In my working life as a so-called “Senior Application Security Consultant”, I spend a lot of time breaking software, training development teams, and designing improved processes/tooling to generally make the security of seriously critical systems better overall.

Anyways, I’m writing this post to direct people’s attention to an extremely in-depth and detailed writeup I produced on the PHP Core breach back in March of 2021. Check it out here:

https://www.guidepointsecurity.com/blog/why-github-wont-protect-php/ (PDF)

In broad strokes, I cover the following topics:

• The end-to-end analysis of the breach itself,
• The PHP project’s threat model,
• The Linux Kernel developers’ threat model,
• The PHP project’s response to the breach, and why it’s inadequate,
• Git internals and PGP commit signatures,
• Zerodium & the role of economics in this breach (and supply chain attacks in general),
• and much more.

I put a whole lot of thought and effort into this, so I hope it’s both informative and thought-provoking. If you enjoyed it and want to share your thoughts, hit me up via email!