All the way from Brisbane, Queensland, Cloudways is in conversation with Laravel security teacher Stephen Rees-Carter. Stephen is a security consultant who specializes in security audits for Laravel and PHP sites.
Along with being a security consultant Stephen also organizes different security workshops and training for development teams. These teachings are focused on developers to think like technical experts, to help them write secure code and identify weaknesses hackers may exploit. Stephen also speaks at security conferences and creates newsletters in his free time.
Shahzeb: Hello Stephen, thank you for taking the time out for this interview. Before we start, can you just tell us a little about yourself so our readers can get to know you better?
Stephen: Sure. My name is Stephen Rees-Carter and I live in Brisbane, Australia. I am a massive Tolkien fan – the Lord of the Rings movies are, in my opinion, the best movies ever made – and you’ll find Tolkien references in most of the things that I do.
I’ve been a developer since my high school added a “software design and development” class. I went to university, studied Software Engineering, and got my first job as a developer working with Zend Framework (1) at a local web host.
A friend hired me into their security product business 10 years ago, and that started me on a journey of learning and loving more about security. I’ve since spent a year cleaning hacked WordPress sites at Wordfence, completed two security certifications (Security+ & CEH), and just recently shifted from being a full-time developer to being a security consultant.
I launched my Laravel Security Audits and Penetration testing business at the start of the year and have spent a lot of my working hours since then reading other people’s code and trying to hack into their apps. It’s a lot of fun!
Shahzeb: Can you share your journey with Laravel? Any relatable experience from your career you find interesting and would like to share with our audience?
Stephen: I first heard about Laravel from a friend I was working with in 2013. We were at linux.conf.au in Canberra and he mentioned he was playing with a new framework called “Laravel” that I might like. At the time I considered Zend Framework as my framework of choice, but ZF2 had recently been launched and the developer experience was absolutely terrible – I was not happy with it at all.
So along came this new framework called Laravel – I tried the upcoming version 4 and loved it. It made my life as a developer easier, and that was important to me.
I’ve stuck with Laravel ever since because it made development enjoyable, and that’s something which has influenced my choices throughout my career. Not just in terms of frameworks, but also in code design patterns and tooling.
If you’ve got the choice between following the tedious and strict “best practice”, or the elegantly simple but not “best practice”, choose the method you enjoy and make it your own. This is why I use Laravel, why I use some Facades and not others, and why I use Windows 11 with WSL2. All of these choices help me love development.
It’s also why I shifted into security. I have always been fascinated by security (I think it started early with a love of puzzles and magic), and over the years as opportunities presented themselves to focus more on the security side of development, I kept picking that path to explore because I found it interesting and enjoyable.
Shahzeb: Was there a special reason you chose to work with Laravel over the other Frameworks available? What would you say is the importance of using Laravel to you?
Stephen: As I’ve just talked about, I chose Laravel because it made development enjoyable at a time when I was struggling to use the existing tools I had. This is the strength of Laravel – it’s constantly striving to make development enjoyable. When I sit down to write code, I want to enjoy the experience, to feel like my tools are helping me – rather than fighting against me.
Another aspect of Laravel that I love is the inherent knowledge of the framework – it’s been worked on by so many people that there are a lot of tiny tweaks and features that solve a lot of edge cases you’d never even normally consider.
This makes your life as a developer easier, as you don’t need to worry about these edge cases – and the same for security too. There are so many subtle security features, it makes it really easy for developers with no knowledge of security to make a secure app.
Shahzeb: You’ve created the Laravel Security in Depth website, a bonus for Laravel Developers. How did you come up with the idea?
Stephen: Laravel Security in Depth came about as I was preparing to give a talk at Laracon Online in September 2021. At the time I was taking a break from work due to burnout, and I was thinking about what I wanted to do next.
I was having a lot of fun putting together my talk and really wanted to do more to teach developers about. I considered writing a course or a book, but everyone does those, and I wanted to try something a bit different… so I decided to launch a paid mailing list, with the intention of teaching Laravel developers about security beyond my talks.
Shahzeb: What made you think about creating a website around Laravel security?
Stephen: Security is an underrated topic in development communities, and especially the Laravel community. This is partly the fault of Laravel being so secure out-of-the-box – developers often think they don’t need to worry about it because the framework will handle it – but it’s still incredibly important. So, I wanted to change the mindset and help developers think more about security and how to write secure code.
Shahzeb: What do you think are the main benefits developers take away from the Laravel Security in Depth website?
Stephen: The biggest thing I want to impart is a love of security. I try to make each email fun and interesting and look for the best way to teach a topic where people won’t tune-out and lose interest. It’s why I built an intentionally vulnerable demo site for Laravel Security in Depth.
When teaching about a vulnerability like Cross-Site Scripting (XSS), it’s much easier to wrap your head around it if you can exploit the vulnerability yourself, so I’ve built a series of challenges readers can complete to learn how XSS works – but running real XSS attacks in their own browsers.
