October is Cybersecurity Awareness Month in the United States. It’s the perfect time to stop, audit your current security stance, and make incremental improvements. Security is foundational to everything we build. A structured checkup keeps it manageable.
Enable Multi-Factor Authentication Everywhere
Your username is often public. Your password is the single secret protecting your account — and it can fail through bugs, user error, or malicious activity.
The easiest way to protect against password breaches is to add authentication factors. Time-based one-time passwords (TOTP) are short 6-digit codes generated by apps like Google Authenticator. They change every 30 seconds and rely on a secret key known only to you and the application.
App-based push notifications (via Authy, for example) convert your phone into an authentication factor requiring proactive confirmation.
Hardware tokens like YubiKey provide the strongest protection. Once configured, an attacker cannot impersonate you without physical access to the token. Newer models support NFC for mobile use and integrate with SSH and GPG for asymmetric encryption.
Avoid SMS-based codes when possible. While better than nothing, unencrypted text messages are vulnerable to SIM-swapping attacks.
Use Strong Passwords (The Right Way)
Old advice has you creating complicated strings like bpz.y24X!H@TFA with uppercase, lowercase, numbers, special characters, no dictionary words, and no repeated characters. A computer doesn’t care about any of that.
What matters is entropy. Each character set above introduces a small amount of entropy. You need at least 14 characters following those rules to stay secure against a devoted attacker for five years.
A passphrase like “husky conduit fiji mystery unaware” — five random dictionary words — remains secure against the same attacker for nearly 100 thousand years. It’s also easier to remember and type.
Use a password manager like 1Password or Bitwarden. They synchronize across devices, keep data encrypted, generate truly random passwords, and notify you when credentials appear in a breach.
Recognize and Report Phishing
According to Mimecast, 91% of cyber attacks start with email. Attackers impersonate someone you trust to trick you into downloading malware, providing credentials, or granting access.
Quick checks for phishing:
- Does the sender know you? Is the message addressed to you by name, or to “user” or “subscriber”?
- Is it asking you to do something unusual — download a file, visit an unfamiliar website, or “confirm your account”?
- Is there a sense of urgency or a threat for non-action?
If something looks suspicious, contact the sender through a separate channel. Call them. Do not reply to the email. Do not click any links.
Report suspicious messages to your IT department. They have tools to check attachments for malware. Never provide credentials in direct response to an email. If a legitimate service asks you to change your password, type their URL manually into your browser.
Update Your Software
OWASP ranks vulnerable and outdated components as the sixth most common application security risk. As developers, we’re responsible for keeping our applications secure. As technology users, we’re responsible for our own endpoints.
Apple disclosed a critical remote code execution flaw in WebKit last month. Visiting a malicious website could give attackers full control. Apple patched it quickly. How many people install updates and reboot immediately?
Run uptime in your terminal. When did you last restart? If it’s been a while, install updates now. The rest of this article can wait.
Audit Your PHP Dependencies
Composer makes dependency auditing straightforward:
$ composer auditThis command checks your installed packages against known vulnerability databases. Run it regularly in CI/CD pipelines.
Beyond auditing, review your composer.json for outdated packages. Each dependency is an attack surface. Remove packages you don’t use. Pin versions with explicit constraints rather than floating ^ constraints for production deployments.
Review Authentication and Authorization
Walk through every authenticated endpoint in your application:
- Are password policies enforced server-side?
- Do sessions expire appropriately?
- Is CSRF protection enabled on all state-changing routes?
- Are API tokens revocable and rate-limited?
- Does every protected route enforce authorization, not just authentication?
Use Laravel’s built-in authorization gates and policies, or Symfony’s Voters. Avoid inline permission checks scattered across controllers.
Validate Input Everywhere
Unvalidated input is the root cause of SQL injection, XSS, and command injection. Review every entry point:
- Use prepared statements for all database queries
- Validate and sanitize file uploads — check MIME types server-side
- Escape output context-appropriately (HTML, JSON, XML, etc.)
- Use Laravel’s validation rules or Symfony’s constraints
- Never trust
$_SERVERvalues without sanitization
Secure Configuration
Check your configuration files for:
- Debug mode enabled in production (never set
APP_DEBUG=trueon a live server) - Hardcoded secrets or API keys
- Exposed environment files (
.envshould never be web-accessible) - Verbose error messages that leak stack traces
- Permissive CORS policies
Add a .htaccess or nginx rule blocking access to .env and composer.json:
# Apache
<FilesMatch "^\.env|composer\.(json|lock)$">
Require all denied
</FilesMatch>Logging and Monitoring
If a breach happens, logs tell the story:
- Are authentication failures logged?
- Are privilege escalation attempts logged?
- Do logs include timestamps, IP addresses, and user agents?
- Are logs stored outside the application (separate server or service)?
- Do you have alerts for anomalous patterns (e.g., 100 failed logins in 5 minutes)?
Create a Remediation Plan
An audit is only useful if you act on the findings. Prioritize fixes:
- Critical — actively exploited vulnerabilities, exposed secrets, missing authentication on sensitive endpoints
- High — outdated dependencies with known CVEs, weak password policies, missing CSRF protection
- Medium — verbose error messages, permissive CORS, missing rate limiting
- Low — log verbosity, minor config hardening
Assign owners and deadlines for each item. Re-audit in six months. Security is not a one-time project — it’s an ongoing practice.