Paragon Initiative:
A Gentle Introduction to Application Security
Aug 17, 2015 @ 10:51:56

The Paragon Initiative blog has posted a gentle introduction to application security for those new to some of the ideas of secure code and wanting to learn more.

If you are a web developer (or are thinking about teaching yourself web programming), you probably don't think of yourself as a security engineer, or a white-hat/blue-team member of an information security assurance team. You might have considered security threats in the context of quality assurance before (e.g. validating input), but perhaps you're no expert on the subject. But the second your code is deployed in production, your code is the front line of defense for that entire system and quite possibly the entire network. Logically, that means the software you produce must be made reasonably secure.

[...] This might seem like a lot of pressure. [...] I'm not going to say you need to become an application security expert. That very notion betrays the (largely untapped) potential for rich diversity in the technology communities. But I will say this: Application Security is Every Developer's Responsibility

The post reminds developers that there are far more than just 10 types of vulnerabilities (or even 25) and proposes a new model for thinking about the security weaknesses in your applications. The author outlines five categories for assessing the security of your apps, rather than a list of common vulnerabilities to fix:

  • Failure to Separate Data from Instructions
  • Unsound Application Logic
  • Your Application's Operating Environment
  • Cryptographic Weaknesses

The fifth is a catch-all "miscellaneous" category for issues that either cross the boundaries of the other categories or would each need a category of their own. He suggests that, to move toward a "more secure tomorrow", we evaluate our applications along these criteria.

tagged: gentle introduction security application paragon initiative taxonomy

Link: https://paragonie.com/blog/2015/08/gentle-introduction-application-security

Community News:
GoPHP5 Initiative Reborn?
Nov 08, 2013 @ 11:46:06

There's a movement stirring in a part of the PHP community (the PHP-FIG group) that wants to bring back the idea behind the "GoPHP5" movement from years back. This time, though, the focus is a bit different - it's not a switch to PHP 5 they want, it's a push towards PHP 5.5.

We all know that PHP 5.3 is about to lose even security support in the first half of next year. PHP 5.3 is still the most widely used PHP version, with the completely unsupported 5.2 a strong second [and] 5.4 hasn't even reached 10% yet, and 5.5, which is current stable, barely registers. [...] The last time this big of a chicken-and-egg issue existed was around moving to PHP 5.x at all, which took *for frickin' ever* to supplant PHP 4. [...] I believe it is time to discuss round 2 of that effort. I also believe that it would be good for FIG to play a leading role in such an effort if possible.

There's been varied feedback on the thread, both for and against. Overall, there's a lot of support for the idea, but there are a few "hitches" in the plans - mainly the lack of support from the Linux OS vendors to bump up their packaged versions. The projects themselves are receptive, with many noting that they've already been planning the first step: a move to PHP 5.4 only.

tagged: gophp5 php55 initiative community phpfig project

Link: https://groups.google.com/forum/#!topic/php-fig/ogp03OHbVJ0

Fabien Potencier:
About Symfony: Stability over Features
Apr 15, 2013 @ 10:12:34

Fabien Potencier (of the Symfony framework) has a new post on his site talking about a philosophy the Symfony framework community should work towards: providing stability over features.

Long story short: in the coming months, the Symfony core contributors should focus their efforts toward stabilizing the existing features instead of working on new ones. At this point, backward compatibility and stability are more important than everything else.

He highlights some of the points that come along with this effort including less refactoring for the sake of refactoring, fixing more bugs/edge cases and writing more tests/documentation. He gets into some of the specifics of this kind of thinking and points out the things that can and can't be changed during this time. He talks more about stability and suggests that not only can it help enhance performance but it could also help motivate more projects/corporate users to start using the framework.

tagged: symfony stability features framework initiative tests bugs backward compatibility

Link: http://fabien.potencier.org/article/68/about-symfony-stability-over-features

Community News:
NuSphere Partners with Parallels (ISV Initiative)
Sep 14, 2007 @ 09:32:00

On the php|architect website today, Elizabeth Naramore mentions that NuSphere, creators of the PhpED IDE for PHP, have teamed up with the Parallels Group in their "Partner Program's ISV initiative".

Via the ISV Initiative, NuSphere will make its flagship product, PhpED, which is an award-winning PHP Integrated Development Environment (PHP IDE) favored for its power, speed, ease of use, exceptional PHP debugging capabilities, and fully configurable user interface, available to the Mac and Linux communities through use of Parallels desktop virtualization products, which include Parallels Desktop 3.0 for Mac and Parallels Workstation 2.2 for Windows and Linux.

The collaboration between the two brings one of the more popular PHP IDEs over to the Mac world, in one of the first steps the Parallels Group has made to bridge the gap between Windows and OS X.

Check out some of Joseph Crawford's thoughts on the collaboration too.

tagged: isv initiative nuphere virtualization ide development osx windows

Link: