This Is a Troubling Sort of Post

Since my departure from Jamf in November, I have immersed myself in AI-driven development, accumulating over 633 million tokens with Claude

“[…] I have immersed myself in AI-driven development, accumulating over 633 million tokens with Claude in just a month, resulting in a total spend of $522, primarily on Opus 4.5 for complex coding tasks. What started as a vibe has evolved to a systematic product management and delivery system, leveraging agents, skills, and commands to deliver high quality and secure solutions. There’s an incredible opportunity to enable people to produce high quality work at speeds we’ve only dreamt of.”

This to me is a deeply troubling thought. So he starts by boasting how little thinking he has done and how much money it cost him to not think. Notice the trumpeting of $522 and the number of token being handed over to and from Claude. Then he follows up by saying that it produces high quality work at speed. On what metric does it do that? Is this just better than what he can create, or is this good as far as he is concerned? Is this objectively amazing code? I can tell you it’s not. If it was then why are there so many developers who say that it creates work for them more often than it saves them work?

“This hands-on experience has enhanced my focus on integrating security with AI innovation. I have been developing projects where agentic security reviews are triggered via GitHub Actions, utilizing Claude to automate vulnerability scans and compliance checks. Additionally, I maintain customized system prompts that direct Claude to proactively incorporate security best practices—such as input validation, encryption, and access controls—during the implementation phase.”

The first sentence just makes me chortle. Calling an LLM “AI” is like calling your shoe a hammer. Then he talks about “agentic security reviews” and vulnerability scans this to me is hilarious. I have significant experience in the realm of static code analysis, and I can tell you for a fact that tools get the job part of the way, and people part of the way, and then there is all the stuff that is missed. This is the reality of this problem–it is hard and it is unsolved and LLMs have not moved that problem into the solved category.

Here is the real issue: writing secure code is hard. Every project is different and the way secure code is going to look is also going to be a bit different. Furthermore, what is required for a given application is not a fixed point. For example: is it a problem that I run a Python SimpleHTTP server in my home lab, for a static page that is only accessed in my network? Probably not, but if I was to put that on the internet–big problems.

LLMs don’t understand–anything. They have no judgement. They have no experience. They are simply plagiarizing others work and giving you the endorphin rush of accomplishment without any effort of skill gains.

This idea that making customized prompts and this fiddling he is doing is anything more than an exercise in delusion is just sad.

“Looking forward, I recognize significant opportunities in AI-enhanced threat detection, such as real-time anomaly detection in logs, and secure agentic workflows for DevSecOps teams. This approach is transforming how we create safer systems without compromising speed.”

This is not a new idea. People have been using “AI” for security and log analysis for years. In fact this has been the case long before this LLM fad drove the world up the wall.

His final analysis is just so out of touch with reality. That LLMs are improving speed and safety. For example, you can look here where the vendor lays out some of the risks of AI generated code. Remember this guy is using the AI to write the code and review the code to make him feel good that it is secure and that he accomplished something–without any effort or thought.

If you actually do research into the topic what you find is that at best LLM code is as secure as human code–occasionally more so. However, if the LLM is doing rarely better than a human, but the perception is that it is doing far better than a human consistently than the LLM is actually worse than a human coder.

Perception drives actions, and if we delude ourselves into thinking LLM generated code is better than people, then we are just inviting the same bad code and insecure code into our projects that a person would make. Remember these LLMs are just generating the most likely result. This is based on human and LLM code. This means that you are getting results that are going to represent the most common best and worst mixed with possible or even likely hallucination. Does that sound like a recipe for better than human code with better than average security and practices?

If you want to get into the weeds on this; look at this paper. This topic is a deeply nuanced issue and everyone has their opinion. However, this is one opinion broadcast on LinkedIn that should have been kept out of public view.

Best Ways to Secure PHP Apps from Hacks

PHP powers over 70% of websites today. Think WordPress sites, Laravel apps, and countless e-commerce platforms. Yet hacks hit PHP apps hard, leading to data theft, downtime, and lost trust. One breach can cost millions in fixes and fines. Security isn’t a nice add-on; it’s the backbone of any solid app.

This guide digs deep into real ways to lock down your PHP code. We’ll skip the basics and focus on layers that block modern threats. From input checks to smart updates, you’ll get steps to build a tough defense. Let’s make your PHP apps hack-proof.

Foundational Security Practices: Setting the Baseline for Protection

Start with the basics to stop most attacks before they start. These steps form your app’s first line of defense. Without them, even fancy tools won’t save you.

Input Validation and Sanitization: Stopping Attacks at the Gate

All data from users can hide nasty surprises. GET requests, POST forms, cookies, and server vars might carry malware. Treat every bit as untrusted.

