Paragon Initiative Enterprises strives to help software developers around the world write code that is more secure, easier to maintain, and more efficient. In addition to publishing security-related blog posts, discovering security vulnerabilities in popular open source products, and performing formal code audits (our first report is coming soon), we actively pursue newer and better ways to engage with programmers and IT administrators and share our team's knowledge of computer security.
So last month, we started maintaining a curated application security reading list on GitHub. It currently has over 390 stars, and the number keeps growing every day.
But Wait, There's More...
Instead of just a long README file that users edit via pull requests, we wrote a custom compiler that reads JSON files and, using each file's relative location within the filesystem, assembles a structured Markdown list (complete with Table of Contents).
Because the Table of Contents is generated from the same data as the list itself, it cannot drift out of sync with the entries. Going forward, this also allows us to split the main sections (General, PHP, etc.) into their own pages and link to them seamlessly, reducing page load time on mobile devices.
Another benefit: when we decide that the list has grown large enough to justify splitting it into sub-pages, it won't break any outstanding pull requests that add foobar.json files to the data/ directory.
As the entire project is permissively MIT-licensed, feel free to grab our compiler and refit it for your own curated list projects.
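The compiler itself is not reproduced in this post, so what follows is an added Python illustration of the same approach, not Paragon's code. It walks a data/<section>/<entry>.json tree (an optional index.json per section naming that section is an assumed convention), validates each entry, renders the Markdown with a Table of Contents built from the same parsed data, and then independently re-checks that the set of TOC anchors equals the set of section headings. The sample tree, the example.com URLs and the validation rules (http(s)-only links, single-line fields, escaped brackets) are assumptions of this example.

```python
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample tree (relative path -> file contents). The directory under
# data/ is the section; index.json naming it is an assumed convention.
SAMPLE_TREE: Dict[str, str] = {
    "data/general/index.json": '{"title": "General"}',
    "data/general/threat-modeling.json": json.dumps({
        "name": "Threat Modeling Primer", "url": "https://example.com/threat-modeling",
        "description": "Constructed entry: enumerate what can go wrong before coding."}),
    "data/general/owasp-top-ten.json": json.dumps({
        "name": "OWASP Top Ten", "url": "https://owasp.org/www-project-top-ten/",
        "description": "The most common web application vulnerability classes."}),
    "data/php/index.json": '{"title": "PHP"}',
    "data/php/password-hashing.json": json.dumps({
        "name": "Password Hashing in PHP", "url": "https://example.com/php-passwords",
        "description": "Constructed entry: hashing and verifying passwords with PHP's built-in API."}),
}

class CompileError(ValueError):
    """A malformed tree fails the build, so a bad pull request fails CI."""

def slugify(heading: str) -> str:
    """Approximate GitHub's heading-to-anchor rule."""
    return re.sub(r"[^\w\- ]", "", heading.strip().lower()).replace(" ", "-")

def escape_md(text: str) -> str:
    """Stop an entry from breaking out of its link with [, ] or a backslash."""
    return re.sub(r"([\[\]\\])", r"\\\1", text)

def validate_entry(path: str, entry: dict) -> None:
    for key in ("name", "url", "description"):
        value = entry.get(key)
        if not isinstance(value, str) or not value.strip():
            raise CompileError(f"{path}: missing or empty '{key}'")
        if "\n" in value or "\r" in value:
            raise CompileError(f"{path}: '{key}' must be a single line")
    if urlparse(entry["url"]).scheme not in ("http", "https"):  # no javascript: links
        raise CompileError(f"{path}: url must be http(s), got {entry['url']!r}")

def load_sections(tree: Dict[str, str]) -> List[Tuple[str, List[dict]]]:
    """Group entries by directory; return [(title, entries)] sorted by title."""
    titles: Dict[str, str] = {}
    entries: Dict[str, List[dict]] = {}
    for rel_path, text in tree.items():
        parts = Path(rel_path).parts
        if len(parts) != 3 or parts[0] != "data" or not parts[2].endswith(".json"):
            raise CompileError(f"{rel_path}: expected data/<section>/<file>.json")
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            raise CompileError(f"{rel_path}: invalid JSON ({exc})") from exc
        if not isinstance(doc, dict):
            raise CompileError(f"{rel_path}: top level must be a JSON object")
        if parts[2] == "index.json":
            titles[parts[1]] = str(doc.get("title", parts[1]))
            continue
        validate_entry(rel_path, doc)
        entries.setdefault(parts[1], []).append(doc)
    sections = [(titles.get(name, name.replace("-", " ").title()),
                 sorted(items, key=lambda e: e["name"].lower()))
                for name, items in entries.items()]
    return sorted(sections, key=lambda s: s[0].lower())

def render(sections, title="Application Security Reading List") -> str:
    """TOC and body come from the same list, so they cannot disagree."""
    lines = [f"# {title}", "", "## Table of Contents", ""]
    lines += [f"- [{escape_md(h)}](#{slugify(h)})" for h, _ in sections]
    for heading, items in sections:
        lines += ["", f"## {escape_md(heading)}", ""]
        for e in items:
            url = e["url"].replace(" ", "%20").replace(")", "%29")
            lines.append(f"- [{escape_md(e['name'])}]({url}) - {escape_md(e['description'])}")
    return "\n".join(lines) + "\n"

def toc_is_consistent(markdown: str) -> bool:
    """Independent check: TOC anchors and section headings are the same set."""
    headings = {slugify(h) for h in re.findall(r"^## (?!Table of Contents$)(.+)$", markdown, re.M)}
    toc = set(re.findall(r"^- \[[^\]]*\]\(#([^)]+)\)$", markdown, re.M))
    return headings == toc

def compile_tree(tree: Dict[str, str]) -> str:
    markdown = render(load_sections(tree))
    if not toc_is_consistent(markdown):  # guards against regressions in render()
        raise CompileError("generated TOC does not match section headings")
    return markdown

def read_tree(root: str) -> Dict[str, str]:
    """Walk a real checkout; compile_tree(read_tree('.')) yields the README."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_text(encoding="utf-8")
            for p in sorted(base.glob("data/*/*.json"))}

if __name__ == "__main__":
    print(compile_tree(SAMPLE_TREE), end="")
```

Run in CI on every pull request, compile_tree(read_tree('.')) either produces the README or raises CompileError naming the offending file, so a contributor's new entry is checked before merge rather than after it lands. Because the sections are assembled as a list before anything is rendered, writing each section to its own page later is a change to render() alone; the JSON files and the pull requests that add them are untouched.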
This is Only the Beginning
There are two sides to the technology field: the technology industry, which many talented people work in, and the technology community, which many talented people play in. Our team of engineers and consultants has backgrounds in both, so we feel confident in saying that the industry's future depends on a thriving community.
Both of our previous two projects, ASGard and Pharaoh, were developed with the community in mind:
- ASGard aims to solve the problem of secure code delivery. A working, tested, and peer-reviewed solution to this problem lets consumers of software (including other developers) quickly, easily, and safely obtain software produced by a third party, with strong assurance that what they receive is what the author published and that nobody along the delivery path has tampered with it and inserted a trojan.
- Pharaoh is a command line application that allows developers to compare two PHARs (executable PHP Archives). Beyond a simple "matches" or "does not match", Pharaoh shows you exactly what differs. Pharaoh was originally intended as an in-house auditing tool for verifying projects like Composer and PHPUnit, but we felt the community at large could benefit from its availability. We are considering setting up a GitHub service for verifying package releases in the near future. (Let us know if this interests you!)
We intend, and anticipate, that this trend will continue for the foreseeable future. Watch this space. Our team already has a stack of exciting projects that aren't quite ready for prime time, and we enjoy hearing that someone learned a valuable tip or skill from us just as much as we enjoy helping businesses secure their applications.
Many of our team members will also be participating in local events, such as the OWASP quarterly meetup, the monthly Orlando PHP User Group, and the annual FOSSETCON in December.
If you feel that something is missing from our curated list, please feel free to suggest it to us through your favorite communication medium (email, tweet, GitHub issue, pull request, etc.). Our hope is that the list can serve as a starting point for any developer interested in learning how to secure the applications they build.
In our experience, learning secure coding practices leads to cleaner, more organized, and more succinct code even in areas unrelated to security. When anyone decides to learn about computer security, everybody wins.