
Full Stack Radio:
62: Timezones, Webhook Security, and UI Decisions
Apr 12, 2017 @ 13:06:25

The Full Stack Radio podcast, with host Adam Wathan, has posted their latest episode with guest David Hemphill - Episode #62: Timezones, Webhook Security, and UI Decisions.

In this episode, David talks about adding timezone support to Crondog, and Adam wrestles with some decisions about dealing with failed webhooks in KiteTail.

We also talk a lot about different strategies for securing webhooks, and what we're looking forward to at MicroConf.

You can listen to this latest episode either using the in-page audio player or by downloading the mp3 directly. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter to get the latest announcements when new shows are released.

tagged: fullstackradio podcast ep62 davidhemphill adamwathan timezone webhook security ui

Link: http://www.fullstackradio.com/62

SitePoint PHP Blog:
How to Secure Laravel Apps with 2FA via SMS
Mar 01, 2017 @ 11:52:23

On the SitePoint PHP blog there's a new tutorial posted by author Younes Rafie showing you how to secure your Laravel application with 2FA (two-factor authentication) via SMS messages. In this example they use Twilio's SMS handling to send the one-time code to the end user's device.

While everyone is concerned about their application’s security, few take it seriously and take the plunge. The first thing you’ll notice when learning about this is that two factor authentication (2FA) is the go-to solution as a first step.

Although there have been some serious problems with using text messages as a second factor, it’s definitely safer than a plain username and password combination, given that many users tend to use popular and easy to guess passwords for critical services such as payments, chat, emails, etc. In this article, we’re going to build two factor authentication into a Laravel application using Twilio SMS as the second factor.

The tutorial then starts by explaining what the end result will look like - a basic username/password login system that will require a code (from the SMS message) to continue into the account. They walk you through the creation of a new Homestead instance and installation/configuration of the new Laravel project. It then shows the updates you'll need to make to migrations and the models to handle the storage of the SMS tokens. It also shows the Blade templates to create the code entry view and error output in case of a code validation failure.

The tutorial then integrates Twilio's PHP SDK via a provider and provides a screencast of the end result.

tagged: laravel application security sms twofactor authentication

Link: https://www.sitepoint.com/secure-laravel-apps-2fa-via-sms/

Mattias Geniar:
Mitigating PHP’s long standing issue with OPCache leaking sensitive data
Feb 28, 2017 @ 11:39:33

In a new post to his site Mattias Geniar looks at an old security issue in PHP, OPcache information leakage, and how to mitigate it.

A very old security vulnerability has been fixed in PHP regarding the way it handles its OPCaches in environments where a single master process shares multiple PHP-FPM pools. This is the most common way to run PHP nowadays and might affect you, too.

He starts by describing the vulnerability itself: the PHP process doesn't validate the user id when fetching cached bytecode, so cached information from one pool's scripts can be exposed to scripts running in other PHP-FPM pools under the same master process. His solution? Upgrade PHP (the bug is fixed back in PHP 5.6.5) and set a few additional opcache ini settings to enforce the validation. Besides 5.6.29, it was also corrected in the PHP 7 releases (7.0.14 and 7.1.0). The post then describes the potential exploit: an indirect local privilege escalation to root, where the shared memory is read and information from outside the pool becomes accessible.
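The post does not spell out the ini settings in this summary, so here is an added example (mine, not Mattias's configuration) showing the weak default beside the hardened form. The two directives, opcache.validate_permission and opcache.validate_root, are the ones documented in the PHP manual's OPcache configuration section; the manual lists them as available from PHP 7.0.14, so on an older build confirm they are present with `php --ri opcache` before relying on them.

```ini
; OPcache settings for a PHP-FPM master that runs several pools as different users.
; Weak (the historical default): every pool sharing the master process can be served
; bytecode that another pool's user cached, including files it could not read itself.
; opcache.validate_permission = 0
; opcache.validate_root = 0

; Hardened: only honour a cache entry if the current user could open the script,
; and keep chrooted pools from sharing entries that happen to have the same path.
opcache.validate_permission = 1   ; re-check read permission on the script before serving it from cache
opcache.validate_root = 1         ; include the chroot in the cache key so pools do not collide
```

Settings in this file are read once at FPM start, so the change needs a restart of the master process, not just a pool reload; afterwards `php-fpm -tt` or `php --ri opcache` from inside one of the pools should show both directives set to 1.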

tagged: opcache bytecode security issue leak sensitive information mitigation

Link: https://ma.ttias.be/mitigating-phps-long-standing-issue-opcache-leaking-sensitive-data/

PHP.net:
PHP 5.6.30 Released
Jan 23, 2017 @ 11:55:08

The PHP.net site has posted an announcement about the latest release in the PHP 5.6.x series: PHP 5.6.30.

The PHP development team announces the immediate availability of PHP 5.6.30. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

According to our release calendar, this PHP 5.6 version is the last planned release that contains regular bugfixes. All the consequent releases will contain only security-relevant fixes, for the term of two years. PHP 5.6 users that need further bugfixes are encouraged to upgrade to PHP 7.

If you'd like to view the full list of changes, head over to the Changelog for what was fixed and their related bug entries. As always you can download this latest release from the main downloads page for the source release and windows.php.net for the Windows binaries.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2017-01-19-3

DotDev.co:
Google ReCaptcha integration with Laravel
Jan 10, 2017 @ 09:26:28

On the DotDev.co site they've posted an article from Talevski Igor about integrating Google's ReCaptcha with Laravel for use in verifying forms and protecting them against automated attacks.

Today I had a task to create a ReCaptcha on a contact form within a Laravel web page, and I'd like to share the process of making this possible.

He then walks you through the process of getting the configuration you'll need for your domain and using this package to easily integrate it with Laravel and its forms. He adds the routes for both the GET and POST requests along with the matching view and controller. He then uses the env helper function to get the ReCaptcha key from the configuration and places it in the form. He also adds the "g-recaptcha-response" variable to the required values rules and creates a simple Guzzle HTTP client to make the request back to Google to verify the result.
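The verification step in that flow is the one most often done wrong (the token is required in the form but never checked against Google, or a network failure is treated as success), so here is an added example of the POST side of the procedure. This is my code, not the article's or the package's: the controller name, the route name `contact.show`, the `RECAPTCHA_SECRET` environment variable and the field rules are assumptions. The `https://www.google.com/recaptcha/api/siteverify` endpoint and its `success` and `hostname` response fields are Google's documented API.

```php
<?php
// Added example (not the DotDev.co article's code): server-side verification of the
// g-recaptcha-response token that the widget adds to a Laravel contact form.
// Assumed names: ContactController, the contact.show route, RECAPTCHA_SECRET in .env.

namespace App\Http\Controllers;

use GuzzleHttp\Client;
use GuzzleHttp\Exception\TransferException;
use Illuminate\Http\Request;

class ContactController extends Controller
{
    // Google's verification endpoint (documented by Google).
    const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

    public function store(Request $request)
    {
        // 1. The widget's hidden field is required like any other input, so a request
        //    that skips the widget entirely never reaches the network call below.
        $this->validate($request, [
            'name'                 => 'required|string|max:100',
            'email'                => 'required|email',
            'message'              => 'required|string|max:2000',
            'g-recaptcha-response' => 'required|string',
        ]);

        // 2. Ask Google whether the token is genuine. Only the site key is rendered into
        //    the form; the secret never leaves the server.
        $passed = $this->captchaPassed(
            $request->input('g-recaptcha-response'),
            $request->ip(),
            $request->getHost()
        );

        if (!$passed) {
            return back()
                ->withInput($request->except('g-recaptcha-response'))
                ->withErrors(['g-recaptcha-response' => 'Captcha verification failed, please try again.']);
        }

        // ... persist or mail the message here ...
        return redirect()->route('contact.show')->with('status', 'Thanks, your message was sent.');
    }

    private function captchaPassed(string $token, string $remoteIp, string $expectedHost): bool
    {
        $client = new Client(['timeout' => 5]);

        try {
            $response = $client->post(self::VERIFY_URL, [
                'form_params' => [
                    // The article reads the key with env(); config('services...') is the usual
                    // place once the value is cached, but the idea is the same.
                    'secret'   => env('RECAPTCHA_SECRET'),
                    'response' => $token,
                    'remoteip' => $remoteIp,
                ],
            ]);
        } catch (TransferException $e) {
            // Fail closed: a timeout or DNS error must not let the form through unverified.
            return false;
        }

        $result = json_decode((string) $response->getBody(), true);

        // success must be exactly true, and the hostname Google saw the challenge on must be
        // this site, so a token solved elsewhere with the same key pair cannot be replayed here.
        return is_array($result)
            && ($result['success'] ?? false) === true
            && ($result['hostname'] ?? null) === $expectedHost;
    }
}
```

Each token is accepted by Google once, so a failed submission has to render a fresh widget; that is why the `withInput()` call deliberately drops the old `g-recaptcha-response` value instead of repopulating it.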

tagged: recaptcha security laravel tutorial form integration package

Link: https://dotdev.co/google-recaptcha-integration-with-laravel-ad0f30b52d7d?gi=ec5b94e26a27#.qdpwauax0

Aidan Woods:
Secure Headers for PHP
Jan 09, 2017 @ 13:14:11

In a recent post to his site Aidan Woods shares information (and code) related to the use of secure headers in PHP applications. He's even created a package to help make it easier to drop them into a new or existing project without too much trouble.

Recently I've been working on a drop in class to manage certain "Secure Headers" in PHP. By "Secure Headers", I'm of course talking about those mentioned in the OWASP Secure Headers Project. The project, SecureHeaders is available on GitHub.

He starts by covering why he created the library and what it can help you with, including making things like a CSP policy easier to maintain. The article goes on to explain what the Content-Security-Policy header is and what kinds of attacks it helps prevent. He also shows how the package reports errors, modifies cookies to secure them (HttpOnly and Secure flags), and provides a "safe mode" that will "place an upper limit on things like HSTS and HPKP, and remove flags like includeSubDomains or preload until the header is manually added as a safe mode exception, or safe mode is disabled."
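To make the three behaviours concrete (sending the OWASP headers, adding cookie flags after the fact, and a safe mode that caps HSTS), here is an added example written for a plain PHP front controller. It is my code, not the SecureHeaders library: the policy values, the one-day safe-mode cap and the function names are assumptions, and the cookie rewrite works by re-issuing whatever `Set-Cookie` headers are already queued, which is one way to do it rather than the library's exact mechanism.

```php
<?php
// Added example (not Aidan Woods' SecureHeaders): a minimal hand-rolled version of what
// the post describes. Assumed: the site is served only over HTTPS; the CSP and the
// safe-mode HSTS cap are illustrative values, not the library's defaults.

function send_secure_headers(bool $safeMode = true): void
{
    // Content-Security-Policy: scripts/styles only from this origin, no plugins, no framing.
    header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'");

    // Legacy equivalents and the other OWASP Secure Headers Project recommendations.
    header('X-Frame-Options: DENY');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // HSTS. A wrong long-lived header locks visitors out of an HTTP-only host until it
    // expires, so safe mode keeps max-age short and drops includeSubDomains/preload.
    if ($safeMode) {
        header('Strict-Transport-Security: max-age=86400');
    } else {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
    }

    // Do not advertise the PHP version (only present when expose_php is on).
    header_remove('X-Powered-By');
}

function start_hardened_session(): void
{
    // Must run before session_start(): lifetime 0, path /, any domain, Secure, HttpOnly.
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

function add_cookie_flags(): void
{
    // Re-issue every Set-Cookie header queued so far with Secure and HttpOnly appended
    // where missing, so cookies set by code that forgot the flags are still covered.
    $cookies = [];
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $cookies[] = trim(substr($line, strlen('Set-Cookie:')));
        }
    }
    if ($cookies === []) {
        return;
    }
    header_remove('Set-Cookie');
    foreach ($cookies as $cookie) {
        foreach (['Secure', 'HttpOnly'] as $flag) {
            if (!preg_match('/;\s*' . $flag . '\b/i', $cookie)) {
                $cookie .= '; ' . $flag;
            }
        }
        // false = do not replace, so every rewritten cookie is kept.
        header('Set-Cookie: ' . $cookie, false);
    }
}

// Order matters: headers first, then the session, then any application cookies,
// then the rewrite pass just before output starts.
send_secure_headers(true);
start_hardened_session();
setcookie('theme', 'dark', time() + 86400 * 30, '/'); // deliberately missing flags
add_cookie_flags();                                   // ... which the rewrite adds
```

Run it behind a real SAPI (php-fpm or `php -S`) rather than the CLI, where `headers_list()` is empty; inspecting the response with the browser's network panel or `curl -I` should show both cookies carrying `Secure; HttpOnly` and the short HSTS max-age from safe mode.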

tagged: header security package project csp https cookies

Link: https://www.aidanwoods.com/blog/secure-headers-for-php

thePHP.cc:
PHP 5: Active Support Ends. Now what?
Jan 02, 2017 @ 12:54:03

The final day of 2016 has come and gone, and with it the end of active support for the PHP 5.6 series of releases. This also marks the end of active support for anything in the PHP 5.x major release and the push on to PHP 7. In this post to thePHP.cc blog Sebastian Bergmann talks about what this means for you and the tools you use.

The active support by the PHP project for PHP 5.6, the final release series of PHP 5, ends today. What is "active support"? And what does it mean for you? To answer this, you need to understand PHP's release process.

He starts with the release schedule and when it shifted from the "consensus based model" over to an official process, introducing more formality to the whole process (in 2012). He mentions two key terms in the process: "active support" and "security support". PHP 5.6 has moved past active support and is now in the security support phase, with only security fixes to be released from here on out. Sebastian then talks about what this means for your current code and, if you're still running on PHP 5.6, what you should do to come up to speed with PHP 7.x. He lists some of the projects that are moving into the world of PHP 7 only, including PhpSpec 4.0, Laravel 5.5 and Symfony 4.

tagged: php5 active support end security php7 migration upgrade

Link: https://thephp.cc/news/2016/12/php-5-active-support-ends-now-what

Medium.com:
The Art of Defensive Programming
Dec 30, 2016 @ 12:59:38

In this post on Medium.com author Diego Mariani talks about the "Art of Defensive Programming" as it relates to the security of the code developers write.

Why don’t developers write secure code? We’re not talking yet another time about “clean code” here. We’re talking about something more, from a purely practical perspective: software’s safety and security. Yes, because insecure software is pretty much useless.

[...] Why do I think Defensive Programming is a good approach to issue these problems in certain kind of projects? [...] I personally believe this approach [of continued functionality even in unforeseen circumstances] to be suitable when you’re dealing with a big, long-lived project where many people are involved. Also for instance, with an open source project that requires a lot of extensive maintenance.

He then covers some of what he sees as key tenets of programming defensively:

  • Never trust user input
  • Use database abstraction
  • Don’t reinvent the wheel
  • Don’t trust developers
  • Write SOLID code
  • Write tests

For each item in the list he provides a brief summary of the idea behind it and, in some places, some example code to help illustrate the point. The examples are in PHP but the principles could be applied to just about any language.
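The first two tenets, "never trust user input" and "use database abstraction", are the ones that most directly decide whether a request can change the meaning of a query, so here is an added example putting the two side by side. It is my code, not Diego Mariani's article's: the `users` table, the function names and the in-memory SQLite data are constructed for the demonstration.

```php
<?php
// Added example (not from the Medium article): the "never trust user input" and
// "use database abstraction" tenets as a before/after pair on one lookup.

function find_user_unsafe(PDO $pdo, string $email): ?array
{
    // Before: the value is spliced into the SQL text, so whatever the user typed
    // becomes part of the statement. Kept only to show what the safe version replaces.
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

function find_user(PDO $pdo, string $email): ?array
{
    // 1. Validate at the boundary: reject anything that is not an email address,
    //    and cap the length so the database never sees oversized input.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }

    // 2. Go through the abstraction with a bound parameter: the value travels
    //    separately from the SQL and can never alter the statement's structure.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // fail loudly, never silently
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);           // real server-side binding
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

var_dump(find_user($pdo, 'alice@example.com'));   // ['id' => 1, 'email' => 'alice@example.com']
var_dump(find_user($pdo, 'nobody@example.com'));  // NULL: unknown address, no exception

try {
    find_user($pdo, "not an email ' --");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;      // rejected before any query runs
}
```

Validation and parameterisation are deliberately both present: the prepared statement is what makes the query safe, while the `filter_var` check is what gives the caller a clear error instead of an empty result when the input is nonsense.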

tagged: defensive programming tutorial security tenets

Link: https://medium.com/web-engineering-vox/the-art-of-defensive-programming-6789a9743ed4#.u3bzu5xam

TutsPlus.com:
Building Your Startup: Security Basics
Dec 20, 2016 @ 11:55:58

The TutsPlus.com site has continued their "Building Your Startup" tutorial series with this latest article covering the "security basics" you'll need to adequately protect your application. This tutorial touches on both the server-level and code-level security aspects.

In today's episode, we'll dive into the basics of web server security. I'll cover securing the Linux VPS running Meeting Planner and some basic Yii security. In the next episode, I'll dive more into programmatic Yii application security.

The article starts off with the server side of things, introducing hosting options, keeping the server updated, configuring SSH for logins, setting up a firewall and SSL. With that solid base in place, it then starts on the code side covering the built-in functionality used to secure the backend and frontend functionality.

tagged: tutorial series yii2 startup security basics server code

Link: https://code.tutsplus.com/tutorials/building-your-startup-security-basics--cms-26702

PHP.net:
PHP 5.6.29 Released
Dec 09, 2016 @ 11:54:07

On the main PHP.net site there's an announcement about the release of the latest version in the PHP 5.6.x series - PHP 5.6.29:

The PHP development team announces the immediate availability of PHP 5.6.29. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Bugs fixed in this version include changes in the OPcache, OpenSSL, SOAP, SQLite3 and Standard extensions. You can view the full list of changes in the Changelog and get the downloads from the usual place: the downloads page for the source packages and windows.php.net for the Windows binaries.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2016-12-08-2