The software that powers about 5 out of every 6 websites is more secure because of our work.
What follows is a sample of what we have accomplished in past client engagements. If you'd like assurance that we can deliver results, and you're using open source PHP software, check your directory. Chances are, you're already using our code.
No one likes to have to bring in security experts because their systems were breached and their customers might be affected. In troubled times, we pride ourselves on our professionalism and clarity. When called to investigate a hacked server or network, our team focused on answering the big questions:
In addition to our public security research, our company has conducted penetration tests and code audits that stood out above our competition.
Our security expertise has not only saved companies from the cost and anxiety associated with later data breaches, but we've consistently found high-severity security vulnerabilities that other penetration testing firms missed.
Learn more about why you want to hire us.
Paragon Initiative's consultants worked with an online doctor appointment service to integrate their appointment scheduling process with several third-party EMR providers, resulting in less frustration for doctors and patients alike.
We also identified and repaired several programming mistakes made by an offshore team that previously worked on the project that could have resulted in a full server compromise and complete access to protected health information.
Members of the Paragon Initiative team worked with one of the largest cell tower construction companies to migrate an incredibly slow Android native app to a modern, cross-platform HTML5 architecture with offline capability (achieved through use of the application cache and HTML5's
In addition to a significant speed increase from both a superior architecture and a relational database backend, the new app also offered in-app photo editing and annotations, automated reporting, and an ad-hoc reporting tool.
We improved the random number generator used throughout the Facebook Software Development Kit to produce cryptographically secure output, which nontrivially increases the security of the functions that rely on randomness in apps that use newer versions of the Facebook SDK.
We identified a weakness in the Symfony security module that affected systems with
Affected systems would have treated raw binary strings (e.g. Message Authentication Codes) as UTF-8 encoded strings and incorrectly reported the string length.
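To make the length problem concrete, here is an added example (not Symfony's code and not Paragon's patch) showing how a raw binary MAC reports a different length when counted as UTF-8 characters rather than bytes, and a byte-safe, constant-time verification that does not depend on how `strlen()` is configured. It assumes PHP 7.0 or later with the mbstring extension loaded; the key and message are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Raw binary HMAC: every byte may be 0x00-0xFF, so the tag need not be valid UTF-8.
function mac(string $key, string $message): string
{
    return hash_hmac('sha256', $message, $key, true);
}

// Byte count. mb_strlen() with '8bit' is unaffected by mbstring.func_overload,
// unlike a plain strlen() call on an affected system.
function byteLength(string $s): int
{
    return mb_strlen($s, '8bit');
}

// Character count when the same bytes are (wrongly) interpreted as UTF-8.
// This is the figure an overloaded strlen() would have returned.
function utf8Length(string $s): int
{
    return mb_strlen($s, 'UTF-8');
}

// Byte-safe, constant-time verification of a received tag.
function verifyMac(string $key, string $message, string $tag): bool
{
    $expected = mac($key, $message);
    if (byteLength($expected) !== byteLength($tag)) {
        return false;
    }
    return hash_equals($expected, $tag);
}

// Constructed demo values.
$key = 'constructed-demo-key';
$tag = mac($key, 'hello');

// A 32-byte tag is always 32 bytes, but its UTF-8 "character" count depends on
// which byte sequences happen to form valid multi-byte characters.
printf("bytes: %d, utf-8 chars: %d\n", byteLength($tag), utf8Length($tag));

var_dump(verifyMac($key, 'hello', $tag));                  // bool(true)
var_dump(verifyMac($key, 'hello', substr($tag, 0, -1)));   // bool(false): truncated tag
```

The design point is that any length comparison on MAC material must count bytes, and the comparison itself must be constant-time (`hash_equals()`), so the check behaves identically whether or not the runtime has overloaded the single-byte string functions.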
A member of Paragon Initiative submitted patches to enhance the random number generator employed by WordPress. The improved algorithm relies on the system entropy pool instead of a userspace random number generator.
Paragon Initiative's consultants improved the security of OAuth2 Server library provided by the League of Extraordinary PHP Packages by ensuring the key generation algorithm always returns the correct key size.
We also identified that their implementation had the side-effect of defining the function inside of their current namespace. While this is not a security or performance concern, it does violate software engineering best practices; so, we fixed that too.
When reviewing the Yii framework, we discovered an inconsistency in how random numbers were being generated. While most of their security code was following industry best standards, their password hashing library was relying on a Mersenne Twister for random salts (which can be predictable).
Predictable or low-entropy salts can cause salted hash collisions (if the passwords are the same). This was fixed before Yii2 was officially released.
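The WordPress and Yii items above both come down to where salt and key material is sourced. The following added example (not Yii's, WordPress's or Paragon's code) contrasts a Mersenne Twister salt with one drawn from the operating system's entropy pool, and shows the salted-hash collision that a repeated salt produces for two users with the same password. It assumes PHP 7.0 or later; the fixed `mt_srand()` seed stands in for the guessable seed a Mersenne Twister realistically ends up with, and all passwords and seeds are constructed.

```php
<?php
declare(strict_types=1);

// Weak: userspace Mersenne Twister. With the same seed it yields the same salt,
// and the seed space is small enough that the salt is predictable.
function weakSalt(int $seed, int $len = 16): string
{
    mt_srand($seed);
    $raw = '';
    for ($i = 0; $i < $len; $i++) {
        $raw .= chr(mt_rand(0, 255));
    }
    return bin2hex($raw);
}

// Strong: random_bytes() reads from the system entropy pool (CSPRNG).
function strongSalt(int $len = 16): string
{
    return bin2hex(random_bytes($len));
}

// Minimal salted hash, only to show the collision; real password storage uses
// a slow, memory-hard algorithm via password_hash() (see below).
function saltedHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Two accounts, same (constructed) password, salts from the same predictable seed.
$saltA = weakSalt(12345);
$saltB = weakSalt(12345);
var_dump($saltA === $saltB);                                        // bool(true)
var_dump(saltedHash('hunter2', $saltA) === saltedHash('hunter2', $saltB)); // bool(true): collision
// An attacker comparing the stored hashes learns the two users share a password
// without cracking anything.

// Same two accounts with CSPRNG salts: the hashes no longer match.
$saltC = strongSalt();
$saltD = strongSalt();
var_dump($saltC === $saltD);                                        // bool(false)
var_dump(saltedHash('hunter2', $saltC) === saltedHash('hunter2', $saltD)); // bool(false)

// Preferred: let password_hash() generate its own CSPRNG salt and use a
// deliberately slow algorithm; the salt is embedded in the stored string.
$stored = password_hash('hunter2', PASSWORD_DEFAULT);
var_dump(password_verify('hunter2', $stored));                      // bool(true)
```

The salt's job is to make equal passwords hash differently and to defeat precomputed tables; both properties depend on the salt being unique per account, which a userspace generator seeded from a small or time-derived value cannot guarantee.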
One of our team members identified weaknesses with the CodeIgniter session library that, in the hands of a sophisticated attacker, could result in remote code execution.
The discussion that followed resulted in a new, stronger encryption library consistent with industry best practices. The vulnerabilities we identified were fixed in CodeIgniter 2.2.0 and the relevant feature was removed in version 3.