White-list allowed values to keep things tight. For example, if a form expects an email, check it matches a pattern like user@example.com. Use PHP’s filter_var() for this job. It flags bad inputs fast.

Frameworks help too. In Laravel, Eloquent models cast types automatically. Say you set a field as an integer; it blocks junk like “abc” right away. Always sanitize before you touch the data. This cuts off paths for injection attacks early.

Prepared Statements and Parameterized Queries: Eliminating SQL Injection

SQL injection sneaks bad code into your database queries. Hackers slip in commands like DROP TABLE by gluing strings together in raw SQL. It’s easy if you build queries like “SELECT * FROM users WHERE id = $id”.

Switch to prepared statements instead. They separate your code from user input. Use PDO for most databases. Here’s a quick example:

$stmt = $pdo->prepare (“SELECT * FROM users WHERE id = ?”);

$stmt->execute([$userId]);

This binds the input safely. No more string tricks work. MySQLi does the same with bind_param(). Test every query this way, from inserts to selects. It stops injections cold.

For bigger apps, ORM tools like Doctrine handle this out of the box. Just avoid raw queries when you can. One bad habit can open the door wide.

Secure Password Hashing and Management

Old hashes like MD5 crack in seconds with today’s tools. SHA1 fares no better. They store passwords in weak forms that hackers love.

Go with strong options like bcrypt or Argon2. PHP’s password_hash() function does the work. It adds salt automatically and tunes the cost for slowness. Example:

$hash = password_hash($password, PASSWORD_DEFAULT);

When users log in, use password_verify() to check. This keeps brute-force guesses slow. Set a high cost factor, say 12 or more, if your server can handle it. Store hashes only; never plain text.

Rotate salts per user too. It adds another layer. Tools like Laravel’s Hash facade wrap this nicely. Bad hashing leads to account takeovers—don’t risk it.

Mitigating Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)

XSS and CSRF trick users into running bad code or faking actions. They target the web’s trust in your site. Block them with smart checks at key spots.

Context-Aware Output Escaping for XSS Prevention

XSS comes in three flavors: stored, reflected, and DOM-based. Stored hides in your database, like a comment with script tags. Reflected bounces back from a URL. DOM-based messes with client-side JavaScript.

Escape output, not input. When you print user data to HTML, wrap it in htmlspecialchars(). Always set the encoding to UTF-8. Like this:

echo htmlspecialchars($userInput, ENT_QUOTES, ‘UTF-8’);

It turns < into <. Safe for display. Twig or Blade templates escape by default—use them. For JavaScript outputs, json_encode() helps avoid DOM tricks.

Test with tools like OWASP ZAP. One unescaped spot can let hackers steal cookies. Make escaping a habit in every view.

Implementing Robust CSRF Tokens

CSRF fools a logged-in user into actions they didn’t mean. Like clicking a fake link that deletes their account. Checking the referrer header won’t cut it; it’s easy to fake.

Use tokens tied to sessions. Generate a unique one per form with a random string. Store it in the session. On submit, match it against the hidden field.

In plain PHP:

session_start();

if (empty($_SESSION['csrf_token’])) {

    $_SESSION['csrf_token’] = bin2hex(random_bytes(32));

}

Add to your form: Then verify on POST. Frameworks like Symfony provide CSRF protection middleware. It saves time and catches edge cases.

Regenerate tokens after big actions, like login. This stops reuse attacks. Your users stay safe from sneaky forms.

Configuration Hardening and Environment Security

Weak setups invite trouble. Tune your server and PHP to limit damage. It’s like locking doors and windows before leaving home.

Disabling Dangerous PHP Settings

php.ini controls what PHP can do. In production, turn off risky features. Set allow_url_fopen to Off. It blocks fetching remote files that might carry exploits.

Use disable_functions to block exec(), shell_exec(), and others. Hackers love them for running code. Keep memory_limit at 128M or less unless needed. Max_execution_time at 30 seconds stops endless loops.

Test changes in staging first. Tools like phpinfo() show your current setup. A loose config turns small flaws into big breaks.

File System Permissions and Error Reporting Control

Give files just enough access. Web servers need read on most, write only on uploads or caches. Set directories to 755, files to 644. Run as a low-priv user like www-data.

Turn off display_errors in production. Set it to Off. Log errors to a file instead with log_errors = On. Use a custom handler:

set_error_handler(function($errno, $errstr) {

    error_log(“Error: $errstr”);

});

This hides clues from hackers. Scan logs often for patterns. Tight permissions mean even if they get in, they can’t change much.

Protecting Against File Inclusion and Session Hijacking

File tricks and session steals give attackers a foothold. Shut these down with strict rules. Your code stays in control.

