In this issue of Behind the Dev, we're going to be taking a look at the day-to-day of the security consultant and penetration tester, Stephen Rees-Carter.
Stephen is huge in the Laravel world and is well known for scaring us all during his Laracon talks with his hacking demonstrations! He also has a mailing list (Securing Laravel) and an interactive course (Practical Laravel Security) where you can learn how to improve your application's security.
If you don't follow him on Twitter, make sure to check out his profile at: @valorin!
Behind the Dev
Can you tell us a bit about yourself?
Hey! My name is Stephen Rees-Carter. I’m a Security Consultant and Penetration Tester, although I usually go by the title “Friendly Hacker” - which is much easier to say and explain! I’m also a PHP developer for life - I started using PHP over 20 years ago, and so much of what I do still focuses around PHP. I spend my time doing Security Audits and Penetration Tests for PHP and Laravel applications, as well as writing my Securing Laravel newsletter and building my Practical Laravel Security course. I’m also a conference speaker - I was lucky enough to speak at Laracon EU in January, and Laracon US is coming up next week (at the time of writing)!
How did you first get into web development?
Oh, good question… It was a long time ago, but if I remember correctly, I got involved in some online text-based games (Star Kingdoms and Legend of the Green Dragon) and wanted to build my own. So I did. I signed up for shared hosting, built the whole game, and had a lot of fun with my friends. I’ve long since lost the code to it though…
As a developer, what’s your typical day like?
As a consultant, my days are pretty variable, but it typically goes something like this:
Wake up and get the kids ready for school. Once I’m back home, I’ll work through whatever emails/chat/social messages that need handling. Once that’s done, I’ll typically be working on an audit, which involves going to my massive checklist of steps and proceeding through the list. I tend to focus my mornings on working through points and flagging potential issues - more surface level work, while afternoons are more for digging deeper into flagged and focus areas that need more concentration. I’ll always have music playing while I’m working, usually some soundtrack - most often from LOTR & Hobbit movies, or The Rings of Power and The Wheel of Time. I generally avoid working after dinner - it’s usually reserved for building lego, or reading, or watching an episode of whatever TV show we’re currently working through with my wife.
Are there any tools that you use on a daily basis?
Let’s see… The biggest one is my trusty ThinkPad X1 Carbon. I do everything from my laptop, without an external screen. It’s not the fastest machine (low power CPU 😭), but it handles absolutely everything I throw at it.
In terms of software, Windows 11 and Chrome are my obvious base tools, with Notion and Microsoft To-Do for project management and task lists.
For dev work, I use Windows Subsystem for Linux (WSL) to host all of my local dev (I have a custom nginx conf directly on Ubuntu WSL that everything runs through without the fuss of Docker), with PhpStorm as my IDE and Windows Terminal in Quake mode so it’s easily accessible anywhere.
I also use Burp Suite Professional for my security audits - for automated and manual scans, plus NordVPN as a VPN and a way to get new IPs when I hit a rate limit. 🤣
Oh and I use Backblaze to keep everything backed up.
Is there anything in particular related to development that you enjoy working on the most?
What I really love doing, development-wise, is digging into and figuring out complicated bugs. I just love tackling a challenging bug, tracing it through, replicating it, and eventually figuring out that one character that’s the cause of so much weirdness. In a way it’s similar to doing a pentest - I can see the code is vulnerable, it’s just a matter of figuring out how to trigger and exploit it.
If you could go back in time and give younger Stephen some advice when you were first starting in development, what would it be?
Find your dev community and join it somehow. It took me a long time before I started actually taking part in the community, and it wasn’t until that point where my skills really took off.
Do you have any hobbies outside of web development?
Yes! I love music and used to play Bari Sax in a big band, although I haven’t had a chance to find a new band since we moved. I also love building Lego - I’m currently building the Rivendell set. And let’s not forget Lock Picking! It’s a bit cliche for the security guy to do lock picking, but hey, it’s a lot of fun. Oh and reading, I love reading fantasy, and I’m a huge Tolkien fan. I also just finished reading The Wheel of Time for the first time.
Can you tell us a little bit about "Securing Laravel"?
Securing Laravel is my mailing list focused on teaching Laravel developers about security concepts they need to know to keep their apps secure. I send out weekly security tips, and monthly In Depth articles that dive deep into specific topics. So far there have been 50 tips and 17 in depth articles published, and I’ve plenty more on my ideas list. The full archive is there, so you can go searching for topics we’ve already covered too.
The big highlights so far have been to build interactive challenges for specific vulnerabilities (XSS, SQLi, IDOR & Enumeration), and and my two big series, the first covering the OWASP Top 10, and the second my own Top 10 vulnerabilities I’ve found during security audits.
Why did you decide to build your interactive course “Practical Laravel Security”?
I decided to build Practical Laravel Security as an interactive course because I personally find it a lot easier to learn with hands-on experience - this is how I structure my conference talks too. So I decided to build a Laravel security course around practical hacking exercises, where those doing the course will actually conduct their own attacks directly in their browser. This means they learn how to exploit XSS and bypass the basic protections in Laravel’s Markdown parser, as well as abuse a vulnerable subdomain to bypass CSRF protections. These hands-on skills make vulnerabilities understandable, and then when building their own apps, they’ll start to see potential vulnerabilities and avoid them.
It does have some huge challenges - for example, how do I build an app that is insecure enough for the exercises, but secure enough to keep working and not be compromised. So each challenge takes time to design, but the overall experience is totally worth it.
If you could give one security tip to web developers, what would it be?
Don’t forget the basics!
You’d be surprised how often I find a vulnerability caused by the developer forgetting or overlooking something simple. If you assume the basics are already covered, you’ll overlook something eventually and leave a vulnerability open.