Shahzeb: You’ve worked on a number of side projects over the years. What should readers know about all the stuff you’re doing in Laravel these days?
Stephen: Outside of my Laravel Security Audits and my mailing list, I’ve got three main projects:
The first is WithExtraVeg, which is my wife’s business. She’s a vegan nutritionist who provides meal plans and nutrition help for vegan families. I’m the technical side of the business, and build and maintain the meal plans system.
One of the other two projects is technically public, although it’s incredibly early days and not really usable yet. I’m building an open-source toolkit for checking the security of PHP sites and code. My intention is to wrap up all the scriptable bits of my security audit workflow into a single tool. I’m sure you can find it if you’re interested. 😉
My third is a secret project that I hope to launch in the next few months. (Hint: it’s geared around developer education.)
Shahzeb: What motivated you to become a Laravel web developer and security consultant? Who were your mentors and inspirations in this journey?
Stephen: The Laravel coding experience itself is what pulled me into the community, although I would be lying if I said that was the only influence. Dayle Rees and Jeffery Way (i.e. Laracasts) were two of the big influences in my early days with Laravel, especially Jeffery’s teaching of elegant code and embracing the designs around Facades – rather than being stuck on “best practice”.
I also had a fantastic manager in one of my jobs who challenged me every day to write better code – which forced me to think about the “why” of my coding choices.
The biggest influence in my security journey is Troy Hunt. I attended his “Hack Yourself First” workshop early on in my security journey and absolutely loved it. The idea that if you know how to hack and exploit vulnerabilities, you’ll better defend your stuff was a game-changer for me.
Shahzeb: I have noticed that you enjoy speaking at Laracon conferences. Which topic are you going to talk about this year? And why?
Stephen: I honestly have no idea! 🤣
In my first Laracon talk I hacked into the application, and my second was hacking into the server behind the app – the sequel to my first talk. So where do I take the series next? I’ve considered looking at something like Vapor (i.e. hacking serverless), but I don’t know enough about serverless to know what’s possible in that realm. Maybe I’ll write a prequel and hack the developer instead?
Shahzeb: Which type of web hosting would you prefer? In your opinion, what are the benefits of hosting a site on a managed solution provider rather than conventional shared hosting?
Stephen: All of my stuff is hosted on DigitalOcean, on a server management tool to manage the servers, although I do want to launch a project on Vapor, so I can get a feel for how it works. But I’ve been managing my own servers since I worked at a webhost 15 years ago, so I have a good idea of what I’m doing.
For someone without experience with managing servers or AWS experience, I would recommend a managed solution provider who can manage the infrastructure for you. It’s just one less thing you need to worry about, so you can concentrate on your code.
The provider can worry about updates, outages, and scaling to manage the load. All of these are painful to figure out if you don’t have experience already.
If you can’t use a managed service provider, go for something like server management tools over shared hosting. That’s a recipe for disaster – I’ve got some horror stories from my time working at a hosting provider and at Wordfence… but that’s a topic for another time.
Shahzeb: How important do you think managed hosting is for Laravel developers? What values does this bring to their development, and how does this affect their workflow?
Stephen: I think it depends on the project and the developer’s skills, but in general, having someone else manage the infrastructure means it’s one less thing for the developer to handle themselves.
Shahzeb: What do you think about managed hosting solutions like Cloudways that provide an optimized PHP stack and offer Laravel framework in one click with features to deploy their web apps?
Stephen: I’m not familiar with Cloudways specifically, but the whole point of managed hosting is to make the developer’s life easier. If the tooling saves them the time and effort of managing infrastructure and provides security and reliability, without the need to jump through any hoops, then it’s a good thing.
Making framework-specific tooling is a definite plus – the less effort it takes to use a tool, the more benefit the developer will get out of it.
Shahzeb: Who should we interview next and why?
Stephen: Michael Dyrynda – he’s a fellow Aussie and does a lot for the Laravel community. He organizes Laracon Australia (ask him when the next one is!) and co-hosts the Laravel News podcast.
Shahzeb: Stephen, I’m sure many people have taken notes. I’m also sure they’d love to see a picture of your workstation if you’d like to share one!
Stephen: Happy to share!
For those wondering, that’s my beloved X1 Carbon, the 14” laptop I do everything on. I gave up using multiple monitors years ago – when my eldest son was quite young. I would work wherever in and out of the house he was playing and soon got to the point where trying to use a second monitor (or even one of a different size) would slow me down. Having virtual desktops in Windows really makes a difference too.
Shahzeb: Thank you once again, Stephen Rees-Carter!
Shahzeb Ahmed
Shahzeb is a Digital Marketer with a Software Engineering background, works as a Community Manager — PHP Community at Cloudways. He is growth ambitious and aims to learn & share information about PHP & Laravel Development through practice and experimentation. He loves to travel and explore new ideas whenever he finds time. Get in touch with him at [email protected]
