Profile picture
Scott Arciszewski @CiPHPerCoder
, 16 tweets, 5 min read Read on Twitter
Let's talk about some of the open source libraries that @ParagonIE has created over the years to make it easier to make secure PHP applications.

paragonie.com/software
First, the polyfill libraries:

random_compat exists so that your framework can use the newer PHP 7 CSPRNG API even if they support PHP 5. It's used by a lot of projects, including WordPress.

github.com/paragonie/rand…
In a similar spirit, sodium_compat reimplements (most of) libsodium in pure PHP, and even supports 32-bit operating systems. Its purpose is to help projects transition toward PHP 7.2+ support.

github.com/paragonie/sodi…
If you need a deterministic RNG in 2014 (e.g. shared seed), you might have used srand() or mt_srand() then rand() or mt_rand() (respecitively).

These days, you'll want SeedSpring, which uses AES-CTR to generate a long stream of pseudorandom bytes: github.com/paragonie/seed…
A lot of the cool kids distribute their PHP projects in a PHP Archive (.phar file). One of our first open source projects was called Pharaoh, which allows you to peer inside two Phars and compare them. Great for deterministic builds.

github.com/paragonie/phar…
Ionizer is a dead-simple input filtration library that works on structured input (i.e. $_GET and $_POST). If you want a drop-dead simple way to turn user input into a validated, type-safe array, Ionizer is your tool.

github.com/paragonie/ioni…
CSP-Builder constructs Content-Security-Policy headers at runtime and/or from a JSON configuration file. This allows you to securely use the nonce feature in your favorite template library.

github.com/paragonie/csp-…
CipherSweet lets you encrypt database fields (using correctly-implemented authenticated encryption) and still use the plaintext in SELECT queries after-the-fact.

github.com/paragonie/ciph…
Chronicle is a microservice that lets you tell clients, "No, we don't actually need a #blockchain for that!"

github.com/paragonie/chro…
Certainty makes damn sure you have the latest copy of Mozilla's CACert bundle for use in cURL / Guzzle, without introducing the risk of MITM attacks.

Never again disable certificate validation in a PHP project, especially in eCommerce software!

github.com/paragonie/cert…
EasyDB aims to make SQL injection ancient history by making it super easy to use prepared statements correctly.

github.com/paragonie/easy…
If you're writing PHP software in 2019, you'll want to make sure that:

A. Your framework already solves the same problem as one of these libraries, OR
B. You (or your framework) are using the appropriate library
As far as native framework alternatives go, EasyDB has a some competition so you might not need it.

CipherSweet has no competition. If you need searchable encryption in PHP, that's probably your best bet.

The rest lie on a spectrum in-between both extremes.
Also, this tweet thread didn't cover all of our open source libraries.
Finally, it will cost you $0 to integrate any of these libraries with your PHP code. We're giving this away for free so you can write more secure code. Please take advantage of this.
@threadreaderapp unroll
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Scott Arciszewski
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#blockchain

More from @CiPHPerCoder see all

Profile picture
Want to make PHP's exceptions more helpful to your users, even if they're speaking to it over a JSON API or command line script? github.com/paragonie/corn…
Note: v1.x of this library targets EOL versions of PHP. You'll ideally want to use version 2 at a minimum.

But anyway, consider this a holiday gift to the PHP community. (I might have proposed it to FIG, if I were a member, and wasn't wary of endless bikeshedding.)
So what does Corner do? It transforms thorny corner-case errors into something that developers will find more useful.

It was inspired by this tweet:
Read 6 tweets
Profile picture
Fun activity:

Go through the plugins/extensions/whathaveyou for your favorite CMS/framework (especially eCommerce) and see which ones disable certificate validation for HTTPS requests.

paragonie.com/blog/2017/10/c…
Plugins for payment gateways that disable either are worth 5 points, unless they disable both, in which case they're worth 20 points.
If you expected to not find anything, well, I hope you didn't bet the farm on that:

Read 11 tweets
Profile picture
I've drafted several blog posts in the past week and scrapped them all. None of them feel important enough to write about, let alone publish.
This isn't coming from a position of writer's block. This is coming from a position of empathy. Time is precious, and I hate to waste anyone's.
Application security: I don't know whether it's better classified as "poorly understood" or "underappreciated".
Read 30 tweets

