Building the perfect PHP app for the enterprise Episode 1: Keeping up with PHP Rod Cope August 31, 2016

Upload: zend-by-rogue-wave-software

Post on 15-Jan-2017


TRANSCRIPT

Page 1: Keeping up with PHP

Building the perfect PHP app for the enterprise

Episode 1: Keeping up with PHP

Rod Cope

August 31, 2016

Page 2: Keeping up with PHP

Series overview

Now: Keeping up with PHP

September 14: Developing apps faster. Top lessons to deliver apps quickly, including CD principles and tools, digging into app performance, and using frameworks and extensions.

September 28: Resolving problems and high availability. Your reputation as a miracle worker is secure when using these principles to isolate faults, optimize scale, and synchronize sessions across clusters.

October 12: Optimizing performance. Keep users on your site by learning how to use background jobs and caching, measure performance, and make data-driven decisions.

Page 3: Keeping up with PHP

Rod Cope, CTO, Rogue Wave Software

Page 4: Keeping up with PHP

Agenda

1. What is the perfect enterprise PHP app?
2. Maintaining your stack
3. Application security
4. System failure!
5. Conclusion
6. Q&A

Page 5: Keeping up with PHP

What is the perfect enterprise PHP app?

Page 6: Keeping up with PHP

Enterprise PHP is mission-critical

• Built securely
• Delivers optimal performance + scale
• Always on
• Meets release timelines
• Modernizes legacy business logic
• Clear support path (production + LTS)

Page 7: Keeping up with PHP

DIY vs. enterprise

[Chart: Complexity and Scale plotted against ROI. Series: DIY, Ideal enterprise, Typical growth path. Labels: Volume scales beyond servers; Performance degradation; Administrative costs.]

Page 8: Keeping up with PHP

The perfect PHP app for the enterprise

[Diagram: Secure, Performant, Scalable (up/down), Always on, Agile releases, Production support; deployed on-premises, in the cloud, and on mobile.]

Page 9: Keeping up with PHP


PHP 7.0 vs. 5.6

Page 10: Keeping up with PHP

Example

• Automated free-trial system for web conferencing & collaboration products
• Challenge: streamline sign-up experience, collect user data, deliver to CRM, and create host account
• Requirements:
  – runs on LAMP (virtualized Linux servers on VMware)
  – five-nines availability, runs on clustered server architecture with complete failover solution to backup data center
  – centralized monitoring, shared sessions, session clustering, load balancing, job queueing
• Used: Zend PHP stack, Zend Server, Zend Framework, Zend Studio IDE

Download case study

Page 11: Keeping up with PHP

Poll #1: Do you consider your application to be enterprise PHP?

a. Yes
b. No
c. Not sure

Page 12: Keeping up with PHP

Maintaining your stack

Page 13: Keeping up with PHP

Maintenance activities

Maintaining an up-to-date PHP stack is key to achieving security, performance, and high availability.

[Diagram: PHP, drivers, frameworks, other components]
• Services, PDOs, etc.
• SQL Server, MongoDB, DataStax, etc.
• Laravel, Phalcon, CakePHP, etc.

Cost = developers + testers + DevOps + sys admins

Page 14: Keeping up with PHP

Time spent

[Chart: Time spent on PHP maintenance, by role (sys admins, DevOps, testers, developers), scale 0% to 30%.]

*Based on industry average (Forrester research)

Page 15: Keeping up with PHP

[Graphic: LAPP, WAMP]

Best practices

• Use fully-tested stacks
• Get latest security updates
• Verify compatibility with other packages
• Ensure technical support
• Plan time for upgrades

Don’t forget LAMP!

Page 16: Keeping up with PHP

Poll #2: Is your application and deployment stack up to date?

a. Yes
b. Mostly
c. Partly
d. No

Page 17: Keeping up with PHP

Maintaining app security

• Need to keep up with vulnerabilities
  – National Vulnerability Database
• Proactively look for flaws and act to mediate them
• Don’t wait for next Heartbleed

Page 18: Keeping up with PHP

Application security

Page 19: Keeping up with PHP

Is PHP insecure?

• Everyone says it is
• Analysis of secure versions*
  – Supported by PHP officially (the latest secure patch with no known vulnerabilities)
  – Maintained by a popular, stable Linux distribution

*Jack Skinner, 2015 data

Page 20: Keeping up with PHP

The reality

• PHP is as secure as any other major language
• Anyone can write insecure PHP – it’s not the language’s job, it’s yours

[Diagram: Use the latest version; OWASP; Understand best practices; Contribute back]

Page 21: Keeping up with PHP

SQL injection

• SQL injection (OWASP A1)
  – Using SQL input data to execute unauthorized queries on a database
  – Results in corruption, data theft, takeover
• Keep untrusted data separate from commands and queries
• Use input validation
• Use a safe API that avoids the use of the interpreter and offers a parameterized interface, PDO, or wrappers for prepared statements
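As an added example (not from the slides), the lookup below is written first with untrusted input concatenated into the query text and then with the PDO prepared-statement approach the slide recommends; the users table, its columns and the in-memory SQLite backend are assumed for the demo.

```php
<?php
// Added example, not from the slides: the same lookup written with untrusted
// data concatenated into the query text, then with a PDO prepared statement.
// The users table and its rows are constructed for this demo.

// Vulnerable form: the email string becomes part of the SQL command, so the
// database cannot distinguish data from the query itself.
function findUserUnsafe(PDO $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the input against its expected format, then bind it
// as a parameter so it travels separately from the fixed query text.
function findUserSafe(PDO $db, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid email address');
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not
// the client library, performs the prepare.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

var_dump(findUserSafe($db, 'alice@example.com'));
var_dump(findUserSafe($db, 'nobody@example.com'));
```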

Page 22: Keeping up with PHP

Broken authentication/session management

• Broken authentication and session management (OWASP A2)
  – Incorrectly implemented or missing schemes
  – Results in user impersonation, data theft, “do anything”
• Use strong authentication and session management controls
• Apigility with OAuth2
• uLogin
• Avoid using HTTP for login
• Regenerate session ID
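As an added example (not from the slides), a login handler that applies the controls the slide lists: HTTPS-only login, strict cookie-only sessions, and session ID regeneration after authentication. The user store and verifyCredentials() are constructed stand-ins for the application's own authentication backend.

```php
<?php
// Added example, not from the slides: HTTPS-only login, strict session
// cookies, and session ID regeneration after successful authentication.
// The user store and verifyCredentials() are constructed stand-ins.

// Constructed sample user store: username => password hash.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function verifyCredentials(string $username, string $password): bool
{
    global $USERS;
    return isset($USERS[$username]) && password_verify($password, $USERS[$username]);
}

function startSecureSession(): void
{
    // Accept only server-generated session IDs, delivered only by cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Cookie: session lifetime, whole site, HTTPS only, hidden from JavaScript.
    // (PHP 7.3+ also accepts an array form with a 'samesite' key.)
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

function requireHttps(): void
{
    // Credentials are never accepted over plain HTTP.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('login is only accepted over HTTPS');
    }
}

function login(string $username, string $password): bool
{
    if (!verifyCredentials($username, $password)) {
        return false;
    }
    // New session ID on privilege change: an ID known before login (fixed or
    // observed) does not carry over into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['authenticated_at'] = time();
    return true;
}
```

A login endpoint would call requireHttps(), then startSecureSession(), then login() with the posted credentials.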

Page 23: Keeping up with PHP

Cross-site scripting

• Cross-site scripting (OWASP A3)
  – Using script code (like JavaScript) to insert data into a server response without proper validation/escaping
  – Results in session hijacking, site defacement, redirects, etc.
• Use input validation and escape output
• Use input white listing to enforce characters, length, format, etc.
• Use CAPTCHAs
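As an added example (not from the slides), input whitelisting on the way in and HTML escaping on the way out for a comment form; the field names, character set and length limits are constructed for the demo.

```php
<?php
// Added example, not from the slides: whitelist validation of input and
// context-aware escaping of output for a comment form. Field names and
// limits are constructed for this demo.

// Whitelist the characters, length and format the field is allowed to have.
function validateDisplayName(string $name): string
{
    if (preg_match('/^[A-Za-z0-9 _.-]{1,32}$/', $name) !== 1) {
        throw new InvalidArgumentException(
            'display name: letters, digits, space, _ . - only, 1 to 32 characters');
    }
    return $name;
}

function validateComment(string $text): string
{
    if (!mb_check_encoding($text, 'UTF-8')) {
        throw new InvalidArgumentException('comment must be valid UTF-8');
    }
    $text = trim($text);
    if ($text === '' || mb_strlen($text, 'UTF-8') > 500) {
        throw new InvalidArgumentException('comment must be 1 to 500 characters');
    }
    return $text;
}

// Escape for the context the value lands in; this helper covers HTML body
// text and quoted attribute values. JavaScript, URL and CSS contexts need
// their own encoders.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(string $name, string $text): string
{
    $name = validateDisplayName($name);
    $text = validateComment($text);
    return '<div class="comment"><b>' . e($name) . '</b>: ' . e($text) . "</div>\n";
}

// Constructed sample: characters that would be read as markup are emitted as
// entities, so the browser shows them literally instead of interpreting them.
echo renderComment('alice', 'Use <b>prepared</b> statements & escape output');
```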

Page 24: Keeping up with PHP

System failure!

Page 25: Keeping up with PHP

Failure costs

Average cost of application downtime: $1.25B to $2.5B

Average cost of a critical application failure per hour: $500K to $1M

Average time to restore production failure: more than 1 hour, 47%; more than 8 hours, 5%

Source: IDC, DevOps and the cost of downtime, 2014

Page 26: Keeping up with PHP


How do you compare?

Page 27: Keeping up with PHP

“Break”-ing it down

How do you know?
• Monitoring

How do you reproduce?
• Log files
• Code tracing
• Z-Ray

How do you prevent?
• Testing!
• Load balancing
• Job queues
• Clustering

How do you minimize downtime?
• Support

Page 28: Keeping up with PHP

Poll #3: How do you implement enterprise features, such as clustering, job queuing, and monitoring?

a. We integrate open source packages
b. We write our own
c. We use Zend Server or another commercial product
d. Don’t know

Page 29: Keeping up with PHP


Conclusion

If no one is screaming when it goes down, it’s not enterprise PHP.

So invest in scream prevention.

Page 30: Keeping up with PHP

The fastest way to enterprise PHP

Free trial: www.zend.com

• Full, tested, secure PHP stack
• Z-Ray vision deep into your app
• Code tracing
• Job queuing and caching
• Deployment and DevOps
• High availability session clustering
• Backed by support & services

Page 31: Keeping up with PHP

Q & A

Page 33: Keeping up with PHP

Stay tuned

September 14: Developing apps faster. Top lessons to deliver apps quickly, including CD principles and tools, digging into app performance, and using frameworks and extensions.

September 28: Resolving problems and high availability. Your reputation as a miracle worker is secure when using these principles to isolate faults, optimize scale, and synchronize sessions across clusters.

October 12: Optimizing performance. Keep users on your site by learning how to use background jobs and caching, measure performance, and make data-driven decisions.

Page 34: Keeping up with PHP

Building the perfect PHP app for the enterprise

Episode 1: Keeping up with PHP

Rod Cope

August 31, 2016