Worried that the credibility of the PHP scripting language is being hurt by high-profile security flaws in third-party applications, an international group of coding experts is taking matters into their own hands.
The group, which includes Zend Engine developer Andi Gutmans, has formed the PHP Security Consortium with ambitious plans to promote secure programming practices among developers and set up a one-stop shop for documentation, tools and standards.
The formation of the consortium was triggered by the recent Santy worm attack against Web forums running phpBB, a message board software written in PHP. “Theres this odd tendency in the PHP community to call everything PHP, even if its just a third-party application written in PHP. We saw this happen with the phpBB issue, even though that had nothing to do with a security problem in PHP,” said Chris Shiflett, a founding member of the new consortium.
At the time of the phpBB/Santy worm attacks, the Apache-backed PHP Group that manages the open-source language was in the middle of rolling out some unrelated PHP security fixes, and the timing led to some confusion.
“[The worm] exposed a mistake in the input validation in the phpBB message board application. … Without proper input validation of untrusted user data combined with any of the PHP calls that can execute code or write to the file system you create a potential security problem,” the group said in a notice to developers.
Thats why theres a need for some guidance from a reputable PHP Security Consortium, Shiflett said in an interview with eWEEK.com. “Because PHP has a very low barrier to entry, a lot of inexperienced developers are using it for their solutions,” he said. “They dont tend to understand Web application security, and theyre creating applications with serious vulnerabilities.
“There is this urgent need to educate these developers and provide them with resources to get up to speed,” Shiflett added.
Next Page: Code audits on apps written in PHP.
Page 2
Shiflett, who is also founder of PHPCommunity.org and a member of the Zend PHP Advisory Board, said the consortium will also conduct code audits of popular third-party applications written in PHP to find security vulnerabilities. “Youll see us issuing advisories and guidance based on our own findings,” he said.
The immediate plan is for the consortium to organize its work into separate projects consisting of documentation, utilities and other resources. The first project is Shifletts own PHP Security Guide, which discusses the most common security concerns for Web developers.
“The guide tries to explain the attack scenarios and give examples of exploits. Developers need to understand how attacks happen and how they can secure their applications,” Shiflett explained.
The aggressive move to beef up security around PHP comes at a crucial time for the project, which is shipped standard with a number of Web servers. The 10-year-old project has seen startling usage growth in recent years, including adoption by high-profile Web properties like Yahoo Inc., Lycos Inc. and Disney Online.
German airline Deutsche Lufthansa has also embraced PHP in a big way, using the scripting language for electronic ticketing and back-end systems for its agencies and bookings. Lufthansa is currently running 50 PHP servers.
Check out eWEEK.coms for the latest security news, reviews and analysis.