Thoughts on the PHP Core Breach
In summary: It's complicated. I shared my thoughts on the path forward.
In my working life as a so-called “Senior Application Security Consultant”, I spend a lot of time breaking software, training development teams, and designing better processes and tooling to improve the overall security of critical systems.
Anyways, I’m writing this post to direct people’s attention to an extremely in-depth and detailed writeup I produced on the PHP Core breach back in March of 2021. Check it out here:
https://www.guidepointsecurity.com/blog/why-github-wont-protect-php/
In broad strokes, I cover the following topics:
- The end-to-end analysis of the breach itself,
- The PHP project’s threat model,
- The Linux Kernel developers’ threat model,
- The PHP project’s response to the breach, and why it’s inadequate,
- Git internals and PGP commit signatures,
- Zerodium & the role of economics in this breach (and supply chain attacks in general),
- and much more.
I put a whole lot of thought and effort into this, so I hope it’s both informative and thought-provoking. If you enjoyed it and want to share your thoughts, hit me up via email!