Using Laravel: Don’t overlook security says Infosec Skills author Aaron Saray
Laravel is a free, open-source PHP framework designed to make developing web applications faster and easier.
Part of the appeal of the Laravel framework, like other frameworks, is that you can create things quickly without knowing as much about the PHP coding behind the framework, said Aaron Saray, CEO of morebetterfaster.io, a Milwaukee web development company that provides developer coaching.
But that also comes with a downside.
Get your free course catalog
"The Laravel community has focused a lot on ease of use, and if you've been around us nerds in the security thing for long enough, you know 'easy' is easier to break," said Saray. That security angle inspired Saray to get involved with the Laravel community.
"These guys aren't thinking about security, and I got to really focus on that for them," said Saray. "This is great because not only do I continue my programming career, but I get to keep itching that security thing and keep focusing on teaching programmers to be more secure."
That journey has led to the release of Saray's new 13-course Secure Coding in Laravel learning path in Infosec Skills.
Learn how code works, not just that it works
"Laravel is basically just a bunch of PHP code, and many people use those Laravel functions, but they'll never go inside of them and see how they work," said Saray. "If you never go inside of them and see how they work, you can never understand the security goals — or vulnerabilities."
That's his biggest advice for up-and-coming IT and security professionals: understand the code you're working with.
"If you're doing WordPress, if you're doing Ruby on Rails or anything, go into those packages and look at the source code, and understand what's happening. You'll learn a lot that way. Even all these years later, when I look at some of the frameworks, I still learn stuff about PHP from looking at that because it's been programmed by a team of people that have different experiences and know different things about the language."
Breaking down how the code works and how it can lead to a cyber incident is also a key part of his learning path.
"We hear about these attacks all the time, but no one ever shows us how it happens," said Saray. "I show a good number of them."
For example: "I built a form that was specifically vulnerable, got into Chrome, edited the form, put in the bad input and submitted it. I show in the database how I change that ownership of that record to another thing."
Healthy habits for cybersecurity professionals
Many times people outside of cybersecurity view security measures as an obstacle in their workflow. Saray thinks this is a shame.
"My biggest sadness about security professionals and programmers is that they butt heads. They don't work together," said Saray. Ultimately, every part of an organization or project has a common goal. "What if we worked and understood each other better, and what if we could work on those things together?"
Understanding the expertise of other teammates doesn't just help collaborative efforts but can help you grow your skillset. While working at an insurance company, Saray learned from seasoned AS/400 programmers who had completely different work styles than today's programmers.
"They would print out code and hand it to me. I'm like, 'What am I going to do with this?'" said Saray. "But I just felt like they knew something, so I took each programmer out for beers and asked them questions about programming." That's where he learned the design patterns featured in his book, Professional PHP Design Patterns. "I learned my design patterns, which are 60 years old, from them, and moved them into PHP, which was a newer language at the time."
Get your free course catalog
Finding your cybersecurity career path
Aaron's advice for up-and-coming cybersecurity professionals is to find someone you look up to and connect with them.
"If you're lucky enough to know someone that does a thing remotely close to what you're interested in, do that thing," Saray said. "Because you'll be able to ask them questions, and there's nothing more valuable than having a sort of mentor in your life. But if you have three choices for career paths, and you know a friend that does choice B, do B."
You can always change later, he said, but having that guide into the cybersecurity world can help you get your footing and provide a springboard into other areas as you refine your interests.
Click below to create your free Infosec Skills account and browse Saray's Secure Coding in Laravel training— plus 1,300+ other courses in Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Using Laravel: Don’t overlook security says Infosec Skills author Aaron Saray
- ISC2 certifications explained: Overview of every ISC2 certification
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Professional development
ISC2 certifications explained: Overview of every ISC2 certification
Professional development
Professional development
Professional development