Paragon Initiative Enterprises

Software consulting and web development for businesses with attention to security above and beyond compliance.

Our Services »

Technology should support your ambitions, not hinder them!

Secure software development philosophy:

Software should be secure by default.
Tools should be simply yet comprehensively secure.
Cryptography is fundamental to security.

About Paragon Initiative Enterprises - Orlando's Foremost Application Security Consultants

About Our Company

Paragon Initiative Enterprises is a team of technology consultants, website and app developers, and application security experts based in Orlando, FL.

Technology Consulting and Application Security Services by Paragon Initiative Enterprises in Orlando, FL

Professional Services Offered

Paragon Initiative Enterprises' expertise in web development and application security can help you fulfill your vision for your business's future while ensuring the safety and security of your online presence.

Community Software Projects by Paragon Initiative Enterprises in Orlando, FL

Community Projects

From solving challenging security problems to reducing the cognitive load of proven security strategies, we actively contribute towards the betterment of our community, both online and offline.

Latest Blog Post

On the (in)security of popular open source Content Management Systems written in PHP

Our previous post included a checklist comparing CMS Airship (our Free Software CMS platform designed with security in mind) to the three most popular content management systems currently in use on the Internet:

  1. WordPress (26.6% of all websites)
  2. Joomla (2.8% of all websites)
  3. Drupal (2.2% of all websites)

The checklist compared out-of-the-box security properties (features or design decisions that affect the security of the software and any extensions developed for it) rather than what's possible with community-provided extensions. Tooltips were also provided on individual cells to clear up any confusion on why we did or did not award a checkmark to a given project for a given security property.

Since the previous post was published, several technologists asked us to explain the individual security deficits of other PHP content management systems in detail. Some of these are straightforward (e.g. WordPress doesn't offer encryption, so there's nothing to analyze), but others require a careful eye for code auditing. Familiarity with PHP security is also greatly beneficial to understanding, although we will attempt to explain each item in detail.

We're going to set Airship aside for the remainder of this post. All you need to know is Airship met all of the criteria for a secure-by-default content management system. If you'd like to learn more about Airship's security features, we've covered this in detail here.

WordPress, Joomla, and Drupal: The Good Parts

All three content management systems score points for being Free Software, released under the GNU Public License. Consequently, their source code is available for their users to inspect and analyze. This offers three benefits:

  1. Independent security experts can assess the security of their offering and, with source code citations to prove their arguments, explain what's secure or insecure.
  2. Independent security experts can take their findings and offer better ways to improve the security of their software.
  3. You have the ability to run a copy of the software that you've verified to be known-good.

For example, last year, we made WordPress's wp_rand() function cryptographically secure as of WordPress 4.4.0. This would not have been possible without the first two properties.

In addition to being open source, all three provide a security mechanism to mitigate Cross-Site Request Forgery attacks. We didn't include whether or not plugins/extensions fail to utilize the CSRF mitigation feature in our analysis. If you're using a third-party plugin, don't assume that CSRF vulnerabilities can't or won't happen to your application just because there's a mitigation feature in the core.

Continue Reading this Blog Post »

The Latest From Our Security Team

Latest Security Advisory

CVE-2016-5726, CVE-2016-5727 - Simple Machines Forum - PHP Object Injection

There are several instances where data pulled from $_POST (i.e. inside a foreach loop) is passed directly to unserialize(). As a consequence, SMF is vulnerable to PHP Object Injection and possibly remote code execution.
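The bug class the advisory describes, shown as an added illustration (constructed for this page, not SMF's code): a request handler that feeds each POST value to unserialize(), beside a version that refuses object payloads. The function names and the sample request values are constructed.

```php
<?php
// Constructed illustration of "POST data passed directly to unserialize()".
// Not SMF's code; function names and sample input are made up for this page.

// Vulnerable pattern: every POST value goes straight into unserialize(), so a
// request can instantiate any loaded class and fire its __wakeup()/__destruct().
function loadPrefsVulnerable(array $post): array
{
    $prefs = [];
    foreach ($post as $key => $value) {
        $prefs[$key] = unserialize($value);
    }
    return $prefs;
}

// Hardened pattern: forbid object instantiation (allowed_classes, PHP >= 7.0)
// and drop any payload that tried to carry one, rather than keeping a stub.
function loadPrefsHardened(array $post): array
{
    $prefs = [];
    foreach ($post as $key => $value) {
        if (!is_string($value)) {
            continue;
        }
        $decoded = @unserialize($value, ['allowed_classes' => false]);
        // A serialized boolean false is dropped too; scalars via this path
        // are not needed in this illustration.
        if ($decoded === false || containsObject($decoded)) {
            continue; // malformed or object-bearing input: discard it
        }
        $prefs[$key] = $decoded;
    }
    return $prefs;
}

// With allowed_classes => false, serialized objects become
// __PHP_Incomplete_Class stubs; is_object() still reports them.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed request: one honest array, one value smuggling an object.
$post = [
    'theme'  => serialize(['name' => 'dark', 'width' => 1024]),
    'layout' => 'O:8:"stdClass":1:{s:4:"path";s:8:"/tmp/xyz";}',
];
var_dump(loadPrefsHardened($post)); // only 'theme' survives
```

Where the data only ever needs to be an array of scalars, json_decode() removes the problem entirely, since JSON cannot express PHP objects.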

Latest Code Audit Report

Bytejail Core Audit

The Bytejail Core audit is our most comprehensive investigation to date, and we are happy to say that we did not find any security-affecting vulnerabilities or cryptographic weaknesses.

More From Our Security Team »

Serving the greater Orlando area, and beyond, with secure and dependable web-based solutions