Our Experience

"Technology should support your ambitions, not hinder them"

Is Paragon Initiative Enterprises Right For Your Business?

The software that powers about 5 out of every 6 websites
is more secure because of our work.

What follows is a sample of what we have accomplished in past client engagements. If you'd like assurance that we can deliver results, and you're using open source PHP software, check your vendor directory. Chances are, you're already using our code.

Business Success

Incident Response

No one likes to have to bring in security experts because their systems were breached and their customers might be affected. In troubled times, we pride ourselves on our professionalism and clarity. When called to investigate a hacked server or network, our team focuses on answering the big questions:

  1. How did it happen?
  2. What data was at risk?
  3. How can we prevent this in the future?

Vulnerability Assessment

In addition to our public security research, our company has conducted penetration tests and code audits that stood out above our competition.

Our security expertise has not only saved companies from the cost and anxiety associated with later data breaches, but we've consistently found high-severity security vulnerabilities that other penetration testing firms missed.

Learn more about why you want to hire us.

EMR Integration

Paragon Initiative's consultants worked with an online doctor appointment service to integrate their appointment scheduling process with several third-party EMR providers, resulting in less frustration for doctors and patients alike.

We also identified and repaired several programming mistakes, made by an offshore team that had previously worked on the project, that could have resulted in a full server compromise and complete access to protected health information.

Android App Migration

Members of the Paragon Initiative team worked with one of the largest cell tower construction companies to migrate an incredibly slow Android native app to a modern, cross-platform HTML5 architecture with offline capability (achieved through use of the application cache and HTML5's localStorage feature).

In addition to a significant speed increase from both a superior architecture and a relational database backend, the new app also offered in-app photo editing and annotations, automated reporting, and an ad-hoc reporting tool.

Open Source Development

Facebook SDK v4

We improved the random number generator used throughout the Facebook Software Development Kit to produce cryptographically secure output, which nontrivially increases the security of the functions that rely on randomness in apps that use newer versions of the Facebook SDK.

Symfony Framework

We identified a weakness in the Symfony security module that affected systems with mbstring.func_overload enabled.

Affected systems would have treated raw binary strings (e.g. Message Authentication Codes) as UTF-8 encoded strings and incorrectly reported the string length.
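The weakness above comes from the fact that, with bit 2 of mbstring.func_overload set, PHP silently replaces strlen() with mb_strlen() and counts UTF-8 characters rather than bytes, so a 32-byte MAC can be reported as shorter than 32 and any length check or byte-by-byte comparison bounded by that count covers fewer bytes than intended. The following is an added illustration written for this page; it is not Symfony's or Paragon's code. It assumes PHP 7 with the mbstring extension loaded (the setting was deprecated in PHP 7.2 and removed in 8.0), and the message and key it hashes are constructed sample values.

```php
<?php
// Added example, not code from Symfony or Paragon Initiative.

// Returns true when mbstring.func_overload overloads the byte string functions
// (strlen, substr, ...). ini_get() returns false on PHP 8, where the setting no
// longer exists, so the cast yields 0 there.
function mbstringOverloadsStringFunctions(): bool
{
    return ((int) ini_get('mbstring.func_overload') & 2) === 2;
}

// Byte length that is correct whether or not strlen() has been overloaded:
// asking mb_strlen() for the '8bit' encoding always counts bytes.
function byteLength(string $s): int
{
    if (function_exists('mb_strlen')) {
        return mb_strlen($s, '8bit');
    }
    return strlen($s);
}

// A length check written the way the affected code was: strlen() on a raw MAC.
// Under func_overload this counts UTF-8 "characters" of random binary data,
// which can be fewer than 32, so a valid tag could be rejected as wrong-length
// (or a comparison loop bounded by this count could stop short).
function macHasExpectedLengthNaive(string $mac): bool
{
    return strlen($mac) === 32;
}

function macHasExpectedLength(string $mac): bool
{
    return byteLength($mac) === 32;
}

// Constructed sample: a raw (binary) HMAC-SHA256 tag is always 32 bytes.
$mac = hash_hmac('sha256', 'constructed sample message', 'constructed-sample-key', true);

printf("func_overload active: %s\n", mbstringOverloadsStringFunctions() ? 'yes' : 'no');
printf("byte length:          %d\n", byteLength($mac));               // always 32
printf("as UTF-8 characters:  %d\n", mb_strlen($mac, 'UTF-8'));        // may be fewer than 32
printf("naive length check:   %s\n", macHasExpectedLengthNaive($mac) ? 'pass' : 'FAIL');
printf("8bit length check:    %s\n", macHasExpectedLength($mac) ? 'pass' : 'FAIL');
```

Run it twice on PHP 7, once normally and once with `php -d mbstring.func_overload=2`, and the naive check is the only line whose result can change. The defensive pattern is the one byteLength() uses: never measure or slice binary material (MACs, keys, ciphertext) with strlen()/substr() on a host where the overload may be enabled; use the '8bit' mbstring variants, and compare tags with hash_equals() rather than a hand-written loop bounded by a string length.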

WordPress Core

A member of Paragon Initiative submitted patches to enhance the random number generator employed by WordPress. The improved algorithm relies on the system entropy pool instead of a userspace random number generator.

The PHP League's OAuth2 Server

Paragon Initiative's consultants improved the security of the OAuth2 Server library provided by the League of Extraordinary PHP Packages by ensuring the key generation algorithm always returns the correct key size.

We also identified that their hash_equals() implementation had the side-effect of defining the function inside of their current namespace. While this is not a security or performance concern, it does violate software engineering best practices; so, we fixed that too.

Yii Framework 2.0

When reviewing the Yii framework, we discovered an inconsistency in how random numbers were being generated. While most of their security code was following industry best standards, their password hashing library was relying on a Mersenne Twister for random salts (which can be predictable).

Predictable or low-entropy salts can cause salted hash collisions (if the passwords are the same). This was fixed before Yii2 was officially released.

CodeIgniter Framework

One of our team members identified weaknesses with the CodeIgniter session library that, in the hands of a sophisticated attacker, could result in remote code execution.

The discussion that followed resulted in a new, stronger encryption library consistent with industry best practices. The vulnerabilities we identified were fixed in CodeIgniter 2.2.0 and the relevant feature was removed in version 3.