
Details

Talk: Security: Do you count?

The OWASP Guide states "Applications MUST protect credentials from common authentication attacks (..)". Symfony 2 has a firewall and a series of authentication components, but none to protect against brute force and dictionary attacks. The popular FOSUserBundle does not keep track of failed login attempts and does not automatically lock accounts either. The CCDNUserSecurityBundle registers failed attempts, but it only blocks per ip address. AuthenticationGuardBundle does both and will soon be available as free open source.

In the talk I will describe the Symfony 2 components that take part in form-based authentication and how they work together. I will explain how the Authentication Guard hooks into them and how it works. But most of the time is reserved for an exchange of ideas and opinions with the attendees about its limitations, how it could satisfy more of the OWASP Guide requirements, and/or how the library could be made more (re)usable.
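The abstract contrasts bundles that count failed logins only per IP address with one that also counts per account. The following is an added, framework-agnostic PHP example written for this page; it is not code from AuthenticationGuardBundle, FOSUserBundle or CCDNUserSecurityBundle, and the class name `FailedLoginGuard`, its thresholds and the sample addresses are all assumptions. It shows why both counters are needed: a per-account counter stops an attacker who rotates source addresses against one login, and a per-IP counter stops one address spraying many accounts.

```php
<?php
// Added example (not the bundle's own code): records failed login attempts both
// per username and per client IP, and reports whether a new attempt should be
// refused. Storage is an in-memory array; a real deployment would use the
// database or cache shared by all web nodes so the count survives requests.

final class FailedLoginGuard
{
    /** @var array<string, int[]> timestamps of recent failures, keyed by "user:<name>" or "ip:<addr>" */
    private array $failures = [];

    public function __construct(
        private int $maxPerUser = 5,      // failures per account before lockout (assumed value)
        private int $maxPerIp = 20,       // failures per source IP before lockout (assumed value)
        private int $windowSeconds = 900, // only failures inside this sliding window count
    ) {}

    /** True when an attempt for this username from this IP should be rejected before checking the password. */
    public function isBlocked(string $username, string $ip, ?int $now = null): bool
    {
        $now ??= time();
        return $this->countRecent('user:' . strtolower($username), $now) >= $this->maxPerUser
            || $this->countRecent('ip:' . $ip, $now) >= $this->maxPerIp;
    }

    /** Call after a failed password check; the failure counts against both the account and the address. */
    public function recordFailure(string $username, string $ip, ?int $now = null): void
    {
        $now ??= time();
        $this->failures['user:' . strtolower($username)][] = $now;
        $this->failures['ip:' . $ip][] = $now;
    }

    /** Call after a successful login; clears the account counter only (one success does not excuse an IP that is spraying). */
    public function recordSuccess(string $username): void
    {
        unset($this->failures['user:' . strtolower($username)]);
    }

    private function countRecent(string $key, int $now): int
    {
        if (!isset($this->failures[$key])) {
            return 0;
        }
        // Forget failures older than the window, then count what remains.
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        ));
        return count($this->failures[$key]);
    }
}

// Constructed walk-through with documentation-range addresses: five wrong
// passwords for "alice" from one address lock the account, so a second address
// is refused for "alice" too, while "bob" from the first address is still allowed
// because that address is under its own limit. After the window passes, the
// account is usable again.
$guard = new FailedLoginGuard();
$t0 = 1_700_000_000;
for ($i = 0; $i < 5; $i++) {
    $guard->recordFailure('alice', '203.0.113.10', $t0 + $i);
}
var_dump($guard->isBlocked('alice', '203.0.113.10', $t0 + 5));   // locked account, original address
var_dump($guard->isBlocked('alice', '198.51.100.7', $t0 + 5));   // locked account, different address
var_dump($guard->isBlocked('bob', '203.0.113.10', $t0 + 5));     // other account, same address
var_dump($guard->isBlocked('alice', '203.0.113.10', $t0 + 1000)); // same account after the window expired
```

Two details matter in practice: the username is normalised (here lower-cased) so that case variants of one login share a counter, and `isBlocked` is consulted before the password is verified, so a locked account does not leak whether the supplied password was right. The thresholds, the window length and whether a lockout is temporary or requires manual unlock are exactly the policy questions the talk proposes to discuss.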

literature: https://www.owasp.org/index.php/Guide_to_Authentication

About the speaker: Henk Verhoeven is founder of MetaClass and has developed three generations of application frameworks, the last one in PHP. A few months ago he started developing an application in Symfony 2 and could not resist building some reusable components.
