[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now
Chris Shiflett
shiflett at php.net
Sat Feb 11 13:07:02 EST 2006
Vugranam Sreedhar wrote:
> BTW, are there any code analysis or static analysis tools for
> automatically detecting security problems that you describe in
> your book?
There are penetration testing tools, and these are pretty easy to write
yourself.
Analyzing code is more challenging than it sounds, because your task
winds up being a substantial subset of what a code parser does - you
have to be able to reliably interpret code and what it does, tracking
data the entire time, and making educated guesses about potential
safeguards. There are some recent PHP extensions written by Sara Golemon
that can help, but it's still a very non-trivial task.
I do a fair number of PHP security audits, and most of my process still
revolves around a manual inspection of the code.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
More information about the talk
mailing list