NYCPHP Meetup

[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Vugranam Sreedhar vugranam at us.ibm.com
Sat Feb 11 12:43:23 EST 2006


BTW, are there any code analysis or static analysis tools for automatically
detecting security problems that you describe in your book?
Zend IDE seems to do some shallow code analysis (at least that is the
impression I get when I read their IDE product description...)


With regards,

Sreedhar

-------------------------------------------------------------------------------------------------------------------

Research Staff Member
TJ Watson Research Center
T/L 863-7325
Ext: 914-784-7325



On 02/11/2006 11:49 AM, Chris Shiflett <shiflett at php.net> wrote to
NYPHP Talk <talk at lists.nyphp.org>
(Subject: Re: [nycphp-talk] PHP Security: The Proper Choice Is to Do It Now):


Hi Peter,

> The content of Chris Shiflett's Essential PHP Security from
> O'Reilly is poised right now to be put online as a Wiki.

Can you elaborate? There are no plans to do this, although I've
considered enhancing the PHP Security Guide to be a condensed version of
the book. This would require some negotiation with O'Reilly. :-)

There are a few free resources available online, including two free
chapters and most of the code:

http://phpsecurity.org/

> It should accept about 90 days of moderated updates and then be
> openly promoted as the accepted, standardized "Using PHP
> Securely" guide for all PHP programmers.

Web application security is a young and evolving discipline, so any
useful documentation should evolve as well.

> All PHP tutorials online that are old with insecure practices
> should have a simple one line link right under the tutorial
> title: "This tutorial may contain insecure techniques. See:
> [standardized, industry-supported secure PHP programming article]
> here before you begin."

I know what you mean. Ideally, online resources that teach bad practices
would be corrected, but the sheer magnitude of this problem makes any
progress difficult.

> Additionally, I have promoted in this venue before that the
> default php.ini from php.net should be a hardened .ini with shell
> and fopen functions disabled by default.

I definitely agree that allow_url_fopen should be disabled by default,
at least in php.ini-recommended.

> PHP security needs to be further demystified.

Agreed. Given the right background, it's a pretty simple topic.

> Chris's guide is quite sufficient to help engender a positive
> change in the nature of how we all program PHP.

I sure hope so. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
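The php.ini directives behind the hardening proposal quoted above (shell and fopen functions off by default, allow_url_fopen off in php.ini-recommended), shown as an added example that is not part of the thread. The "weak" block reflects what php.ini-recommended shipped at the time; the "hardened" block is one reasonable replacement assumed for this example, and the two are alternatives, not one file.

```ini
; Added example, not from the thread. Two alternative fragments for
; php.ini: the first mirrors the PHP 5.1-era php.ini-recommended
; defaults the thread objects to, the second is one hardened
; replacement (an assumption of this example; trim the function list
; to what your application can live without).

; --- weak: as shipped ---------------------------------------------
; fopen(), file_get_contents(), include and friends accept http://,
; ftp:// and similar URLs, so a tainted filename or include path can
; pull in remotely hosted content.
allow_url_fopen = On
; Nothing disabled: exec(), system(), passthru(), shell_exec() and the
; backtick operator are all callable from any script.
disable_functions =

; --- hardened ------------------------------------------------------
; Refuse URL wrappers for the file functions.
allow_url_fopen = Off
; PHP 5.2 and later give include/require their own switch; it is Off
; by default there, so state it explicitly and keep it that way.
allow_url_include = Off
; Disable the shell family. disable_functions only covers internal
; functions and cannot be undone at runtime with ini_set() or per
; directory with .htaccess, which is what makes it a real control.
; Disabling shell_exec also disables the backtick operator.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; Check what the running interpreter actually loaded, since a stray
; php.ini elsewhere on the search path wins over your edits:
;   php -r 'var_dump(ini_get("allow_url_fopen"), ini_get("disable_functions"));'
```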