Eric is a seasoned web developer experienced with multiple languages and platforms. He’s been working with PHP for more than a decade and focuses his time on helping developers get started and learn new skills with their tech of choice.
Where do you work, what is your current role?
I’m a Director of Engineering at Vacasa out in Portland. I manage teams responsible for data science, engineering integration with data science deliverables, and a new group focused on real estate.
How do you use PHP professionally?
For a season (about 4 years) I used PHP professionally in the WordPress space. I ran my own small web development company for a while but spent the vast majority of that time doing enterprise web development for an agency called 10up. We built smaller projects for other consulting agencies and larger projects for media companies. Though I can say more in person than in writing or anything published, some of my clients included magazines like TechCrunch and Time, media companies like AMC Networks, and larger corporations like Microsoft.
After I stepped out of agency work, I continued to use PHP on the tooling front, mostly targeted at security and cryptography. I spent over 2 years working for a small cybersecurity firm in Portland where I published tools and tutorials for other developers planning to use PHP securely. Some of those tools powered secure authentication for customers like Atlanta Streetcar and other players in the industry.
Even at Vacasa, we use PHP to power much of the core of our business. The website, backend APIs, even asynchronous cron tasks are all powered by or deeply integrated with PHP solutions.
How and when did you get involved speaking or writing in the community?
Like my PHP work, speaking and community involvement started for me with WordPress. I started visiting WordCamps even before I was focused on WordPress full-time. Making the jump to more technical, PHP-focused events and community projects was a logical next step for me.
What’s your best conference memory?
At my first php[tek] I presented a 3-hour workshop on PHP unit testing and mocking. At one point in the presentation, I detailed a workaround I was using for a bug in Mockery. Pádraic Brady was sitting in on my class and decided to patch the bug during my talk. He interrupted at one point, “go ahead and composer update. I fixed it for you. Thanks for the bug report.”
Being in such close proximity to the leaders in our industry made it easier to see these icons as real people and lowered the bar that I saw in front of me before I could become a “real contributor.”
What advice do you have for someone going to their first conference?
Be social. Break out of your comfort zone and meet as many people as possible. You never know when you’ll be talking to a future supervisor, future hire, or key contributor to a project you depend on.
What’s your primary OS: Windows, Mac, or Linux?
Depends on the project. Linux by preference, Mac for work, Windows if I want to hack on a C# project; nothing beats Visual Studio for .NET development.
Why is a security mindset important to programmers? Can’t operations handle it?
Security is never “not my job.” Security is a vital issue for everyone to keep in mind—programmers, operations, business, everyone. Your customers won’t care about your role when their data is lost or stolen.
What’s one thing people can do today to write more secure apps?
Work with other developers and audit one another's code. Not just leaving "looks good to me" comments, but thoroughly reviewing commits and identifying potential edge cases for code behavior. It's these edge cases that are often leveraged by attackers to breach a system.
What is a new or understated threat web developers should be aware of?
I wrote about it in a previous Security Corner piece, but DNS hijacking is a serious threat that not many people realize is out there. Spin up a Heroku app or EC2 instance and point a subdomain at it for testing…then kill off the instance but forget to remove the DNS entry. Now anyone can stand up a new instance and serve their own content on a subdomain of your otherwise legitimate site.
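The dangling-DNS scenario above is straightforward to audit for. The following is an added example, not Eric's code or anything from the column it refers to: a small zone audit that flags the two shapes the problem takes. A CNAME whose target no longer resolves (the deleted Heroku app) is the obvious case. The EC2 case is subtler, because EC2 public hostnames encode the instance's address (ec2-a-b-c-d.compute-1.amazonaws.com, or ec2-a-b-c-d.<region>.compute.amazonaws.com) and so keep resolving after the instance is gone; the only reliable check there is whether the encoded or pointed-at address is still in your own IP inventory. The zone, the resolver answers and the inventory below are constructed sample data; `sample_resolver` and `OWNED_IPS` are assumptions for the example.

```python
"""Audit a zone's records for dangling pointers that invite subdomain takeover.

Checks (each is "the name still points somewhere we no longer hold"):
  1. CNAME whose target does not resolve (NXDOMAIN), e.g. a deleted Heroku app.
     Whoever registers that target name now serves our subdomain.
  2. A record whose address is not in our inventory, e.g. a terminated EC2
     instance whose public address went back to the pool.
  3. CNAME to an EC2 public hostname that still resolves: the name encodes the
     address, so it never goes NXDOMAIN; the encoded address must be ours.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "A" or "CNAME"
    value: str   # IPv4 address for A, target hostname for CNAME


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    target: str


# EC2 public hostname formats: ec2-203-0-113-44.compute-1.amazonaws.com (us-east-1)
# and ec2-203-0-113-44.eu-west-1.compute.amazonaws.com (other regions).
_EC2_HOST = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.(?:compute-1|[a-z0-9-]+\.compute)\.amazonaws\.com$"
)


def _norm(host: str) -> str:
    return host.strip().rstrip(".").lower()


def ec2_encoded_ip(hostname: str) -> Optional[str]:
    """Return the IPv4 address an EC2 public hostname encodes, or None."""
    m = _EC2_HOST.match(_norm(hostname))
    return ".".join(m.groups()) if m else None


def audit_zone(records: Iterable[Record],
               resolve: Callable[[str], Optional[List[str]]],
               owned_ips: Set[str]) -> List[Finding]:
    """resolve(name) returns the A addresses for name, or None for NXDOMAIN."""
    findings: List[Finding] = []
    for rec in records:
        if rec.rtype == "A":
            if rec.value not in owned_ips:
                findings.append(Finding(rec.name,
                                        "A record points at an address not in inventory",
                                        rec.value))
        elif rec.rtype == "CNAME":
            target = _norm(rec.value)
            if resolve(target) is None:
                findings.append(Finding(rec.name,
                                        "dangling CNAME: target does not resolve and may be claimable",
                                        target))
                continue
            encoded = ec2_encoded_ip(target)
            if encoded is not None and encoded not in owned_ips:
                findings.append(Finding(rec.name,
                                        "CNAME to EC2 public hostname whose address is not in inventory",
                                        target))
    return findings


def live_resolver(name: str) -> Optional[List[str]]:
    """Resolver backed by the system stub resolver; None on NXDOMAIN, raises on other errors."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise


# Constructed sample zone and resolver answers (not real records).
SAMPLE_RECORDS = [
    Record("www.example.com", "A", "203.0.113.10"),
    Record("blog.example.com", "CNAME", "www.example.com"),
    Record("staging.example.com", "CNAME", "old-demo-app.herokuapp.com"),
    Record("api.example.com", "CNAME", "ec2-198-51-100-7.compute-1.amazonaws.com"),
    Record("legacy.example.com", "A", "198.51.100.9"),
]
SAMPLE_ANSWERS = {
    "www.example.com": ["203.0.113.10"],
    "old-demo-app.herokuapp.com": None,            # app deleted: NXDOMAIN
    "ec2-198-51-100-7.compute-1.amazonaws.com": ["198.51.100.7"],  # still resolves
}
OWNED_IPS = {"203.0.113.10"}                        # addresses we currently hold


def sample_resolver(name: str) -> Optional[List[str]]:
    return SAMPLE_ANSWERS.get(_norm(name))          # unknown name -> NXDOMAIN


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_RECORDS, sample_resolver, OWNED_IPS):
        print(f"{f.name}: {f.reason} ({f.target})")
```

Run against the sample zone, `staging`, `api` and `legacy` are flagged and `www` and `blog` are not. For a real zone, pass `live_resolver` in place of `sample_resolver` and an inventory exported from your cloud accounts; the NXDOMAIN check alone would miss the EC2 case entirely.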
How do you sharpen your web security skills beyond work?
Reading and participating in open source. In addition to my day job, I continue to contribute back to various open source projects when I can. I maintain several security extensions for WordPress because many of the end users in that space need some extra support. Keeping up on current events in the space helps me stay ahead of certain things; continuing to contribute keeps me involved and relevant to the conversation.