Securing Local and Remote File Inclusion (LFI/RFI)

LFI and RFI let users pick files to include. A bad path like ../../../etc/passwd reads sensitive data. RFI pulls from outside, running remote scripts.

Ban dynamic includes if possible. Hard-code paths. If you must use vars, white-list them. Like an array of allowed files: if (!in_array($file, $allowed)) die();

Use realpath() to check for tricks like ../. Frameworks often sandbox this. One slip-up can execute arbitrary code—avoid it.

Robust Session Management and Fixation Prevention

Session fixation sets a known ID before login, letting attackers hijack it. Weak IDs make guessing easy.

Use session_regenerate_id(true) after login. It scrubs old data too. Set cookies with HttpOnly to block JavaScript access. Add Secure for HTTPS only.

For SameSite, use Strict or Lax. It stops cross-site reads. Example:

session_set_cookie_params([

    'lifetime’ => 0,

    'path’ => ’/’,

    'domain’ => “,

    'secure’ => true,

    'httponly’ => true,

    'samesite’ => 'Strict’

]);

Store sessions in files or Redis, not cookies. Check IP or user agent on access. Strong sessions keep logins safe.

Staying Ahead: Dependency Management and Patching

Apps don’t stand alone. Packages bring risks too. Keep them clean and current to dodge known holes.

Automated Dependency Scanning and Updates

Composer pulls in tons of code. A vuln in a package can hit your app. Run composer audit often. It flags CVEs in your tree.

Tools like Snyk scan for issues and suggest fixes. GitHub Dependabot sends pull requests for updates. Set it to check weekly.

Lock versions in composer.lock, but update majors carefully. Test after changes. Clean deps mean fewer surprise attacks.

Rapid Patching and Framework Updates

Slow patches let exploits spread. Take the 2021 Log4j mess—it wrecked systems worldwide because teams lagged. PHP frameworks face the same.

Symfony and Laravel release security fixes fast. Subscribe to their alerts. Patch within days of alerts.

Build a schedule: monthly scans, quarterly full audits. Use tools like PHPStan for static checks. Quick updates close doors before knocks come.

Conclusion: Cultivating a Security-First Development Mindset

Securing PHP apps takes layers, not one shield. From input gates to fresh patches, each step builds strength. Miss one, and threats slip through.

Key moves? Use prepared statements to kill SQL injections. Escape outputs to stop XSS. Audit dependencies weekly. Start these from day one.

Make security part of your code reviews. Train your team on threats. Test with scans and pens. Your apps will run safe, users happy. Act now—lock it down today.

Secure by Design: Programming Certificates to Become a DevSecOps Champion

ALT

By 2025, security shouldn’t be an afterthought in your pipeline—it should be baked in from Day 1. As someone who’s broken builds and fixed late-night exploits, I can tell you that DevSecOps Certification is much more than just another line on your resume. It’s the turning point into a safer, smarter development mindset.

From “Fast” to “Secure and Fast”

I started my career in DevOps, racing to ship features as fast as possible. But a single security incident—an exposed API key in a pull request—changed everything. That moment taught me that shipping without secure coding checklists is like leaving your front door unlocked.

That’s when I decided to invest in DevSecOps Certification. I didn’t want to just patch vulnerabilities—I wanted to evolve how my team builds and deploys, securely.

What You Actually Learn (Not Just Buzzwords)

Here’s what diving into DevSecOps certs actually equips you to do:

· CI/CD Security: Automatically scan for vulnerabilities before deploy,no more manual gatekeeping.

· Cloud Security: Understand IAM roles, avoid misconfigurations, and add encryption builds into Terraform.

· Application Security: Embed SAST checks, validate input properly, and avoid dangerous dependencies.

· Secure Coding: Learn to write code that defaults to deny, not allow.

After my certification (I took SANS SEC540), I rewrote error-handling in our microservices and found two major vulnerabilities before prod. That alone repaid the course fee—but the confidence boost was priceless.

Certifications That Serve You, Not the Other Way Around

Here are the ones I’ve found eye-opening:

1. Certified DevSecOps Professional (CDP) Hands-on labs where you break and fix pipelines intentionally—that “aha!” moment stays with you.

2. SANS SEC540 My personal favorite for cloud-native security. Walks you through real-world misconfigs and remediation.

3. CSSLP (Certified Secure Software Lifecycle Professional) Ideal if you’re deep into application architecture and writing code—focuses on application security and secure development lifecycles.

4. PMI-ACP with DevSecOps Focus If you’re part of a product or process-heavy environment, this brings cloud security and Agile frameworks into one plan.

How to Turn Certification into Habit

Programming certificate online are great, but habits keep you secure. Here’s what worked for me:

· Immediately apply new checks in live projects—not placeholder tutorials.

· Teach or mentor teammates. Sharing is learning.

· Get active in communities. GitHub, Slack channels, meetup groups—we all learn faster together.

· Maintain a “security diary” : log small wins like “caught an open S3 bucket” or “added vault-based secrets.”

Final Thoughts: DevSecOps Is a Journey, Not a Checklist

By now, you’ve hopefully seen why DevSecOps Certification feels different—and meaningful. It’s not just about studying; it’s about shifting your role into a security champion.

If you want to make sure you’re investing in courses that match your career goals and actually deliver hands-on, battle-tested skills, CourseCorrect can help. We’ll nudge you toward certs, peer groups, and real-world exercises—the kind that stops breaches before they start.

Securing Django Applications

Learn how to secure your Django applications with this comprehensive guide. Follow best practices for secure configurations, user authentication, preventing common threats, and more.

Introduction

Security is a critical aspect of web application development. Django, being a high-level Python web framework, comes with numerous built-in security features and best practices. However, developers must be aware of additional steps to ensure their applications are secure. This guide will cover essential security practices for securing Django applications, including setting up secure…

View On WordPress

Best Practices for Secure Coding: Tips to Enhance Application

Best Practices For Secure Coding: Tips To Enhance Application Security

In a digital landscape fraught with evolving threats, secure coding is not merely a best practice — it is an imperative. Understanding common vulnerabilities, adopting best practices, conducting regular code reviews, and implementing secure coding guidelines empower development teams to create resilient applications that safeguard sensitive information. By incorporating secure coding principles into the development process, embracing continuous learning, and utilizing tools and resources, developers can contribute to a more secure digital ecosystem. As technology advances, the commitment to secure coding remains paramount in the ongoing battle against cyber threats.

🔒✨ Strengthen your code fortress! Discover the 9 essential principles for secure software development.

From encryption to robust authentication, empower your development journey with security at its core. 💻🚀

LEE’s Web Hacking (SQL-injection AND SECURE-CODING Skills)

Dziś z ranku złapałem kolejny , tym razem chwilowo darmowy kurs. Polecam serdecznie:

https://www.udemy.com/course/lees-web-hacking-sql-injection-and-secure-coding-skills/

Pamiętajcie , w każdej chwili promocja może zniknąć.

View On WordPress

Java มีความปลอดภัยสูงกว่า C ? (จริงเหรอ)

“ภาษา Java มีข้อบังคับ 168 ข้อในขณะที่ภาษา C 116 ข้อ”

ตารางที่ 3  แสดงการแบ่งกลุ่มของ High-Severity Rules ของทั้งสองภาษา

     จากข้อมูลด้านบนจะเห็นว่า High-Severity Rules ของทั้งสองภาษามีบางอย่างที่อยู่ในกลุ่มเดียวกัน แต่ที่เยอะที่สุดทั้งของภาษา C และภาษา Java นั้นแตกต่างกันโดยในภาษา Java จะพบปัญหา Internal privilege execution (IPE) เยอะสุดซึ่งปัญหานี้จะไม่พบในภาษา C เพราะภาษา C ไม่มี Internal privilege Model ในทางกลับกันปัญหาที่พบเยอะที่สุดในภาษา C ก็คือ Memory Corruption ซึ่งก็จะไม่พบในภาษา Java (เพราะมี JVM)

     เพื่อปรับให้ข้อมูลการนับ High-Severity Rules ของทั้งสองภาษา C และ Java ไม่ขึ้นกับเรื่องลักษณะการออกแบบและข้อจำกัดของการโปรแกรมบางประเภท เราจึงสรุป High-Severity Rules ใหม่โดยตัด IPE และ EPE ออกจากภาษา Java และ C ออก

     โดยภายหลังการตัดได้ผลลัพธ์ของ High-Severity Rules ดังนี้

ตารางที่ 4  แสดง High-Severity Rules ของ Java และ C ภายหลังตัดกลุ่ม IPE และ EPE ออก

     จะเห็นได้ว่าหลังตัด Rules ที่เกี่ยวกับ privilege escalation ออกไปแล้วความแตกต่างระหว่างภาษา Java และ C  จะเด่นชัดขึ้นดังตารางที่ 4 ภาษา Java จะมี High-Severity Rules 6% จากทั้งหมด ในส่วนของภาษา C จะมี High-Severity Rules 25% จากทั้งหมด  จากที่กล่าวมาจึงสรุปตามตารางที่ 4 ว่าภาษา Java นั้นมีความปลอดภัยมากกว่าภาษา C 

ที่มา : SEI CMU