
PHP.net:
PHP 5.6.29 Released
Dec 09, 2016 @ 11:54:07

On the main PHP.net site there's an announcement about the release of the latest version in the PHP 5.6.x series - PHP 5.6.29:

The PHP development team announces the immediate availability of PHP 5.6.29. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Bugs fixed in this version include changes in the Opcache, OpenSSL, SOAP, SQLite3 and Standard libraries. You can view the full list of changes in the Changelog and get the downloads from the usual place: the downloads page for the source packages and windows.php.net for the Windows binary downloads.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2016-12-08-2

PHP.net:
PHP 5.6.28 Released
Nov 14, 2016 @ 12:12:58

The PHP.net site has posted the official announcement about the latest release in the PHP 5.6.x series: PHP 5.6.28:

The PHP development team announces the immediate availability of PHP 5.6.28. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Fixes included in this release relate to:

  • core language functionality
  • GD image manipulation
  • an overflow in the IMAP functionality
  • a SQLite issue fetching an integer as a string

As always, you can get this latest release from either the main downloads page (for source packages) or windows.php.net for the Windows binaries. As a reminder, the active support for the PHP 5.6.x series will be ending at the end of 2016 (December 31st) so there's never been a better time to upgrade to PHP 7.

tagged: language release php56 security update download

Link: http://php.net/index.php#id2016-11-10-3

TutsPlus.com:
Programming With Yii2: Security
Nov 09, 2016 @ 12:41:30

The TutsPlus.com site has posted the next article in their "How to Program with Yii2" series of tutorials, this time covering the security tools and functionality already included in the framework.

In this Programming With Yii2 series, I'm guiding readers in use of the Yii2 Framework for PHP. If you're planning to share your application with the public, you'll need it to be secure, and it's best to plan this from the beginning. Fortunately, starting with a framework such as Yii makes this a lot easier than it otherwise would be.

[...] In this tutorial, I'll walk you through the basic security concepts within the Yii application framework. And, if you're interested, future episodes will work to secure the application, Meeting Planner (http://code.tutsplus.com/tutorials/building-your-startup-security-basics--cms-26702), featured in our startup series, as it approaches alpha release.

The tutorial starts with a look at some of the basics of Yii2's security functionality including authorization tools, password handling and cryptography. Code is included in each section showing the use of the component/functionality. The final point, "Best Practices", links to pages in the Yii2 documentation where you can get more information about preventing vulnerabilities like SQL injection, cross-site scripting and file exposure issues.

tagged: programming yii2 tutorial series framework security controls

Link: https://code.tutsplus.com/tutorials/programming-with-yii2-security--cms-26701

PHP Roundtable:
054: Security: Encryption, Hashing and PHP
Nov 07, 2016 @ 11:16:47

The PHP Roundtable podcast, hosted by Sammy Powers, has posted their latest episode covering Security: Encryption, Hashing and PHP. This time Sammy is joined by guests Scott Arciszewski, Chris Riley and Chris Cornutt.

We chat about security in the PHP community, encryption & hashing in PHP and a new-hotness crypto library called libsodium.

You can catch this latest episode in a few different ways: either with the in-page audio or video player, or directly over on YouTube. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter for updates when new shows are being recorded and released.

tagged: phproundtable podcast video security encryption hashing sammypowers

Link: https://www.phproundtable.com/episode/security-encryption-hashing-and-php

ThisData Blog:
Subscribing to Symfony's Security Events
Nov 01, 2016 @ 12:27:22

In this recent post to the ThisData blog Nick Malcolm shows you a method for subscribing to the events that the Symfony framework throws during the course of its execution with simple listeners.

Symfony is a popular web framework for PHP apps, and comes with a powerful event notification system which fires events when almost anything happens inside the system. Hooking in to these events can add advanced functionality to your app.

The most common way to listen to an event is to register either an event "listener", or an event "subscriber". We're going to use Subscribers. In this post we'll create a Subscriber which listens for successful and unsuccessful Log In events, and responds by sending information to ThisData.

He starts with a Symfony demo application and shows the creation of a basic subscriber that listens specifically for the security events; in this case it only handles authentication failures and interactive logins. He walks through what the subscriber code is doing step-by-step and includes the registration of the subscriber. He then updates it to send the event results over to the ThisData service for easier ingestion and reporting. This final step isn't required to get the subscriber working; it's an optional step provided as one way to handle the event output.
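As an added illustration of the approach described above (this is not the code from the ThisData post), here is a subscriber that listens for the same two security events and writes them to the application log. It assumes Symfony 3.x class and event names, an AppBundle namespace, and a PSR-3 logger service named "logger"; the service registration is shown in the comment at the top.

```php
<?php
// src/AppBundle/EventListener/SecurityEventSubscriber.php
// Added example (not the ThisData post's code): log failed and successful logins.
//
// Register it in app/config/services.yml so Symfony wires it to the dispatcher:
//
//   services:
//       app.security_event_subscriber:
//           class: AppBundle\EventListener\SecurityEventSubscriber
//           arguments: ['@logger']
//           tags:
//               - { name: kernel.event_subscriber }

namespace AppBundle\EventListener;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\AuthenticationEvents;
use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
use Symfony\Component\Security\Http\SecurityEvents;

class SecurityEventSubscriber implements EventSubscriberInterface
{
    private $logger;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    // Map each event name to the method that handles it.
    public static function getSubscribedEvents()
    {
        return [
            AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
            SecurityEvents::INTERACTIVE_LOGIN            => 'onInteractiveLogin',
        ];
    }

    // Fired when a login attempt is rejected. The token still carries the
    // submitted credentials at this point, so log the username and the
    // failure reason only, never the credentials themselves.
    public function onAuthenticationFailure(AuthenticationFailureEvent $event)
    {
        $token = $event->getAuthenticationToken();
        $this->logger->warning('Login failed', [
            'username' => $token->getUsername(),
            'reason'   => $event->getAuthenticationException()->getMessageKey(),
        ]);
    }

    // Fired after a user logs in through a form or HTTP basic auth; the
    // request is available here, which the failure event does not provide.
    public function onInteractiveLogin(InteractiveLoginEvent $event)
    {
        $request = $event->getRequest();
        $this->logger->info('Login succeeded', [
            'username'   => $event->getAuthenticationToken()->getUsername(),
            'ip'         => $request->getClientIp(),
            'user_agent' => $request->headers->get('User-Agent'),
        ]);
    }
}
```

Once registered, every failed and successful login shows up in the log with the username, client IP and user agent, which is the same data you would forward to an external service such as ThisData; repeated failures for one username or from one IP then become easy to spot in your log tooling.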

tagged: security events thisdata symfony subscriber tutorial

Link: https://thisdata.com/blog/subscribing-to-symfonys-security-events/

SitePoint PHP Blog:
2FA in Laravel with Google Authenticator – Get Secure!
Nov 01, 2016 @ 10:47:02

On the SitePoint PHP blog there's a tutorial posted from Christopher Thomas showing you how to integrate two-factor authentication into your Laravel application with a Google Authenticator-compatible library, adding a second layer of protection on top of the usual single authentication step.

In this tutorial, we will use Laravel and Google Authenticator to demonstrate how to implement 2FA in a webapp. Google Authenticator is just one implementation of the Time-Based One-Time Password (TOTP) algorithm, RFC 6238. This industry standard is used in a lot of various 2FA solutions.

[...] How the TOTP works is that the server generates a secret key. This secret key is then passed to the user. The secret key is used in combination with the current Unix timestamp to generate a six digit number, using a keyed-hash message authentication code (HMAC) based algorithm. This six digit number is the OTP. It changes every 30 seconds.

They start with a clean slate, building a new Laravel project and adding the libraries needed for the 2FA support: pragmarx/google2fa and paragonie/constant_time_encoding. You then add the provider to Laravel's config, build out the models/tables to hold the two-factor information and add a few routes to handle the validation steps. They also include the details of building out the controllers, updating the AuthController for the new step in the authentication flow and handling the code validation. The code for all of this (as well as the views) is included, along with screenshots showing the setup and usage of the two-factor handling in the standard authentication flow.
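To make the TOTP derivation quoted above concrete, here is an added example (not code from the SitePoint tutorial or from the pragmarx/google2fa library) that builds the six-digit code directly from hash_hmac(), checks itself against two of the RFC 6238 test vectors, and verifies a submitted code with a one-step drift window. It assumes PHP 7 on a 64-bit build; the base32 secret used at the end is a constructed sample, not a real key.

```php
<?php
declare(strict_types=1);
// Added example: minimal RFC 6238 TOTP generator and verifier.
// Not the tutorial's code; assumes PHP 7 (scalar type hints, intdiv) on 64-bit.

// Decode an RFC 4648 base32 secret (the form shown to the user when they
// enrol their authenticator app) into the raw key bytes HMAC needs.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $val = strpos($alphabet, $c);
        if ($val === false) {
            throw new InvalidArgumentException("Invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

// RFC 6238: counter = floor(time / period) packed as an 8-byte big-endian
// integer, HMAC-SHA1 under the shared secret, then RFC 4226 dynamic
// truncation to a 31-bit value reduced modulo 10^digits.
function totp(string $secret, int $unixTime, int $period = 30, int $digits = 6): string
{
    $counter = pack('J', intdiv($unixTime, $period));
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0F;
    $binary  = ((ord($hmac[$offset]) & 0x7F) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Verify a submitted code, tolerating one period of clock drift either way.
// hash_equals() keeps the comparison constant-time; the caller should also
// rate-limit attempts and refuse to accept the same code twice.
function verifyTotp(string $secret, string $submitted, int $unixTime, int $window = 1): bool
{
    $ok = false;
    for ($step = -$window; $step <= $window; $step++) {
        if (hash_equals(totp($secret, $unixTime + 30 * $step), $submitted)) {
            $ok = true;
        }
    }
    return $ok;
}

// Self-check against two RFC 6238 Appendix B vectors (SHA-1, 8 digits,
// ASCII secret "12345678901234567890") before trusting the implementation.
$rfcSecret = '12345678901234567890';
if (totp($rfcSecret, 59, 30, 8) !== '94287082'
    || totp($rfcSecret, 1111111109, 30, 8) !== '07081804') {
    throw new RuntimeException('TOTP implementation does not match RFC 6238 test vectors');
}

// Typical use with a constructed sample base32 secret (not a real one).
$secret = base32Decode('JBSWY3DPEHPK3PXP');
$now    = time();
$code   = totp($secret, $now);
printf("Current code: %s (valid until %d)\n", $code, ($now - $now % 30) + 30);
var_dump(verifyTotp($secret, $code, $now));
var_dump(verifyTotp($secret, '000000', $now));
```

The secret is the only long-lived value here: the user's device and the server both derive the same code from it and the clock, so it must be stored as carefully as a password hash's salt is not, that is, encrypted at rest or at least never logged, and enrolment should require the user to enter one correct code before the secret is activated.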

tagged: tutorial google authenticator security laravel twofactor authentication

Link: https://www.sitepoint.com/2fa-in-laravel-with-google-authenticator-get-secure/

TutsPlus.com:
How to Secure a REST API With Lumen
Oct 26, 2016 @ 10:56:58

Over on the TutsPlus.com site there's a new tutorial posted for the Lumen users out there building REST APIs. The post walks you through an authentication method for the API making use of Laravel's included "guard" handling and an API token.

Lumen is Laravel's little brother: a fast, lightweight micro-framework for writing RESTful APIs. With just a little bit of code, you can use Lumen to build a secure and extremely fast RESTful API.

In this video tutorial from my course, Create a REST API With Lumen, you'll learn how to use Lumen's built-in authentication middleware to secure a REST API with Lumen.

The post includes the screencast of the tutorial but it also includes all of the content below that in more developer-friendly text form. Screenshots of the code in various states are also included as well as descriptions of what's happening in the auth process along the way.

tagged: lumen security rest api screencast tutorial

Link: https://code.tutsplus.com/tutorials/how-to-secure-a-rest-api-with-lumen--cms-27442

Paragon Initiative:
Guide to Automatic Security Updates For PHP Developers
Oct 25, 2016 @ 12:51:21

On the Paragon Initiative blog they've posted a guide to handling automatic security updates for PHP developers, helping to prevent security-related issues by keeping your libraries up to date.

Most of the software security vulnerabilities known to man are preventable by careful development practices. [...] However, even if you're trying to do everything right, eventually we all make mistakes and ship exploitable software.

[...] By making updates manual rather than automatic, you're forcing your customers to take all the responsibility for making sure that your mistakes don't hurt their business. Only a very small minority of your customers might prefer the responsibility of verifying and applying each update themselves. [...] Automatic security updates reduce the interval between points 2 and 3 from possibly infinite to nearly zero. That's clearly a meaningful improvement over manual patch management.

The post then walks through the aspects of a secure automatic update system that includes offline cryptographic signatures, transport layer security and separation of privileges (who will perform the actual update). The author gets into a bit of detail for each item on the list, explaining how the system should be set up and some tools you can use to start working up the process in your own applications.
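To show what the "offline cryptographic signature" part of such a system looks like in code, here is an added example (not the Paragon post's code or their tooling) that signs an update with an Ed25519 key kept offline and has the installed application verify it before anything is unpacked. It assumes the sodium_* functions bundled with PHP 7.2 or later; the key pair and archive bytes are generated in the script purely so it runs stand-alone.

```php
<?php
declare(strict_types=1);
// Added example: verifying an offline-signed update with libsodium (Ed25519).
// Not the post's code; assumes PHP >= 7.2 with the bundled sodium extension.

// The release public key ships inside the installed application (pinned);
// the matching secret key stays on the vendor's offline signing machine.
// Constructed demo key pair, generated here only so the example runs.
$keypair          = sodium_crypto_sign_keypair();
$releasePublicKey = sodium_crypto_sign_publickey($keypair);
$offlineSecretKey = sodium_crypto_sign_secretkey($keypair);  // never on a web server

// --- vendor side (offline): sign the update archive ---------------------
$archive   = "constructed sample bytes standing in for app-1.2.3.tar.gz";
$signature = sodium_crypto_sign_detached($archive, $offlineSecretKey);
// $archive and $signature are then published; fetching them over TLS
// (PHP's https:// wrapper verifies the peer certificate by default since
// 5.6) protects the download in transit, the signature protects against a
// compromised mirror or CDN.

// --- customer side: verify before the archive is trusted ----------------
function verifyUpdate(string $archive, string $signature, string $publicKey): bool
{
    // Size checks first so a malformed signature fails closed instead of
    // raising a SodiumException from the verify call.
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, $archive, $publicKey);
}

var_dump(verifyUpdate($archive, $signature, $releasePublicKey));
var_dump(verifyUpdate($archive . 'x', $signature, $releasePublicKey));
var_dump(verifyUpdate($archive, str_repeat("\0", 64), $releasePublicKey));

// Privilege separation: the process that downloads and verifies the archive
// only needs write access to a staging directory; applying the update to the
// live code tree is left to a separate, more privileged job that also checks
// the signature, so a compromised web worker cannot push code on its own.
```

The three var_dump() calls exercise the genuine archive, a one-byte modification, and an all-zero signature; only the first should verify. Because the public key is compiled into the application rather than fetched, an attacker who controls the update server still cannot produce an archive the client will accept.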

tagged: automatic security update developers tutorial system

Link: https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers

PHP.net:
PHP 5.6.27 Released
Oct 18, 2016 @ 11:48:09

As announced on the main PHP.net site, the latest version in the PHP 5.6.x series has been released: PHP 5.6.27, a bugfix-only release.

The PHP development team announces the immediate availability of PHP 5.6.27. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Bugfix locations include DOM, GD, mbstring, OpenSSL and SimpleXML. As always, this latest version can be downloaded from the main downloads page (source) or from windows.php.net (binaries). You can view the full list of updates and fixes in the related Changelog.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2016-10-14-1

SitePoint PHP Blog:
Phpseclib: Securely Communicating with Remote Servers via PHP
Oct 04, 2016 @ 13:37:33

The SitePoint PHP blog has posted a new tutorial by Viraj Khatavkar showing how to use the phpseclib library to securely communicate with remote servers directly from your PHP code.

PHP has an SSH2 library which provides access to resources (shell, remote exec, tunneling, file transfer) on a remote machine using a secure cryptographic transport. Objectively, it is a tedious and highly frustrating task for a developer to implement it due to its overwhelming configuration options and complex API with little documentation.

The phpseclib (PHP Secure Communications Library) package has a developer friendly API. It uses some optional PHP extensions if they’re available and falls back on an internal PHP implementation otherwise. To use this package, you don’t need any non-default PHP extensions installed.

The first step is getting the library installed (via Composer), followed by a few example use cases including generating SSH keys dynamically and testing an SSH/SFTP connection. The tutorial then talks about three methods you can use with phpseclib to connect to remote servers: using an RSA key, using a password-protected RSA key and just the normal username/password combination. With the connection made they then show you how to:

  • execute (single and multiple) commands on the remote server
  • exit on the first error
  • gather the output from the commands

There's also a bit included about some other interesting configuration options and a few alternatives to the library if phpseclib doesn't work exactly right for your application.
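Here is an added example (not the tutorial's code) covering the key-based connection and the command loop listed above, plus one check the tutorial summary does not mention: pinning the server's host key before any credentials are sent, so a substituted server cannot capture the session. It assumes phpseclib 2.0 installed through Composer; the host, user, key path and expected host key are placeholders to be replaced with your own.

```php
<?php
// Added example (not from the SitePoint tutorial): connect with an RSA key,
// pin the server host key, run commands and stop at the first failure.
// Assumes phpseclib 2.0 ("phpseclib/phpseclib": "~2.0") installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use phpseclib\Crypt\RSA;
use phpseclib\Net\SSH2;

// Placeholder values; replace with your own.
$host        = 'example.internal';
$user        = 'deploy';
$keyPath     = '/home/deploy/.ssh/id_rsa';
$keyPassword = getenv('SSH_KEY_PASSPHRASE') ?: '';   // empty for an unencrypted key
// The server's public host key as recorded out of band (for example from a
// known_hosts file on a trusted machine). PLACEHOLDER: fill in the real key.
$expectedHostKey = 'ssh-rsa AAAA...PLACEHOLDER...';

$ssh = new SSH2($host, 22, 10);   // 10-second connection timeout

// Compare the presented host key with the pinned one before logging in.
$serverKey = $ssh->getServerPublicHostKey();
if ($serverKey === false || !hash_equals($expectedHostKey, $serverKey)) {
    fwrite(STDERR, "Host key mismatch for $host, aborting\n");
    exit(1);
}

$key = new RSA();
if ($keyPassword !== '') {
    $key->setPassword($keyPassword);     // password-protected private key
}
if (!$key->loadKey(file_get_contents($keyPath))) {
    fwrite(STDERR, "Could not load private key from $keyPath\n");
    exit(1);
}
if (!$ssh->login($user, $key)) {
    fwrite(STDERR, "Login failed for $user@$host\n");
    exit(1);
}

// Each exec() runs in its own channel (so a `cd` does not carry over);
// getExitStatus() returns the command's status, or false if none was sent.
$commands = ['uptime', 'df -h /', 'this-command-does-not-exist'];
foreach ($commands as $cmd) {
    $output = $ssh->exec($cmd);
    $status = $ssh->getExitStatus();
    echo "\$ $cmd\n", $output;
    if ($status !== 0) {
        fwrite(STDERR, "Command failed with exit status " . var_export($status, true) . ", stopping\n");
        break;
    }
}
$ssh->disconnect();
```

Keeping the host-key check strict (abort on mismatch rather than warn) is the part most scripts skip; without it the RSA login protects the client's identity but says nothing about the server's.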

tagged: phpseclib security communication server library tutorial introduction

Link: https://www.sitepoint.com/phpseclib-securely-communicating-with-remote-servers-via-php/