Your two jobs

1. Reduce the likelihood of an attack
2. Limit the damage when something gets through

Table stakes

• .env hygiene
• Secrets rotation
• Deployment pipeline security
• Dependency supply chain

.env in the wild

Your pipeline is an attack surface

The supply chain you don't think about

composer require totally-legit-package/laravel-helper

You're not just trusting the package. You're also trusting all the package's dependencies.

But this only protects the front door

Threat modeling

1. What are you protecting?
2. Who would want it?
3. How would they get it?
4. What's the realistic impact?

Real example

Situation: R&D startup with patented hardware.

Threat: Overseas factory could replicate or leak the design.

Solution: No single factory got the complete design.

Trade-off: More expensive. Far cheaper than domestic-only.

Your turn

Take-home exercise: Fill this in for your app. 15 minutes.

The building analogy

The building analogy

Building 1 — Marketing site, blog, public docs
Building 2 — Internal tools, staging, employee data
Building 3 — Production DB, payments, user PII

Clearance ≠ access

Need-to-know, not nice-to-have.

Blast radius thinking

Ask these on Monday

• Who can merge to main?
• Who can deploy to production?
• Who has the payment dashboard?
• Who can delete database backups?
• Who has root on your servers?

Access by role

Role	Bldg 1	Bldg 2	Bldg 3
Junior dev	Full	Project
Senior dev	Full	Full	Deploy
DevOps	Full	Full	Full
Contractor	Scoped	Scoped
Founder	Full	Full	Full

The human layer

Advanced Protection Programs

• Hardens your Google account
• Requires hardware security keys
• Free to enable

If you handle production credentials — you probably should.

Incident response

Having a plan is step one.
Testing it is step two.

"Our CI/CD provider was just compromised. What do we do?"

Vendor and contractor trust

Quarterly access reviews. Calendar it.

Security is about trade-offs

The goal isn't perfect security.
It's proportionate security.

Checklist: solo founder

• [ ] .env in .gitignore and not web-accessible
• [ ] Secrets rotated quarterly
• [ ] 2FA on GitHub, hosting, payment providers
• [ ] CI/CD tokens scoped to minimum permissions
• [ ] Written list of services with production access
• [ ] composer audit in your pipeline

Checklist: small team (2–10)

Everything above, plus:

• [ ] Access segmented by role
• [ ] Onboarding/offboarding access checklists
• [ ] Quarterly access reviews
• [ ] Team trained on social engineering basics
• [ ] Incident response plan (even one page)
• [ ] Secrets in a vault, not in Slack

Checklist: enterprise

Everything above, plus:

• [ ] Formal trust levels for systems and information
• [ ] Tabletop exercises at least annually
• [ ] Vendor security assessments before integration
• [ ] Contractor access scoped and time-limited
• [ ] Incident response plan tested, not just documented
• [ ] Security review in deployment pipeline

Red flags

"Everyone uses the same deploy key"
"We'll set up access controls later"
"The contractor still has access but it's fine"
"Our incident plan is 'call the CTO'"
"We've never tested a backup recovery"
"Only one person knows the server config"

Your two jobs — revisited

1. Reduce the likelihood → Laravel surface, access controls, training
2. Limit the damage → Blast radius, segmentation, incident response

Make sure the next one is a contained incident — not a company-wide headache.