Posts marked with “security”
The Art of Data
This month, we dive into Libsodium, discuss gatekeeping, learn more about data access, and why even something that might be considered a “small bug” can cause massive damage.
Security Corner: No Bug Too Small
Every bug report, even the innocuous-looking ones, could be evidence of a fatal flaw in your application. You owe it to yourself and your customers to vet and audit any report, even if it lacks a proof-of-concept or exploit code, or feels like an extremely hypothetical edge case.
by Eric Mann
Cryptography with Libsodium
According to the just-released 2021 version of OWASP Top 10 (a curated list of the most critical web application security risks out there), “Cryptographic Failures” are the 2nd most important of the many security concerns we should have as web developers. These concerns include a lot of misuses of cryptographic systems, like choosing weak algorithms, […]
Security Corner: Updating the OWASP Top Ten
The Open Web Application Security Project (OWASP) is a non-profit that focuses on web security research, training, and documentation to help developers make the world a safer place. They regularly collate application security risks seen in the wild and publish a list of the most frequently encountered issues. This list, the OWASP Top Ten, is […]
Security Corner: The Pit of Success
Security is often difficult to get right, even for those who are experts in the field. Mistakes are easy to make and result in our users falling into a pit. All developers should practice a stance of “security by default.” Doing so means ensuring that any mistakes land users in a pit of success rather […]
Security Corner: Multifactor Authentication
A modern security best practice is to both implement and require a form of authentication beyond a simple password. This practice is known as “multifactor” authentication, as users will have a primary factor—their password—and a secondary factor to successfully authenticate to an application. Proper implementation of a multifactor authentication scheme keeps your application and its users safe and secure by […]
Security Corner: Evaluating Password Strength
An application is only as strong as the authentication systems used to gate entry and protect the data it contains. So long as your users leverage passwords, the weakest link in your security stance is the strength of those passwords. This month we take a deeper look at the strength of passwords and guidance to keep your users’ data […]
Education Station: Approaches to API Security
The last few months have been a whirlwind of API work. If you’ve been following along, you have a solid grasp of the history of APIs, tools to help design your APIs, and a good lump of tips on how to turn that API design into reality. But, for the sake of space, I left […]
Security Corner: Radical Transparency
Last month, news broke of a breach of the PHP community’s development Git server. This breach included the addition of two malicious commits to the language’s source code. The malicious code was immediately identified and removed; the team is taking further steps to ensure this kind of situation never occurs again.
Security Corner: Basics of Password Hashing
By Eric Mann
Every web application that allows users to authenticate needs to ensure their users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement. Last month […]