.. Source: Paragon Initiative Enterprises, LLC. URL: https://paragonie.com/b/vSUEhJrxU_N02tjs Format: ReStructuredText Created: 2015-05-12T19:50:20-04:00 Modified: 2018-01-21T06:49:04-05:00 Accessed 2024-12-22T05:52:01-05:00 .. _curated application security reading list: https://github.com/paragonie/awesome-appsec .. _discovering security vulnerabilities: https://paragonie.com/experience .. _security-related blog posts: https://paragonie.com/blog/category/security-engineering .. _formal code audits: https://paragonie.com/service/code-review .. _ASGard: https://paragonie.com/project/asgard .. _Pharaoh: https://paragonie.com/project/pharaoh .. _problem of secure code delivery: https://defuse.ca/triangle-of-secure-code-delivery.htm .. _Composer: https://getcomposer.org .. _PHPUnit: https://phpunit.de/ .. _let us know: https://paragonie.com/contact .. _helping businesses secure their applications: https://paragonie.com/service/appsec .. _OWASP: http://www.meetup.com/OWASP-Orlando .. _Orlando PHP User Group: http://www.meetup.com/orlandophp .. _FOSSETCON: http://fossetcon.org .. _email: https://paragonie.com/contact .. _tweet: https://twitter.com/ParagonIE .. _Github ticket: https://github.com/paragonie/awesome-appsec/issues .. _pull request: https://github.com/paragonie/awesome-appsec/pulls Paragon Initiative Enterprises strives to help software developers around the world learn how to write code that is more secure, easier to maintain, and more efficient. In addition to publishing `security-related blog posts`_, `discovering security vulnerabilities`_ in popular open source products, and performing `formal code audits`_ (our first report is coming soon), we actively pursue find newer and better ways to engage with computer programmers and IT administrators to share our team's knowledge on computer security. So last month, we started to maintain a **`curated application security reading list`_** on Github. It currently has over 390 stars and the number keeps increasing every day. But Wait, There's More... ========================= Instead of just a long README file that users can edit via a pull request, we wrote a custom compiler that reads JSON files and, along with their relative location within the filesystem, assembles a structured Markdown list (complete with Table of Contents). This compiling approach enables us to *guarantee* that the Table of Contents is representative of the underlying list. Going forward, it also allows us to split the main sections (General, PHP, etc.) into their own pages and seamlessly link to them to reduce page load time on mobile devices. Another benefit: When we decide that the list has grown large enough to justify splitting into sub-pages, it won't break any outstanding pull requests that add ``foobar.json`` files to the ``data/`` directory. As the entire project is permissively MIT Licensed, feel free to grab our compiler and refit it in your own curated list projects. This is Only the Beginning ========================== There are two sides to the technology field: The technology *industry*, which many talented people work in, and the technology *community*, which many talented people play in. Our team of engineers and consultants have backgrounds in both, so we feel confident in saying that the industry's future *depends* on a thriving community. Of our previous two projects, `ASGard`_ and `Pharaoh`_, both were developed with the community in mind: * **ASGard** aims to solve the `problem of secure code delivery`_. A working, tested, and peer-reviewed solution to this problem allows consumers of software (including other developers) to quickly, easily, and safely obtain software produced by a third party with a significant guarantee that nobody has tampered with the endpoint and inserted a trojan. * **Pharaoh** is a command line application that allows developers to compare two PHARs (executable PHP Archives). Beyond simply "matches" or "does not match", *Pharaoh* allows you to see what differs. Pharaoh was originally intended as an in-house auditing tool for verifying projects like `Composer`_ and `PHPUnit`_ but we felt the community at large could benefit from the availability of this tool. We are considering setting up a Github service for verifying package releases in the near future. (`Let us know`_ if this interests you!) We intend and anticipate for this trend to continue into the foreseeable future. **Watch this space.** Our team already has a stack of exciting projects that aren't quite ready for prime time, and we enjoy hearing that someone learned a valuable tip or skill from us just as much as we enjoy `helping businesses secure their applications`_. Many of our team members will also be participating in local events, such as the `OWASP`_ quarterly meetup, the monthly `Orlando PHP User Group`_, and the annual `FOSSETCON`_ in December. **If you feel that something is missing from our curated list,** please feel free to suggest it to us through your favorite communication medium (`email`_, `tweet`_, `Github ticket`_, `pull request`_, etc.). Our hope is that it can serve as a starting point for a developer interested in learning how to secure the applications they develop. In our experience, learning secure coding practices leads to cleaner, more organized, and more succinct code even in areas unrelated to security. When anyone decides to learn about computer security, *everybody wins*.