Securing software applications has not exactly become easier with the advent of agile software development methodologies such as scrum. In this post, I review the book Agile Application Security (by Laura Bell, Michael Brunton-Spall, Rich Smith, and Jim Bird), introduce some of its key ideas, and summarize why I found it so insightful. This book guides software development teams on how to practically integrate security into their agile processes. I recommend it to two groups of readers: (1) information security ...

In August 2018, Sam Thomas discovered a new way to attack PHP applications. This exploitation works by causing the application to unserialize a data structure controlled by the attacker and leads to the execution of arbitrary code on the attacked system. Specifically, this attack utilizes the phar:// stream wrapper, which allows access to Phar application archives. The underlying problem is that PHP unserializes a Phar archive once it is first accessed by a file operation (e.g., file_exists()). In this post, ...

Bernhard Knasmüller on Software Development