About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


PHP Security Consortium

A little over a month ago, I mentioned the PHP security experiments that I've been conducting. I also solicited volunteers to help with my research.

Many gracious PHP experts from around the world have offered their aid. I did not expect such a response (nor all of the attention that this has received), but I appreciate everyone's interest. I want to keep this group small, and I want to make sure that I only involve people with high ethical standards, so I have chosen a handful of people that I know - either personally or by reputation (through their involvement with and/or contributions to the PHP community). This doesn't mean that I don't trust the others, and it's very likely that more people will have a chance to be involved later, because it looks like this may turn into something much more than a research group.

In addition to myself, the following people are volunteering their time to help promote sound security practices within the PHP community:

Because Ben is proposing a talk to be given at PHP Quebec that discusses our research, discoveries, and progress, we have chosen a name for the group - the PHP Security Consortium. We're still just a small group of people conducting some research, but now Ben has something to call us in his proposal.

In addition to conducting research, we have plans to provide several PEAR modules, improve a few others, generate plenty of documentation, and speak at user groups and conferences - all with the intention of educating the PHP community about security concerns (both old and new) and providing tools and best practices to help promote secure application development.

About This Post

PHP Security Consortium was posted on Tue, 07 Dec 2004 at 23:28:25 GMT.

4 Comments

1. Interesting effort but.... said:

Forgive my bluntness but isn't the name 'PHP Security Consortium' a 'big' name for such a small group? Seeing that a consortium is more a group of groups rather than a group of people.

I reckon a more modest name such as 'PHP Security Group' would add credibility and sympathy for this activity instead of seeming like a selected 'elite' with delusions of grandeur.

Titles aside, this sounds like an interesting effort which I hope will bring value to PHP and its community.

Wed, 08 Dec 2004 at 01:33:17 GMT


2. Chris Shiflett said:

The name is arbitrary. We could have discussed it in great detail, but we're more interested in other things.

In my opinion, PHP Security Group sounds at least as grand, plus the best way to earn respect is by contributing value to the community, not by choosing a great name.

> Titles aside, this sounds like an interesting effort which I hope will bring value to PHP and its community.

Me, too. :-)

Wed, 08 Dec 2004 at 01:46:10 GMT


3. trond said:

As I'm certain that education on "web security" is needed*, I'm glad to see work being done. I look forward to reading the results :)

*An example: I've taken university-level programming classes (and also worked as a teaching assistant ("web programming with PHP"-course)) and security is def. not taken seriously enough. Things as simple as data-filtering and/or "protecting" against SQL injections are not given high priority, and sometimes not even mentioned (at least not in Norway).

Mon, 13 Dec 2004 at 00:53:32 GMT


4. Patrick Reilly said:

I am looking forward to the great PEAR modules from this team of pros... Good work guys, keep it up!

Wed, 22 Dec 2004 at 21:13:45 GMT

