[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now
Vugranam Sreedhar
vugranam at us.ibm.com
Sat Feb 11 13:16:14 EST 2006
Interesting... I am also just starting to look at the possibility of
annotating PHP code to improve analyzability of PHP code... Do you have
pointers to Sara's extensions?
With regards,
Sreedhar
-------------------------------------------------------------------------------------------------------------------
Research Staff Member
TJ Watson Research Center
T/L 863-7325
Ext: 914-784-7325
From: Chris Shiflett <shiflett at php.net>
Sent by: talk-bounces at lists.nyphp.org
Date: 02/11/2006 01:07 PM
To: NYPHP Talk <talk at lists.nyphp.org>
Subject: Re: [nycphp-talk] PHP Security: The Proper Choice Is to Do It Now
Please respond to: NYPHP Talk <talk at lists.nyphp.org>
Vugranam Sreedhar wrote:
> BTW, are there any code analysis or static analysis tools for
> automatically detecting security problems that you describe in
> your book?
There are penetration testing tools, and these are pretty easy to write
yourself.
Analyzing code is more challenging than it sounds, because your task
winds up being a substantial subset of what a code parser does - you
have to be able to reliably interpret code and what it does, tracking
data the entire time, and making educated guesses about potential
safeguards. There are some recent PHP extensions written by Sara Golemon
that can help, but it's still a very non-trivial task.
I do a fair number of PHP security audits, and most of my process still
revolves around a manual inspection of the code.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
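The point Chris makes above, that a code analyzer has to track data through the program and then guess whether a "safeguard" it sees actually applies, is easiest to see in a minimal taint tracker. The script below is an added illustration written for this archive page; it is not from the thread, from Chris's audits, or from any of Sara Golemon's extensions. It handles only a toy subset of PHP (one statement per line, no control flow, no user functions, `//` comments stripped naively), and the source/sanitizer/sink tables and the PHP sample are constructed for the example. The interesting case is `$q1`: `htmlspecialchars()` is a real safeguard for the HTML sink but not for the SQL sink, so a tracker that only asks "was a sanitizer called?" would miss the injection.

```python
import re

# Superglobals whose contents are attacker-controlled (constructed, partial list).
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
# Sanitizer -> the single sink context it neutralises. A sanitizer for one
# context leaves the value tainted for every other context.
SANITIZERS = {
    "htmlspecialchars": "html",
    "htmlentities": "html",
    "mysql_real_escape_string": "sql",
}
# Sink -> the context in which its argument is interpreted.
SINKS = {"echo": "html", "print": "html", "mysql_query": "sql"}
CONTEXTS = frozenset({"html", "sql"})

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
SINK_RE = re.compile(r"^\s*(echo|print|mysql_query)\b\s*(.*?);\s*$")
CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)$")
CAST_RE = re.compile(r"^\((?:int|integer|float|bool)\)\s*(.+)$")
VAR_RE = re.compile(r"\$\w+")


def taint_of_expr(expr, state):
    """Return the set of sink contexts in which `expr` is still attacker-controlled.

    `state` maps variable names to their current taint sets.
    """
    expr = expr.strip()
    if CAST_RE.match(expr):
        return set()  # a numeric/bool cast leaves nothing attacker-controlled
    call = CALL_RE.match(expr)
    if call and call.group(1) in SANITIZERS:
        # Only the context this sanitizer is designed for is cleared.
        return taint_of_expr(call.group(2), state) - {SANITIZERS[call.group(1)]}
    taint = set()
    for var in VAR_RE.findall(expr):  # also catches "$var" interpolated in strings
        taint |= set(CONTEXTS) if var in SOURCES else state.get(var, set())
    return taint


def strip_outer_parens(s):
    s = s.strip()
    return s[1:-1].strip() if s.startswith("(") and s.endswith(")") else s


def analyze(php_source):
    """Line-by-line taint propagation; returns (line_no, sink, argument) findings."""
    state, findings = {}, []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        line = raw.split("//", 1)[0]  # naive comment strip (breaks on '//' in strings)
        sink = SINK_RE.match(line)
        if sink:
            name, arg = sink.group(1), strip_outer_parens(sink.group(2))
            if SINKS[name] in taint_of_expr(arg, state):
                findings.append((lineno, name, arg))
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            var, expr = assign.groups()
            state[var] = taint_of_expr(expr, state)
    return findings


# Constructed sample: two real bugs (lines 5 and 9) among four safe uses.
PHP_SAMPLE = """<?php
$name = $_GET['name'];
$safe = htmlspecialchars($name, ENT_QUOTES);
$id   = (int) $_GET['id'];
echo $name;           // unescaped -> XSS
echo $safe;           // escaped for HTML -> fine
echo $id;             // integer cast -> fine
$q1 = "SELECT * FROM users WHERE name = '$safe'";  // HTML escaping is not SQL escaping
mysql_query($q1);     // -> SQL injection despite a "sanitizer" upstream
$esc = mysql_real_escape_string($name);
$q2 = "SELECT * FROM users WHERE name = '$esc'";
mysql_query($q2);     // escaped for SQL -> fine
$q3 = "SELECT * FROM users WHERE id = $id";
mysql_query($q3);     // integer cast -> fine
"""

if __name__ == "__main__":
    for lineno, sink, arg in analyze(PHP_SAMPLE):
        print(f"line {lineno}: tainted data reaches {sink}({arg})")
```

Even this toy has to carry per-variable, per-context state and a table of what each safeguard actually guarantees; real PHP adds functions, includes, `extract()`, dynamic variable names and string-building helpers, which is why the thread's answer is still "mostly manual inspection".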