[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Vugranam Sreedhar vugranam at us.ibm.com
Sat Feb 11 13:16:14 EST 2006


Interesting... I am also just starting to look at the possibility of
annotating PHP code to improve analyzability of PHP code... Do you have
pointers to Sara's extensions?

With regards,

Sreedhar

-------------------------------------------------------------------------------------------------------------------

Research Staff Member
TJ Watson Research Center
T/L 863-7325
Ext: 914-784-7325



                                                                           
Chris Shiflett <shiflett at php.net>
Sent by: talk-bounces at lists.nyphp.org
02/11/2006 01:07 PM
Please respond to NYPHP Talk <talk at lists.nyphp.org>

To: NYPHP Talk <talk at lists.nyphp.org>
Subject: Re: [nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Vugranam Sreedhar wrote:
> BTW, are there any code analysis or static analysis tools for
> automatically detecting security problems that you describe in
> your book?

There are penetration testing tools, and these are pretty easy to write
yourself.

Analyzing code is more challenging than it sounds, because your task
winds up being a substantial subset of what a code parser does - you
have to be able to reliably interpret code and what it does, tracking
data the entire time, and making educated guesses about potential
safeguards. There are some recent PHP extensions written by Sara Golemon
that can help, but it's still a very non-trivial task.

I do a fair number of PHP security audits, and most of my process still
revolves around a manual inspection of the code.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
New York PHP Conference and Expo 2006
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
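One concrete picture of the "tracking data the entire time" and "educated guesses about potential safeguards" that Chris describes, as an added example that is not code from this thread, from Chris's book, or from Sara Golemon's extensions: a toy line-by-line taint tracker written in Python over a constructed PHP fragment. The source, sanitizer and sink lists are assumptions chosen for the demonstration.

```python
import re

# Constructed PHP fragment (not from the thread): three inputs, two sanitized paths, two unsafe sinks.
SAMPLE_PHP = """
$id = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$safe_id = intval($id);
$sql = "SELECT * FROM users WHERE id = " . $id;
mysql_query($sql);
mysql_query("SELECT * FROM users WHERE id = " . $safe_id);
echo $name;
echo $_GET['q'];
"""

# Assumed lists: where untrusted data enters, what counts as a safeguard, where it must not land.
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
SANITIZERS = ("htmlspecialchars", "intval", "mysql_real_escape_string")
SINKS = ("mysql_query", "echo")

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
SINK_RE = re.compile(r"^\s*(" + "|".join(SINKS) + r")\b\s*\(?(.*?)\)?\s*;\s*$")
VAR_RE = re.compile(r"\$\w+")

def is_tainted(expr, tainted):
    """True if the expression carries unsanitized data from a source or a tainted variable."""
    # Educated guess about safeguards: a call to a known sanitizer (one nesting level) is clean.
    for fn in SANITIZERS:
        expr = re.sub(r"\b" + fn + r"\s*\([^()]*\)", "CLEAN", expr)
    if any(src in expr for src in SOURCES):
        return True
    return any(var in tainted for var in VAR_RE.findall(expr))

def analyze(php_source):
    """Walk the fragment once, tracking taint through assignments; report tainted sinks."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.strip().splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # a clean re-assignment clears earlier taint
            continue
        m = SINK_RE.match(line)
        if m and is_tainted(m.group(2), tainted):
            findings.append((lineno, m.group(1)))
    return findings
```

On the sample it flags line 5 (`mysql_query` fed by `$sql`, built from `$id`) and line 8 (`echo` of raw `$_GET`), while the `intval` and `htmlspecialchars` paths pass. A real analyzer needs a parser rather than regexes: this one cannot see string interpolation, control flow or function boundaries, which is exactly why the task is non-trivial.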