Using Laravel: Don’t overlook security says Infosec Skills author Aaron Saray
Laravel is a free, open-source PHP framework designed to make developing web applications faster and easier.
Part of the appeal of the Laravel framework, like other frameworks, is that you can create things quickly without knowing as much about the PHP coding behind the framework, said Aaron Saray, CEO of morebetterfaster.io, a Milwaukee web development company that provides developer coaching.
But that also comes with a downside.
“The Laravel community has focused a lot on ease of use, and if you’ve been around us nerds in the security thing for long enough, you know ‘easy’ is easier to break,” said Saray. That security angle inspired Saray to get involved with the Laravel community.
“These guys aren’t thinking about security, and I got to really focus on that for them,” said Saray. “This is great because not only do I continue my programming career, but I get to keep itching that security thing and keep focusing on teaching programmers to be more secure.”
Learn how code works, not just that it works
“Laravel is basically just a bunch of PHP code, and many people use those Laravel functions, but they’ll never go inside of them and see how they work,” said Saray. “If you never go inside of them and see how they work, you can never understand the security goals — or vulnerabilities.”
That’s his biggest advice for up-and-coming IT and security professionals: understand the code you’re working with.
“If you’re doing WordPress, if you’re doing Ruby on Rails or anything, go into those packages and look at the source code, and understand what’s happening. You’ll learn a lot that way. Even all these years later, when I look at some of the frameworks, I still learn stuff about PHP from looking at that because it’s been programmed by a team of people that have different experiences and know different things about the language.”
Breaking down how the code works and how it can lead to a cyber incident is also a key part of his learning path.
“We hear about these attacks all the time, but no one ever shows us how it happens,” said Saray. “I show a good number of them.”
For example: “I built a form that was specifically vulnerable, got into Chrome, edited the form, put in the bad input and submitted it. I show in the database how I change that ownership of that record to another thing.”
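The ownership-change attack Saray describes above, a form edited in the browser so that a hidden or extra field rewrites a record's owner, is what Laravel calls a mass-assignment vulnerability. The following is an added example, not code from the article or from Saray's course: a deliberately vulnerable Laravel controller beside a hardened one. The `Document` model, its `owner_id`/`title`/`body` columns, the `DocumentPolicy`, the route names, and the presence of the `auth` middleware (so that `$request->user()` is set) are all assumptions made for illustration.

```php
<?php
// Added example: mass assignment in Laravel, vulnerable vs. hardened.
// Model, columns, policy and route names are assumptions, not from the article.

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Document extends Model
{
    // Mass-assignment allow-list. owner_id is deliberately absent, so even a
    // controller that passes the whole request to update() cannot change it.
    protected $fillable = ['title', 'body'];
}

namespace App\Http\Controllers;

use App\Models\Document;           // hypothetical model defined above
use Illuminate\Http\Request;

class VulnerableDocumentController extends Controller
{
    // VULNERABLE: every submitted field is written to the row. If the model
    // had no $fillable list (or used $guarded = []), a user who adds
    // <input name="owner_id" value="2"> to the form in the browser's dev
    // tools would reassign the record to another account, exactly the
    // database change described in the article. No authorization check
    // either: any logged-in user can edit any document they can reach by id.
    public function update(Request $request, Document $document)
    {
        $document->update($request->all());   // owner_id taken from the client
        return redirect()->route('documents.show', $document);
    }
}

class DocumentController extends Controller
{
    // HARDENED: three independent controls on top of the model's $fillable.
    public function store(Request $request)
    {
        // Validation whitelist: only the fields the form legitimately sets
        // are read from the request; anything else is dropped.
        $validated = $request->validate([
            'title' => ['required', 'string', 'max:200'],
            'body'  => ['nullable', 'string'],
        ]);

        // Ownership is assigned server-side from the authenticated user,
        // never from user input.
        $document = new Document($validated);
        $document->owner_id = $request->user()->id;
        $document->save();

        return redirect()->route('documents.show', $document);
    }

    public function update(Request $request, Document $document)
    {
        // Authorization: the current user must be allowed to edit this
        // specific record. DocumentPolicy::update (assumed) compares
        // $document->owner_id with the user's id and returns a bool.
        $this->authorize('update', $document);

        $validated = $request->validate([
            'title' => ['required', 'string', 'max:200'],
            'body'  => ['nullable', 'string'],
        ]);

        // Only validated fields reach the model; owner_id is untouched.
        $document->fill($validated)->save();

        return redirect()->route('documents.show', $document);
    }
}
```

Each layer catches the tampered form on its own: the `$fillable` list makes Eloquent silently discard `owner_id` (Laravel's default unless `Model::preventSilentlyDiscardingAttributes()` is enabled, in which case it throws instead), `validate()` means the controller never sees the extra field, and the policy check stops a user from editing a record they do not own in the first place. When reviewing a Laravel codebase, `$guarded = []` on a model and `->update($request->all())` in a controller are the two patterns to look for first.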
Healthy habits for cybersecurity professionals
Many times people outside of cybersecurity view security measures as an obstacle in their workflow. Saray thinks this is a shame.
“My biggest sadness about security professionals and programmers is that they butt heads. They don’t work together,” said Saray. Ultimately, every part of an organization or project has a common goal. “What if we worked and understood each other better, and what if we could work on those things together?”
Understanding the expertise of other teammates doesn’t just help collaborative efforts but can help you grow your skillset. While working at an insurance company, Saray learned from seasoned AS/400 programmers who had completely different work styles than today’s programmers.
“They would print out code and hand it to me. I’m like, ‘What am I going to do with this?’” said Saray. “But I just felt like they knew something, so I took each programmer out for beers and asked them questions about programming.” That’s where he learned the design patterns featured in his book, Professional PHP Design Patterns. “I learned my design patterns, which are 60 years old, from them, and moved them into PHP, which was a newer language at the time.”
Finding your cybersecurity career path
Aaron’s advice for up-and-coming cybersecurity professionals is to find someone you look up to and connect with them.
“If you’re lucky enough to know someone that does a thing remotely close to what you’re interested in, do that thing,” Saray said. “Because you’ll be able to ask them questions, and there’s nothing more valuable than having a sort of mentor in your life. But if you have three choices for career paths, and you know a friend that does choice B, do B.”
You can always change later, he said, but having that guide into the cybersecurity world can help you get your footing and provide a springboard into other areas as you refine your interests.
Click below to create your free Infosec Skills account and browse Saray’s Secure Coding in Laravel training — plus 1,300+ other courses in Infosec Skills.