
Security Corner: No Bug Too Small

by · November 11, 2021


Every bug report, even an innocuous-looking one, could be evidence of a fatal flaw in your application. You owe it to yourself and your customers to vet and audit every report, even if it lacks a proof-of-concept or exploit code, or feels like an extremely hypothetical edge case. by Eric Mann

 

Security Corner: Updating the OWASP Top Ten

by · October 20, 2021


The Open Web Application Security Project (OWASP) is a non-profit that focuses on web security research, training, and documentation to help developers make the world a safer place. They regularly collate application security risks seen in the wild and publish a list of the most frequently encountered issues. This list, the OWASP Top Ten, is […]

 

Security Corner: The Pit of Success

by · September 11, 2021


Security is often difficult to get right, even for those who are experts in the field. Mistakes are easy to make and result in our users falling into a pit. All developers should practice a stance of “security by default.” Doing so means ensuring that any mistakes land users in a pit of success rather […]

 

Security Corner: Multifactor Authentication

by · August 14, 2021


A modern security best practice is to both implement and require a form of authentication beyond a simple password. This practice is known as “multifactor” authentication, as users will have a primary factor—their password—and a secondary factor to successfully authenticate to an application. Proper implementation of a multifactor authentication scheme keeps your application and its users safe and secure by […]
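As an added illustration of the second factor this column describes (example code written for this listing, not taken from the column or from any library), the following PHP implements time-based one-time passwords per RFC 6238 on top of RFC 4226 HOTP. The function names (`hotp`, `totp`, `verifyTotp`) and the 30-second step are assumptions of the example; the secret is the RFC 6238 test vector, passed as raw bytes rather than the base32 form that authenticator apps usually scan. The verifier accepts one step of clock drift either way, compares in constant time, and records the last step accepted so a captured code cannot be replayed within its validity window.

```php
<?php
declare(strict_types=1);

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $message = pack('J', $counter);                  // 64-bit unsigned, big-endian
    $hmac = hash_hmac('sha1', $message, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;                 // low nibble of last byte selects the window
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)   // mask the sign bit
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 TOTP: the counter is the number of $step-second intervals since the Unix epoch.
function totp(string $secret, int $time, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($time, $step), $digits);
}

// Verify a submitted code. Accepts the previous, current and next step to tolerate
// clock drift, compares in constant time, and refuses any step at or before the
// last one already used so an intercepted code cannot be replayed.
function verifyTotp(string $secret, string $submitted, int $now, int &$lastUsedStep, int $step = 30): bool
{
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;                                // reject before doing any HMAC work
    }
    $current = intdiv($now, $step);
    for ($drift = -1; $drift <= 1; $drift++) {
        $candidate = $current + $drift;
        if ($candidate <= $lastUsedStep) {
            continue;                                // already consumed (or older): replay
        }
        if (hash_equals(hotp($secret, $candidate), $submitted)) {
            $lastUsedStep = $candidate;              // persist this per user in real code
            return true;
        }
    }
    return false;
}

// Constructed demo using the RFC 6238 test secret (ASCII "12345678901234567890").
// A real deployment generates a random per-user secret and stores it encrypted.
$secret = '12345678901234567890';
$lastUsedStep = 0;
$now = 59;

$code = totp($secret, $now);                         // what the user's authenticator app shows
var_dump(verifyTotp($secret, $code, $now, $lastUsedStep));       // first use of this step
var_dump(verifyTotp($secret, $code, $now + 10, $lastUsedStep));  // same code again: a replay
var_dump(verifyTotp($secret, '000000', $now + 30, $lastUsedStep)); // wrong code
```

The replay check is the part most often left out: without `$lastUsedStep`, a code phished or shoulder-surfed seconds ago is still valid for the rest of the window, and a rate limit on the login endpoint is still needed on top of this, since six digits with a three-step window leave only about 333,000 guesses.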

 

Security Corner: Evaluating Password Strength

by · July 14, 2021


An application is only as strong as the authentication systems used to gate entry and protect the data it contains. So long as your users leverage passwords, the weakest link in your security stance is the strength of those passwords. This month we take a deeper look at the strength of passwords and guidance to keep your users’ data […]

 

Security Corner: Responsible Disclosure

by · June 10, 2021


Despite our best efforts, security bugs will creep into deployed production code. When this happens, members of the community might reach out to report these bugs to you. Your team needs to be prepared to both receive and encourage these forms of responsible disclosure.

 

Security Corner: Radical Transparency

by · May 12, 2021


Last month, news broke of a breach of the PHP community’s development Git server. This breach included the addition of two malicious commits to the language’s source code. The malicious code was immediately identified and removed; the team is taking further steps to ensure this kind of situation never occurs again.

 

Security Corner: Basics of Password Hashing

by · April 9, 2021


Every web application that allows users to authenticate needs to ensure their users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement.

 

Security Corner: Cooking with Credentials

by · March 8, 2021


There are many ways to store user credentials for verification on the application side. Only a few of those ways—namely hashing—are considered secure. While an “older” topic, let’s look at how you should store passwords and why it’s vital for every developer to know how to handle sensitive data securely.
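As an added example for both of the password-storage columns above (Basics of Password Hashing and Cooking with Credentials), and not code from the columns themselves, the PHP below shows the storage pattern they recommend: store only the output of `password_hash()`, check logins with `password_verify()`, and use `password_needs_rehash()` to transparently upgrade old hashes when the algorithm or cost changes. The helper names (`hashPassword`, `verifyPassword`, `login`), the in-memory `$users` array and the cost of 12 are assumptions of the example.

```php
<?php
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;   // bcrypt at the time of writing; may change in future PHP
const HASH_OPTIONS = ['cost' => 12];  // tune so one hash takes a noticeable fraction of a second

// Hash a password for storage. password_hash() draws a random salt and embeds
// algorithm, cost and salt in the returned string, so nothing else needs storing.
function hashPassword(string $password): string
{
    // bcrypt silently ignores bytes beyond 72; surface that rather than hide it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

// Check a password against a stored hash. On success, if the stored hash uses an
// older algorithm or lower cost than we want today, return a fresh hash through
// $newHash so the caller can update the record.
function verifyPassword(string $password, string $storedHash, ?string &$newHash = null): bool
{
    $newHash = null;
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        $newHash = hashPassword($password);
    }
    return true;
}

// Login against an in-memory user table (constructed for the demo).
function login(array &$users, string $username, string $password): bool
{
    // Always run a verification, even for unknown usernames, so response time
    // does not reveal which accounts exist.
    static $dummyHash = null;
    $dummyHash ??= hashPassword(bin2hex(random_bytes(16)));

    $stored = $users[$username] ?? $dummyHash;
    $newHash = null;
    $ok = verifyPassword($password, $stored, $newHash);
    if (!$ok || !isset($users[$username])) {
        return false;
    }
    if ($newHash !== null) {
        $users[$username] = $newHash;   // transparent upgrade on a successful login
    }
    return true;
}

// Constructed demo: an account created back when the cost was 10.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

var_dump(login($users, 'alice', 'correct horse battery staple'));  // valid login
var_dump(password_get_info($users['alice'])['options']['cost']);    // cost after the upgrade
var_dump(login($users, 'alice', 'wrong password'));                 // bad password
var_dump(login($users, 'nobody', 'anything'));                      // unknown user
```

Two caveats a reviewer would raise: the 72-byte check exists because bcrypt truncates input, so two long passwords sharing a 72-byte prefix verify identically; and the dummy-hash comparison for unknown users is a timing mitigation, not a substitute for rate limiting on the login endpoint.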

 

Security Corner: Supply Chain Security

by · February 8, 2021


The recent security breach of SolarWinds was one of the worst the community has seen in recent years, not because of the severity of the technique used but because of its impact on almost all of SolarWinds’ downstream customers. Let’s look at whether something like this could happen in the PHP ecosystem and what we could do to […]