoiding XSS -- Data Scrubbing -- Data Rendering

Application Threat Avoidance
============================

* User Authentication / Password Hashing
* OAuth Security
* Resource Access -- Multi Tenancy: Users & Companies

Better and Faster: TDD-ing a Ride-Hailing Application w/ PHPUnit, Symfony and Doctrine

Imagine building an application without having to mess with a Web Browser, a REST client or a MySQL client. What if you could build full-blown functionality with realistic data operations within the comfort of a Unit Test Harness?

What if this meant shipping code earlier and more frequently than you ever have before?

Building upon concepts outlined in this talk: http://bit.ly/tdd-talk-2 , and leveraging an evolving "Kata" for building a "Ride-Hailing Application", this exercise will walk through a rapid-development example from a "clean-slate" Symfony 3 project, with just enough bootstrapping to enable Test-Driven Development with PHPUnit & Doctrine.

Shipping Early & Often with Better Software

A Journey toward sustained agility.

Imagine shipping software early and often, and sustaining the pace as it matures. Imagine harnessing "Change" as a catalyst for opportunity.

Software Engineering can be extremely difficult and maddening. But it doesn’t have to be. We'll take a look at the various challenges we face and explore practical ways to overcome them, to answer this question:

Can we put ourselves in a position to ship code earlier and more often?

Toward answering this question, we will explore 5 areas:

* Bad Code vs Agility – What it means to be “Agile” and the impact of Bad Code on Agility.
* Better Code: Enablers – Enabling Concepts for Better Code such as TDD, Clean Code and Patterns, with an eye toward adapting them to various programming paradigms such as Functional and OOP.
* Empowering OOP – If OOP is to be chosen as a paradigm, we’ll explore what it means to play to the strengths of this paradigm.
* Web Application Architectures – When building Web Applications, we'll explore various architectures that may hinder or promote a sustainable business fueled by better code.
* TDD: Better Fuels Faster – Leveraging preceding topics, we’ll put it all together in describing a workflow leveraging test-driven development for shipping better products ... faster, while delighting our customers.

The end of this talk will showcase code examples of a real-world Kata for building the service layer of a “Ride Hailing Application”. It will also link to recorded Kata videos, as well as a “clean slate” branch in my git repository to follow along. If you wish to take an early look at these videos, they are all available here: http://bit.ly/tdd-vids

Having made this case, we’ll conclude with the positive impact this workflow will have on a team’s ability to ship new products and new features at a sustained pace, with high levels of predictability.

While PHP, Symfony and Doctrine are used for code examples, concepts in this talk are applicable to all PHP frameworks and environments, as well as other programming languages such as Java and C#.

Test-Driving Agility into Software

This session will explore how much time and energy we currently waste when writing software, simply to answer two simple questions:

* "Does my code work?"
* "Did I just break something?"

As we explore these pain-points, Test-Driven Development will emerge as a surprisingly efficient workflow putting us in a position to ship code sooner, more often, on a sustained basis.

Most of us are "surprised" by this, as it just seems very counter-intuitive to write a test before even having written any code. Yet, as we explore this workflow, we start uncovering the efficiencies that we gain, and things become fascinating.

As a result, we will show what it "feels" like to write software that responds to change, as a true sensation of agility emerges, driven not by Scrum, but instead, driven by better code.

Leveraging Typed Exceptions for Cleaner Error Handling

Harnessing Errors & Edge-Cases with Ease & Elegance.

Imagine handling error conditions and unexpected edge-cases with code that is easier to read, maintain & extend.

The temptation is real.

We create methods that return an array of objects, or "false" if nothing was found. Or "null". We might further "signal" unexpected results or error-conditions with integer values.

It then becomes the responsibility of the consumers of these methods to properly interpret what "false", "null", or "-500" mean.

As a result, we produce code that is difficult to read, maintain and extend.

Exceptions are seldom leveraged, and most often thought of as objects thrown by some frameworks for instrumentation.

When properly leveraged, they however offer an opportunity to manage unexpected and edge-case behavior at various layers of our applications, with elegant control flows.

By leveraging your language's Exceptions alongside its "Type System", we can create elegant, flexible and advanced handling of Error conditions, which will promote code that is easier to work with.

Agility in Software Engineering: Concepts & Misconceptions

Despite our agility, we can't ship software at a sustained pace.

With so many companies "becoming agile", nobody bothered to inform the software upon which they depend, that it too, should be agile.

If you ask any company these days whether or not they consider themselves to be "agile", the vast majority will answer in the affirmative, and proudly point you to the many "agile processes" they follow, and "agile tools" they use.

And yet, in spite of all this "agility", as our meticulously planned "sprints" take longer to execute, as our backlogs fill up with overhead having nothing to do with core business value, as it gets exponentially difficult to predict just "what" is going to be delivered and "when", it feels like just about every software project we end up working on doesn't quite deliver on this feeling of overabundant "agility".

We will explore various challenges that we software engineers face, and offer practical approaches to overcome them, such that we might deliver sustained business value as we evolve toward True Agility.

Real-World TDD Application Development with Symfony & its Friends

Bootstrapping Symfony w/ REST, OAuth, User Management, Unit & Acceptance Tests.

We'll review how I set up Doctrine with PHPUnit in Symfony to enable a highly productive TDD workflow for a "Ride-Hailing Application" Web Service "Kata".

We'll examine:

* Bootstrapping Doctrine against SQLite when in PHPUnit, to test-drive Repository classes with true data operations while retaining blazing-fast speed.
* Test-Driving Doctrine Entity classes as part of this process, while not creating a DB schema on our local MySQL instance.
* Letting Doctrine generate all MySQL migrations to bring the DB schema in-sync with our Entities.

We'll also look at:

* API/REST support via FOSRestBundle
* OAuth support via FOSOAuthServerBundle
* User Management via FOSUserBundle

I'll show configuration optimizations to remove overhead on Unit Tests when introducing these frameworks.

Finally, we'll look at leveraging Codeception to test-drive the creation of Symfony Controller classes, with end-to-end tests going over HTTP through Symfony's web server, hitting our local MySQL.
