
php[architect]:
June 2016 Issue Released - Secure By Design
Jun 02, 2017 @ 13:36:27

php[architect] magazine has announced the release of the latest issue for June 2017: Secure By Design:

In this issue, focused on security and secure development, articles include:

  • Analyzing for security in "Nuclear Powered Software Security" by Chris Riley.
  • Mark Niebergall surveys the "Cybersecurity State of the Union".
  • Make your site anonymous via Tor in "The Digital Speakeasy: Secure and Anonymous Access to Your Website" by Dustin Younse.
  • "High performance data exchanges using Google's Protocol Buffers" by Christopher Mancini.

There's also the usual set of columns returning this month covering topics like image manipulation, burnout and spurring community involvement. If you're interested in the magazine but want a "try before you buy", check out the free article for this month (the "State of the Union"). If you enjoy the article or just want to pick up a copy of the issue to call your own, you can order a print or digital copy directly from the php[architect] site.

tagged: phparchitect magazine june2016 security securebydesign issue release

Link: https://www.phparch.com/magazine/2017-2/june/

Pádraic Brady:
PHP Security: Default Vulnerabilities, Security Omissions & Framing Programmer
Aug 27, 2012 @ 10:05:13

In this new post (and this related article) Pádraic Brady shares some of his opinions about the default security that languages should provide and about the Secure by Design principles.

Odd though it may seem, this principle explains some of PHP’s greatest security weaknesses. PHP does not explicitly use Secure By Design as a guiding principle when executing features. I’m sure it's in the back of developers’ minds just as I’m sure it has influenced many of their design decisions, however there are issues when you consider how PHP has influenced the security practices of PHP programmers. The result of not following Secure By Design is that all applications and libraries written in PHP can inherit a number of security vulnerabilities, hereafter referred to as “By-Default Vulnerabilities”.

He focuses on what he sees as a responsibility of those creating the language to either default to a more secure architecture or provide information as to why their choices could cause problems. In the extended version of the post, he talks about some specific issues that the language has including SSL/TLS misconfiguration, openings for XML entity injection attacks and limited native filtering for cross-site scripting.

tagged: security default vulnerabilities responsibility developer securebydesign

Link: