PSR-9/10


Michael Cullum

May 26, 2018, 12:18:13 PM
to FIG, PHP
Hi all,

PSR-9 and PSR-10 have been quite quiet for a long time. Michael Hess (Drupal security lead) has stepped back from being the Editor
and has asked if I could step up as Editor. The next step is to form a working group. This thread is an appeal for people who wish to
join the working group so we can get the ball rolling with a (re-)entrance vote.

What are PSR-9 and PSR-10
---------------------------------------

PSR-9 is about how to inform the public of security advisories once published by a project. The previous direction of this
PSR was particularly focused on standardising a machine-readable advisory format but there's possibility for enhanced scope within that area.

PSR-10 is about security reporting process including aspects of how to responsibly report an issue to a project, what can
be considered reasonable response and resolution times before disclosure by the reporter and the process of patching security issues.

You can join the working group for both or just one of two PSRs.

Who should join the Working Group?
--------------------------------------------------
We're looking for people in a few different categories:
  • Security researchers
  • Security leads of large projects, or in their absence (or lack of a person in such a role), a suitably qualified person from that project
  • [PSR-9] People who work on security checker tooling
  • [PSR-9] Security advisory database maintainers
  • Security advocates

Who is already on the Working Group?
-----------------------------------------------------
* Michael Cullum - Editor & Symfony Security Lead
* Larry Garfield - PSR-9 CC Sponsor
* Korvin Szanto - PSR-10 CC Sponsor
* Michael Hess - Drupal Security Lead
* Adam Englander

The working group is the group of people involved in the creation of, and the core discussions about, the specifications,
but there's very little active work required, just your opinion.

If you think you might be able to contribute and fit with one of the above categories then please get in touch through this thread or if
you want to chat first, a private email or tweeting me (@michaelcullumuk) is also fine!

--
Thanks,
Michael Cullum

Chris Cornutt

May 27, 2018, 8:34:30 AM
to php...@googlegroups.com
Hey Michael,
I'd love to be back in on this one and help push the project on.

-chris

--
You received this message because you are subscribed to the Google Groups "PHP Framework Interoperability Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to php-fig+unsubscribe@googlegroups.com.
To post to this group, send email to php...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/php-fig/CAAqcDMi-zm7cqAWwNWefGAvBb-j8T%3DoFrAnsTsyCd_49AJfEBQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.



--
Senior Editor
PHPDeveloper.org
ccor...@phpdeveloper.org
@enygma

Michael Cullum

May 27, 2018, 9:21:54 AM
to PHP FIG
Great! Welcome to the team.

Many thanks,
Michael


Fabien Potencier

May 28, 2018, 4:18:19 AM
to php...@googlegroups.com
Hi all,

I would be more than happy to participate and give my insight based on
my experience dealing with Symfony security issues and managing the
security advisory database
(https://github.com/FriendsOfPHP/security-advisories).

Fabien

On 26/05/2018 18:17, Michael Cullum wrote:
> Hi all,
>
> PSR-9 and PSR-10 have been quite quiet for a long time. Michael Hess
> (Drupal security lead) has stepped back from being the Editor
> and has asked if I could step up as Editor. The next step is to form a
> working group. This thread is an appeal for people who wish to
> join the working group so we can get the ball rolling with a
> (re-)entrance vote.

Matteo Beccati

May 28, 2018, 4:30:10 AM
to php...@googlegroups.com, Michael Cullum
On 26/05/2018 18:17, Michael Cullum wrote:
> If you think you might be able to contribute and fit with one of the
> above categories then please get in touch through this thread or if
> you want to chat first, a private email or tweeting me
> (@michaelcullumuk) is also fine!

Please count me in. I've been personally dealing with the security
issues in Revive Adserver, through its various names and iterations, for
15+ years.


Cheers
--
Matteo Beccati

Development & Consulting - http://www.beccati.com/

Michael Babker

May 28, 2018, 5:25:12 PM
to PHP Framework Interoperability Group
Hi, I'd be interested in participating as a current member (and past lead) of Joomla's security team.

Alice Wonder

May 29, 2018, 4:15:50 AM
to PHP Framework Interoperability Group
Hi,

If privacy is a religion then I am a zealot, and privacy and security go hand in hand. That being said, I am very interested in the results of these PSRs, but I am not sure I could contribute. So why am I posting?

I'm begging for a PSR specifically for best practices. Just as an example: even though I personally already did a base64 on a password prehash, I didn't know how important that was. The issue is that a raw prehash can result in a null byte, which has meaning to C, causing everything after it to be ignored by some algorithms used in password hashing; yet a large percentage of web apps that use a prehash just use a raw prehash, and are thus vulnerable to the prehash resulting in reduced entropy.

I've also seen web applications that do absurd things with CSRF tokens, getting really fancy with how they are generated, but the actual result is that they are somewhat predictable, when really random_bytes(16) is all you need for a good CSRF token.

It seems like a lot of talented coders (probably including myself) often do the wrong thing, just because what is intuitive with security is often wrong and what is the right way is often not intuitive. A PSR might help reduce those instances, thus reducing how often PSR-9/10 need to be used ;)

Just a thought.
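An added PHP example (not code from this thread or from any FIG deliverable) illustrating the two points in the post above: it base64-encodes a SHA-256 prehash before password_hash(), reports how many bytes of a raw prehash bcrypt would actually see when the digest happens to contain a NUL byte, and generates and compares a random_bytes(16) CSRF token with hash_equals(). The 'constructed-pw-' prefix is a constructed sample value; it assumes PHP 7.0 or later.

```php
<?php
// Prehash a password before handing it to bcrypt (password_hash()'s default).
// The raw binary digest from hash(..., true) may contain a NUL byte, and bcrypt
// treats its input as a C string, so everything after that NUL is dropped.
// Base64 turns the 32-byte digest into 44 printable characters, which also
// stays under bcrypt's 72-byte input limit.
function safePrehash(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

// Diagnostic: how many bytes of a raw (binary) prehash bcrypt would actually
// see. Returns the full digest length when no NUL byte is present.
function effectiveRawPrehashLength(string $password): int
{
    $raw = hash('sha256', $password, true);
    $nul = strpos($raw, "\0");
    return $nul === false ? strlen($raw) : $nul;
}

// Find a constructed password whose raw SHA-256 digest contains a NUL byte.
// About 12% of digests do (1 - (255/256)^32), so this terminates quickly.
function findTruncatedExample(string $prefix = 'constructed-pw-'): string
{
    for ($i = 0; ; $i++) {
        if (effectiveRawPrehashLength($prefix . $i) < 32) {
            return $prefix . $i;
        }
    }
}

// CSRF token: 16 bytes from the CSPRNG is all that is needed. Compare with
// hash_equals() so the check does not leak timing information.
function newCsrfToken(): string
{
    return bin2hex(random_bytes(16));
}

function csrfTokenMatches(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

$pw = findTruncatedExample();
printf("%s: bcrypt would see %d of 32 raw prehash bytes\n", $pw, effectiveRawPrehashLength($pw));
$hash = password_hash(safePrehash($pw), PASSWORD_DEFAULT);
var_dump(password_verify(safePrehash($pw), $hash));
$token = newCsrfToken();
var_dump(csrfTokenMatches($token, $token));
```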

Lukas Kahwe Smith

May 29, 2018, 4:20:32 AM
to php...@googlegroups.com

On 29 May 2018, at 10:15, Alice Wonder <alicedo...@gmail.com> wrote:

> Hi,
>
> If privacy is a religion then I am a zealot, and privacy and security go hand in hand. That being said, I am very interested in the results of these PSRs, but I am not sure I could contribute. So why am I posting?

I agree that the best thing of course is to prevent issues to begin with.

However, I am not sure how much value we can add here compared to organizations like OWASP.
The only thing I could see us doing here is looking at things from a PHP-specific point of view, i.e. discouraging specific PHP functions etc.
But even there I am not sure if this isn't rather the task of PHP core.

regards,
Lukas Kahwe Smith




Larry Garfield

May 29, 2018, 8:49:31 AM
to php...@googlegroups.com, Lukas Kahwe Smith
I would agree. "General security best practices" sounds like something for
PHPTheRightWay.com, not FIG. But absolutely it's important.

Looks like they already have a security section:

http://www.phptherightway.com/#security

I know the maintainers are very PR-friendly, so if you have something to add,
go for it.

--Larry Garfield

Enrico Zimuel

May 29, 2018, 11:52:12 AM
to php...@googlegroups.com
Hi Michael,

I'm a representative of the Zend Framework Security Team and I would be happy to contribute to PSR-9 and PSR-10.

This is our policy regarding security issues: https://framework.zend.com/security
We manage the security advisories using this format: https://framework.zend.com/security/advisories

I think PSR-9 and PSR-10 can definitely propose a standard way to report and discover security issues in PHP projects.
Maybe we should also consider a way to integrate the security advisories in Composer, e.g. using https://github.com/Roave/SecurityAdvisories or https://security.sensiolabs.org/.

Regards,
Enrico Zimuel


Michael Cullum

May 29, 2018, 12:32:51 PM
to PHP Framework Interoperability Group
Hi all,

Thanks for all of your interest. So far the Working Group is looking like this then:

* Michael Cullum - Editor & Symfony Security Lead
* Larry Garfield - PSR-9 CC Sponsor
* Korvin Szanto - PSR-10 CC Sponsor
* Michael Hess - Drupal Security Lead
* Fabien Potencier - Symfony Lead Developer & Friends of PHP Security Checker
* Enrico Zimuel - Zend Security Team
* Michael Babker - Joomla Security Team
* Matteo Beccati - Revive Adserver
* Chris Cornutt
* Adam Englander

Other people interested please continue to post. I'll probably leave this open until the end of this week.

--
Many thanks,
Michael

Marco Pivetta

May 29, 2018, 1:28:35 PM
to PHP Framework Interoperability Group
Hey Michael,

Count me in: I've got experience in distributing Fabien's excellent collection of security issues, as well as a fair share of maintenance experience when it comes to bad disclosures, and we can surely improve a lot here.

Greets,

Marco

Michael Cullum

Jun 6, 2018, 2:11:02 PM
to FIG, PHP
Hi all,

So I've got the working group as-is for now (and invited you all onto the FIG slack). The next step is to define the scope and put it forward for an entrance vote which will hopefully happen this week or next but we'll see. If anyone else wants to get involved, you can still reach out (as the WG membership can change at any time during the process).

WG:
* Michael Cullum - Editor, Symfony Security Lead & phpBB Core Team
* Larry Garfield - PSR-9 CC Sponsor
* Korvin Szanto - PSR-10 CC Sponsor
* Michael Hess - Drupal Security Lead
* Fabien Potencier - Symfony Lead Developer & Friends of PHP Security Checker
* Enrico Zimuel - Zend Security Team
* Michael Babker - Joomla Security Team
* Matteo Beccati - Revive Adserver
* Aaron Campbell - WordPress Security Lead
* Marco Pivetta
* Chris Cornutt
* Adam Englander

--
Michael C


Tom Adams

Jun 6, 2018, 3:59:58 PM
to PHP Framework Interoperability Group
Hi Michael,

I'd like to take part. I have some experience reporting vulnerabilities in WordPress plugins.

Thanks,
Tom A


phil...@gamache.com

Jul 10, 2018, 4:45:42 PM
to PHP Framework Interoperability Group
Wow, I didn't have time to post lately (changed work). I did say I was interested in another thread.

Philippe Gamache

Jul 10, 2018, 4:57:42 PM
to PHP Framework Interoperability Group
Like I said earlier (in the PSR status update), I'm interested in PSR-9 and PSR-10.

Worked on security on Tiki and with Sensio. Wrote the only French book on PHP security (with Damien Seguy). Have written a lot about it, and spoken at different conferences (PHP and security alike). Founder of the OWASP Montreal Chapters. Have worked for 14 years as a Security Consultant on PHP projects.


Diana Arnos

Jul 19, 2018, 1:36:04 PM
to PHP Framework Interoperability Group
I know it's late for me to ask to be part of the working group, but is there a way I could at least keep up with the discussion, since this thread here is not updated very often?