Worried that the credibility of the PHP scripting language is being hurt by high-profile security flaws in third-party applications, an international group of coding experts is taking matters into their own hands.
The group, which includes Zend Engine developer Andi Gutmans, has formed the PHP Security Consortium with ambitious plans to promote secure programming practices among developers and set up a one-stop shop for documentation, tools and standards.
The formation of the consortium was triggered by the recent Santy worm attack against Web forums running phpBB, a message board software written in PHP. "Theres this odd tendency in the PHP community to call everything PHP, even if its just a third-party application written in PHP. We saw this happen with the phpBB issue, even though that had nothing to do with a security problem in PHP," said Chris Shiflett, a founding member of the new consortium.
At the time of the phpBB/Santy worm attacks, the Apache-backed PHP Group that manages the open-source language was in the middle of rolling out some unrelated PHP security fixes, and the timing led to some confusion.
"[The worm] exposed a mistake in the input validation in the phpBB message board application. … Without proper input validation of untrusted user data combined with any of the PHP calls that can execute code or write to the file system you create a potential security problem," the group said in a notice to developers.
Thats why theres a need for some guidance from a reputable PHP Security Consortium, Shiflett said in an interview with eWEEK.com. "Because PHP has a very low barrier to entry, a lot of inexperienced developers are using it for their solutions," he said. "They dont tend to understand Web application security, and theyre creating applications with serious vulnerabilities.
"There is this urgent need to educate these developers and provide them with resources to get up to speed," Shiflett added.