Paragon Initiative Enterprises Blog

The latest information from the team that develops cryptographically secure PHP software.

In 2015, We Moved the Needle Towards Being Secure

by P.I.E. Staff

Paragon Initiative

It seems like 2015 just started the other day, and it's already approaching New Years' Eve. We've definitely been busy. Here's a brief list of some of the things we've been working on throughout the past year:

2015 - Year in Review

  • We developed and open sourced six distinct PHP libraries that improve the security of any PHP projects that implement them (as well as a standalone security tool, Pharaoh).
  • Of those six, random_compat has become the de facto polyfill for PHP 7's CSPRNG functions throughout the PHP community. It's used by WordPress, Joomla, Symfony, Laravel, and many other projects.
  • Our security team published nine security advisories in various open source projects since April.
  • Several commits to the PHP core, which landed in 7.0.0. (Mostly: hardening the CSPRNG functions.)
  • A handful of code audits (we haven't published most of them since they're for products that aren't public yet).

Roughly 30% of the Internet is already potentially benefiting from our open source security research in 2015 alone.

We've also been working on a well-known (but rarely addressed) problem: There is a lot of bad security advice in highly accessible, outdated tutorials that rank highly on search engines. As a result, novice programmers would often learn how to solve a problem by mimicking dangerous methodologies.

To address this problem, we've been donating some of our time between client engagements to clean up popular answers on Stack Overflow to ensure that a casual passer-by is exposed to good security advice. For example: This Stack Overflow question about encrypting and decrypting strings in PHP. Although the long-term effects of such an endeavor on the code quality of junior developers is hard to predict (or empirically measure), we have observed a noticeable increase in the quality of the information at the top of a Google search for "php [something security related here]".

It may be too soon to declare victory, but there has been a noticeable step in the right direction in the software development community to emphasize secure-by-default solutions over insecure code. We hope this momentum carries us all into 2016 and the entire world can benefit from free access to higher quality information about basic security practices. (We hope to outperform ourselves next year.)

That's all from us until the new year. Cheers.

Permalink
License: Creative Commons Attribution-ShareAlike 4.0 International CC-BY-SA 4.0 Intl
View source (Markdown)

About the Author

P.I.E. Staff

Paragon Initiative Enterprises

Paragon Initiative Enterprises is a Florida-based company that provides software consulting, application development, code auditing, and security engineering services. We specialize in PHP Security and applied cryptography.

About

Paragon Initiative Enterprises
offers technology consulting and web development services to businesses with attention to security above and beyond compliance.

Our Professional Experience

Blog Categories

  1. Business
  2. Paragon Initiative
    1. Community
      1. Gossamer
      2. Open Source
      3. Pharaoh
      4. Security Advice
    2. Our Products
      1. Airship
      2. ASGard
      3. Ward
    3. Slice of PIE
  3. Security News
  4. Technology
    1. Cryptology
    2. Databases
    3. Hardware
    4. Programming
    5. Quality Assurance
    6. Security Engineering
    7. System Administration
  5. Uncategorized

Tags

  1. Access Controls
  2. Application Security
  3. Authentication
  4. Authorization
  5. Automatic Updates
  6. Business
  7. Central Florida
  8. Confidentiality
  9. Cryptography
  10. CSPRNG
  11. Data Science
  12. Encryption
  13. HTTPS
  14. Integrity
  15. Libsodium
  16. Login
  17. .NET
  18. Networking
  19. Node.js
  20. Open Source
  21. Orlando
  22. OWASP
  23. OWASP Top Ten
  24. PHP
  25. PostgreSQL
  26. Public Key Cryptography
  27. Python
  28. Ruby
  29. Secret Key Cryptography
  30. Security
  31. Signatures
  32. SQL
  33. SQL Injection
  34. Statistics
  35. Vulnerability
  36. Web Development
  37. XSS

Mailing Lists

  1. Paragon Initiative Quarterly
  2. Paragon Initiative Vanguard

Elsewhere

  1. ParagonIE on Github
  2. @ParagonIE
  3. Paragonie on Facebook

Need Technology Consultants?

Will tomorrow bring costly and embarrassing data breaches? Or will it bring growth, success, and peace of mind?

Our team of technology consultants have extensive knowledge and experience with application security and web/application development.

We specialize in cryptography and secure PHP development.

Let's Work Together Towards Success

Our Security Newsletters

Want the latest from Paragon Initiative Enterprises delivered straight to your inbox? We have two newsletters to choose from.

The first mails quarterly and often showcases our behind-the-scenes projects.

The other is unscheduled and gives you a direct feed into the findings of our open source security research initiatives.

Quarterly Newsletter   Security Announcements