[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Chris Shiflett shiflett at php.net
Sat Feb 11 13:07:02 EST 2006


Vugranam Sreedhar wrote:
> BTW, are there any code analysis or static analysis tools for
> automatically detecting security problems that you describe in
> your book?

There are penetration testing tools, and these are pretty easy to write 
yourself.

Analyzing code is more challenging than it sounds, because your task 
winds up being a substantial subset of what a code parser does - you 
have to be able to reliably interpret code and what it does, tracking 
data the entire time, and making educated guesses about potential 
safeguards. There are some recent PHP extensions written by Sara Golemon 
that can help, but it's still a very non-trivial task.

I do a fair number of PHP security audits, and most of my process still 
revolves around a manual inspection of the code.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
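
The data tracking and safeguard guessing described in the message above, shown as an added example that is not part of the original post or of any tool it mentions: a line-based taint tracker in Python, run over a constructed PHP snippet. The source, safeguard and sink lists and the names `audit` and `is_tainted` are assumptions of this example.

```python
import re

# Assumed lists for this example; a real audit needs far larger, context-aware ones.
SOURCES = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\b")
SAFEGUARDS = ("htmlspecialchars", "htmlentities", "intval", "mysql_real_escape_string")
SINKS = re.compile(r"^\s*(echo|print|mysql_query)\b")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
VAR = re.compile(r"\$\w+")

def is_tainted(expr, tainted):
    """Guess whether expr carries user input that no safeguard wraps."""
    # Educated guess: a call to a known safeguard neutralises its whole argument.
    stripped = re.sub(r"\b(%s)\s*\([^()]*\)" % "|".join(SAFEGUARDS), "", expr)
    if SOURCES.search(stripped):
        return True
    return any(v in tainted for v in VAR.findall(stripped))

def audit(php_source):
    """Return [(line_no, line)] where tainted data reaches an output or SQL sink."""
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            if is_tainted(expr, tainted):
                tainted.add(var)       # taint propagates through assignment
            else:
                tainted.discard(var)   # reassignment from clean data clears it
        elif SINKS.match(line) and is_tainted(line, tainted):
            findings.append((no, line.strip()))
    return findings

# Constructed sample input, not taken from any real application.
SAMPLE = """<?php
$name = $_GET['name'];
$alias = $name;
$clean = htmlspecialchars($name);
echo "Hello $alias";
echo "Hello $clean";
$id = intval($_GET['id']);
mysql_query("SELECT * FROM t WHERE id = $id");
$q = "SELECT * FROM t WHERE n = '" . $_POST['n'] . "'";
mysql_query($q);
"""

if __name__ == "__main__":
    for no, line in audit(SAMPLE):
        print(no, line)
```

Input that arrives through `extract($_GET)`, function return values or included files passes this check unflagged, and the safeguard list ignores output context, which is why such a tool only narrows down where manual inspection should start.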
