Keeping secrets secure with cutting edge technology doesn't have to be hard.
Effective PHP credential security can be tricky, but simpler is better than complex
Hash length extension vulnerabilities can easily slip in under the radar but are easy to prevent.
Get started building security into your applications
Securing legacy code can be tricky; here are a few more hints.
Securing legacy code can be tricky; here are a few "quick hits" to get you started.
Defaulting to secure settings in your tools helps keep the world a safer place
Good validation practices on incoming data can save lots of trouble down the line.
Proper risk evaluation can minimize the impact an attack can have on your apps.
Property-based policy evaluation is a more flexible alternative to the usual hard-coded checks
Why isn't application security taught as a beginner concept?
Validating input can help prevent most common security issues - let's learn how.
Validating input isn't just about values, it's about context too.
Input validation is a must for any application but changing rules can make it tricky.
The Aura.Filter component provides effective and easy to use data filtering & validation features.
Securing your configuration is important - let this tool help
Good access control systems (and their management) are key to an application's security.
Implement your own SMS-based two-factor authentication via the Twilio API.
The Clef service provides an interactive, easy to implement two-factor solution.
Trust boundaries are the gatekeepers for data in your applications.
The XACML standard from OASIS provides an attribute-based authentication structure.
Logging is a tricky subject - what to log, when to log and what tools to use.
Learn about Microsoft's industry standard secure development practices.
The Respect Validation library helps validate and protect from bad user data.
Using the DREAD threat modeling framework you can get a better view of the risk of your application.
The Yubikey USB hardware token makes two-factor authentication as easy as pushing a button.
Composer provides easy package management for PHP developers, but be careful with what you use.
Implementing a public/private HMAC hashing layer to your API helps authenticate and validate the request.
Mass assignment vulnerabilities can be a hard-to-find issue in your applications. Learn how to prevent them.
Knowing the exposed points of your application can help heighten your security and defenses.
The Google Authenticator smartphone application makes two-factor auth simple, even without a connection.
Using the Duo Security API you can manage multiple users and integrations, all through a REST interface.
Using the Authy REST API, you can quickly and easily integrate two-factor auth into your system.
Keeping the "bigger picture" in mind when assessing the security of your application is vital.
Just because you're using a NoSQL db doesn't mean you're safe from SQL injections.
Attack patterns provide a common language to refer to threat types and methods of attack.
The STRIDE method of threat modeling gives you a simple way to evaluate the possible weak points in your application.
Sometimes the best defense is a good offense - "think like an attacker" with these hints to prevent exploits.
Cross-site Request Forgeries are still a common threat. Learn how to protect your app from this pesky issue.
Part of the "Core Concepts" series, this examines the "Defence in Depth" thought pattern to secure your app.
Learn how to protect your site with a Content Security Policy limiting JavaScript, CSS and reporting.
An introduction to this new tool and implementing it with jQuery and a bit of PHP.
Learn about the WebGoat and Damn Vulnerable Web Application tools to practice your testing skills.
All user data is tainted, but how do you effectively deal with it? Read on...
Use a simple custom session handler in PHP to protect your session data on the server.
Learn how to use the TCrypto library to protect your data.
XML External Entity attacks are a lesser-known threat, learn how to protect your PHP application.
A few things to think about when using PHP sessions, especially on a shared server.
Handling user input can be tricky, file uploads even more so; here are some do's, don'ts and musts.
A look at one of the "Top 10" from the OWASP largest vulnerabilities list
See how to use this simple tool to help find flaws in your applications.
Google offers an API that tells you if a site is "safe". Read on to learn how to use it.
Default PHP error handling shares way too much information - learn how to use custom handlers to prevent it.
The default settings in PHP's configuration aren't all secure; here are a few you should change.
PHP's $_SERVER superglobal contains some values that come from the user - be careful what you use!
A look at one of the "Top 10" from the OWASP largest vulnerabilities list