In his latest post, Pádraic Brady suggests that you take PHP security seriously and start really thinking about the security of your applications, not just talking about them.
Most programmers treat security as an afterthought and engage in zero self-directed education about security in general. The most common response is actually shock, followed by denial, followed by excited elation at the idea of fixing stuff, followed by the sobering realisation that someone somewhere is an evil fucker for making their lives harder by not telling them all this sooner. Some graduate further into taking security seriously, seriously. This is actually PHP’s current failing: Knowledge.
He talks about some of the mislead beliefs that many PHP developers share about the "One True Way" to secure their applications from common things like XSS and CSRF. He also shares his thoughts on how to solve this knowledge problem...and it's not by reading the same things we have been for years now. New knowledge needs to be shared, new questions need to be asked and new methods need to be shared for effective security precautions.
Knowledge is the essential ingredient to improving PHP Security. What you don’t know can bite you; what you do know can be hunted down and shot.