Our Ambitious Plan to Make Insecure PHP Software a Thing of the Past

Last month we published our guide to building secure PHP software in 2018. It provides clear and accessible guidance to writing secure PHP software. If you're a web developer, that page should serve as a great starting point for writing secure software going forward.

However, that guide only solves half the problem.

The other half is the abundance of outdated blog posts and PHP tutorials littered across the Internet that demonstrate bad security practices. And we'll need your help (yes, yours!) to clean up the ecosystem.

Let's Solve Application Security at an Ecosystem Level

Many of you are familiar with our efforts to clean up the bad/questionable cryptography practices on popular Stack Overflow answers over the years. It was challenging, at first, to launch this initiative because of how Stack Exchange websites work:

You need reputation to get started

You cannot post alternative answers that demonstrate an existing answer until you clear a reputation milestone

Peer review is stilted against "changing the intent" of an existing answer (no matter how foolhardy the original intent may be)

Despite these challenges, thanks to the immeasurable support of the StackOverflow moderators and ecosystem-conscious community members, we have been largely successful. These days, if you type "php encryption" into your favorite search engine, the top search results steer developers towards AEAD.

However, there are thousands of old blog posts and tutorial websites that compete with now-secure StackOverflow answers to the sorts of questions that developers seek answers to. Updating Stack Exchange websites and Wiki articles has a positive effect on the likelihood of developers being exposed to good security practices out of the gate, but it isn't enough.

That is why, today, I'm calling on the entire PHP community to organize an ecosystem clean-up initiative.

What We Need You to Do

The task is simple at its face:

Log into your old blogs and/or websites, update your old tutorials to steer newcomers toward secure solutions. Then encourage your friends and peers to do the same.

This may entail one or more of the following:

Prefacing the entire post with a big disclaimer.

Linking users to a better guide that follows security best practices. This can be an updated blog post on your own website, or one of ours. (See below.)

Rewriting example code to demonstrate better security practices, if you'd rather not link to an off-site blog post.

Commenting out the contents of the old blog post to prevent copy-and-paste-driven developers from following outdated or insecure practices, in case they miss the disclaimers and you don't have the time/energy to rewrite it.

At a minimum, it should eradicate all of the following:

Trivial SQL Injection vulnerabilities if anyone copies and pastes your code.

Trivial Cross-Site Scripting vulnerabilities if anyone copies and pastes your code.

Plaintext password storage.

Use of insecure password storage mechanisms, such as MD5.

Unnecessary/insecure use of unserialize() .

If you're unsure why, we wrote at length about all of these topics before.

Why Crowdsource this Effort?

No matter how driven and resourceful we may be, there's only so much impact we can have on the PHP ecosystem alone.

However, if the entire PHP community can rally behind this effort, we can raze the mountains of collective technical debt that have accumulated over the past decade. We can make application security the norm, not something scary that only the elite few can master.

Additionally, the prestige of the PHP developers will increase immensely. The toxic elements of the broader technology community will be totally disarmed the next time they try to dunk on PHP, which I think is an admirable goal to work towards.

What's Your Part in All This?

We'll keep doing what we've already been doing for years, just in greater quantities.

Now that the Sodium cryptography extension has landed in PHP 7.2, our next target is replacing the dangerous JOSE standards with a less error-prone cryptographic standard. More announcements to come, soon.

Our Promise to the PHP Community

Whether or not your choose to link to our blog posts so newcomers will find them easier, we've always conducted ourselves in accordance with these standards, and will continue to do so for as long as our doors remain open:

We will always aspire for excellence in usable security and applied cryptography. We will go out of our way to correct mistakes. We will never do any of the following (and, trust me, we get asked a lot): Third-party banner ads and/or pop-up ads

Intentionally enabling adware and/or malvertising

Native advertising

Paid product endorsements

Guest posts that do any of the above

Paywall our blog contents

Our company has been around for about three years, as of this writing. We aren't going away any time soon.

If you are hesitant to trust us as a resource to recommend to newcomers, we invite you to read our PHP security guide (including the supplementary material it links to), review some of our open source libraries, and ask some PHP and infosec community members what they think of Paragon Initiative Enterprises and the work we've done for both communities.