Florida's Finest Application Security Specialists

Our team's specialties in the field of application security range from developing reliable interactive web applications to modern cryptology to exploit mitigation and defensive operating system configuration.

We are avid security researchers whose contributions are spread across dozens of popular software projects and regularly published in security mailing lists.

We believe that the default status of any software should be secure, not insecure. We hope to accomplish this by securing the tools and frameworks that thousands of companies and other developers depend on.

Unlike most defenders, we don't think in lists.

Compliance is Not Enough

Paragon Initiative Enterprise runs at the forefront of specialized application security research. We don't stop at compliance; our goal is resilience.

Through a potent hybrid strategy that incorporates source code auditing and a deep understanding of secure development practices, Paragon Initiative Enterprises will find and reinforce the vulnerable parts of your business solutions.

Our Application Security Experience is Your Benefit.

Recent Security Advisories Reported by Paragon Initiative Enterprises

• 2016-06-10 CVE-2016-5726, CVE-2016-5727 - Simple Machines Forum - PHP Object Injection

  There are several instances where data pulled from $_POST (i.e. inside a foreach loop) is passed directly to unserialize(). As a consequence, SMF is vulnerable to PHP Object Injection and possibly remote code execution.

• 2015-11-23 CVE-2015-7503 - Zend\Crypt - RSA Padding Oracle (Plaintext Recovery)

  The Zend\Crypt\RSA\PublicKey class in Zend Framework's cryptography library in affected versions of Zend Framework is vulnerable to padding oracle attacks, as first demonstrated by Daniel Bleichenbacher in 1998. The RSA padding oracle attack was further optimized by Steel, et al. in 2012. This vulnerability is specific to PKCS1v1.5 padding; RSA-OAEP is unaffected.

  Back-of-the-envelope math: If you can perform 25 attempts per second using the Steel method, you can decrypt any message encrypted with 1024-bit RSA using a vulnerable version of Zend\Crypt in about 10 minutes (median).

• 2015-11-08 Joomla CMS - JCrypt - Multiple Cryptography Vulnerabilities

  Our chief development officer looked at the cryptography library provided by the Joomla CMS and found numerous cryptography flaws; the most critical (pertaining to JCryptCipherSimple) being a home-grown cipher best described as XOR-ECB. It's relatively trivial to recover the key if you know the plaintext (especially if the plaintext is at least 256 characters long).

  The usual candidates (chosen ciphertext attacks, an insecure fallback in the CSPRNG) for security vulnerabilities in PHP cryptographys were also found.

  Total investigation time: 30 minutes. Imagine what we can do for the security of your projects with days?

• 2015-08-27 CVE-2015-5687 - PHP Object Injection in AnchorCMS v0.9.2 and earlier

  AnchorCMS is a popular blogging platform that focuses on being lightweight and super simple. We discovered and unfortunate vulnerability that is both easy to exploit remotely and has a high impact.

• 2015-06-23 Minds.com - Multiple Vulnerabilities

  Minds.com is a social network and mobile app that claims to offer encrypted chat to its users. After a brief investigation, we discovered that the clients would blindly accept arbitrary RSA public keys from the server, and it encrypted messages with RSA with PKCS1 padding.

• 2015-06-21 Tutanota Encrypted Email Service - Malleable Ciphertext

  Tutanota, which offers a free encrypted email app, does not authenticate its ciphertexts with a MAC. Two others (Steve Weis and Richard) had already alerted the development team to this implementation flaw and their report was dismissed.

• 2015-06-09 Cryptographic Vulnerabilities in RNCryptor-PHP

  RNCryptor's MAC validation suffers from timing leaks and type confusion vulnerabilities.

• 2015-06-04 Friendica - Weak Cryptography Implementations

  There were two symmetric cryptography strategies bundled with Friendica. One used ECB mode, the other used CBC mode. Neither implementation used encryption or authentication correctly.

• 2015-05-02 Yubikey Library Lacks CSPRNG, Has Timing Side-Channels

  Laravel 5 package for integrating with Yubikey lacked a CSPRNG for nonce generation. Furthermore, it was comparing HMAC-SHA1 signatures with PHP's == operator. We informed the maintainer and sent a pull request to fix these issues.

• 2015-04-19 Laravel - PHP Object Injection - 4.1, 4.2, 5.0, master

  Laravel developers that (a) stored their session state inside of a cookie and (b) turned session encryption off were vulnerable to PHP Object Injection, which can lead to Remote Code Execution under the right conditions.