This year's PHP[tek] conference in Atlanta was fantastic. I feel like I got a ton out of this year's event. Here are some personal highlights:
- Put together an awesome superhero costume with @afilina.
- Played a few hands of Magic: the Gathering with the Pucatrade team.
- Submitted my first pull request to the PHP core thanks to a little incentive from @SammyK.
- Enjoyed some retro-style arcade games at the PHP[tek] after-party at the Joystick Gamebar.
- Had the opportunity to meet and discuss with more awesome members of the PHP community than I can fit in this blog post!
I was thoroughly impressed with the number of high quality talks at this year's conference. I am happy to say that I was able to take away new knowledge and insight from just about every talk I attended. Here is a summary of some of the talks that I thought were particularly well done in terms of their content and presentation.
Pieces of Auth
Chris Cornutt (@enygma)
Chris Cornutt, a security engineer for Salesforce, provided a very thorough overview of the different concerns and approaches on each side of auth. While authentication and authorization are concepts that I deal with regularly at Plank, having all sides of the issue summed up so succinctly was enlightening.
The talk addressed the many approaches to authenticating users (proving a user's identity) including credential-based login, one-time-use codes, third-party services, federated identity (OAuth), certificate-based exchanges, and multi-factor authentication. Chris examined pros and cons of each solution as well as considerations such as password policies and brute force prevention.
With regards to authorization (checking if the user is allowed to perform certain actions), there are multiple ways of structuring the logic. Authorization can be set up as simple permissions, shared roles, formal access control lists, role-based access control lists, or policies.
With both of these concerns, Chris reminded us that figuring out the minimum requirements for the needs of a given application is often the most secure approach. Over-engineering and conflicting controls can often lead to less security.
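The authorization structures summarised above (permissions, shared roles, and a policy layered on top) can be shown in a few lines. The following is an added example written for this post, not code from Chris's talk or from Plank; the roles, permission names, `User`/`Post` classes and the "editors may only update their own posts" rule are all constructed for illustration, and it assumes PHP 8.1 or later. The point it demonstrates is the "minimum requirements" advice: every check denies by default, an unknown role grants nothing, and the ownership policy is the only extra rule.

```php
<?php
declare(strict_types=1);

// Added example: role-based permissions plus a single ownership policy,
// with deny-by-default at every step. Roles and permissions are constructed sample data.
const ROLE_PERMISSIONS = [
    'viewer' => ['post.read'],
    'editor' => ['post.read', 'post.create', 'post.update'],
    'admin'  => ['post.read', 'post.create', 'post.update', 'post.delete', 'user.manage'],
];

final class User
{
    /** @param string[] $roles */
    public function __construct(public readonly int $id, public readonly array $roles) {}
}

final class Post
{
    public function __construct(public readonly int $id, public readonly int $authorId) {}
}

/** Does this role grant the permission? A role missing from the map grants nothing. */
function roleGrants(string $role, string $permission): bool
{
    return in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true);
}

/**
 * Authorization decision. Returns false unless at least one of the user's roles
 * grants the permission AND the ownership policy (if it applies) passes.
 */
function can(User $user, string $permission, ?Post $post = null): bool
{
    $granted = false;
    foreach ($user->roles as $role) {
        if (roleGrants($role, $permission)) {
            $granted = true;
            break;
        }
    }
    if (!$granted) {
        return false;
    }

    // Policy layer (hypothetical rule): editors may only update their own posts;
    // admins are exempt from the ownership check.
    $isAdmin = in_array('admin', $user->roles, true);
    if ($permission === 'post.update' && $post !== null && !$isAdmin) {
        return $post->authorId === $user->id;
    }

    return true;
}

// Constructed sample users and a post written by Alice.
$alice = new User(1, ['editor']);
$bob   = new User(2, ['editor']);
$root  = new User(3, ['admin']);
$post  = new Post(42, 1);

var_dump(can($alice, 'post.update', $post));       // editor updating her own post
var_dump(can($bob, 'post.update', $post));         // editor updating someone else's post
var_dump(can($root, 'post.update', $post));        // admin, exempt from ownership rule
var_dump(can($bob, 'post.delete', $post));         // editors are never granted delete
var_dump(can(new User(4, ['ghost']), 'post.read')); // unknown role grants nothing
```

Keeping the role map as data and the policy as one explicit condition makes it easy to see what the application actually requires; adding a second, overlapping mechanism (say, a per-user ACL that can also grant `post.update`) is exactly the kind of contradicting control the talk warned about.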
In addition, Chris provided insight on best practices for session management and logging.
Writing Tests for PHP source
Sammy K. Powers (@SammyK)
PHP's C source code is most likely obscure to most PHP developers. However, as Sammy eloquently explained, becoming involved in PHP's internals is much more accessible than one might otherwise think. You don't need to master C to write tests for features of the PHP language – the tests are themselves written in PHP.
Sammy covered how to configure and compile the PHP source code in order to get up and running. He then explained the nature of PHP's black-box test files. For those who are not familiar, .phpt files are laid out in (at least) three sections: a title and/or description of the test, a PHP file block, and an expectation block. The file block should execute some PHP and echo out text. If this output matches the expected output, the test passes. Otherwise, it fails.
--TEST--
Simple echo test
--FILE--
<?php
echo "Hello World\n";
?>
--EXPECT--
Hello World
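As an added example (not one of the tests from Sammy's talk or from my pull request), here is what a .phpt test for an extension function looks like once you go beyond the three mandatory sections. The --SKIPIF-- block is the convention php-src uses to skip a test on builds without the extension: anything it prints starting with "skip" marks the test as skipped rather than failed. The function under test, `imagecreatetruecolor()`, is a real GD function; the test name and dimensions are just the ones I chose for this illustration.

```php
--TEST--
imagecreatetruecolor() returns an image with the requested dimensions
--SKIPIF--
<?php
// Skip (not fail) when PHP was built without the GD extension.
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
// Create a 10x20 true-colour image and report its dimensions.
$im = imagecreatetruecolor(10, 20);
var_dump(imagesx($im));
var_dump(imagesy($im));
imagedestroy($im);
echo "Done\n";
?>
--EXPECT--
int(10)
int(20)
Done
```

Saved under ext/gd/tests/ in a php-src checkout, it runs with the test runner in the repository root (`php run-tests.php ext/gd/tests/<name>.phpt`), and `make test TESTS=ext/gd/tests` runs the whole directory. Note that --EXPECT-- compares the output exactly, so any extra whitespace or a changed var_dump() format will fail the test; that strictness is the point of these tests.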
Clearly Sammy's talk (and maybe the promise of an elephpant) made an impression on me as I dove right into the php-src to find some untested functions in order to get my feet wet. I submitted a pull request with tests for two functions in the GD extension, which has been accepted and merged! I guess that makes me a core contributor now?
Building for Utopia
Gemma Anible (@ellotheth)
My favourite talk from the conference was Gemma's entertaining keynote about designing for the perfect user. In her talk, she discussed how designers often assume that their users are as familiar with their products as they are and are always fully attentive when they use it. Unfortunately, more often than not, this is not the case.
One of Gemma's many analogies was her recently purchased electric stove. The stove has four dials for its four burners and two more dials for its oven mode and temperature. Using the stove is simple enough, but Gemma explained that its limited visual feedback caused her to almost burn her house down. When turned to medium heat, the dials look almost identical to the off position. The electric burners do not change in any way that would indicate their state, making it surprisingly easy to make a dangerous oversight.
The lesson to be taken away is that users are human and prone to making mistakes. We should never assume that they are perfect and design products that communicate effectively to mitigate the chances of misuse.