Live talk resources

Think Like an Adversary

OPSEC for Laravel Developers — Emma De Silva

Resources

What to do today

Actionable items grouped by team size. Pick the tier that fits and start checking things off. Every item is free and takes less than an hour.

Solo Founder (start here)
  • .env in .gitignore and not web-accessible
  • Secrets rotated quarterly
  • 2FA on GitHub, hosting, payment providers
  • CI/CD tokens scoped to minimum permissions
  • Written list of services with production access
  • composer audit in your pipeline
Small Team (2–10)

Everything from Solo Founder, plus:

  • Access segmented by role
  • Onboarding/offboarding access checklists
  • Quarterly access reviews
  • Team trained on social engineering basics
  • Incident response plan (even one page)
  • Secrets in a vault, not in Slack
Enterprise

Everything from Small Team, plus:

  • Formal trust levels for systems and information
  • Tabletop exercises at least annually
  • Vendor security assessments before integration
  • Contractor access scoped and time-limited
  • Incident response plan tested, not just documented
  • Security review in deployment pipeline
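
Three of the Solo Founder items (.env ignored by git, .env not web-accessible, composer audit in the pipeline) can be checked mechanically. The script below is an added example, not material from the talk; it assumes a standard Laravel layout (.env at the project root, public/ as the web root) and CI config in .github/workflows/ or .gitlab-ci.yml.

```shell
#!/bin/sh
# Added example: self-check for the Solo Founder items above. Assumes a standard
# Laravel layout (.env at the project root, public/ as web root) and CI config in
# .github/workflows/ or .gitlab-ci.yml. Exit status 0 = pass, 1 = fail.

# .env listed in .gitignore? Reads the file directly so git need not be installed.
# Accepts ".env", "/.env" or ".env*"; comment (#) and negation (!) lines are skipped.
env_is_gitignored() {
    [ -f "$1/.gitignore" ] || return 1
    grep -Ev '^[[:space:]]*(#|!)' "$1/.gitignore" |
        grep -Eqx '[[:space:]]*/?\.env(\*)?[[:space:]]*'
}

# No .env (or .env.backup, .env.old ...) under public/, where the web server would
# serve it as a plain file. A missing public/ directory is treated as a pass.
env_outside_webroot() {
    [ -d "$1/public" ] || return 0
    [ -z "$(find "$1/public" -name '.env*' 2>/dev/null)" ]
}

# Does the CI pipeline run `composer audit` against composer.lock?
composer_audit_in_ci() {
    grep -rqs 'composer audit' "$1/.github/workflows" "$1/.gitlab-ci.yml"
}

# Live check against a deployed site (needs network, so not part of run_checks):
# the server should answer /.env with 403 or 404, never 200.
env_not_web_accessible() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/.env") || return 1
    [ "$code" != "200" ]
}

# Run the offline checks against a project directory and print a PASS/FAIL line each.
run_checks() {
    dir="$1"; failed=0
    for check in env_is_gitignored env_outside_webroot composer_audit_in_ci; do
        if "$check" "$dir"; then echo "PASS  $check"; else echo "FAIL  $check"; failed=1; fi
    done
    return "$failed"
}

[ $# -eq 0 ] || run_checks "$1"
```

Run it as `sh opsec-check.sh /path/to/project`; `env_not_web_accessible https://your-app.example` does the live web-root check separately.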

If you hear these, worry

Recognising any of these is the first step. No shame — just fix it before it matters.

🚩"Everyone uses the same deploy key"
🚩"We'll set up access controls later"
🚩"The contractor still has access but it's fine"
🚩"Our incident plan is 'call the CTO'"
🚩"We've never tested a backup recovery"
🚩"Only one person knows the server config"

Map your threat surface

Fill this in for your own app. Three columns, fifteen minutes. It will change how you think about where to spend your security time. The example rows below illustrate the format.

What you protect   Who wants it          Likely vector
Payment data       Financial attackers   Credential theft, MITM
Business logic     Competitors           Insider threat
User PII           Data brokers          Phishing
Infra access       Anyone                Leaked keys, social eng.

Take-home exercise

Sit down after this talk and fill in the table for your own application. You don't need a threat intelligence team — just honestly answer what you're protecting, who would want it, and how they'd realistically get it.

Ask these on Monday

Five real questions for your next morning meeting. You don't need to write them down — they live here. Sit down with your team and actually answer them.

The tell

If the answer to most of these is "everyone" or "I'm not sure" — that tells you exactly where to start. Because if the answer is "everyone," your blast radius is your entire company.

Access by role: example

Not everyone needs the keys to every building. Map out who has access to what — and limit it to what they actually need.

Role         Building 1   Building 2   Building 3
Junior dev   ✅ Full      ✅ Project
Senior dev   ✅ Full      ✅ Full      🗝 Deploy
DevOps       ✅ Full      ✅ Full      ✅ Full
Contractor   ✅ Scoped    ⚠ Scoped
Founder      ✅ Full      ✅ Full      ✅ Full

Book a talk

Bring this to your team or event

I deliver this talk and others on practical security for developers. Available for conferences, meetups, and private team sessions.

Talk topics: OPSEC for developers, Laravel security, threat modelling, social engineering awareness.