PHP Security Consortium Redux
The launch of the PHP Security Consortium was a big success. It required more work than I expected to get things going, but I think we're now set to make some very positive contributions to the community.
In addition to being mentioned on PHP.net, Zend.com, and Slashdot.org, eWeek published a story about the group's purpose and future direction. Although the story misses a few important points - our formation was not triggered by the Santy worm, and I made no mention of offering security audits - the overall characterization of the PHPSC is pretty accurate.
Given the popularity of PHP, this sounds like a good idea. (Richard Monson-Haefel has been doing some great research for us on how and where enterprises are using the "P" scripting languages, and it's pretty amazing. We'll be publishing that report in a month or so.) Hopefully the group's efforts will lead to better programming practices, the root of many application vulnerabilities.
Richard Monson-Haefel, whom Jamie references, has been in touch with me regarding his report. Although the report and his interest in my counsel were unrelated to the formation of the PHP Security Consortium, he initially expressed some of the misconceptions I hope to help dispel.
Dana Epps, a recognized security expert, writes:
This is a positive move for the language. Lets hope the effort to educate the PHP community causes a rippling effect and promote the fixing of many of the problems that exist in the tools and technologies that reside there today.
Congratulations to the PHPSC, and good luck.
It's nice to see so much attention coming from outside of the PHP community. As Dana mentions, she is not a fan of PHP. Those within the PHP community know that PHP's poor reputation is undeserved. While the focus of our group is not advocacy, we can potentially have a positive effect on the general perception of PHP and security.
Of course, there was some attention given within the PHP community as well. John Lim writes:
The recently formed PHP Security Consortium has an excellent set of links to PHP security articles. The session management articles by Chris Shiflett are excellent. They discuss how session stealing can occur, and the different techniques you can use to minimize the risk.
I appreciate John's kind words, and it's nice to see that these articles are helpful. I have plans to enhance and grow our library, so that it contains links to many approved PHP security resources. The idea is that we will try to endorse quality documentation, regardless of where it is hosted. For resources that already have a home, we will provide a link in our library. For everything else, we will provide a home in the articles section.
Thanks to everyone who supports the PHPSC. I promise to work hard at promoting secure programming practices within our community.