Channel: Pádraic Brady
Browsing all 29 articles
Automatic Output Escaping In PHP And The Real Future Of Preventing Cross-Site...

A while back, the Zend Framework 2.0 team decided that automatic escaping for Zend\View (a template engine where all templates are written in PHP...

PHP Security: Default Vulnerabilities, Security Omissions and Framing...

Secure By Design is a simple concept in the security world where software is designed from the ground up to be as secure as possible regardless of whether or not it...

PHP Security, Authoritative Knowledge and Combining Forces

It’s about a year since I sat down, quite despondent and discouraged, faced with the seemingly insurmountable task of overcoming PHP’s culture...

PHP Escaper RFC: Consistent Escaping Functionality For Killing XSS

A short time ago today, I submitted a PHP RFC for discussion which proposes adding an SPL Escaper class and, quite possibly, a related set of functions...

Zend Framework ElePHPants Available to Pre-Order – They’re Green!

Blue PHP ElePHPant plush toys are so yesterday. Ben Scholzen (you might know him as DASPRiD on IRC/Twitter) is now taking pre-orders for green Zend Framework ElePHPants. Yes, they are green. Yes, they...

Taking PHP Security Seriously By Taking It Seriously

Since the dawn of time, circa 1995 AD, PHP and Security have been at constant loggerheads over what priorities programmers should cling to. Programmers,...

Getting Ahead In Security By Watching The Neighbours

As some of you are likely aware by now, Ruby On Rails posted a security advisory concerning critical remote code execution (RCE) vulnerabilities in its Action Pack for all versions of Rails since 2.0....

Predicting Random Numbers In PHP – It’s Easier Than You Think!

The Zend Framework team recently released versions 2.0.8 and 2.1.4 to address a number of potential security issues including advisory ZF2013-02 “Potential Information Disclosure and Insufficient...

Mockery 0.8.0 Has Been Unleashed!

I’m very happy to announce the release of Mockery 0.8.0. Mockery is a simple yet flexible PHP mock object framework for use in unit testing with PHPUnit, PHPSpec or any other testing framework. Its...

20 Point List For Preventing Cross-Site Scripting In PHP

Summarising knowledge has as much value as writing a 200 page treatise on a topic, so here is a...

Publishing Security Disclosures In Consumable Formats For Simpler Aggregation...

This is a branch off from a separate discussion on the PHP-FIG mailing list about other ways the Framework Interoperability Group can encourage and foster wider interoperability among its member...

BREACH Attacks: Extracting HTTPS Encrypted Data In Under A Minute Without...

Welcome to Black Hat Conference Season… Last week, news started to spread from the Black Hat conference about a new oracle attack (called the BREACH attack) against HTTPS which may allow an attacker...

Stateful vs Stateless CSRF Defences: Know The Difference

Scanning the blogs today, I noticed an article discussing a method of implementing Stateless CSRF protection. Stateless CSRF...

PHP 5.6 and SSL/TLS: Getting Better But Will PHP Programmers Actually Use It?

Some time ago I wrote all about the main risks in using SSL/TLS in PHP and here’s...

Mockery 0.9.0 Has Landed…Mostly In One Piece!

I’m very happy to announce the release of Mockery 0.9.0. Mockery is a simple yet flexible PHP mock object framework for use in...

Coding Standards: Humans Are Not Computers

This is part rant and part poking fun, but I’ve grown weary with the sight of source code running through phpcs for PSR-2 compliance and finding that it’s riddled...

Composer: Downloading Random Code Is Not A Security Vulnerability?

Update: A fix which prevents Composer from locally installing packages not explicitly referred to by your root composer.json, or not explicitly referred to by your...

Thoughts on Composer’s Future Security

I’ve been spending a chunk of free time recently working on a few PRs for Composer related to security so this is my usual “let’s watch Paddy think aloud in a...

PHP Package Signing: My Current Thoughts

We figured out how to write good code. We figured out how to write good code in a reusable way…for the most part. We figured out how to distribute and mix all that good...

Is Facebook’s HHVM Building PHP’s Coffin?

With HHVM 3.0 now released, it’s probably time to start talking about HHVM and the new Hack Language. It’s becoming hard to ignore some of the...