Related threads

Profile picture
Cloudflare is burying the lede here a bit: they have built a cloud platform that costs a third of what AWS costs and can run any language, by compiling it down to WebAssembly and running it in V8 isolates. blog.cloudflare.com/cloud-computin…
WebAssembly modules are already in the npm registry and interoperable with other JS. There is a potential future, not guaranteed but possible, in which all open-source software written in any language agglomerates into a single giant pool of useful libraries available on npm.
npm transitioned from the package manager for Node to the package manager for JavaScript and now with TypeScript, Electron and mobile transpilers has moved into being a general purpose software development platform.
Read 9 tweets
Profile picture
I have been formally studying or working in one engineering discipline or another for over 18 years. I am well-educated on failure rates of both machines and software.

If the reports of broken machines are true, the chance that this is random probability is nearly zero.
It is fallacious to assume that failure of machines in this case is an independent, identically-distributed (i.i.d. for those who want the lingo) process. Machine failure rarely is.
The reasons why failures are rarely i.i.d. is because similar models have the same design flaws, or they might be operated under the same conditions, by the same operator(s), who make(s) the same mistakes.
Read 11 tweets
Profile picture
After studying a bit of game theory and modern digital economics, I have come to the conclusion that network effects can sometimes provide a non-govt solution to tragedies of commons and mis-pricing due to externalities.
An externality is when a transaction between consumer & producer has an effect on third parties. When the effect is bad (eg: pollution), the costs are partially being paid by third-parties without them benefiting. This leads to over-pricing & therefore, over-supply of such txns.
Similarly, positive externalities benefit third-parties who did NOT pay the cost but did receive the benefit, which leads to under-pricing and under-supply of such goods. Inventions are classic examples. In tech, open-source software is the most familiar one.
Read 13 tweets
Profile picture
1. Unbelievable.

"The source with knowledge of his statements confirmed to Fox News that Moffa said FBI personnel would use media reports based on information they leaked to justify applications for Foreign Intelligence Surveillance Act warrants."

foxnews.com/politics/2018/…
2. So happy for freedom-loving Iranians! Looks like Rouhani has some 'splainin' to do to Iranian Parliament re: "unemployment, rising prices & sharp depreciation of the rial, which has lost more than half of its value since April." Are his days numbered?

aljazeera.com/news/2018/08/i…
3. Chain of Cmd: INSCOM -> NSA -> ODNI -> POTUS. FISAs granted by FISC. Given magnitude of #Spygate, Hussein clearly directed spy ops. Apprised via Pres Daily Briefs in PEOC. Trump has justification for FISA warrants vs DS mbrs colluding w/foreign gov'ts.
washingtonian.com/2013/02/01/oba…
Read 39 tweets
Profile picture
Hi, I'm Jeff and I'm an Engineering Manager at @npmjs and I'd like to talk a little bit about open source, humans, and general empathy
When you think about npm, you probably think about a gigantic company that plays a part in a lot of what you do, in what everybody does... and there's some truth to that.
We have roughly 10 million users. We're near 5 Billion, that's with a B, downloads per week. Even if you're not using our CLI tool (which most are), you're using our registry anyway. It's a great responsibility and we take it seriously
Read 18 tweets
Profile picture
As you might have heard, @nchousedems are fielding democratic candidates in all 120 House seats in the #ncga. If we want to #TurnNCBlue then we have to support every candidate in our #120DistrictStrategy.
First up, in House District 1, we have Ron Wesson who is currently serving his community as Vice-Chair of the Bertie County Commission. Check out his website or on Facebook at:
wessonfornc.com
facebook.com/ronwessonfornc…
dailyadvance.com/News/2018/02/0…
In House Dist. 6, we have Tess Judge. A successful business owner and community leader, Tess is running to support the children and families that live along our central coast. #ncga #ncpol #120DistrictStrategy

facebook.com/tessjudgefornc…

outerbanksvoice.com/2018/02/12/tes…
Read 42 tweets

Trending hashtags

#stablecoin #OpenSource #3GPP #AFM2018 #crypto #VeChainThor #Zcash #SanFrancisco #MySQL #Bluetooth #MMT2017 #tech #library #2019Position #ERC20 #cloud #EducatedElites #taxation #röstemermänskligt #Sapling #Cryptography #vanelxn18 #Seoul #libraries #php

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!