Category: Security Corner
Security Corner: The Risk of Lists
The OWASP Top Ten is required reading for anyone in software development, regardless of whether your role focuses on security. It's a useful guide to get you started thinking with a strong security mindset. Be careful, however, not to treat the list as exhaustive or to assume that addressing its ten items provides comprehensive security for your application or system.
Security Corner: Intrusion Detection
Home security systems are an early warning of potential theft or abuse of our personal property. They're useful because they alert us (and the police) to a problem before the theft happens. Logging and monitoring of our applications and digital systems can similarly help protect our customers and their data. By leveraging an automated intrusion […]
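As an added illustration of the "alert before the theft happens" idea (example code written for this listing, not code from the column itself), the script below runs two simple detection rules over a handful of constructed application log lines: a sliding-window count of failed logins per client IP, and a check of request paths for path-traversal and SQL-injection markers. The log format, the thresholds and the sample addresses are all assumptions for the example; a real deployment would feed the same logic from its actual log source and forward the alerts to whoever is on call.

```php
<?php
declare(strict_types=1);

// Constructed sample log lines (not from any real system). Assumed format:
// "<ISO-8601 time> <client IP> <event> <detail>"
$logLines = [
    '2019-01-05T10:00:01Z 203.0.113.7 login_failed user=alice',
    '2019-01-05T10:00:03Z 203.0.113.7 login_failed user=bob',
    '2019-01-05T10:00:04Z 203.0.113.7 login_failed user=carol',
    '2019-01-05T10:00:05Z 203.0.113.7 login_failed user=dave',
    '2019-01-05T10:00:06Z 203.0.113.7 login_failed user=erin',
    '2019-01-05T10:00:07Z 203.0.113.7 login_failed user=frank',
    '2019-01-05T10:00:09Z 198.51.100.4 login_ok user=alice',
    '2019-01-05T10:01:10Z 198.51.100.4 request path=/reports/export?format=csv',
    '2019-01-05T10:02:00Z 192.0.2.9 request path=/index.php?page=../../etc/passwd',
    '2019-01-05T10:02:30Z 192.0.2.9 request path=/products?id=1%27%20OR%20%271%27=%271',
];

/**
 * Parse one log line into its fields, or return null if it does not match.
 */
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\S+) (.*)$/', $line, $m)) {
        return null;
    }
    return ['time' => $m[1], 'ip' => $m[2], 'event' => $m[3], 'detail' => $m[4]];
}

/**
 * Run the detection rules over the lines and return a list of alert strings.
 * Thresholds are illustrative assumptions:
 *  - brute force: $failThreshold failed logins from one IP within $windowSeconds
 *  - attack signatures: traversal or SQL-injection markers in a request path
 */
function detectIntrusions(array $lines, int $failThreshold = 5, int $windowSeconds = 60): array
{
    $alerts   = [];
    $failures = []; // ip => unix timestamps of recent failed logins
    $signatures = [
        'path traversal' => '#\.\./#',
        'SQL injection'  => "/'\s*(or|and)\s+/i",
    ];

    foreach ($lines as $line) {
        $entry = parseLine($line);
        if ($entry === null) {
            continue; // unparseable line; a real system would count these too
        }
        $ts = strtotime($entry['time']);
        if ($ts === false) {
            continue;
        }

        if ($entry['event'] === 'login_failed') {
            $failures[$entry['ip']][] = $ts;
            // keep only failures inside the sliding window ending at this event
            $failures[$entry['ip']] = array_values(array_filter(
                $failures[$entry['ip']],
                fn(int $t) => $t > $ts - $windowSeconds
            ));
            // alert exactly when the threshold is reached, not on every later failure
            if (count($failures[$entry['ip']]) === $failThreshold) {
                $alerts[] = sprintf('%s brute force: %d failed logins from %s within %ds',
                    $entry['time'], $failThreshold, $entry['ip'], $windowSeconds);
            }
        }

        if ($entry['event'] === 'request') {
            // decode percent-encoding first so "%27%20OR" and "' OR" look the same
            $decoded = rawurldecode($entry['detail']);
            foreach ($signatures as $name => $pattern) {
                if (preg_match($pattern, $decoded)) {
                    $alerts[] = sprintf('%s %s attempt from %s: %s',
                        $entry['time'], $name, $entry['ip'], $decoded);
                }
            }
        }
    }
    return $alerts;
}

foreach (detectIntrusions($logLines) as $alert) {
    echo "ALERT: $alert\n";
}
```

Run with `php detect.php` (PHP 7.4 or later for the arrow function). On the sample input it raises three alerts: one brute-force alert when the fifth failure from 203.0.113.7 lands inside the window, and one alert for each of the two suspicious request paths from 192.0.2.9. Decoding the path before matching matters: without it the encoded quote and spaces in the second request would slip past the SQL-injection pattern.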
Security Corner: Egress Lockdown
Engineers working on the web are usually well-versed in firewalls. It's a good practice to limit the potential sources of incoming web traffic; far fewer engineers focus on limiting the approved destinations for outgoing traffic. Locking down a list of approved egress destinations is a strong security stance: it limits the potential impact of a breach, because a compromised host that cannot reach arbitrary addresses has a much harder time exfiltrating data or fetching further payloads.
Security Corner: Strong Security Stance in the New Year
January is a month all about setting resolutions for the new year. A new diet. A new budget. A new FOSS contribution goal. In 2019, let’s intentionally focus on keeping our projects safe and taking a strong stance on security.
Security Corner: Adventures in Hashing
One of the cryptographic primitives we discussed at a hackathon was the hash, and it's useful to take a more in-depth look at what hashes are and how to use them in PHP.
Security Corner: Five Risks to Look for In a Code Review
Development teams use code review as a way to keep track of one another's progress on the issues and tasks in the work queue. Code reviews are also a stellar way to proactively detect and address security concerns before they become critical to the success of the project.
Security Corner: Subdomain Takeover
In a previous issue, we discussed technical debt—the small compromises made by a development team to ship a product. Over time, every team should try to “pay down” this debt by investing time in refactoring, shoring up unit/integration tests, and conducting deeper code audits. Not every form of technical debt is code-related, though. Infrastructure-related debt […]
Security Corner: Professional Paranoia: Thinking Like an Attacker
One thing security professionals in every field share is a cultivated sense of "professional paranoia." They invest time in understanding and thinking like a potential attacker. As a result, there are fewer ways an attack can surprise, or successfully breach, an application.
Security Corner: Secure Tokens
Any application aimed at presenting users with a premium, seamless UX must take account of the times when user authentication fails. What happens when a user forgets their password? What can we do to confirm sensitive operations using email or other out-of-band communication? How can we make an application easy to use while also keeping […]
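The out-of-band confirmation described above (password reset links, email confirmation of a sensitive operation) rests on a token the server issues and later recognises. The block below is an added example for this listing, not code from the column: it generates a token from the CSPRNG, stores only a SHA-256 hash of it with an expiry, and redeems it exactly once. The in-memory array standing in for the database, the fifteen-minute lifetime and the user id are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Illustrative in-memory stand-in for the reset-token table (assumption for the
// example). Only the hash of each token is stored, so a leaked table does not
// hand an attacker usable tokens.
$tokenStore = []; // sha256(token) => ['user_id' => int, 'expires' => int, 'used' => bool]

const TOKEN_TTL_SECONDS = 900; // 15 minutes; an assumed policy value

/**
 * Issue a reset token for $userId. Returns the plaintext token, which goes to
 * the user out-of-band (e.g. in an email link); only its hash is kept.
 */
function issueResetToken(array &$store, int $userId, ?int $now = null): string
{
    $now ??= time();
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, never from rand()/uniqid()
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + TOKEN_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

/**
 * Redeem a token presented by the user. Returns the user id on success, or null
 * if the token is unknown, expired or already used. A successful redemption
 * consumes the token so the same link cannot be replayed.
 */
function redeemResetToken(array &$store, string $presented, ?int $now = null): ?int
{
    $now ??= time();
    // Looking up by hash means the stored value is never the secret itself; an
    // attacker who learns the hash still cannot produce the token that matches it.
    $lookup = hash('sha256', $presented);
    if (!isset($store[$lookup])) {
        return null;
    }
    $record = &$store[$lookup];
    if ($record['used'] || $now > $record['expires']) {
        return null;
    }
    $record['used'] = true;
    return $record['user_id'];
}

// Demo with constructed data: issue, redeem once, then show the replay and the
// expiry both fail.
$issuedAt = time();
$token = issueResetToken($tokenStore, 42, $issuedAt);
echo 'First redemption:  ', var_export(redeemResetToken($tokenStore, $token, $issuedAt + 60), true), "\n";
echo 'Replay:            ', var_export(redeemResetToken($tokenStore, $token, $issuedAt + 61), true), "\n";

$late = issueResetToken($tokenStore, 42, $issuedAt);
echo 'After expiry:      ', var_export(redeemResetToken($tokenStore, $late, $issuedAt + TOKEN_TTL_SECONDS + 1), true), "\n";
echo 'Unknown token:     ', var_export(redeemResetToken($tokenStore, str_repeat('0', 64), $issuedAt), true), "\n";
```

Three properties carry the security here: the token is unpredictable (random_bytes), the server never stores the secret itself (only its hash), and the token is short-lived and single-use. Dropping any one of them is enough to turn a reset link into an account-takeover vector.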
Security Corner: Secure Remote Password Authentication
A solid practice in protecting user credentials is to never store passwords in plaintext on the server. Modern content management systems and PHP frameworks leverage strong, slow, salted one-way functions to store only hashes of passwords. This technique protects your users should your database ever be breached by an attacker. An even stronger mechanism, however, would never […]
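Because the hashing column above and this one both come down to the same PHP primitives, one added example (written for this listing, not taken from either column) covers both: a plain hash for integrity, a keyed HMAC for authenticity with constant-time verification, and password_hash()/password_verify() for the "store only hashes of passwords" practice. The payload, the server secret and the passwords are constructed demo values; in a real application the key comes from configuration, not source code.

```php
<?php
declare(strict_types=1);

// 1. Integrity: a plain hash detects modification of data, but anyone can
//    recompute it, so it says nothing about who produced the data.
function fingerprint(string $data): string
{
    return hash('sha256', $data);
}

// 2. Authenticity: an HMAC is a hash keyed with a secret. Only holders of the
//    key can produce or verify a tag, and the comparison must be constant-time.
function sign(string $data, string $key): string
{
    return hash_hmac('sha256', $data, $key);
}

function verifySignature(string $data, string $key, string $tag): bool
{
    return hash_equals(sign($data, $key), $tag); // never "==" on a MAC
}

// 3. Password storage: deliberately NOT a plain hash. password_hash() applies a
//    slow, per-password-salted algorithm (bcrypt under PASSWORD_DEFAULT today),
//    so a stolen table cannot be cracked at hardware speed the way md5($pw) can.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed demo data (assumptions for the example)
$payload = '{"user":42,"role":"user"}';
$key     = 'assumed-server-secret';

$tag = sign($payload, $key);
echo "SHA-256 fingerprint: ", fingerprint($payload), "\n";
echo "HMAC tag:            $tag\n";
echo 'Genuine payload verifies: ', var_export(verifySignature($payload, $key, $tag), true), "\n";
$tampered = str_replace('"user"}', '"admin"}', $payload);
echo 'Tampered payload verifies: ', var_export(verifySignature($tampered, $key, $tag), true), "\n";

$stored = storePassword('correct horse battery staple');
echo "Stored password hash: $stored\n"; // algorithm, cost and salt are embedded in the string
echo 'Right password: ', var_export(checkPassword('correct horse battery staple', $stored), true), "\n";
echo 'Wrong password: ', var_export(checkPassword('Tr0ub4dor&3', $stored), true), "\n";

// When PHP's default algorithm or cost is raised later, upgrade stored hashes
// transparently on the next successful login.
if (checkPassword('correct horse battery staple', $stored)
    && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    $stored = storePassword('correct horse battery staple');
}
```

Two caveats worth knowing when using this in a real application: bcrypt only considers the first 72 bytes of a password, so very long passphrases silently lose their tail, and the cost parameter should be tuned per server (via the options argument to password_hash()) so that verification takes on the order of tens to hundreds of milliseconds rather than left at a default chosen years ago.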