It seems like 2015 just started the other day, and it's already approaching New Year's Eve. We've definitely been busy. Here's a brief list of some of the things we've been working on throughout the past year:
2015 - Year in Review
- We developed and open sourced six distinct PHP libraries that improve the security of any PHP projects that implement them (as well as a standalone security tool, Pharaoh).
- Of those six, random_compat has become the de facto polyfill for PHP 7's CSPRNG functions throughout the PHP community. It's used by WordPress, Joomla, Symfony, Laravel, and many other projects.
- Our security team published nine security advisories in various open source projects since April.
- Several commits to the PHP core, which landed in 7.0.0. (Mostly: hardening the CSPRNG functions.)
- A handful of code audits (we haven't published most of them since they're for products that aren't public yet).
Roughly 30% of the Internet is already potentially benefiting from our open source security research in 2015 alone.
We've also been working on a well-known (but rarely addressed) problem: there is a lot of bad security advice in highly accessible, outdated tutorials that rank highly on search engines. As a result, novice programmers often learn how to solve a problem by mimicking dangerous methodologies.
To address this problem, we've been donating some of our time between client engagements to clean up popular answers on Stack Overflow to ensure that a casual passer-by is exposed to good security advice. For example: this Stack Overflow question about encrypting and decrypting strings in PHP. Although the long-term effects of such an endeavor on the code quality of junior developers are hard to predict (or empirically measure), we have observed a noticeable increase in the quality of the information at the top of a Google search for "php [something security related here]".
It may be too soon to declare victory, but there has been a noticeable step in the right direction in the software development community to emphasize secure-by-default solutions over insecure code. We hope this momentum carries us all into 2016 and the entire world can benefit from free access to higher quality information about basic security practices. (We hope to outperform ourselves next year.)
That's all from us until the new year. Cheers.