Paragon Initiative Enterprises Blog

The latest information from the team that develops cryptographically secure PHP software.

In 2015, We Moved the Needle Towards Being Secure

It seems like 2015 just started the other day, and it's already approaching New Years' Eve. We've definitely been busy. Here's a brief list of some of the things we've been working on throughout the past year:

2015 - Year in Review

  • We developed and open sourced six distinct PHP libraries that improve the security of any PHP projects that implement them (as well as a standalone security tool, Pharaoh).
  • Of those six, random_compat has become the de facto polyfill for PHP 7's CSPRNG functions throughout the PHP community. It's used by WordPress, Joomla, Symfony, Laravel, and many other projects.
  • Our security team published nine security advisories in various open source projects since April.
  • Several commits to the PHP core, which landed in 7.0.0. (Mostly: hardening the CSPRNG functions.)
  • A handful of code audits (we haven't published most of them since they're for products that aren't public yet).

Roughly 30% of the Internet is already potentially benefiting from our open source security research in 2015 alone.

We've also been working on a well-known (but rarely addressed) problem: There is a lot of bad security advice in highly accessible, outdated tutorials that rank highly on search engines. As a result, novice programmers would often learn how to solve a problem by mimicking dangerous methodologies.

To address this problem, we've been donating some of our time between client engagements to clean up popular answers on Stack Overflow to ensure that a casual passer-by is exposed to good security advice. For example: This Stack Overflow question about encrypting and decrypting strings in PHP. Although the long-term effects of such an endeavor on the code quality of junior developers is hard to predict (or empirically measure), we have observed a noticeable increase in the quality of the information at the top of a Google search for "php [something security related here]".

It may be too soon to declare victory, but there has been a noticeable step in the right direction in the software development community to emphasize secure-by-default solutions over insecure code. We hope this momentum carries us all into 2016 and the entire world can benefit from free access to higher quality information about basic security practices. (We hope to outperform ourselves next year.)

That's all from us until the new year. Cheers.

About the Author

P.I.E. Staff

Paragon Initiative Enterprises

Paragon Initiative Enterprises is a Florida-based company that provides software consulting, application development, code auditing, and security engineering services. We specialize in PHP Security and applied cryptography.

Need Technology Consultants?

Will tomorrow bring costly and embarrassing data breaches? Or will it bring growth, success, and peace of mind?

Our team of technology consultants have extensive knowledge and experience with application security and web/application development.

We specialize in cryptography and secure PHP development.

Let's Work Together Towards Success

Our Security Newsletters

Want the latest from Paragon Initiative Enterprises delivered straight to your inbox? We have two newsletters to choose from.

The first mails quarterly and often showcases our behind-the-scenes projects.

The other is unscheduled and gives you a direct feed into the findings of our open source security research initiatives.

Quarterly Newsletter   Security Announcements