Joshua Sampia:
CORS Slim PHP Setup
Nov 05, 2015 @ 10:38:47

In this post on his site, Joshua Sampia shows how to set up and configure CORS in a Slim-based application. CORS, or Cross-Origin Resource Sharing, lets you lock down which origins can access your application from a browser and set some requirements around the ones that can.

Ok, another PHP post, but this time it's about setting up some middleware for a Slim PHP application.

Let me set this up. We are building a simple REST API for use with a basic phone native app (both Android and iOS). Me being new to this, I wasn't sure if the native app domain call is considered cross browser or not, plus there are some outside companies we are working with who MAY access the API as well. [...] I set up some middleware by extending the Slim Middleware class and adding them via the app.

He talks about the steps he had to take to set up an AccessControlOrigin middleware (and two others, one requiring HTTPS and one requiring HTTP Basic Auth). He includes the simple code that sends the required CORS headers on the response object and the update to his JavaScript to include credentials with every request.
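A middleware of the shape the post describes, added here as an example (it is not Joshua's code); it assumes the Slim 2 `\Slim\Middleware` API the post extends and a constructed allowlist of origins. The detail a reviewer looks for: echo back only an allowlisted origin rather than `*`, because browsers refuse a wildcard once credentials are included, and send `Vary: Origin` so shared caches keep responses per origin.

```php
<?php
// Added example (not the post's code): Slim 2 middleware that emits CORS headers
// only for origins on an explicit allowlist. Assumes Slim 2's \Slim\Middleware API.
class AccessControlOrigin extends \Slim\Middleware
{
    private $allowed; // exact origins allowed to call the API

    public function __construct(array $allowedOrigins)
    {
        $this->allowed = $allowedOrigins;
    }

    // Pure helper (testable without Slim): the CORS headers for a given Origin,
    // or an empty array when the origin is absent or not allowlisted, in which
    // case the browser blocks the cross-origin read.
    public static function corsHeadersFor($origin, array $allowed)
    {
        if ($origin === null || !in_array($origin, $allowed, true)) {
            return array();
        }
        return array(
            // Echo the specific origin: browsers reject "*" when credentials
            // (cookies or HTTP Basic Auth) are sent with the request.
            'Access-Control-Allow-Origin'      => $origin,
            'Access-Control-Allow-Credentials' => 'true',
            'Access-Control-Allow-Methods'     => 'GET, POST, PUT, DELETE, OPTIONS',
            'Access-Control-Allow-Headers'     => 'Authorization, Content-Type',
            'Vary'                             => 'Origin', // keep caches per origin
        );
    }

    public function call()
    {
        $req = $this->app->request;
        $res = $this->app->response;
        foreach (self::corsHeadersFor($req->headers->get('Origin'), $this->allowed) as $k => $v) {
            $res->headers->set($k, $v);
        }
        // Answer the preflight here: it carries no credentials, so it must not
        // fall through to a Basic Auth middleware that would reject it.
        if ($req->getMethod() === 'OPTIONS') {
            $res->setStatus(204);
            return;
        }
        $this->next->call();
    }
}

// Registration (constructed sample origin): $app->add(new AccessControlOrigin(array('https://app.example.com')));
```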

tagged: cors slim framework security middleware https httpbasic authentication crossorigin

Link: http://joshuasampia.com/2015/11/05/cors-slim-php-setup/

Three Devs & A Maybe:
Episode 76 - Let's TalkTalk about Security
Oct 30, 2015 @ 09:23:55

On the latest episode of the Three Devs and a Maybe podcast hosts Michael Budd, Fraser Hart, Lewis Cains and Edd Mann talk about security in web applications, both on the client and server side.

This week we are very lucky to have Lewis back on the show after his recent move. We discuss what he has been getting up to in his absence and how he is balancing work/life whilst being remote. Following this, we touch upon a reinvigorated passion for software architecture, moving to a framework from bespoke solutions and the middleware pattern. Discussion then turns towards moving from AngularJS to React/Flux and resources Edd has written and found useful whilst learning the subject. Security is the next hot topic, with the recent TalkTalk security breach in question, an interesting pseudo-random number seed issue and SSL/TLS/HTTPS all explained. Finally, we conclude with an update on Mick's final year project and his work with decision trees.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3. If you enjoy it, be sure to subscribe to their feed to get updates when the latest episodes are released.

tagged: threedevsandamaybe podcast ep76 security frontend backend

Link: http://threedevsandamaybe.com/lets-talktalk-about-security/

PHP Security Video Series on YouTube
Oct 21, 2015 @ 10:49:02

As mentioned in this quick post, Codecourse (formerly PHP Academy) has posted a series of free videos to YouTube that aim to help you increase the security of your PHP applications. These videos go beyond the usual OWASP Top 10 you'll see in most security-related resources and dive into both some "old favorites" and some new, interesting topics.

This YouTube series from Codecourse gives you a good overview of the most common PHP security issues. They use a very practical approach, showing how the attacks are done and how to protect your code from them.

Topics covered in the video series include things like:

There are ten videos in the series with a total run time of about an hour. They're split up into bite-sized viewing chunks, so be sure to check them all out and see what you can learn.

tagged: codecourse phpacademy security video series youtube tutorial

Link: https://www.youtube.com/playlist?list=PLfdtiltiRHWFsPxAGO-SVPGhCbCwKWF_N

Paragon Initiative:
Coming to WordPress 4.4: CSPRNG
Oct 12, 2015 @ 12:52:42

The Paragon Initiative blog has a post from Scott Arciszewski about a new feature coming in the next WordPress release: the use of a cryptographically secure random number generator starting in version 4.4.0.

At Paragon Initiative Enterprises, we believe that security should be the default state of affairs, not something only in the reach of security experts. That is why [...] our team spends a great deal of time working to improve the security of popular free and open source software.

Today, we're pleased to announce an exciting security enhancement coming to WordPress in the next major version. Starting in 4.4.0, wp_rand() is cryptographically secure on all platforms.

He walks the reader through the "road" that led to the introduction of this support and the work he did in the past to help push the project (and others) towards it. Given that the WordPress project places a lot of emphasis on backwards compatibility, effort needed to be put into a method that would work across new and old PHP versions. The random_compat library was created and was adopted not only by WordPress but also by several other major PHP projects.

Our part in this long and crazy journey has reached its end. In the course of fixing the same flaw in two distinct projects, the PHP community banded together to identify and expunge a bug in the PHP core, create a new feature in PHP 7, and in some small way helped to secure the CMS that powers more than 20% of websites on the Internet.

tagged: wordpress csprng random number generator cryptography security

Link: https://paragonie.com/blog/2015/10/coming-wordpress-4-4-csprng

PHP 5.5.30 & 5.6.14 Released
Oct 02, 2015 @ 11:16:57

The PHP.net site has announced the release of two new versions of PHP in the 5.5.x and 5.6.x series: PHP 5.5.30 and PHP 5.6.14:

The PHP development team announces the immediate availability of [these versions]. This is a security release. Two security bugs were fixed in this release. All PHP [5.5 and 5.6] users are encouraged to upgrade to this version.

As always, you can grab these latest stable versions from the main downloads page or the windows.php.net site for the Windows binaries. If you're interested in the bugs fixed here, check out the full Changelog.

tagged: language release bugfix security update php55 php56

Link: http://php.net/archive/2015.php#id2015-10-01-3

PHP 5.6.13 & 5.5.29 Released
Sep 04, 2015 @ 14:12:29

The main PHP.net site has announced the availability of the latest versions in the PHP 5.5.x and 5.6.x series: PHP 5.5.29 and PHP 5.6.13.

The PHP development team announces the immediate availability of [these new versions]. This is a security release. Many security-related issues were fixed in this release. All PHP 5.5 [and 5.6] users are encouraged to upgrade to this version.

Problems fixed include "use after free" memory bugs, PCRE (regular expression) handling issues and other smaller issues in other extensions. As mentioned, upgrading to these latest versions is highly recommended, especially given the security fixes involved. You can get these latest releases from the main downloads page (or windows.php.net for the Windows users out there). If you're interested in all of the changes in these releases, check out the full Changelog.

tagged: language release bugfix security php55 php56

Link: http://php.net/index.php#id2015-09-04-3

Run Geek Radio:
Episode 008 – Escaping PHP Variables Forgotten
Sep 04, 2015 @ 09:50:22

Adam Culp has posted the latest episode of his "Run Geek Radio" podcast series, Episode #8: Escaping PHP Variables Forgotten.

Escaping variables in PHP is as important as ever, and developers can sometimes forget about it when using a modern framework. Adam Culp, the host of Run Geek Radio, talks a little about common pitfalls and how to handle them. Also covered are the ZendCon and SunshinePHP preparations and the status of Adam speaking at some other upcoming conferences. Plus a brief update on the running front and training.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3 directly. If you enjoy the show, be sure to subscribe to the feed and get information about the latest episodes as they're released.

tagged: rungeekradio ep08 escape variables security conference update

Link: https://rungeekradio.com/episode-008-escaping-php-variables-forgotten/

September 2015 Issue Released - Security Boot Camp
Sep 02, 2015 @ 12:19:02

The latest issue of the php[architect] magazine has been released for September 2015. In this latest issue they focus on security in PHP along with the same columns you know and love.

In this issue, we have an overview of the various techniques that malicious users can use to attack your application, a deep dive into how passwords can be stored securely and how PHP's built-in password functions make this easier, a look at how to set up a PHP-based Intrusion Detection System, and how to use PDO to guard against SQL injection attacks.

Elsewhere, there’s a look at how to think like a functional programmer, an introduction to using Sculpin for generating a static site, an interview with Elizabeth Naramore, and more.

This month's issue includes articles like:

  • Basic Intrusion Detection with Expose (Greg Wilson) (read this one free here)
  • Keep Your Passwords Hashed and Salted (Leszek Krupiński)
  • Leveling Up: DeLoreans, Data, and Hacking Sites (David Stockton)

...as well as the "Education Station", "Community Corner" and "finally{}" columns from returning authors. You can purchase your copy of this month's issue directly from the php[architect] website either as a single issue or as a part of a subscription.

tagged: phparchitect magazine sept2015 security issue release

Link: https://www.phparch.com/magazine/2015-2/september/

Paragon Initiative:
A Gentle Introduction to Application Security
Aug 17, 2015 @ 10:51:56

The Paragon Initiative blog has posted a gentle introduction to application security for those new to some of the ideas of secure code and wanting to learn more.

If you are a web developer (or are thinking about teaching yourself web programming), you probably don't think of yourself as a security engineer, or a white-hat/blue-team member of an information security assurance team. You might have considered security threats in the context of quality assurance before (e.g. validating input), but perhaps you're no expert on the subject. But the second your code is deployed in production, your code is the front line of defense for that entire system and quite possibly the entire network. Logically, that means the software you produce must be made reasonably secure.

[...] This might seem like a lot of pressure. [...] I'm not going to say you need to become an application security expert. That very notion betrays the (largely untapped) potential for rich diversity in the technology communities. But I will say this: Application Security is Every Developer's Responsibility

He reminds developers that there are a lot more than just 10 types of vulnerabilities (or even 25) and proposes a new model for thinking about security weaknesses in your applications. He outlines five points for assessing the security of your apps, rather than just a list of common vulnerabilities to fix:

  • Failure to Separate Data from Instructions
  • Unsound Application Logic
  • Your Application's Operating Environment
  • Cryptographic Weaknesses

The fifth is a catch-all "miscellaneous" category for things that either cross the boundaries of the other categories or would each be a category of their own. He suggests that, to move on to a "more secure tomorrow", we evaluate our applications along these criteria.

tagged: gentle introduction security application paragon initiative taxonomy

Link: https://paragonie.com/blog/2015/08/gentle-introduction-application-security

Release of PHP 5.6.12, 5.4.44 and 5.5.28
Aug 07, 2015 @ 08:49:54

The PHP.net site has announced the release of the latest versions in the currently supported branches of the PHP language: PHP versions 5.6.12, 5.4.44 and 5.5.28.

The PHP development team announces the immediate availability of PHP [versions 5.6.12, 5.4.44 and 5.5.28]. 12 security-related issues were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

It's also pointed out that this 5.5.x release marks the first security-only bugfix release according to their release calendar. As always, you can get these latest versions from the downloads page or the windows.php.net site for the Windows binaries. You can view the full list of changes in these releases in the Changelog for each version.

tagged: language release bugfix security schedule php55 php54 php56

Link: http://php.net/archive/2015.php#id2015-08-06-4